From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 12 16:38:05 2005
From: Max Laier <max@love2party.net>
To: freebsd-current@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 12 Jun 2005 18:33:54 +0200
Subject: Fwd: cvs commit: src/sys/netinet ip_fw2.c

All,

if you are relying on IPFW2's new IPv6 capabilities as your IPv6 packet filter, it's time to update. The commit below fixes a problem in the code that would match random IPv6 packets to IPv4 rules.
-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

[Forwarded message: Max Laier : cvs commit: src/sys/netinet ip_fw2.c]

From: Max Laier <mlaier@FreeBSD.org>
Date: Sun, 12 Jun 2005 16:27:10 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet ip_fw2.c
X-FreeBSD-CVS-Branch: HEAD

mlaier      2005-06-12 16:27:10 UTC

  FreeBSD src repository

  Modified files:
    sys/netinet          ip_fw2.c
  Log:
  When doing matching based on dst_ip/src_ip make sure we are really looking
  at an IPv4 packet, as these variables are uninitialized if not. This used
  to allow arbitrary IPv6 packets depending on the value in the uninitialized
  variables. Some opcodes (most notably O_REJECT) do not support IPv6 at all
  right now.

  Reviewed by:    brooks, glebius
  Security:       IPFW might pass IPv6 packets depending on stack contents.
  Approved by:    re (blanket)

  Revision  Changes    Path
  1.102     +13 -10    src/sys/netinet/ip_fw2.c
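A minimal model of the bug class described in the commit log above, added here as an example; it is not the FreeBSD ip_fw2.c code, and the `pkt_args`, `ip_rule`, `classify` and `match_dst_*` names are invented for illustration. The point it shows is the one the log makes: address fields that are only filled in for IPv4 packets must not be consulted for any other address family, because whatever they hold (stack contents in the real kernel, a previous packet's addresses in this model) is taken as a match.

```c
/*
 * Added example, not FreeBSD's ip_fw2.c: a simplified model of matching an
 * IPv4 address rule against per-packet state whose address fields are only
 * valid when the packet actually is IPv4.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical per-packet match state (names are constructed). */
struct pkt_args {
    bool     is_ipv4;   /* true only after an IPv4 header was parsed */
    uint32_t src_ip;    /* valid only when is_ipv4 */
    uint32_t dst_ip;    /* valid only when is_ipv4 */
};

/* An IPv4 destination-address rule: addr/mask in host byte order. */
struct ip_rule {
    uint32_t addr;
    uint32_t mask;
};

/* Parse step of the model: only an IPv4 packet fills in the addresses. */
static void classify(struct pkt_args *args, uint8_t ip_version,
                     uint32_t src, uint32_t dst)
{
    if (ip_version == 4) {
        args->is_ipv4 = true;
        args->src_ip = src;
        args->dst_ip = dst;
    } else {
        /* IPv6: src_ip/dst_ip are deliberately left untouched, as in the bug. */
        args->is_ipv4 = false;
    }
}

/* Buggy matcher: trusts dst_ip regardless of the packet's address family. */
static bool match_dst_unguarded(const struct pkt_args *a, const struct ip_rule *r)
{
    return (a->dst_ip & r->mask) == (r->addr & r->mask);
}

/* Fixed matcher: an IPv4 address rule can only ever match an IPv4 packet. */
static bool match_dst_guarded(const struct pkt_args *a, const struct ip_rule *r)
{
    if (!a->is_ipv4)
        return false;
    return (a->dst_ip & r->mask) == (r->addr & r->mask);
}

/*
 * Reuse one pkt_args for two packets, the way a stack slot is reused between
 * calls: first an IPv4 packet to 10.0.0.20 (constructed sample), then an IPv6
 * packet. Returns bit 0 set if the buggy matcher accepts the IPv6 packet and
 * bit 1 set if the guarded matcher does; the expected result is 1.
 */
static int stale_state_demo(void)
{
    struct ip_rule rule = { .addr = 0x0A000014u /* 10.0.0.20 */, .mask = 0xFFFFFFFFu };
    struct pkt_args args;
    int result = 0;

    memset(&args, 0, sizeof(args));
    classify(&args, 4, 0xC0A80101u /* 192.168.1.1 */, 0x0A000014u);  /* IPv4 packet */
    classify(&args, 6, 0, 0);                                          /* IPv6 packet */

    if (match_dst_unguarded(&args, &rule))
        result |= 1;   /* stale dst_ip from the earlier IPv4 packet still matches */
    if (match_dst_guarded(&args, &rule))
        result |= 2;
    return result;
}

/* Sanity check: the guarded matcher still matches a genuine IPv4 packet. */
static bool ipv4_packet_matches(void)
{
    struct ip_rule rule = { .addr = 0x0A000014u, .mask = 0xFFFFFFFFu };
    struct pkt_args args;

    memset(&args, 0, sizeof(args));
    classify(&args, 4, 0xC0A80101u, 0x0A000014u);
    return match_dst_guarded(&args, &rule);
}
```

The model makes the stale state deterministic so the false match is reproducible; in the real kernel the leftover values were whatever the stack held, which is why the commit describes the behaviour as depending on stack contents rather than as a fixed outcome.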
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 13 11:02:09 2005
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 13 Jun 2005 11:02:08 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/11] bin/80913   ipfw   /sbin/ipfw2 silently discards MAC addr ar

1 problem total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276  ipfw   ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971  ipfw   ipfw antispoof incorrectly blocks broadca
o [2005/02/15] kern/77570  ipfw   [PATCH] ipfw: Multiple rules may have the

3 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 13 11:02:44 2005
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Date: Mon, 13 Jun 2005 11:02:43 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483  ipfw   ipfw count does not count

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 14 17:00:08 2005
From: Tilman Linneweh <arved@FreeBSD.org>
To: arved@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Tue, 14 Jun 2005 17:00:07 GMT
Subject: Re: kern/80642: [patch] IPFW small patch - new RULE OPTION

Synopsis: [patch] IPFW small patch - new RULE OPTION

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: arved
Responsible-Changed-When: Tue Jun 14 16:59:45 GMT 2005
Responsible-Changed-Why:
Over to the ipfw mailing list for discussion

http://www.freebsd.org/cgi/query-pr.cgi?pr=80642

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 15 12:54:01 2005
From: Quang Nguyen Dang <kuangnd@mail.ru>
To: freebsd-ipfw@freebsd.org
Date: Wed, 15 Jun 2005 16:53:59 +0400
Subject: Need help about Internet Sharing Connection in FreeBSD

In our local network we have a server Internet gateway with address 10.10.1.1, connected to the Internet from the WAN, which then shares it with other computers. Now I'm making a new server with FreeBSD 5.3 and I want to share the Internet from this new server to make it cheaper (5 cents/MB). How do I share it? Please help me. I'm using UTM for the billing system. http://www.netup.info

INTERNET <---> GATEWAY (Eth0: 195.225.xx.xx - Eth1: 10.10.1.1) <----> FREEBSD 5.3 (Eth0: 10.10.1.2 - Eth1: 10.10.2.2) <----> CLIENTS

Best Regards.
Quangnd.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 15 12:59:05 2005
From: Ari Suutari <ari@suutari.iki.fi>
To: freebsd-ipfw@freebsd.org
Date: Wed, 15 Jun 2005 15:58:53 +0300
Subject: ipfw fwd: would it be possible to continue processing the rest of the rules after a match?

Hi,

Currently the ipfw fwd rules work so that the packet is accepted when a fwd rule matches. Would it be possible to just tag the packet with information about the next_hop and continue processing the rules? This would make complex rulesets with policy-based routing much simpler, since one could just have the relevant fwd statements at the beginning of the rule set and then filter the packets in the usual way.

Ari S.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 17 10:40:21 2005
From: "Andrey V. Elsukov" (via GNATS, gnats@FreeBSD.org)
To: freebsd-ipfw@FreeBSD.org
Date: Fri, 17 Jun 2005 10:40:21 GMT
Subject: Re: kern/80642: [patch] IPFW small patch - new RULE OPTION

The following reply was made to PR kern/80642; it has been noted by GNATS.
From: "Andrey V. Elsukov"
To: bug-followup@FreeBSD.org, bu7cher@yandex.ru
Date: Fri, 17 Jun 2005 14:31:20 +0400
Subject: Re: kern/80642: [patch] IPFW small patch - new RULE OPTION

Robert Watson wrote:
> This patch breaks the ABI by inserting a new type into an implicitly
> numbered enumeration, renumbering all entries later in the enum.
> O_BOUND, if added, should be appended to the end, and/or we should
> number the operations explicitly.

Ok. I have corrected this.

* ipfw_bound.diff - the patch with the smallest changes, with only the bound option.
* ipfw_bound2.diff - bound and check-bound options.

Examples:

We can limit incoming traffic (internet is the external interface):

  # ipfw add allow ip from any to 10.0.0.20 in recv internet bound 10MB
  # ipfw add deny ip from any to 10.0.0.0/24 in recv internet

We can use the traffic shaper after the limit is exceeded:

  # ipfw add allow ip from any to 10.0.0.20 in recv internet bound 10MB
  # ipfw add pipe 1 ip from any to 10.0.0.20 in recv internet
  # ipfw pipe 1 config bw 5Kbit/s queue 10Kbytes

We can block any access after the limit is exceeded:

  # ipfw add 100 allow ip from 10.0.0.20 to any out xmit internet \
        check-bound 200
  # ipfw add 200 allow ip from any to 10.0.0.20 in recv internet bound \
        10MB
  # ipfw add 300 deny ip from any to any

More details you can read at http://butcher.heavennet.ru/

-- 
WBR, Andrey V. Elsukov

[Attachment: ipfw_bound.diff]

--- sbin/ipfw/ipfw2.c Tue Jun 7 18:11:17 2005 +++ sbin/ipfw/ipfw2.c Fri Jun 17 13:09:43 2005 @@ -277,6 +277,7 @@ TOK_SRCIP6, TOK_IPV4, + TOK_BOUND, }; struct _s_x dummynet_params[] = {
@@ -403,6 +404,7 @@ { "dst-ip6", TOK_DSTIP6}, { "src-ipv6", TOK_SRCIP6}, { "src-ip6", TOK_SRCIP6}, + { "bound", TOK_BOUND}, { "//", TOK_COMMENT }, { "not", TOK_NOT }, /* pseudo option */ @@ -1858,6 +1860,10 @@ print_ext6hdr( (ipfw_insn *) cmd ); break; + case O_BOUND: + printf(" bound %u", ((ipfw_insn_u64 *)cmd)->bound); + break; + default: printf(" [opcode %d len %d]", cmd->opcode, cmd->len); @@ -2515,7 +2521,7 @@ " icmp6types LIST | ext6hdr LIST | flow-id N[,N] |\n" " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n" " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n" -" tcpdatalen LIST | verrevpath | versrcreach | antispoof\n" +" tcpdatalen LIST | verrevpath | versrcreach | antispoof | bound VALUE\n" ); exit(0); } @@ -3683,6 +3689,7 @@ int i; int open_par = 0; /* open parenthesis ( */ + int have_bound = 0; /* proto is here because it is used to fetch ports */ u_char proto = IPPROTO_IP; /* default protocol */ @@ -4492,6 +4499,33 @@ fill_comment(cmd, ac, av); av += ac; ac = 0; + break; + + case TOK_BOUND: + NEED1("bound requires numeric value"); + if (have_bound) + errx(EX_USAGE, "only one of bound is allowed"); + if (open_par) + errx(EX_USAGE, "bound cannot be part " + "of an or block"); + if (cmd->len & F_NOT) + errx(EX_USAGE, + "\"not\" not allowed with bound option"); + { + char *end = NULL; + uint64_t bound = strtoull(*av, &end, 0); + if (bound) + switch (*end){ + case 'G': bound *= 1024; + case 'M': bound *= 1024; + case 'K': bound *= 1024; + }; + cmd->opcode = O_BOUND; + ((ipfw_insn_u64 *)cmd)->bound = bound; + cmd->len = F_INSN_SIZE(ipfw_insn_u64) & F_LEN_MASK; + have_bound = 1; + ac--; av++; + } break; default: --- sys/netinet/ip_fw.h Fri Jun 3 05:10:28 2005 +++ sys/netinet/ip_fw.h Fri Jun 17 11:30:30 2005 @@ -154,6 +154,7 @@ O_NGTEE, /* copy to ng_ipfw */ O_IP4, + O_BOUND, /* u64 = bound in bytes */ O_LAST_OPCODE /* not an opcode! */ }; 
@@ -228,6 +229,14 @@ ipfw_insn o; u_int32_t d[1]; /* one or more */ } ipfw_insn_u32; + +/* + * This is used to store 64-bit bound value. + */ +typedef struct _ipfw_insn_u64 { + ipfw_insn o; + u_int64_t bound; +} ipfw_insn_u64; /* * This is used to store IP addr-mask pairs. --- sys/netinet/ip_fw2.c Thu Jun 16 18:55:58 2005 +++ sys/netinet/ip_fw2.c Fri Jun 17 11:46:36 2005 @@ -2251,6 +2251,10 @@ * logic to deal with F_NOT and F_OR flags associated * with the opcode. */ + case O_BOUND: + match = (f->bcnt < ((ipfw_insn_u64 *)cmd)->bound); + break; + case O_NOP: match = 1; break; @@ -3387,6 +3391,11 @@ case O_PROB: case O_ICMPTYPE: if (cmdlen != F_INSN_SIZE(ipfw_insn_u32)) + goto bad_size; + break; + + case O_BOUND: + if (cmdlen != F_INSN_SIZE(ipfw_insn_u64)) goto bad_size; break; --------------020602060206080505060104 Content-Type: text/plain; name="ipfw_bound2.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="ipfw_bound2.diff" --- sbin/ipfw/ipfw2.c Tue Jun 7 18:11:17 2005 +++ sbin/ipfw/ipfw2.c Fri Jun 17 13:40:54 2005 @@ -277,6 +277,8 @@ TOK_SRCIP6, TOK_IPV4, + TOK_BOUND, + TOK_CHECK_BOUND, }; struct _s_x dummynet_params[] = { @@ -403,6 +405,8 @@ { "dst-ip6", TOK_DSTIP6}, { "src-ipv6", TOK_SRCIP6}, { "src-ip6", TOK_SRCIP6}, + { "bound", TOK_BOUND}, + { "check-bound", TOK_CHECK_BOUND}, { "//", TOK_COMMENT }, { "not", TOK_NOT }, /* pseudo option */ @@ -1636,6 +1640,9 @@ flags |= HAVE_PROTO; break; + case O_BOUND: + break; + default: /*options ... */ if (!(cmd->len & (F_OR|F_NOT))) if (((cmd->opcode == O_IP6) && @@ -1858,6 +1865,10 @@ print_ext6hdr( (ipfw_insn *) cmd ); break; + case O_CHECK_BOUND: + printf(" check-bound %d", cmd->arg1); + break; + default: printf(" [opcode %d len %d]", cmd->opcode, cmd->len); @@ -1872,6 +1883,8 @@ } } show_prerequisites(&flags, HAVE_IP, 0); + if (rule->cmd->opcode == O_BOUND) + printf(" bound %u", ((ipfw_insn_u64 *)(rule->cmd))->bound); if (comment) printf(" // %s", comment); printf("\n"); 
@@ -2515,7 +2528,8 @@ " icmp6types LIST | ext6hdr LIST | flow-id N[,N] |\n" " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n" " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n" -" tcpdatalen LIST | verrevpath | versrcreach | antispoof\n" +" tcpdatalen LIST | verrevpath | versrcreach | antispoof | bound VALUE |\n" +" check-bound NUM\n" ); exit(0); } @@ -3677,7 +3691,8 @@ * various flags used to record that we entered some fields. */ ipfw_insn *have_state = NULL; /* check-state or keep-state */ - ipfw_insn *have_log = NULL, *have_altq = NULL; + ipfw_insn *have_log = NULL, *have_altq = NULL, + *have_bound = NULL; size_t len; int i; @@ -4494,6 +4509,39 @@ ac = 0; break; + case TOK_BOUND: + NEED1("bound requires numeric value"); + if (have_bound) + errx(EX_USAGE, "only one of bound is allowed"); + if (open_par) + errx(EX_USAGE, "bound cannot be part " + "of an or block"); + if (cmd->len & F_NOT) + errx(EX_USAGE, + "\"not\" not allowed with bound option"); + { + char *end = NULL; + uint64_t bound = strtoull(*av, &end, 0); + if (bound) + switch (*end){ + case 'G': bound *= 1024; + case 'M': bound *= 1024; + case 'K': bound *= 1024; + }; + cmd->opcode = O_BOUND; + ((ipfw_insn_u64 *)cmd)->bound = bound; + cmd->len = F_INSN_SIZE(ipfw_insn_u64) & F_LEN_MASK; + have_bound = cmd; + ac--; av++; + } + break; + + case TOK_CHECK_BOUND: + NEED1("check-bound requires rule number"); + fill_cmd(cmd, O_CHECK_BOUND, 0, strtoul(*av, NULL, 0)); + ac--; av++; + break; + default: errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s); } @@ -4506,6 +4554,8 @@ done: /* * Now copy stuff into the rule. + * If we have a bound option, the first instruction MUST BE + * a O_BOUND. * If we have a keep-state option, the first instruction * must be a PROBE_STATE (which is generated here). * If we have a LOG option, it was stored as the first command, 
@@ -4514,7 +4564,15 @@ dst = (ipfw_insn *)rule->cmd; /* - * First thing to write into the command stream is the match probability. + * First write into the command stream bound instruction + */ + if (have_bound) { + bcopy(have_bound, dst, F_LEN(have_bound) * sizeof(uint32_t)); + dst = next_cmd(dst); + } + + /* + * write the match probability */ if (match_prob != 1) { /* 1 means always match */ dst->opcode = O_PROB; @@ -4531,7 +4589,8 @@ dst = next_cmd(dst); } /* - * copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ + * copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ, + * O_BOUND */ for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) { i = F_LEN(src); @@ -4541,6 +4600,7 @@ case O_KEEP_STATE: case O_LIMIT: case O_ALTQ: + case O_BOUND: break; default: bcopy(src, dst, i * sizeof(uint32_t)); --- sys/netinet/ip_fw.h Fri Jun 3 05:10:28 2005 +++ sys/netinet/ip_fw.h Fri Jun 17 13:18:47 2005 @@ -154,6 +154,8 @@ O_NGTEE, /* copy to ng_ipfw */ O_IP4, + O_BOUND, /* u64 = bound in bytes */ + O_CHECK_BOUND, /* u16 = rule number */ O_LAST_OPCODE /* not an opcode! */ }; @@ -230,6 +232,14 @@ } ipfw_insn_u32; /* + * This is used to store 64-bit bound value. + */ +typedef struct _ipfw_insn_u64 { + ipfw_insn o; + u_int64_t bound; +} ipfw_insn_u64; + +/* * This is used to store IP addr-mask pairs. */ typedef struct _ipfw_insn_ip { 
@@ -351,11 +361,16 @@ * * When assembling instruction, remember the following: * + * + if a rule has a "bound" option, then the first instruction + * (at r->cmd) MUST BE an O_BOUND * + if a rule has a "keep-state" (or "limit") option, then the * first instruction (at r->cmd) MUST BE an O_PROBE_STATE * + if a rule has a "log" option, then the first action * (at ACTION_PTR(r)) MUST be O_LOG * + if a rule has an "altq" option, it comes after "log" + * + * NOTE: actually, O_PROB instruction may be first too. But O_BOUND + * MUST BE always first (at r->cmd). * * NOTE: we use a simple linked list of rules because we never need * to delete a rule without scanning the list. We do not use --- sys/netinet/ip_fw2.c Thu Jun 16 18:55:58 2005 +++ sys/netinet/ip_fw2.c Fri Jun 17 13:26:19 2005 @@ -2251,6 +2251,26 @@ * logic to deal with F_NOT and F_OR flags associated * with the opcode. */ + case O_BOUND: + match = (f->bcnt < ((ipfw_insn_u64 *)cmd)->bound); + break; + + case O_CHECK_BOUND: + { + struct ip_fw* rule; + for (rule = f->next; + rule && cmd->arg1 >= rule->rulenum; + rule = rule->next) + if (rule->rulenum == cmd->arg1 && + rule->cmd->opcode == O_BOUND ) + { + match = (rule->bcnt < + ((ipfw_insn_u64 *)(rule->cmd))->bound); + break; + } + } + break; + case O_NOP: match = 1; break; @@ -3373,6 +3393,7 @@ case O_EXT_HDR: case O_IP6: case O_IP4: + case O_CHECK_BOUND: if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size; break; 
@@ -3388,6 +3409,16 @@ case O_ICMPTYPE: if (cmdlen != F_INSN_SIZE(ipfw_insn_u32)) goto bad_size; + break; + + case O_BOUND: + if (cmdlen != F_INSN_SIZE(ipfw_insn_u64)) + goto bad_size; + if (cmd != rule->cmd) { + printf("ipfw: bogus rule, opcode %d must be first\n", + cmd->opcode); + return EINVAL; + } break; case O_LIMIT:
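Review bot: `printf(" bound %u", ((ipfw_insn_u64 *)cmd)->bound)` in the sbin/ipfw/ipfw2.c hunk at @@ -1858 of ipfw_bound.diff (and the same call at @@ -1872 of ipfw_bound2.diff) passes a u_int64_t to a `%u` conversion, which is undefined behaviour and on 64-bit platforms prints only part of the value. Use `printf(" bound %ju", (uintmax_t)((ipfw_insn_u64 *)cmd)->bound);` in both places.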
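Review bot: the suffix handling in the TOK_BOUND case (sbin/ipfw/ipfw2.c @@ -4492 in ipfw_bound.diff, @@ -4494 in ipfw_bound2.diff) accepts only uppercase `G`, `M` and `K`, relies on unmarked case fall-through (each label should carry `/* FALLTHROUGH */`), and silently ignores any other trailing character, so `bound 10x` is taken as 10 bytes and `bound abc` as 0. After the switch, reject anything other than a recognised suffix (optionally followed by `B`, since the examples use `10MB`) with `errx(EX_USAGE, ...)`, check `errno == ERANGE` after `strtoull` so an over-long value is not quietly truncated, and drop the `if (bound)` guard, which serves no purpose.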
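Review bot: `ipfw_insn_u64` (sys/netinet/ip_fw.h @@ -228 in ipfw_bound.diff, @@ -230 in ipfw_bound2.diff) places a u_int64_t directly after the 4-byte ipfw_insn header, but the rule command stream is sized and stepped in 32-bit words (F_INSN_SIZE, next_cmd), so an O_BOUND instruction is only guaranteed 4-byte alignment: the 64-bit load in `((ipfw_insn_u64 *)cmd)->bound` can fault on strict-alignment platforms, and the structure is 12 bytes on i386 but 16 bytes (with padding) on LP64 platforms, so the rule layout differs between ABIs. Store the bound as two u_int32_t words, as ipfw_insn_u32 does with `d[]`, and assemble the 64-bit value at the point of use.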
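Review bot: `match = (f->bcnt < ((ipfw_insn_u64 *)cmd)->bound)` in the sys/netinet/ip_fw2.c hunk at @@ -2251 (both patches) compares the rule's own byte counter before the current packet is added to it, so the last packet can carry the total past the bound, and because bcnt is the ordinary rule counter, `ipfw zero` (or re-adding the rule) silently re-arms the allowance. Both behaviours need to be documented in ipfw.8, which neither patch touches, or the bound should keep its own counter.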
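Review bot: the O_CHECK_BOUND lookup in ipfw_bound2.diff (sys/netinet/ip_fw2.c @@ -2251) walks forward from `f->next`, so `check-bound N` only finds a rule numbered higher than the rule carrying it; a reference to an earlier rule, to a rule that does not exist, or to one whose first instruction is not O_BOUND leaves `match` at 0 with no diagnostic, and the linear walk is repeated for every packet. Validate the reference at install time, where the rule chain is available, rejecting unresolvable targets (or resolving and caching the target pointer there), and document the ordering constraint. On the userland side (sbin/ipfw/ipfw2.c @@ -4494, TOK_CHECK_BOUND), `fill_cmd(cmd, O_CHECK_BOUND, 0, strtoul(*av, NULL, 0))` stores the number in the 16-bit arg1 with no syntax or range check, so `check-bound abc` becomes rule 0 and values above 65535 wrap; parse with an end pointer and reject 0 and anything above the maximum rule number.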
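Review bot: the comment block added in ipfw_bound2.diff (sys/netinet/ip_fw.h @@ -351) still says O_PROB "may be first too", but the new copy order in sbin/ipfw/ipfw2.c @@ -4514 always writes O_BOUND ahead of O_PROB and the check in sys/netinet/ip_fw2.c @@ -3388 rejects any rule where O_BOUND is not at `rule->cmd`, so the comment should state that O_BOUND is always first and O_PROB, when present, second.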
From: Gilberto Villani Brito To: freebsd-ipfw@freebsd.org Message-ID: <20050617161211.797afb26@giboia> In-Reply-To: <20050609110843.18bdaa66@giboia> References: <43866.62.2.21.164.1117631913.squirrel@www.gwch.net> <20050608173038.2327b73f@giboia> <365B62E6-8D2E-47E1-9F86-A9CC315F88ED@mac.com> <200506081746.16756.asstec@matik.com.br> <20050609095322.4fdeb73c@giboia> <20050609110843.18bdaa66@giboia> X-Mailer: Sylpheed-Claws 0.9.13 (GTK+ 1.2.10; i586-mandrake-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Pipes. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Jun 2005 19:12:18 -0000 Hi, Can I control peer-to-peer connections using ipfw??? Gilberto From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 17 19:22:51 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CEBFF16A41C for ; Fri, 17 Jun 2005 19:22:51 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9D95E43D1D for ; Fri, 17 Jun 2005 19:22:51 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from localhost (localhost [127.0.0.1]) by pi.codefab.com (Postfix) with ESMTP id D31325CB6; Fri, 17 Jun 2005 15:22:50 -0400 (EDT) Received: from pi.codefab.com ([127.0.0.1]) by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 78120-05; Fri, 17 Jun 2005 15:22:50 -0400 (EDT) Received: from [192.168.1.3] (pool-68-161-66-3.ny325.east.verizon.net [68.161.66.3]) by pi.codefab.com (Postfix) with ESMTP id 11D9E5C45; Fri, 17 Jun 2005 15:22:49 -0400 (EDT) Message-ID: <42B32386.8050802@mac.com> Date: Fri, 17 Jun 2005 15:24:54 
-0400 
From: Chuck Swiger
Organization: The Courts of Chaos
To: Gilberto Villani Brito
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <20050617161211.797afb26@giboia>
Subject: Re: Pipes.

Gilberto Villani Brito wrote:
> Can I control peer-to-peer connections using ipfw???

Sure. Take a look at the manpages for ipfw and dummynet, there are examples, although it may take some time, and perhaps the "Building Internet Firewalls" book (by O'Reilly), for full understanding.

:-)

-- 
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 17 19:43:56 2005
From: "Alexandre D."
To: "Chuck Swiger", "Gilberto Villani Brito"
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 17 Jun 2005 21:44:01 +0200
In-Reply-To: <42B32386.8050802@mac.com>
Subject: RE: Pipes.

The answer is not so easy.
P2P is not only based on port numbers.
The P2P detection is quite difficult, and maybe impossible.

My own position is that ipfw is not able to block P2P

Alex

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Chuck Swiger
Sent: Friday, 17 June 2005 21:25
To: Gilberto Villani Brito
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Pipes.

Gilberto Villani Brito wrote:
> Can I control peer-to-peer connections using ipfw???

Sure. Take a look at the manpages for ipfw and dummynet, there are examples, although it may take some time, and perhaps the "Building Internet Firewalls" book (by O'Reilly), for full understanding.

:-)

-- 
-Chuck

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 17 19:56:21 2005
Message-ID: <42B32B60.5060208@mac.com>
Date: Fri, 17 Jun 2005 15:58:24 -0400
From: Chuck Swiger
Organization: The Courts of Chaos
To: "Alexandre D."
Cc: freebsd-ipfw@freebsd.org, Gilberto Villani Brito
Subject: Re: Pipes.

Alexandre D. wrote:
> The answer is not so easy.
> P2P is not only based on port numbers.
> The P2P detection is quite difficult, and maybe impossible.

Not at all. Start with "deny all", and only allow stuff through which you really need to allow. Blocking all outbound client traffic and requiring them to go through a proxy on the LAN is adequate.

> My own position is that ipfw is not able to block P2P

Besides, the word was "control". You can shunt all high-priority stuff (NTP, DNS, ICMP) into one queue, and put HTTP, FTP, 6667, etc on a low-priority queue via dummynet, and/or adjust the permitted bandwidth.

-- 
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 17 20:16:41 2005
Message-ID: <42B32FA5.5000804@freebsdbrasil.com.br>
Date: Fri, 17 Jun 2005 17:16:37 -0300
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: Chuck Swiger
Cc: freebsd-ipfw@freebsd.org, "Alexandre D.", Gilberto Villani Brito
In-Reply-To: <42B32B60.5060208@mac.com>
Subject: Re: Pipes.

Chuck Swiger wrote:
> Alexandre D. wrote:
>
>> The answer is not so easy.
>> P2P is not only based on port numbers.
>> The P2P detection is quite difficult, and maybe impossible.
>
> Not at all. Start with "deny all", and only allow stuff through which
> you really need to allow. Blocking all outbound client traffic and
> requiring them to go through a proxy on the LAN is adequate.
>
>> My own position is that ipfw is not able to block P2P
>
> Besides, the word was "control". You can shunt all high-priority stuff
> (NTP, DNS, ICMP) into one queue, and put HTTP, FTP, 6667, etc on a
> low-priority queue via dummynet, and/or adjust the permitted bandwidth.

I personally like this approach a lot. I think it should be the first way to try to do what you need with packets which you might need to "open" and "look inside" to check what kind of traffic it is. At the very least you will have a very organized gateway/fw/segment of network, with a closed policy and services policy. It might avoid a number of future problems.

My understanding is that an IP packet filter, as it states, should only do packet filtering. I dislike "general purpose" tools. Content analysis ("picking the packet, looking at it to figure out what kind of data/flow it is") should be managed by other kinds of tools.

Back to the question point, there is a program somewhere on the net which allows you to "ipfw divert" the traffic to it, which can later filter traffic based on contents/layer 7. You can also use an IDS, say, snort, and make IPFW filter/pipe/queue traffic for you based on snort rules/matching. There is "SnortSam" which might fit your needs if you can have snort.

I don't remember the "divert based" program name or URL, I'll check on my bookmarks and post it later.

-- 
Patrick Tracanelli

FreeBSD Brasil LTDA.
The FreeBSD pt_BR Documentation Project
http://www.freebsdbrasil.com.br
patrick @ freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
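The approach Chuck describes in this thread (deny by default, force clients through a LAN proxy, and use dummynet to put NTP/DNS/ICMP in a favoured queue and HTTP/FTP/IRC in a bulk queue) written out as a ruleset. This is an added example, not code posted by anyone in the thread; the interface name, LAN prefix, proxy address, uplink rate and rule numbers are assumptions chosen for illustration, and the `fw` wrapper plus the `IPFW_CMD` variable exist only so the ruleset can be previewed with `IPFW_CMD=echo` on a machine without ipfw.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw + dummynet ruleset in the
# style Chuck Swiger suggests. Interface, addresses, bandwidth, proxy host
# and rule numbers are all assumptions for illustration.
set -u

EXT_IF="${EXT_IF:-em0}"                  # assumed uplink interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed client LAN
PROXY="${PROXY:-192.168.1.2}"            # assumed LAN proxy host
UPLINK_BW="${UPLINK_BW:-2Mbit/s}"        # assumed uplink rate
IPFW_CMD="${IPFW_CMD:-/sbin/ipfw}"       # IPFW_CMD=echo previews the rules

# Thin wrapper so every rule goes through one command (real ipfw or echo).
fw() { "$IPFW_CMD" "$@"; }

build_ruleset() {
    fw -q flush
    fw -q pipe flush
    fw -q queue flush

    # One pipe models the uplink; two WF2Q+ queues share it by weight, so
    # the favoured queue gets roughly 90% of a saturated link but the bulk
    # queue is never starved (weights are proportional shares, not strict
    # priority).
    fw pipe 1 config bw "$UPLINK_BW"
    fw queue 1 config pipe 1 weight 90
    fw queue 2 config pipe 1 weight 10

    # Let replies to flows we created below back in; leave loopback alone.
    fw add 100 check-state
    fw add 110 allow ip from any to any via lo0

    # Favoured queue: DNS and NTP from the proxy, ICMP from the whole LAN.
    fw add 200 queue 1 udp from "$PROXY" to any 53,123 out xmit "$EXT_IF" keep-state
    fw add 210 queue 1 icmp from "$LAN_NET" to any out xmit "$EXT_IF" keep-state

    # Bulk queue: only the proxy may open FTP, HTTP, HTTPS and IRC sessions
    # to the outside world.
    fw add 300 queue 2 tcp from "$PROXY" to any 21,80,443,6667 out xmit "$EXT_IF" setup keep-state

    # Deny by default: anything else leaving the LAN is logged and dropped,
    # so clients must use the proxy and unproxied P2P never reaches the link.
    fw add 65000 deny log ip from "$LAN_NET" to any out xmit "$EXT_IF"
    fw add 65010 deny log ip from any to any
}

# Run directly on a FreeBSD gateway to install the rules (needs root);
# run with IPFW_CMD=echo to print the rules instead.
build_ruleset
```

Two caveats a practitioner would want. First, the ruleset relies on the default `net.inet.ip.fw.one_pass=1`: with that setting a packet that matched a `queue` rule is accepted once dummynet releases it. With `one_pass=0` the packet re-enters the ruleset after the queue rule and would hit rule 65000, so you would then need explicit `allow` rules after rules 200 to 300. Second, the single pipe shapes both directions of each stateful flow, which keeps the example short but is a simplification; a gateway that cares about downstream rate separately would add a second pipe and queues for the `in recv` direction. Patrick's divert-based layer 7 filtering would hook into the same ruleset as an `ipfw add ... divert <port> ...` rule placed before the queue rules; remember that packets sent to a divert port with no userland socket bound to it are dropped, so that rule must only be loaded once the classifier is running.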