From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 19 06:18:09 2005
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7852D16A41F; Mon, 19 Sep 2005 06:18:09 +0000 (GMT) (envelope-from daemon@foxchat.net)
Received: from foxsurfer.com (dns1.foxsurfer.com [205.134.229.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3C7B943D46; Mon, 19 Sep 2005 06:18:08 +0000 (GMT) (envelope-from daemon@foxchat.net)
Received: from [24.172.9.74] (zapper@rrcs-24-172-9-74.midsouth.biz.rr.com [24.172.9.74]) by foxsurfer.com (8.13.3/8.13.3) with ESMTP id j8J6Hv1j046578; Sun, 18 Sep 2005 23:17:57 -0700 (PDT) (envelope-from daemon@foxchat.net)
Message-ID: <432E581B.8030206@foxchat.net>
Date: Mon, 19 Sep 2005 02:18:03 -0400
From: Daemon
User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050907)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-102.8 required=9.5 tests=ALL_TRUSTED,USER_IN_WHITELIST autolearn=failed version=3.0.4
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on FoxSurfer.Com
Subject: Pipe and Queue
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 19 Sep 2005 06:18:09 -0000

I have a 2 part question.

#1 I have tried to set up some pipe rules to shape the bandwidth on my
internal network. They are as follows; ${iip} = internal subnet,
${oif} = external NIC

${fwcmd} add 240 pipe 1 all from ${iip} to any xmit ${oif}
${fwcmd} pipe 1 config mask src-ip 0xffffffff bw 35Kbits/s delay 100ms queue 40Kbytes
${fwcmd} add 241 pipe 2 all from any to ${iip} recv ${oif}
${fwcmd} pipe 2 config mask dst-ip 0xffffffff bw 4000Kbits/s delay 100ms queue 40Kbytes

What I'd like to know is, do I have it set up correctly and are the queues
of sufficient size? Is there a better way to do it? The reason I ask is, one
of my kids loves to use bittorrent and sometimes they forget to control
their upload. When they do forget, one by one, all my connections close and
it gets really annoying.

#2 Which is better to run in a production environment, Stable or Release?
The reason I ask is, I have read in the handbook that Release should be run
in a production environment; however, I also read that if one wishes to use
altq with IPFW then they must "update" to Stable, Stable being FreeBSD 5.4.
I'm currently running FreeBSD 5.4-RELEASE-p7.

Regards,
Mark

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 19 11:02:13 2005
Date: Mon, 19 Sep 2005 11:02:12 GMT
Message-Id: <200509191102.j8JB2CDE018081@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
f [2004/12/25] kern/75483  ipfw   ipfw count does not count
o [2005/05/11] bin/80913   ipfw   /sbin/ipfw2 silently discards MAC addr ar

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276  ipfw   ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971  ipfw   ipfw antispoof incorrectly blocks broadca
o [2005/05/05] kern/80642  ipfw   [patch] IPFW small patch - new RULE OPTIO
o [2005/06/28] kern/82724  ipfw   [patch] Add setnexthop and defaultroute f

4 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 19 11:02:56 2005
Date: Mon, 19 Sep 2005 11:02:53 GMT
Message-Id: <200509191102.j8JB2roR018690@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 19 12:16:12 2005
Date: Mon, 19 Sep 2005 15:15:38 +0300
From: vladone
X-Mailer: The Bat! (v3.0.1.33) Professional
Message-ID: <289838835.20050919151538@spaingsm.com>
To: freebsd-ipfw@freebsd.org
In-Reply-To: <432E581B.8030206@foxchat.net>
References: <432E581B.8030206@foxchat.net>
Subject: Re: Pipe and Queue

Looks good. The most useful thing is to test these rules, and depending on
your traffic you can change the settings. I think it is good to eliminate
the delay options from the pipe. For the queue you can test different
values. The man page explains it very well. If you have too large a queue
size, then the delay can grow for traffic.

Second question: The latest release on the 5-STABLE branch is 5.4-RELEASE.
The Release version is for testing new options. I think this answers your
problem. For more information you can read this:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/introduction.html#LATEST-VERSION

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 19 12:21:55 2005
Date: Mon, 19 Sep 2005 14:21:54 +0200
From: Jeremie Le Hen
To: vladone
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20050919122154.GM51142@obiwan.tataz.chchile.org>
References: <97663975.20050917141303@spaingsm.com>
In-Reply-To: <97663975.20050917141303@spaingsm.com>
User-Agent: Mutt/1.5.9i
Subject: Re: dummynet patch

Hi,

> Can someone make a patch for dummynet, so a user can't get the maximum
> bandwidth? Queues work great for sharing the same bandwidth, but a user can
> get much bandwidth if it is not used by the others.
> So it is wonderful if I can put a parameter on a queue (like for a pipe),
> to limit bandwidth:
> For example:
> ipfw pipe 1 config bw 1mbit/s
> ipfw queue 1 config weight 10 pipe 1 bw 128kbits/s
> ipfw queue 2 config weight 15 pipe 1 bw 256kbits/s
>
> This means that I have two queues that share the same pipe. Bandwidth is
> given according to their weight but no more than the value indicated by
> the "bw" parameter. In my example queue 1 can get more than 128 kbits/s.
> In this mode bandwidth is well split but a user can't get all the
> bandwidth if he is alone on the network.

You can just set net.inet.ip.fw.one_pass to 0 and use more pipes to limit
the maximum bandwidth. Let's say you want to limit the whole pipe to
1 MBit/s and then limit the user with UID 1001 to 128 KBit/s on your
external interface fxp0:

% sysctl -w net.inet.ip.fw.one_pass=0
# First skip to the end of the rules if we're not on the outgoing
# path through fxp0.
% ipfw add 100 skipto 65000 all from any to any not xmit fxp0
# Limit user 1001 max bandwidth.
% ipfw pipe 1001 config bw 128KBits/s
% ipfw add 200 pipe 1001 all from any to any uid 1001
# System-wide policy.
% ipfw pipe 1 config bw 1MBits/s
% ipfw queue 11 config weight 10 pipe 1
% ipfw queue 12 config weight 20 pipe 1
% ipfw add 210 queue 11 ...
% ipfw add 220 queue 12 ...

-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 19 13:07:19 2005
Date: Mon, 19 Sep 2005 15:07:18 +0200
From: Jeremie Le Hen
To: Martin
Cc: freebsd-ipfw@FreeBSD.org
Message-ID: <20050919130718.GO51142@obiwan.tataz.chchile.org>
References: <20050917111817.GG51142@obiwan.tataz.chchile.org> <200509172042.j8HKgoEX013028@bernina.office>
In-Reply-To: <200509172042.j8HKgoEX013028@bernina.office>
User-Agent: Mutt/1.5.9i
Subject: Re: in via or in recv

Hi Martin,

> >This rule will apply on the outgoing path (because of "xmit") and will
> >let through all packets that arrived on fxp0 and then leave through sis0.
>
> Yep, but the rule is only executed on the outgoing phase because at
> the incoming phase, the xmit interface is unknown and as such,
> the rule does not match.
>
> FreeBSD does have an IPFW option for single pass or regular handling
> of the packets. Single pass means: only once through the firewall rules,
> done at arrival of the packet.
>
> The regular handling is to call the firewall rules for each packet once
> when the packet enters the computer and once when the packet is sent out.
> The words "in" and "out" in the firewall rules are intended to give the
> rule designer the opportunity to let a rule work on incoming or outgoing
> packets.
>
> When a packet enters the PC, the outgoing interface is not known yet, so
> the following rules do the same:
>
> ipfw add allow ip from any to any in recv fxp0
> ipfw add allow ip from any to any in via fxp0

Until there, I agree.

> The following two rules do NOT (in general) behave the same:
> ipfw add allow ip from any to any out recv fxp0
> ipfw add allow ip from any to any out via fxp0
>
> The second rule will also match packets coming in through (read "via") fxp0.

This is what I read numerous times on the archives indeed. But I checked
the code myself:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c?annotate=1.111

Here is a snippet from line 2480:

%	case O_RECV:
%		match = iface_match(m->m_pkthdr.rcvif,
%		    (ipfw_insn_if *)cmd);
%		break;
%
%	case O_XMIT:
%		match = iface_match(oif, (ipfw_insn_if *)cmd);
%		break;
%
%	case O_VIA:
%		match = iface_match(oif ? oif :
%		    m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd);
%		break;

What I understand for the "via" keyword is that when the output interface
is known, then it is matched against it, and nothing more.

The two rules you have used above are _not_ equivalent. In the first case
we will match on the outgoing path, whatever the output interface is, but
when the input one was fxp0. In the second rule, the "out" (== "not in")
keyword makes the rule apply only on the outgoing path [1]. Therefore
`oif' will be defined and the output interface will be checked, whereas in
the first rule this was the input interface.

[1] "in" is implemented as:
%	case O_IN:	/* "out" is "not in" */
%		match = (oif == NULL);
%		break;

> Things get more complicated when the packet is "created" in the PC itself.

Still reading the implementation, I would say that packets generated on
the machine itself will have a NULL input interface, thus the iface_match()
function will never match (first statement in the function). For what I
understand, I would say that if you want to only match packets generated
locally, you should use something like this (although it's quite tricky
and does not perform very well due to the use of string functions):

% ipfw add allow all from any to any out not recv *

"recv *" will match every input interface, except when it's NULL.

Please, correct me if I'm wrong.

-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 10:04:53 2005
Date: Tue, 20 Sep 2005 13:04:53 +0300
From: vladone
X-Mailer: The Bat! (v3.0.1.33) Professional
Message-ID: <477488950.20050920130453@spaingsm.com>
To: freebsd-ipfw@freebsd.org
In-Reply-To: <20050919122154.GM51142@obiwan.tataz.chchile.org>
References: <97663975.20050917141303@spaingsm.com> <20050919122154.GM51142@obiwan.tataz.chchile.org>
Subject: Re[2]: dummynet patch

Yes, thanks! But it is a little redundant and confusing to pass packets to
multiple pipes and queues. Isn't it more elegant to put an option on the
queue that limits the maximum bandwidth of that queue (like the "bw" option
for a pipe)? I don't know programming (not well), but I think that it can
do the job if a supplementary condition is put in, to verify whether the
bandwidth allocated for that queue is less or greater than a "bw" parameter.
A queue declaration like:

ipfw queue 1 config weight 10 pipe 1 bw 128kbits/s
ipfw queue 2 config weight 20 pipe 1 bw 256kbits/s

is clearer and more efficient. This means that a queue receives bandwidth
according to its weight but no more than the value indicated by the "bw"
parameter. Someone with experience who knows the code for dummynet can
easily (I think) make a patch for that.
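The layering Jeremie describes in his reply above (a cap pipe in front of a shared pipe carrying WF2Q+ queues, which only works with net.inet.ip.fw.one_pass=0), combined with the per-source-address upload pipe Mark asked about at the top of this digest, written out as a reviewable ruleset generator. This is an added example, not code from any of the messages or from the ipfw project; the interface name, subnet, host addresses, link speeds and rule numbers are assumptions. With IPFW unset it only prints the commands; IPFW=/sbin/ipfw applies them.

```shell
#!/bin/sh
# Added example (not from the thread): a dummynet ruleset generator that gives
# selected hosts a WF2Q+ share of the uplink *and* a hard cap, and every other
# LAN host its own small pipe. Assumptions: interface fxp0, LAN 192.168.1.0/24,
# host addresses .20/.21, a 1 Mbit/s uplink, and free rule numbers below 1000.

OIF="${OIF:-fxp0}"            # external interface (assumed)
LAN="${LAN:-192.168.1.0/24}"  # internal subnet (assumed)

# Run a command, or just print it when IPFW is unset (dry run for review).
run() { if [ -n "$IPFW" ]; then "$@"; else printf '%s\n' "$*"; fi; }
fw()  { if [ -n "$IPFW" ]; then "$IPFW" "$@"; else printf 'ipfw %s\n' "$*"; fi; }

# Worst-case standing delay (ms) of a full drop-tail queue of BYTES bytes
# draining at KBIT kbit/s: bytes*8/kbit. Mark's 40 Kbytes at 35 Kbit/s
# (taking K as 1000 here, an assumption) is roughly nine seconds, which is
# why his other connections time out once a seeder fills the queue.
queue_delay_ms() { echo $(( $1 * 8 / $2 )); }

# capped_queue NUM WEIGHT CAP_KBIT SHARED_PIPE MATCH...
# MATCH traffic gets a WF2Q+ share (WEIGHT) of SHARED_PIPE but never more
# than CAP_KBIT. Three rules in three number bands (NUM must stay below 100)
# so that a packet re-injected after one dummynet object (one_pass=0)
# falls through to the next and is then accepted, instead of also hitting
# the per-host default pipe further down:
#   1NN  pipe NUM   (hard cap)
#   2NN  queue NUM  (weighted share of the common link)
#   3NN  allow
capped_queue() {
  q=$1; w=$2; cap=$3; shared=$4; shift 4
  fw pipe "$q" config bw "${cap}Kbit/s"
  fw queue "$q" config weight "$w" pipe "$shared"
  fw add "$((100 + q))" pipe "$q" "$@"
  fw add "$((200 + q))" queue "$q" "$@"
  fw add "$((300 + q))" allow "$@"
}

# Shaping rules only; real filtering rules belong before the final allow.
build_ruleset() {
  run sysctl net.inet.ip.fw.one_pass=0
  fw -f flush
  fw -f pipe flush
  # The common uplink (assumed 1 Mbit/s), shared by the WF2Q+ queues below.
  fw pipe 1 config bw 1000Kbit/s
  # Two hosts (assumed addresses) with a share and a hard cap each.
  capped_queue 11 10 128 1 ip from 192.168.1.20 to any out xmit "$OIF"
  capped_queue 12 20 256 1 ip from 192.168.1.21 to any out xmit "$OIF"
  # Everyone else: one 35 Kbit/s pipe per source address (Mark's mask), with
  # a queue an eighth of his 40 Kbytes so a seeding bittorrent client cannot
  # park seconds of data in front of everybody's other flows.
  fw pipe 2 config mask src-ip 0xffffffff bw 35Kbit/s queue 5Kbytes
  fw add 600 pipe 2 ip from "$LAN" to any out xmit "$OIF"
  fw add 1000 allow ip from any to any
}

build_ruleset
```

Review the printed rules before applying them: with one_pass=0 every packet leaving a pipe or queue re-enters the ruleset at the following rule, so the number bands, not the order you typed them in, decide which dummynet objects a packet passes through. queue_delay_ms 5000 35 still gives over a second of standing delay; a shorter queue (or one sized in slots) trades that against throughput for the capped host only.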
From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 13:08:03 2005
Message-ID: <433009A6.9070705@roamingsolutions.net>
Date: Tue, 20 Sep 2005 15:07:50 +0200
From: G Bryant
User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103)
To: freebsd-ipfw@freebsd.org
Subject: multiple incoming lines

Hi all,

I hope someone can help me with a routing / natd / ipfw problem I'm having.

Setup description:
1x FreeBSD 5.4
3x NICs: 1x LAN, 2x connected to external DSL modems
int_if - LAN
ext_if1 - ISP1
ext_if2 - ISP2

Both DSL modems use NAT too, so it is a nat - nat, but I did have it working
for a single external line.
I am running 2 natds that use the 2 external ifs.

My problem is that when I define a default route (internal IP of the DSL
modem for ISP1), all the outgoing packets only want to use that route
(duh!), but when I try to send the packets out ext_if2 by divert natd2, it
doesn't send them out ext_if2 - I even tried to fwd IP_modem_ISP2, but
nothing going.
With no default route defined, I get the message - no route to destination.

I simplified my ipfw to try to get this working, but haven't got it right
yet. I have seen posts of other people saying they have this solution
working, but so far no joy.

If you have any suggestions, I'd love to hear them.

Thanks a mil
Gray

relevant config files below
-------------------------------------------------------------
natd1.conf:
interface rl0
dynamic
pid_file /var/run/natd1.pid
port natd1
-------------------------------------------------------------
natd2.conf:
interface rl1
dynamic
pid_file /var/run/natd2.pid
port natd2
-------------------------------------------------------------
rc.conf:
hostname="fw.a.b.c"
network_interfaces="lo0 vr0 rl0 rl1"
# Configure the internal network
ifconfig_vr0="inet 192.168.1.1 netmask 255.255.255.0"
# Configure the external networks (connected to the internet)
ifconfig_rl0="inet 192.168.0.75 netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.8.69 netmask 255.255.255.0"
defaultrouter="192.168.0.1"
# - Enabling the FreeBSD Firewall, IPFirewall (IPFW)-
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
# - Enabling the specific NAT server for IPFW
natd_enable="YES"
natd_flags="-f /etc/natd1.conf"
natd2_enable="YES"
natd2_flags="-f /etc/natd2.conf"
-------------------------------------------------------------
ipfw.rules:
#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 10000"
ext_if1="rl0"   # public interface name of NIC
ext_if2="rl1"
int_if="vr0"    # private interface name of NIC
# Setup the different Sets to be used for different connection options
ipfw -q set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
# Initially only enable set 1 (and 2 and 12 when we have 2 WAN links)
ipfw -q set enable 2
#################################################################
# Check and drop packets that are appearing to come from
# the destination LAN i.e. a spoofed source ip address
$cmd deny ip from any to any not antispoof in
#################################################################
# No restrictions on Loopback Interface
# Protect spoofing to localhost
$cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd deny ip from 127.0.0.0/8 to any
#################################################################
# check if packet is inbound and nat address if it is
$cmd 1000 divert natd1 ip from any to any in via $ext_if1
$cmd 1000 divert natd2 ip from any to any in via $ext_if2
#################################################################
# Allow the rest of the LAN traffic in and out
$cmd allow ip from any to any via $int_if
#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$cmd check-state
#################################################################
# Interface facing Public Internet (Outbound Section)
#################################################################
$cmd $skip all from any to any out via $ext_if1
$cmd $skip all from any to any out via $ext_if2
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################
$cmd allow all from any to any in via $ext_if1
$cmd allow all from any to any in via $ext_if2
# This is the skipto location for outbound stateful rules
$cmd 10000 set 12 prob 0.5 skipto 10050 ip from any to any out via $ext_if1 keep-state
$cmd 10020 set 1 divert natd1 ip from any to any out via $ext_if1
$cmd 10020 set 1 divert natd1 ip from any to any out via $ext_if2
$cmd 10030 set 1 allow ip from any to any out
$cmd 10050 set 2 divert natd2 ip from any to any out via $ext_if1
$cmd 10050 set 2 divert natd2 ip from any to any out via $ext_if2
$cmd 10060 set 2 fwd 192.168.8.1 ip from 192.168.8.69 to any out via $ext_if1
$cmd 10100 allow ip from any to any out via $ext_if1
$cmd 10110 allow ip from any to any out via $ext_if2
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 19990 deny log all from any to any
################ End of IPFW rules file ###############################

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 15:27:17 2005
Date: Tue, 20 Sep 2005 17:27:14 +0200
From: Jeremie Le Hen
To: vladone
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20050920152714.GF24643@obiwan.tataz.chchile.org>
References: <97663975.20050917141303@spaingsm.com> <20050919122154.GM51142@obiwan.tataz.chchile.org> <477488950.20050920130453@spaingsm.com>
In-Reply-To: <477488950.20050920130453@spaingsm.com>
User-Agent: Mutt/1.5.10i
Subject: Re: dummynet patch

Hi,

> Yes, thanks! But it is a little redundant and confusing to pass packets to
> multiple pipes and queues. Isn't it more elegant to put an option on the
> queue that limits the maximum bandwidth of that queue (like the "bw" option
> for a pipe)? I don't know programming (not well), but I think that it can
> do the job if a supplementary condition is put in, to verify whether the
> bandwidth allocated for that queue is less or greater than a "bw" parameter.
> A queue declaration like:
> ipfw queue 1 config weight 10 pipe 1 bw 128kbits/s
> ipfw queue 2 config weight 20 pipe 1 bw 256kbits/s
> is clearer and more efficient.
> This means that a queue receives bandwidth according to its weight but no
> more than the value indicated by the "bw" parameter.
> Someone with experience who knows the code for dummynet can easily
> (I think) make a patch for that.

Many folks are reluctant to add syntactic sugar to IPFW when it does not
add any functionality. I think I am too: if we add every shorthand that
one can think of, ipfw would become a real mess.

Furthermore, pipes and queues are two distinct objects which have
different semantics. Pipes are used to emulate a physical network link,
with two main properties: bandwidth and delay, while queues provide the
WF2Q+ policy (see the ipfw(8) manpage).

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 15:42:31 2005
Date: Tue, 20 Sep 2005 18:41:48 +0300
From: vladone
X-Mailer: The Bat! (v3.0.1.33) Professional
Message-ID: <255492927.20050920184148@spaingsm.com>
To: freebsd-ipfw@freebsd.org
In-Reply-To: <433009A6.9070705@roamingsolutions.net>
References: <433009A6.9070705@roamingsolutions.net>
Subject: Re: multiple incoming lines

You have (for set 2) these rules to divert outgoing packets:
$cmd 10050 set 2 divert natd2 ip from any to any out via $ext_if1
$cmd 10050 set 2 divert natd2 ip from any to any out via $ext_if2

I don't understand what you want to do. These rules translate all addresses
going out through $ext_if1 and $ext_if2 to the address indicated by natd2.
Divert and route are two completely different things. If you want to route
packets to different outgoing interfaces, you need to use different routes
(man route). If you want outgoing packets with different addresses, but the
same interface, you need to use divert (and need to put an alias on the
external interface with the addresses that you need). If you want to make
so-called load balancing, where two lines are used for incoming traffic so
that their bandwidth adds up, then it is more complicated.
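The O_IN / O_RECV / O_XMIT / O_VIA cases Jeremie quoted from ip_fw2.c in the "in via or in recv" message earlier in this digest, and the "in via" / "out via" rules the multiple-incoming-lines ruleset above is built on, as a shell model that evaluates rule and packet combinations side by side. This is an added example, not code from the thread or from FreeBSD; interface names fxp0 and sis0 are assumptions, and "-" stands for a NULL interface pointer (oif is NULL on the input pass, rcvif is NULL for packets the host generated itself).

```shell
#!/bin/sh
# Added example (not from the thread): a shell model of the four ip_fw2.c
# cases quoted in the "in via or in recv" message, so that "out recv fxp0"
# and "out via fxp0" can be compared on the same packets, including the
# locally generated case. Interface names are assumptions; "-" means NULL.

# iface_match IFP RULE_IF: like the kernel helper, a NULL interface never
# matches. "*" stands in for ipfw's wildcard and matches any non-NULL
# interface (the kernel's name/unit globbing is not modelled).
iface_match() {
  [ "$1" != "-" ] || return 1
  [ "$2" = "*" ] || [ "$1" = "$2" ]
}

# rule_matches DIR KW IF RCVIF OIF -> exit status 0 when the rule matches
#   DIR: in | out          (O_IN is "oif == NULL"; "out" is "not in")
#   KW : recv | xmit | via (O_RECV tests rcvif, O_XMIT tests oif,
#                           O_VIA tests oif when set, otherwise rcvif)
rule_matches() {
  r_dir=$1 r_kw=$2 r_if=$3 p_rcvif=$4 p_oif=$5
  case $r_dir in
    in)  [ "$p_oif" = "-" ] || return 1 ;;
    out) [ "$p_oif" != "-" ] || return 1 ;;
    *)   echo "bad direction: $r_dir" >&2; return 2 ;;
  esac
  case $r_kw in
    recv) iface_match "$p_rcvif" "$r_if" ;;
    xmit) iface_match "$p_oif" "$r_if" ;;
    via)  if [ "$p_oif" != "-" ]; then iface_match "$p_oif" "$r_if"
          else iface_match "$p_rcvif" "$r_if"; fi ;;
    *)    echo "bad keyword: $r_kw" >&2; return 2 ;;
  esac
}

# Jeremie's "out not recv *": a packet on the output path whose input
# interface is NULL, i.e. one this host generated itself.
is_locally_generated() {  # RCVIF OIF
  [ "$2" != "-" ] && ! iface_match "$1" "*"
}

# Decision table for the three packets the thread talks about: a packet on
# the input pass from fxp0, a forwarded packet fxp0 -> sis0, and a locally
# generated packet leaving via fxp0.
show_table() {
  printf '%-22s %-16s %-16s %-16s\n' "rule" "in fxp0,out NULL" "in fxp0,out sis0" "in NULL,out fxp0"
  for rule in "in recv fxp0" "in via fxp0" "out recv fxp0" "out via fxp0" "out xmit fxp0"; do
    set -- $rule
    row=$(printf '%-22s' "$rule")
    for pkt in "fxp0 -" "fxp0 sis0" "- fxp0"; do
      if rule_matches "$1" "$2" "$3" $pkt; then v=match; else v=-; fi
      row="$row $(printf '%-16s' "$v")"
    done
    echo "$row"
  done
}

show_table
```

The table shows why the pair Martin asked about differs: "out recv fxp0" matches the forwarded packet (it tests the interface the packet came in on), "out via fxp0" does not (with oif set, via looks only at the output interface), and "in xmit fxp0" can never match because oif is NULL on the input pass. The same reading applies to the multi-WAN ruleset: its "out via $ext_if1" rules select by output interface only, so they say nothing about which interface a packet entered on.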
From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 15:58:07 2005 Return-Path: X-Original-To: freebsd-ipfw@FreeBSD.ORG Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6F63716A420 for ; Tue, 20 Sep 2005 15:58:07 +0000 (GMT) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5251343D5C for ; Tue, 20 Sep 2005 15:58:06 +0000 (GMT) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (qlwxkl@localhost [127.0.0.1]) by lurza.secnetix.de (8.13.1/8.13.1) with ESMTP id j8KFw43e069547 for ; Tue, 20 Sep 2005 17:58:04 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de) Received: (from olli@localhost) by lurza.secnetix.de (8.13.1/8.13.1/Submit) id j8KFw4fY069546; Tue, 20 Sep 2005 17:58:04 +0200 (CEST) (envelope-from olli) Date: Tue, 20 Sep 2005 17:58:04 +0200 (CEST) Message-Id: <200509201558.j8KFw4fY069546@lurza.secnetix.de> From: Oliver Fromme To: freebsd-ipfw@FreeBSD.ORG In-Reply-To: <433009A6.9070705@roamingsolutions.net> X-Newsgroups: list.freebsd-ipfw User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.11-RELEASE (i386)) Cc: Subject: Re: multiple incoming lines X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: freebsd-ipfw@FreeBSD.ORG List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Sep 2005 15:58:07 -0000 G Bryant wrote: > Setup description: > 1x FreeBSD 5.4 > 3x NIC's: 1x LAN, 2x connected to external DSL modems > int_if - LAN > ext_if1 - ISP1 > ext_if2 - ISP2 > > Both dsl modems use NAT too, so it is a nat - nat, but did have it > working for a single external line. > I am running 2 natd's that use the 2 external if's. 
> > My problem is that when I define a default route (internal IP of dsl > modem for ISP1), all the outgoing packets only want to use that route > (duh!), That's expected behaviour, of course. That's why it is called the _default_ route. All packets will take it, unless there's a more specific route for the destination address. > With no default route defined, I get the message - no route to destination. Expected behaviour, too. I'm not sure what you actually want to do. Do you want to use your two uplinks in a load-balancing fashion? That's not possible when using different ISPs for your uplinks (even with the same ISP it's difficult). Best regards Oliver -- Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way. "What is this talk of 'release'? We do not make software 'releases'. Our software 'escapes', leaving a bloody trail of designers and quality assurance people in its wake." From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 16:20:50 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 55A8B16A41F for ; Tue, 20 Sep 2005 16:20:50 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from mail.spaingsm.com (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id E5E3243D48 for ; Tue, 20 Sep 2005 16:20:49 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from xeon.mshome.net (unknown [84.243.99.132]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.spaingsm.com (Postfix) with ESMTP id 69EB724C869 for ; Tue, 20 Sep 2005 18:02:29 +0200 (CEST) Date: Tue, 20 Sep 2005 19:20:26 +0300 From: vladone X-Mailer: The Bat! 
(v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <1135123196.20050920192026@spaingsm.com> To: freebsd-ipfw@freebsd.org In-Reply-To: <20050920152714.GF24643@obiwan.tataz.chchile.org> References: <97663975.20050917141303@spaingsm.com> <20050919122154.GM51142@obiwan.tataz.chchile.org> <477488950.20050920130453@spaingsm.com> <20050920152714.GF24643@obiwan.tataz.chchile.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re[2]: dummynet patch X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Sep 2005 16:20:50 -0000 I know what is WF2Q, but still dont see what is the problem for wich dont't exist a possibility to limit bandwidth that is given to a queue, with queue settings. And exist a precedent, "queue" paramater that exist for pipe and queue. For example, if a "bw" parameter is not used for queue, then bandwidth is given only acording with they weight, so use this option who want, like anothers parameters ("dst-ip, mask, queue, even weight"). And my suggestion isn't a caprice. For example: if i have multiple users, that acces internet throught an freebsd gateway. How split bandwidth? I have two clear solutions: 1. assign for each host an pipe. But i dont know if in this mode, in conditions of heavy traffic, bandwidth is well splited. Is possibil for an user to take more bandwidth (according with his pipe), and another user remain without bandwidth. 2. share total bandwidth, to different hosts, with queue. This is more efficient but have a little problem. If an user is alone on traffic can get all bandwith. For this reason, i want (and i think many admins) an possibility to limit bandwidth that is given to a queue. I don't think that passing packets to multiple pipe and queue is e efficiently for traffic flow. 
My sugestion about "bw" parameter for queue is only for convenience. U can named how you want, so i dont see problem about "... pipes and queues are two distinct objects which have different semantics." From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 16:47:53 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EDEEB16A41F for ; Tue, 20 Sep 2005 16:47:53 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7A4BB43D48 for ; Tue, 20 Sep 2005 16:47:53 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.11/8.12.11) with ESMTP id j8KGlr0Z088695; Tue, 20 Sep 2005 09:47:53 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.11/8.12.3/Submit) id j8KGlrh3088694; Tue, 20 Sep 2005 09:47:53 -0700 (PDT) (envelope-from rizzo) Date: Tue, 20 Sep 2005 09:47:53 -0700 From: Luigi Rizzo To: vladone Message-ID: <20050920094753.A88575@xorpc.icir.org> References: <97663975.20050917141303@spaingsm.com> <20050919122154.GM51142@obiwan.tataz.chchile.org> <477488950.20050920130453@spaingsm.com> <20050920152714.GF24643@obiwan.tataz.chchile.org> <1135123196.20050920192026@spaingsm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <1135123196.20050920192026@spaingsm.com>; from vladone@spaingsm.com on Tue, Sep 20, 2005 at 07:20:26PM +0300 Cc: freebsd-ipfw@freebsd.org Subject: Re: dummynet patch X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Sep 2005 16:47:54 -0000 On Tue, Sep 20, 
2005 at 07:20:26PM +0300, vladone wrote: > I know what is WF2Q, but still dont see what is the problem for wich > dont't exist a possibility to limit bandwidth that is given to a > queue, with queue settings. it not implemented because there is an equivalently efficient mechanism which is first pass packets through a shaper and then to the WF2Q "queue". say you want to select on src-ip: sysctl net.inet.ip.fw.one_pass=0 // misc stuff that sends your traffic to rule 4500 (1) ipfw add 4500 pipe 1 ip from any to any ipfw add 4501 queue 2 ip from any to any ipfw add 4502 allow ip from any to any (2) ipfw pipe 1 config bw 300kbit/s mask src-ip 0xffffffff ipfw queue 2 config weight 10 pipe 3 mask src-ip 0xffffffff ipfw pipe 3 config bw 1Mbit/s and there you have 1mbit total, 300k max per flow. if you think your proposed scheme (which saves lines 1 and 2 from the configuration, but part of line 2 must be folded back into the next line) is more efficient, implement it and measure it. My take is that it saves maybe 5-10us/packet on 500MHz class boxes. To me, it is not worth the effort in terms of added code complexity. cheers luigi > And exist a precedent, "queue" paramater that exist for pipe and > queue. > For example, if a "bw" parameter is not used for queue, then bandwidth > is given only acording with they weight, so use this option who want, > like anothers parameters ("dst-ip, mask, queue, even weight"). > And my suggestion isn't a caprice. > For example: if i have multiple users, that acces internet throught an > freebsd gateway. How split bandwidth? > I have two clear solutions: > 1. assign for each host an pipe. But i dont know if in this mode, in > conditions of heavy traffic, bandwidth is well splited. Is possibil > for an user to take more bandwidth (according with his pipe), and > another user remain without bandwidth. > 2. share total bandwidth, to different hosts, with queue. This is more > efficient but have a little problem. 
If an user is alone on traffic > can get all bandwith. For this reason, i want (and i think many > admins) an possibility to limit bandwidth that is given to a queue. > > I don't think that passing packets to multiple pipe and queue is e > efficiently for traffic flow. > My sugestion about "bw" parameter for queue is only for convenience. U > can named how you want, so i dont see problem about "... pipes and queues are two distinct objects which have > different semantics." > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 16:56:57 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C61316A41F for ; Tue, 20 Sep 2005 16:56:57 +0000 (GMT) (envelope-from bsdt@roamingsolutions.net) Received: from basillia.speedxs.net (basillia.speedxs.net [83.98.255.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id A88E743D45 for ; Tue, 20 Sep 2005 16:56:56 +0000 (GMT) (envelope-from bsdt@roamingsolutions.net) Received: from ongers.net (ongers.speedxs.nl [83.98.237.210]) by basillia.speedxs.net (Postfix) with ESMTP id 4025D7035 for ; Tue, 20 Sep 2005 18:46:09 +0200 (CEST) Received: from (66.110.35.16 [66.110.35.16]) by MailEnable Inbound Mail Agent with ESMTP; Tue, 20 Sep 2005 19:01:28 +0200 Received: from 127.0.0.1 (AVG SMTP 7.0.344 [267.11.1]); Tue, 20 Sep 2005 18:56:59 +0200 Message-ID: <43303F5B.2050108@roamingsolutions.net> Date: Tue, 20 Sep 2005 18:56:59 +0200 From: G Bryant User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org References: <433009A6.9070705@roamingsolutions.net> <255492927.20050920184148@spaingsm.com> In-Reply-To: 
<255492927.20050920184148@spaingsm.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: multiple incoming lines X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Sep 2005 16:56:57 -0000 Thanks for the help. I am trying to do load-balancing using 2 ISP's. Mostly traffic from the LAN. I will look at possible routing, but don't see how I can manipulate outgoing packets to split the outgoing load between the two external NIC's. Anybody done this before? Thanks Gray vladone wrote: >U have (for set 2) this rules to divert packets that outgoing: >$cmd 10050 set 2 divert natd2 ip from any to any out via $ext_if1 >$cmd 10050 set 2 divert natd2 ip from any to any out via $ext_if2 >I dont understand what u want to do? >This rules translate all adress that outgoing throught $ext_if1 and >$ext_if2 with address indicated by natd2. Divert and route is two >thinks completly different. > If u want to route packets to different >outgoing interfaces, need to use different routes. (man route). > If u want to outgoing packets with different addresses, but same >interface, need to use divert (and need to put alias for external >interface with addresses that u need). > If u want to make so named load balancing, when use to lines for >incoming trafic that sumarize bandwidth then is more complicated. 
> >_______________________________________________ >freebsd-ipfw@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > > > > > From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 17:56:26 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1A87A16A41F for ; Tue, 20 Sep 2005 17:56:26 +0000 (GMT) (envelope-from prosa@pro.sk) Received: from ns.pro.sk (proxy.pro.sk [212.55.244.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5A7E743D45 for ; Tue, 20 Sep 2005 17:56:24 +0000 (GMT) (envelope-from prosa@pro.sk) Received: from peter (Peter [192.168.1.53]) by ns.pro.sk (8.13.1/8.13.1) with SMTP id j8KHuMfi006632; Tue, 20 Sep 2005 19:56:22 +0200 (CEST) (envelope-from prosa@pro.sk) Message-ID: <010501c5be0c$867840c0$3501a8c0@pro.sk> From: "Peter Rosa" To: "Chuck Swiger" References: <001501c5b616$0fb62c20$3501a8c0@pro.sk> <4322F9C3.10407@mac.com> <002b01c5b6cc$23ee71a0$3501a8c0@pro.sk> Date: Tue, 20 Sep 2005 19:55:44 +0200 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1506 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0 (ns.pro.sk [192.168.1.1]); Tue, 20 Sep 2005 19:56:23 +0200 (CEST) Cc: FreeBSD IPFW Subject: Re: IPFW2+NAT stateful rules VS. FTP X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Sep 2005 17:56:26 -0000 Hi all, I am not sure, if my post came here before, so I try again. Please, sorry if I re-post the same, but I still can not make it work. 
----------------------------- Original message----------------------------- Thanks for the reply but... > If you use "passive mode" FTP, that ought to work fine. If you use > "active mode" FTP, you ought to use the FTP proxying built into NATD > (see the -use_sockets and -punch_fw options), which is aware of the > FTP data channel. Please, could you be little more specific? I tried your advice and it still does not work. What should be punch_fw basenumber if I have rules as follow (I shortened it a little bit)? good_tcpo="21,22,25,37,43,53,80,443,110,119" $cmd 002 allow all from any to any via xl0 # exclude LAN traffic $cmd 003 allow all from any to any via lo0 # exclude loopback traffic $cmd 100 divert natd ip from any to any in via $pif $cmd 101 check-state # Authorized outbound packets $cmd 120 $skip udp from any to $dns1 53 out via $pif $ks $cmd 121 $skip udp from any to $dns2 53 out via $pif $ks $cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks $cmd 130 $skip icmp from any to any out via $pif $ks $cmd 135 $skip udp from any to any 123 out via $pif $ks # Deny all inbound traffic from non-routable reserved address spaces .... 
# Authorized inbound packets $cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 1 $cmd 450 deny log ip from any to any # This is skipto location for outbound stateful rules $cmd 500 divert natd ip from any to any out via $pif $cmd 510 allow ip from any to any Many thanks, Peter Rosa From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 19:29:19 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D613E16A41F for ; Tue, 20 Sep 2005 19:29:19 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7A48A43D46 for ; Tue, 20 Sep 2005 19:29:19 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin08-en2 [10.13.10.153]) by smtpout.mac.com (Xserve/8.12.11/smtpout01/MantshX 4.0) with ESMTP id j8KJTJl0007717; Tue, 20 Sep 2005 12:29:19 -0700 (PDT) Received: from [10.1.1.209] (nfw1.codefab.com [199.103.21.225]) (authenticated bits=0) by mac.com (Xserve/smtpin08/MantshX 4.0) with ESMTP id j8KJTH5S010837; Tue, 20 Sep 2005 12:29:18 -0700 (PDT) In-Reply-To: <010501c5be0c$867840c0$3501a8c0@pro.sk> References: <001501c5b616$0fb62c20$3501a8c0@pro.sk> <4322F9C3.10407@mac.com> <002b01c5b6cc$23ee71a0$3501a8c0@pro.sk> <010501c5be0c$867840c0$3501a8c0@pro.sk> Mime-Version: 1.0 (Apple Message framework v734) X-Priority: 3 Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <441A8941-82C0-4D01-86D2-E6ACAAC7A981@mac.com> Content-Transfer-Encoding: 7bit From: Charles Swiger Date: Tue, 20 Sep 2005 15:28:54 -0400 To: Peter Rosa X-Mailer: Apple Mail (2.734) Cc: FreeBSD IPFW Subject: Re: IPFW2+NAT stateful rules VS. 
FTP X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Sep 2005 19:29:19 -0000 On Sep 20, 2005, at 1:55 PM, Peter Rosa wrote: >> If you use "passive mode" FTP, that ought to work fine. If you use >> "active mode" FTP, you ought to use the FTP proxying built into NATD >> (see the -use_sockets and -punch_fw options), which is aware of the >> FTP data channel. > > Please, could you be little more specific? I tried your advice and > it still > does not work. What should be punch_fw basenumber if I have rules > as follow (I shortened it a little bit)? Basicly, you want to reserve a bunch of space in the ruleset numbers where dynamic rules are going to be created by NATD to pass the FTP data channel (or IRC, or so forth). Here, let me set up a trivial but working example. Consider this in /etc/rc.conf: network_interfaces="fxp0 dc0" ifconfig_fxp0="inet a.b.c.d netmask 255.255.255.0" ifconfig_dc0="inet 10.1.1.1 netmask 255.255.255.0" gateway_enable="YES" firewall_enable="YES" firewall_type="open" #firewall_type="/etc/CF_firewall" #firewall_flags="-p cpp" [ ... 
] natd_enable="YES" natd_flags="-f /etc/natd.conf" natd_interface="fxp0" # without this, /etc/rc.firewall doesn't add the divert rule ...with this in /etc/natd.conf: # NATD configuration options dynamic yes interface fxp0 #log yes log_denied yes use_sockets yes same_ports yes unregistered_only yes redirect_port tcp 10.1.1.2:ftp ftp punch_fw 10000:100 When someone from the outside FTP's to IP a.b.c.d, natd forwards this to the unroutable internal IP of 10.1.1.2, and will dynamicly create firewall rules starting from 10000 which look like: # ipfw -a l 00050 23587 11084247 divert 8668 ip from any to any via fxp0 00100 4 200 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from 127.0.0.0/8 to any 10001 6 5598 allow tcp from 10.1.1.2 51384 to a.b.c.e dst- port 52352 10001 12 648 allow tcp from a.b.c.e 52352 to 10.1.1.2 dst- port 51384 10003 3 164 allow tcp from 10.1.1.2 51385 to a.b.c.e dst- port 59614 10003 8 440 allow tcp from a.b.c.d 59614 to 10.1.1.2 dst- port 51385 65000 47947 22220588 allow ip from any to any 65535 1 84 deny ip from any to any You might well want to reserve a block of 1000 rules, say from 64000 to 65000, or where-ever it pleases you, if you've got a busy FTP server and you want to support ~250 active sessions. Does this help? 
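As an added example (not part of Chuck's message, and not a natd or ipfw tool), a POSIX shell check that a proposed "punch_fw base:count" range ends below the default rule 65535, does not collide with any static rule in an "ipfw -a l" listing, and is not shadowed by an earlier catch-all allow/deny. The listing in the script is constructed after the one quoted above, with the natd-created rules left out; it assumes the listing carries the packet and byte counters that "-a" prints.

```shell
#!/bin/sh
# check_punch_fw.sh: sanity-check a natd "punch_fw base:count" range against
# the static ipfw ruleset before enabling it. Added example; not from natd.

# Constructed "ipfw -a l" listing, modelled on the one in the thread with the
# dynamic natd rules (10001, 10003) removed. Field layout: number, packets,
# bytes, action, rest of rule.
SAMPLE_RULES='00050 23587 11084247 divert 8668 ip from any to any via fxp0
00100 4 200 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
65000 47947 22220588 allow ip from any to any
65535 1 84 deny ip from any to any'

# check_punch_fw "<base>:<count>" "<ipfw -a l output>"
# Prints one of: ok | syntax | range | overlap <rule> | shadowed <rule>
# and returns 0 only for "ok".
check_punch_fw() {
    spec=$1
    listing=$2
    base=${spec%%:*}
    count=${spec##*:}
    case "$base" in ''|*[!0-9]*) echo "syntax"; return 1 ;; esac
    case "$count" in ''|*[!0-9]*) echo "syntax"; return 1 ;; esac
    last=$((base + count - 1))
    # natd punches rules numbered base..base+count-1; 65535 is the
    # immutable default rule, so the whole range must lie below it.
    if [ "$base" -lt 1 ] || [ "$count" -lt 1 ] || [ "$last" -ge 65535 ]; then
        echo "range"; return 1
    fi
    while read -r num _pkts _bytes action rest; do
        [ -n "$num" ] || continue
        num=${num#"${num%%[!0]*}"}     # strip leading zeros ("00050" -> "50")
        [ -n "$num" ] || num=0
        # a static rule inside the range would interleave with the
        # dynamically punched allow rules
        if [ "$num" -ge "$base" ] && [ "$num" -le "$last" ]; then
            echo "overlap $num"; return 1
        fi
        # a catch-all before the range means the punched rules never match
        case "$action $rest" in
            "allow ip from any to any"|"deny ip from any to any")
                if [ "$num" -lt "$base" ]; then
                    echo "shadowed $num"; return 1
                fi ;;
        esac
    done <<EOF
$listing
EOF
    echo "ok"
}

# Stand-alone run: the natd.conf setting from the thread against the sample.
check_punch_fw "10000:100" "$SAMPLE_RULES"
```

On a live box, feed it the real listing: `check_punch_fw "10000:100" "$(ipfw -a l)"`.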
-- -Chuck From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 20 19:37:19 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0341216A41F for ; Tue, 20 Sep 2005 19:37:19 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from smtp2-g19.free.fr (smtp2-g19.free.fr [212.27.42.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8322F43D45 for ; Tue, 20 Sep 2005 19:37:18 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from tatooine.tataz.chchile.org (vol75-8-82-233-239-98.fbx.proxad.net [82.233.239.98]) by smtp2-g19.free.fr (Postfix) with ESMTP id 6B79C2163D; Tue, 20 Sep 2005 21:37:17 +0200 (CEST) Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 351A3405D; Tue, 20 Sep 2005 21:37:17 +0200 (CEST) Date: Tue, 20 Sep 2005 21:37:17 +0200 From: Jeremie Le Hen To: vladone Message-ID: <20050920193717.GG24643@obiwan.tataz.chchile.org> References: <97663975.20050917141303@spaingsm.com> <20050919122154.GM51142@obiwan.tataz.chchile.org> <477488950.20050920130453@spaingsm.com> <20050920152714.GF24643@obiwan.tataz.chchile.org> <1135123196.20050920192026@spaingsm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1135123196.20050920192026@spaingsm.com> User-Agent: Mutt/1.5.10i Cc: freebsd-ipfw@freebsd.org Subject: Re: dummynet patch X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Sep 2005 19:37:19 -0000 Hi, > I know what is WF2Q, but still dont see what is the problem for wich > dont't exist a possibility to limit bandwidth that is given to a > queue, with queue settings. > And exist a precedent, "queue" paramater that exist for pipe and > queue. 
> For example, if a "bw" parameter is not used for queue, then bandwidth > is given only acording with they weight, so use this option who want, > like anothers parameters ("dst-ip, mask, queue, even weight"). > And my suggestion isn't a caprice. > For example: if i have multiple users, that acces internet throught an > freebsd gateway. How split bandwidth? > I have two clear solutions: > 1. assign for each host an pipe. But i dont know if in this mode, in > conditions of heavy traffic, bandwidth is well splited. Is possibil > for an user to take more bandwidth (according with his pipe), and > another user remain without bandwidth. > 2. share total bandwidth, to different hosts, with queue. This is more > efficient but have a little problem. If an user is alone on traffic > can get all bandwith. For this reason, i want (and i think many > admins) an possibility to limit bandwidth that is given to a queue. > > I don't think that passing packets to multiple pipe and queue is e > efficiently for traffic flow. > My sugestion about "bw" parameter for queue is only for convenience. U > can named how you want, so i dont see problem about "... pipes and queues are two distinct objects which have > different semantics." You definitely want to use ALTQ, which is available since RELENG_5. Dummynet is not designed to achieve traffic management, its intent is to emulate a network. ALTQ will allow you to share bandwidth in a very fair way, such as you describe here. 
Regards, -- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org > From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 21 11:16:44 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F31F16A41F for ; Wed, 21 Sep 2005 11:16:44 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from mail.spaingsm.com (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 54E6743D4C for ; Wed, 21 Sep 2005 11:16:42 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from xeon.mshome.net (unknown [84.243.99.132]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.spaingsm.com (Postfix) with ESMTP id 60C8524C8D3 for ; Wed, 21 Sep 2005 12:58:21 +0200 (CEST) Date: Wed, 21 Sep 2005 14:16:44 +0300 From: vladone X-Mailer: The Bat! (v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <212250465.20050921141644@spaingsm.com> To: freebsd-ipfw@freebsd.org In-Reply-To: <20050920094753.A88575@xorpc.icir.org> References: <97663975.20050917141303@spaingsm.com> <20050919122154.GM51142@obiwan.tataz.chchile.org> <477488950.20050920130453@spaingsm.com> <20050920152714.GF24643@obiwan.tataz.chchile.org> <1135123196.20050920192026@spaingsm.com> <20050920094753.A88575@xorpc.icir.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re[2]: dummynet patch X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Sep 2005 11:16:44 -0000 Thanks for reply Luigi! I want to implements, but i dont know programming so good to modify dummynet code. 
My sugestions is because i love dummynet, i think that work great, but need some improvements, to be more adaptable to different situations. For moment will utilize, passing packets to multiple pipe or queue, but for future, if is possibil, please make some changes. Altq is not perfect, because he don't divides proportional bandwidth, only priority that is not very clear what mean. Dummynet is beautiful for this option in queue (weight). This is the reason for what i work with freebsd and not with linux (altq is like htb). I'm fan dummynet!! :) From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 22 12:55:25 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 86FC216A41F for ; Thu, 22 Sep 2005 12:55:25 +0000 (GMT) (envelope-from bsd@roamingsolutions.net) Received: from basillia.speedxs.net (basillia.speedxs.net [83.98.255.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id 28FE743D45 for ; Thu, 22 Sep 2005 12:55:24 +0000 (GMT) (envelope-from bsd@roamingsolutions.net) Received: from ongers.net (ongers.speedxs.nl [83.98.237.210]) by basillia.speedxs.net (Postfix) with ESMTP id 4D5CC38021 for ; Thu, 22 Sep 2005 14:44:30 +0200 (CEST) Received: from (66.110.35.16 [66.110.35.16]) by MailEnable Inbound Mail Agent with ESMTP; Thu, 22 Sep 2005 15:00:04 +0200 Received: from 127.0.0.1 (AVG SMTP 7.0.344 [267.11.4]); Thu, 22 Sep 2005 14:55:32 +0200 Message-ID: <4332A9C4.3030603@roamingsolutions.net> Date: Thu, 22 Sep 2005 14:55:32 +0200 From: G Bryant User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: natd2, fwd GW2 - not reaching destination correctly? 
X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Sep 2005 12:55:25 -0000 Hi all, I have a problem i'm trying to figure out with FreeBSD5.4, natd and ipfw fwd command. Have a box acting as a gateway with relevant kernel options compiled in. External NIC with inet x.y.1.10 and inet x.y.2.10 alias (I also tried using 2 seperate NIC's with the above 2 ip's, but no joy there either) defaultrouter = x.y.1.1 I'm trying to send some of the packets out of a second dsl connection at x.y.2.1 using natd on 2nd interface and a fwd gw2. Some reason the packets exit, but don't arrive at gw2. I can ping x.y.2.1 from the console as I placed it in the same lan-space. <-snip-> ipfw add divert natd2 ip from any to any out ipfw add check-state ipfw add fwd x.y.2.1 ip from x.y.2.10 to any out <-snip-> e.g. ping 1.2.3.4 (from lan pc): fwd command logged looks like this: fw kernel: ipfw: 9200 Forward to x.y.2.1 ICMP:8.0 x.y.2.10 1.2.3.4 out via rl0 I have seen some older posts where people have specifically shown this as the way to do it, but for me, the packets seem to have left their towel behind. Any ideas? Yes I know I've been told this isn't possible, but others have done it - so I just need to know what changed to stop this working (if anything), and what's the work-around / alternative now? 
Thanks in advance Gray From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 23 00:18:58 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DCFE916A41F for ; Fri, 23 Sep 2005 00:18:58 +0000 (GMT) (envelope-from osorio.hugo@gmail.com) Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5EF3543D46 for ; Fri, 23 Sep 2005 00:18:58 +0000 (GMT) (envelope-from osorio.hugo@gmail.com) Received: by zproxy.gmail.com with SMTP id z31so1631nzd for ; Thu, 22 Sep 2005 17:18:58 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:references; b=e3CgIqdg3po49W74nbHiIXQ3pxqPs3YCL1UcoSiZnmgOt+phly52sBhb79ZwMNDWJluwKWhyejmQRb4tBnVr3jj3uDdaXMk1ztaIbiLG5yr4TEp0B240yDHp1t0SXVo2WJB9lVPS316gt216L7jq5kZIao9rJDFM63n1lBRkKPw= Received: by 10.37.2.35 with SMTP id e35mr86280nzi; Thu, 22 Sep 2005 17:18:58 -0700 (PDT) Received: by 10.36.80.1 with HTTP; Thu, 22 Sep 2005 17:18:57 -0700 (PDT) Message-ID: <680ac847050922171856ed2904@mail.gmail.com> Date: Thu, 22 Sep 2005 19:18:58 -0500 From: Hugo Osorio To: freebsd-ipfw@freebsd.org In-Reply-To: <680ac84705082507486347b67@mail.gmail.com> MIME-Version: 1.0 References: <680ac84705082407576dd2f6b4@mail.gmail.com> <20050825084039.GH659@obiwan.tataz.chchile.org> <680ac84705082507486347b67@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: mime contents thru ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Hugo Osorio List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 
Sep 2005 00:18:59 -0000 Hi everyone.. sorry i haven't received response, it is really still a headache, i dont find a reason while i am navigating, after trying to load a file for attachment, in squirrelmail, it says: 'documents contains no data' after entering in hotmail service, cannot access the page of my messages... it longs forever.. and nothing shows up.. address like this: https://loginnet.passport.com/ppsecure/post.srf?id=3D2&svc=3Dmail&msppjph= =3D1&tw=3D0&fs=3D1&fsa=3D1&fsat=3D1296000&lc=3D58378&_lang=3DES&bk=3D112740= 5014 i can not make atachments, it does not transfer files when attaching has something to do with SSL, TLS or PCT? this is my conf (i have set routes, and they are fine, i think): 04300 471 29586 allow udp from 172.24.33.0/24 to 172.25.1.5 53 keep-state via vr0 04500 54 3058 allow tcp from 172.24.33.0/24 to 172.25.1.8 20,21 keep-state via vr0 04600 1200 615333 allow tcp from 172.24.33.0/24 to 172.25.1.5 80,139,443,445 keep-state via vr0 another thing... when i do nmap to the proxy i get this 21 closed ftp 80 open http 139 open netbios-ssn 443 open https 445 open microsoft-ds another hint or light ? thank you 2005/8/25, Hugo Osorio : > > I have two proxies available, and in the machine where i have the fw ther= e > are routes created, for routing one proxy or another... 172.25.x.x or > 172.24.x.x > > with the .24.x.x proxy dont have any hassle.. > but i do with the 25.x.x > > >You have to redirect the whole HTTP traffic to the proxy, or nothing. > >You can't decide on layer 7 content. > > what do you recommend me to do first? 
From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 23 00:38:26 2005
From: Chuck Swiger
Date: Thu, 22 Sep 2005 20:38:25 -0400
To: Hugo Osorio
Cc: freebsd-ipfw@freebsd.org
Subject: Re: mime contents thru ipfw

Hugo Osorio wrote:
> while i am navigating, after trying to load a file for attachment, in
> squirrelmail, it says:
> 'documents contains no data'
>
> after entering in hotmail service, cannot access the page of my messages...
> it longs forever.. and nothing shows up..
> address like this:
> https://loginnet.passport.com/ppsecure/post.srf?id=2&svc=mail&msppjph=1&tw=0&fs=1&fsa=1&fsat=1296000&lc=58378&_lang=ES&bk=1127405014
>
> i can not make attachments, it does not transfer files when attaching
>
> has something to do with SSL, TLS or PCT?
>
> this is my conf (i have set routes, and they are fine, i think):
> 04300 471 29586 allow udp from 172.24.33.0/24 to
> 172.25.1.5 53 keep-state via vr0
> 04500 54 3058 allow tcp from 172.24.33.0/24 to
> 172.25.1.8 20,21 keep-state via vr0
> 04600 1200 615333 allow tcp from 172.24.33.0/24 to
> 172.25.1.5 80,139,443,445 keep-state via vr0

Those can't possibly be your actual IPFW rulesets-- the "http://" strings in the middle don't exist in the output from "ipfw -a l".

It's unclear whether you are working on a client machine or box intended as a firewall. It's likely that you should start with the "open" firewall ruleset, and experiment from there, confirming that FTP access via the proxy works properly, HTTPS access, etc.

If you still have problems without any firewall rules in place, those will need to be resolved before you have any realistic chance of getting a working IPFW ruleset going.

It might also be the case that hanging trying to do FTP data means a PMTU problem, see whether "ifconfig vr0 mtu 1400" helps.
--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 23 01:53:10 2005
From: Will Maier
Date: Thu, 22 Sep 2005 20:53:11 -0500
To: freebsd-ipfw@freebsd.org
Subject: Re: mime contents thru ipfw

On Thu, Sep 22, 2005 at 08:38:25PM -0400, Chuck Swiger wrote:
[snip]
> >this is my conf (i have set routes, and they are fine, i think):
> >04300 471 29586 allow udp from 172.24.33.0/24 to 172.25.1.5 53 keep-state via vr0
> >04500 54 3058 allow tcp from 172.24.33.0/24 to 172.25.1.8 20,21 keep-state via vr0
> >04600 1200 615333 allow tcp from 172.24.33.0/24 to 172.25.1.5 80,139,443,445 keep-state via vr0
> Those can't possibly be your actual IPFW rulesets-- the "http://"
> strings in the middle don't exist in the output from "ipfw -a l".

I've noticed this occur on several lists I read; unfortunately, GMail seems to act this way by default. I'm not sure if it's configurable, although I assume so.

--
o--------------------------{ Will Maier }--------------------------o
| jabber:..wcmaier@jabber.ccc.de | email:..........wcmaier@ml1.net |
| \.........wcmaier@cae.wisc.edu | \..........wcmaier@cae.wisc.edu |
*------------------[ BSD Unix: Live Free or Die ]------------------*

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 23 09:33:58 2005
From: "freebsd_daemon"
Date: Fri, 23 Sep 2005 11:33:56 +0200 (MEST)
To: ipfw@freebsd.org
Subject: blocking a host

dear list,

is it possible to block a host with a known MAC address that is not using a specific IP address. Something like:

deny all from host with MAC = {aa:bb:cc:dd:ee:ff} if src-ip is not ww:xx:yy:zz

Or force a specific host to use a specific IP.

The problem: I have some host on my network that does not allow DHCP service to configure its network settings. That host manually assigns some IP it likes to its interface causing collision.

TIA
zheyu

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 23 12:46:32 2005
From: "freebsd_daemon"
Date: Fri, 23 Sep 2005 14:46:30 +0200 (MEST)
To: ipfw@freebsd.org
Cc: lists@wm-access.no, vladone@spaingsm.com
Subject: RE: blocking a host

// -----Original Message-----
// From: Sten Daniel Sørsdal [mailto:lists@wm-access.no]
// Sent: Friday, September 23, 2005 6:32 PM
// To: freebsd_daemon
// Subject: Re: blocking a host
//
// freebsd_daemon wrote:
// > is it possible to block a host with a known MAC address that is not using a
// > specific IP address. Something like:
// >
// > deny all from host with MAC = {aa:bb:cc:dd:ee:ff} if src-ip is not
// > ww:xx:yy:zz
// >
// > Or force a specific host to use a specific IP.
// >
// > The problem: I have some host on my network that does not allow DHCP service
// > to configure its network settings. That host manually assigns some IP it
// > likes to its interface causing collision.
//
// yes it is possible, but unless that host is connected directly to the
// freebsd router and is all alone on the broadcast domain it won't help the
// other hosts on that broadcast domain.
//
// why would you want such a host on your network? if you run a isp of some
// sort and it's a customer who wants to steal static IP's. Why not give
// him one and charge extra? Or design the network better?
//
// --
// Sten Daniel Sørsdal

// -----Original Message-----
// From: vladone [mailto:vladone@spaingsm.com]
// Sent: Friday, September 23, 2005 8:08 PM
// To: freebsd_daemon
// Subject: Re: blocking a host
//
// This not prevent this guy to cause that problem. U can block access on
// server but his still have network access. U have two choice:
// 1. use cosh (not need to know freebsd operating system :) )
// 2. use some authentication method to access network (i recommend u pppoe)

well ...

it is the new intern at the taipei/taiwan office
he is assigning addresses of the 192.168.1.x to his NIC (which is reserved for servers, vpn connections, ...).
i told him to let DHCP configure his NIC (192.168.2.x are dynamic) but he just switches the 192.168.1.x addresses.
i have been chasing him for a few days and want to bring it to an end.

i CANNOT block the addresses he assigns to his nic as they belong to servers, vpn connections, ... which obviously are needed.
i CANNOT kick him off the network totally (asked his boss in taipei/taiwan office) using MAC or so as he needs access to do his work

therefore i want to secure the 192.168.1.x IPs by not letting him get traffic through by combining MAC with off-limit IPs such as:

block traffic if src-MAC = {interns MAC} and src-MAC != {192.168.2.0/ff:ff:ff:00}

or something like that ...

zheyu

P.S.: What is "cosh"
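What zheyu is asking for, as an added example that is not from the thread: ipfw can match a frame's source MAC with the MAC keyword (and the layer2 keyword) once net.link.ether.ipfw is enabled, so the intern's MAC can be allowed only from the dynamic range and dropped otherwise. The MAC, prefix, interface and rule numbers below are placeholders, and, as Sten points out, this only protects what sits behind the FreeBSD box; the ARP collision on the shared segment is not prevented.

```shell
#!/bin/sh
# Added example (not the thread's own config): generate ipfw layer-2 rules
# that pin a known MAC to the source range it is allowed to use. The
# commands are printed, not executed, so the ruleset can be reviewed
# first (pipe the output into sh when satisfied).

# Return 0 if $1 looks like a colon-separated MAC address, else 1.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Return 0 if $1 looks like a dotted-quad IPv4 prefix with a /0-/32 length.
valid_prefix() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# pin_mac_rules MAC ALLOWED_PREFIX IFACE BASE_RULENUM
# Allow traffic from MAC only when its source IP is inside ALLOWED_PREFIX;
# anything else that MAC sends is denied and logged. Order matters: the
# allow rule must come before the catch-all deny for that MAC.
pin_mac_rules() {
    mac="$1" allowed="$2" ifn="$3" base="$4"
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    valid_prefix "$allowed" || { echo "bad prefix: $allowed" >&2; return 1; }

    # ipfw only sees Ethernet frames (and honours 'layer2' / 'MAC') when
    # this sysctl is on; this is the FreeBSD 5.x name.
    echo "sysctl net.link.ether.ipfw=1"
    # 'MAC dst src': any destination, the intern's address as source.
    echo "ipfw add $base allow ip from $allowed to any MAC any $mac layer2 in via $ifn"
    # Same MAC with any other source address: drop it, and log the attempt
    # (ipfw logging needs net.inet.ip.fw.verbose=1) so it can be followed up.
    echo "ipfw add $((base + 1)) deny log ip from any to any MAC any $mac layer2 in via $ifn"
}

# Number of deny rules the generator emitted for the given arguments.
deny_count() {
    pin_mac_rules "$@" | grep -c '^ipfw add [0-9]* deny '
}

# Placeholder values (constructed): the intern's MAC, the DHCP range, the
# interface facing his segment, and a free rule-number slot.
pin_mac_rules aa:bb:cc:dd:ee:ff 192.168.2.0/24 em0 500
```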
From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 23 16:00:06 2005
From: Hugo Osorio
Date: Fri, 23 Sep 2005 11:00:05 -0500
To: Chuck Swiger
Cc: freebsd-ipfw@freebsd.org
Subject: Re: mime contents thru ipfw

gracias,

our (172.24.33.0 ) LAN goes to internet through two proxies, the new proxy which is the one i am trying to set up, is in another network we have set routes to that LAN, (172.25.1.0 )
-is it inappropriate to put these address here? i hope not :s

in order to be protected, we have set a firewall in this way:

LAN(172.24.33.0 ) --> SWITCH --> fw --> Router( 172.25.19.X) --> proxy(172.25.1.5 )

i have the other conf (using another proxy, another network) without the string 'http://' and it works, and transfer everything.
and besides, using the new proxy, without the 'http://' string, it shows bytes activity in 'ipfw show', i mean i can enter sites.

For using "open firewall ruleset" do you have any basic document?

another hint or help, will be appreciated, thank you.

2005/9/22, Chuck Swiger :
>
> Hugo Osorio wrote:
> > while i am navigating, after trying to load a file for attachment, in
> > squirrelmail, it says:
> > 'documents contains no data'
> >
> > after entering in hotmail service, cannot access the page of my messages...
> > it longs forever.. and nothing shows up..
> > address like this:
> > https://loginnet.passport.com/ppsecure/post.srf?id=2&svc=mail&msppjph=1&tw=0&fs=1&fsa=1&fsat=1296000&lc=58378&_lang=ES&bk=1127405014
> >
> > i can not make attachments, it does not transfer files when attaching
> >
> > has something to do with SSL, TLS or PCT?
> >
> > this is my conf (i have set routes, and they are fine, i think):
> > 04300 471 29586 allow udp from 172.24.33.0/24 <http://172.24.33.0/24> to
> > 172.25.1.5 53 keep-state via vr0
> > 04500 54 3058 allow tcp from 172.24.33.0/24 <http://172.24.33.0/24> to
> > 172.25.1.8 20,21 keep-state via vr0
> > 04600 1200 615333 allow tcp from 172.24.33.0/24 <http://172.24.33.0/24> to
> > 172.25.1.5 80,139,443,445 keep-state via vr0
>
> Those can't possibly be your actual IPFW rulesets-- the "http://" strings in
> the middle don't exist in the output from "ipfw -a l".
>
> It's unclear whether you are working on a client machine or box intended as a
> firewall. It's likely that you should start with the "open" firewall ruleset,
> and experiment from there, confirming that FTP access via the proxy works
> properly, HTTPS access, etc.
>
> If you still have problems without any firewall rules in place, those will need
> to be resolved before you have any realistic chance of getting a working IPFW
> ruleset going.
>
> It might also be the case that hanging trying to do FTP data means a PMTU
> problem, see whether "ifconfig vr0 mtu 1400" helps.
>
> --
> -Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 23 16:03:26 2005
From: Hugo Osorio
Date: Fri, 23 Sep 2005 11:03:25 -0500
To: ipfw@freebsd.org
Subject: Re: mime contents thru ipfw

---------- Forwarded message ----------
From: Hugo Osorio
Date: 23-sep-2005 11:00
Subject: Re: mime contents thru ipfw
To: Chuck Swiger
Cc: freebsd-ipfw@freebsd.org
From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 23 16:13:11 2005
From: scuba@centroin.com.br
Date: Fri, 23 Sep 2005 13:13:27 -0300 (EST)
To: ipfw@freebsd.org
Subject: Enable ipfw without rebooting

Hi all,

    What is the best way to enable/disable ipfw on a FBSD 5.x box, without reboot?

    I.e. If I have a box that booted with 'firewall_enable="NO"' in rc.conf, how can I enable it without reboot?
Thank you,

- Marcelo

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 23 16:34:22 2005
From: Chuck Swiger
Date: Fri, 23 Sep 2005 12:34:22 -0400
To: Hugo Osorio
Cc: freebsd-ipfw@freebsd.org
Subject: Re: mime contents thru ipfw

Hugo Osorio wrote:
> gracias,
>
> our (172.24.33.0 ) LAN goes to internet through two
> proxies, the new proxy which is the one i am trying to set up, is in another
> network we have set routes to that LAN, (172.25.1.0 )

OK.

> -is it inappropriate to put these address here? i hope not :s

No. I was confused by the "" strings, which someone said may be something to do with gmail.com.

> in order to be protected, we have set a firewall in this way:
>
> LAN(172.24.33.0 ) --> SWITCH --> fw --> Router(
> 172.25.19.X) --> proxy(172.25.1.5 )

OK. You should start by testing access through the proxy server when logged onto your firewall box. If that doesn't work, debug your router or your network routes.

> i have the other conf (using another proxy, another network) without the
> string 'http://' and it works, and transfer everything.
> and besides, using the new proxy, without the 'http://' string, it shows
> bytes activity in 'ipfw show', i mean i can enter sites.
>
> For using "open firewall ruleset" do you have any basic document?
>
> another hint or help, will be appreciated, thank you.

Look at /etc/rc.firewall and the "open" ruleset there. See:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

...which is available translated to other languages, also.
--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 23 18:38:50 2005
From: vladone
Date: Fri, 23 Sep 2005 19:41:03 +0300
To: freebsd-ipfw@freebsd.org
Subject: Re: Enable ipfw without rebooting

U can use:
ipfw enable or ipfw disable command (man ipfw)
or from sysctl:
sysctl net.inet.ip.fw.enable=0 (to disable)

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 23 18:50:19 2005
From: G Bryant
Date: Fri, 23 Sep 2005 20:49:47 +0200
To: scuba@centroin.com.br
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Enable ipfw without rebooting

You could use ipfw sets and disable the sets at the start of the script - excluding the pass-thru rules.

My rc.firewall script disables all the scripts and only enables the ones I want. I can then run scripts from cron to enable/disable any sets I like.

You can load all the rules you want into sets that are disabled, and then you can enable them at will.

That's one suggestion - although I did see a command somewhere to disable ipfw at runtime.

man ipfw

Regards,
Graham

scuba@centroin.com.br wrote:
>Hi all,
>
> What is the best way to enable/disable ipfw on a FBSD 5.x box,
>without reboot?
>
> I.e. If I have a box that booted with 'firewall_enable="NO"' in
>rc.conf, how can I enable it without reboot?
>
>Thank you,
>
>- Marcelo
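vladone's runtime enable and Graham's load-into-a-disabled-set approach together, as an added shell example that is not from the thread. It assumes a rules file of constructed "NUMBER action ..." lines and staging set 1 (set 31 holds the default rule and cannot be disabled); the timed revert that undoes the new set unless it is confirmed is my own addition for remote boxes, not something the thread describes.

```shell
#!/bin/sh
# Added example (not the thread's own script): enable ipfw at runtime,
# stage rules in a disabled set, then turn the set on with a safety timer.
# DRY_RUN=1 prints the ipfw commands instead of running them.

# run CMD...: execute, or just print the command line when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Turn the packet filter on without a reboot (vladone's answer). This is
# the same switch as net.inet.ip.fw.enable=1; it needs the ipfw code to be
# in the kernel or loaded as a module already.
enable_ipfw() {
    run ipfw enable firewall
}

# stage_set FILE SETNO: load every "NUMBER action ..." line of FILE into set
# SETNO while that set is disabled, so nothing takes effect yet. Blank lines
# and '#' comments are skipped. $rest is deliberately unquoted so the rule
# body is passed to ipfw as separate words.
stage_set() {
    file="$1" setno="$2"
    run ipfw set disable "$setno"
    while read -r num rest; do
        case "$num" in
            ''|'#'*) continue ;;
        esac
        run ipfw add "$num" set "$setno" $rest
    done < "$file"
}

# enable_set_with_revert SETNO SECS: switch the staged set on and, in the
# background, switch it off again after SECS seconds unless confirm_set is
# called first. That way a rule that cuts off your own SSH session undoes
# itself. The background job's pid is left in REVERT_PID.
enable_set_with_revert() {
    setno="$1" secs="$2"
    run ipfw set enable "$setno"
    ( sleep "$secs"; run ipfw set disable "$setno" ) &
    REVERT_PID=$!
}

# Cancel the pending revert once you have verified the box is still reachable.
confirm_set() {
    kill "$REVERT_PID" 2>/dev/null
    wait "$REVERT_PID" 2>/dev/null
}

# Demonstration with a constructed rules file; DRY_RUN so nothing is loaded.
if [ "${DRY_RUN:-0}" = "1" ]; then
    tmp=$(mktemp)
    printf '%s\n' '# staged rules (constructed example)' \
        '1000 allow ip from any to any via lo0' \
        '1010 deny log ip from 10.0.0.0/8 to any in via em0' > "$tmp"
    enable_ipfw
    stage_set "$tmp" 1
    rm -f "$tmp"
fi
```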