From owner-freebsd-ipfw@FreeBSD.ORG Sun Sep 25 06:01:41 2005
From: "Ozgur Ozdemircili"
To: ipfw@freebsd.org
Date: Sat, 24 Sep 2005 09:23:45 +0300
Message-ID: <015801c5c0d0$865bc960$640ce00a@casiotours.com>
Subject: Re: Enable ipfw without rebooting

You can try
bash# sysctl net.inet.ip.fw.enable=1 parameter

----- Original Message -----
Sent: Friday, September 23, 2005 7:13 PM
Subject: Enable ipfw without rebooting

> Hi all,
>
> What is the best way to enable/disable ipfw on a FBSD 5.x box,
> without reboot?
>
> I.e. If I have a box that booted with 'firewall_enable="NO"' in
> rc.conf, how can I enable it without reboot?
>
> Thank you,
>
> - Marcelo

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 26 02:36:58 2005
From: Olivier Nicole
To: free.bsd@gmx.net
Cc: ipfw@freebsd.org, lists@wm-access.no, vladone@spaingsm.com
Date: Mon, 26 Sep 2005 09:34:02 +0700 (ICT)
Message-Id: <200509260234.j8Q2Y2LM038938@banyan.cs.ait.ac.th>
In-reply-to: <18703.1127479590@www80.gmx.net>
Subject: Re: blocking a host
// why would you want such a host on your network? if you run an isp of some
// sort and it's a customer who wants to steal static IP's. Why not give
// him one and charge extra? Or design the network better?

I'd say there are plenty of cases where you need to deny access by MAC
rather than by IP.

An example: we are a learning institution, students have their own laptop
(some of them at least). When they abuse the usage policy, we want to
block them by MAC because the IP is dynamic and so does not reflect one
specific machine. (OK, they will change the MAC too, but that kind of thing
will get them denied internet access for good.)

Olivier

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 26 11:02:11 2005
Date: Mon, 26 Sep 2005 11:02:09 GMT
Message-Id: <200509261102.j8QB2957027042@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11]  kern/60154  ipfw  ipfw core (crash)
o [2004/03/03]  kern/63724  ipfw  IPFW2 Queues dont t work
o [2004/11/13]  kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19]  kern/74104  ipfw  ipfw2/1 conflict not detected or reported
f [2004/12/25]  kern/75483  ipfw  ipfw count does not count
o [2005/05/11]  bin/80913   ipfw  /sbin/ipfw2 silently discards MAC addr ar

8 problems total.

Non-critical problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2004/10/29]  kern/73276  ipfw  ipfw2 vulnerability (parser error)
o [2005/02/01]  kern/76971  ipfw  ipfw antispoof incorrectly blocks broadca
o [2005/05/05]  kern/80642  ipfw  [patch] IPFW small patch - new RULE OPTIO
o [2005/06/28]  kern/82724  ipfw  [patch] Add setnexthop and defaultroute f

4 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 26 11:03:03 2005
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 26 Sep 2005 11:02:52 GMT
Message-Id: <200509261102.j8QB2q8C027682@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10]  kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11]  kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09]  bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26]  kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30]  kern/60719  ipfw  [ipfw] Headerless fragments generate cryp
o [2004/08/03]  kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04]  kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 26 13:41:30 2005
From: Hugo Osorio
To: Chuck Swiger
Date: Mon, 26 Sep 2005 08:41:28 -0500
Message-ID: <680ac847050926064125be4e0@mail.gmail.com>
In-Reply-To: <43342E8E.6060004@mac.com>
References:
<680ac84705082407576dd2f6b4@mail.gmail.com>
<20050825084039.GH659@obiwan.tataz.chchile.org>
<680ac84705082507486347b67@mail.gmail.com>
<680ac847050922171856ed2904@mail.gmail.com>
<43334E81.9080707@mac.com>
<680ac84705092309007d69b088@mail.gmail.com>
<43342E8E.6060004@mac.com>
Cc: freebsd-ipfw@freebsd.org, ipfw@freebsd.org
Subject: Re: mime contents thru ipfw

I have seen that "open rule" is insecure, and I wouldn't like to use it...
I want to continue trying to find the closed port, with this policy...
there must be something somewhere... so... I will continue bothering.
Sorry, I am a beginner; here are some conversations in the past that
weren't submitted to the group.

------------------

Proxy is a cache server. If u dont need, not use. If u want to use proxy
for caching web traffic and force this traffic through proxy, u can do
that with fwd option in ipfw, example:

ipfw fwd $ip_proxy,$port_proxy tcp from not me to any 80 in via $private_interface

This not affect in any way functionality for mail application (that work
in case of pop3 with 25 respectively 110 ports). If u access mail via
web, this work well with proxy. If still have problem, i'm sure is
because configuration of proxy (think use squid). In this case u need
some options to permit "connect" method. I dont remember now how look
exactly.

----------------------

I have done this..
at the command line,

ipfw add fwd 172.25.1.5,80 tcp from not me to any 80 in via vr0
04200 fwd 172.25.1.5,80 tcp from not me to any 80 in recv vr0

also

ipfw add fwd 172.2X.X.X,80 tcp from 17X.XX.XX.0/24 to any 80 in via vr0

nothing happens.. I do see traffic, but very little.. this should refresh
it? I mean, this rule is active immediately? because I can not do
attachments yet.. not even showing my message list in yahoo..
(http://e1.f405.mail.yahoo.com/ym/ShowFolder?YY=29820&box=Inbox&YN=1)

Proxy is Proxy server 2.0 microsoft. I have unset the firewall, and I
have plugged the router directly to the switch.. and all is fine, so I am
almost sure the hassle is in the fw, thx

---------------------------------------------

I have two proxies available, and in the machine where I have the fw
there are routes created, for routing one proxy or another... 172.25.x.x
or 172.24.x.x; with the .24.x.x proxy I don't have any hassle.. but I do
with the 25.x.x

>You have to redirect the whole HTTP traffic to the proxy, or nothing.
>You can't decide on layer 7 content.

what do you recommend me to do first?

----------------------------------------------

2005/9/23, Chuck Swiger:
>
> Hugo Osorio wrote:
> > gracias,
> >
> > our (172.24.33.0) LAN goes to internet through two proxies, the new
> > proxy which is the one i am trying to set up, is in another network;
> > we have set routes to that LAN, (172.25.1.0 <http://172.25.1.0>)
>
> OK.
>
> > -is it inappropriate to put these address here? i hope not :s
>
> No. I was confused by the "" strings, which someone said
> may be something to do with gmail.com.
>
> > in order to be protected, we have set a firewall in this way:
> >
> > LAN(172.24.33.0) --> SWITCH --> fw --> Router(172.25.19.X) --> proxy(172.25.1.5)
>
> OK. You should start by testing access through the proxy server when
> logged onto your firewall box. If that doesn't work, debug your router
> or your network routes.
>
> > i have the other conf (using another proxy, another network) without the
> > string 'http://' and it works, and transfer everything.
> > and besides, using the new proxy, without the 'http://' string, it shows
> > bytes activity in 'ipfw show', i mean i can enter sites.
> >
> > For using "open firewall ruleset" do you have any basic document?
> >
> > another hint or help, will be appreciated, thank you.
>
> Look at /etc/rc.firewall and the "open" ruleset there.
>
> See:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
>
> ...which is available translated to other languages, also.
>
> --
> -Chuck
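The generic `ipfw fwd $ip_proxy,$port_proxy tcp from not me to any 80 in via $private_interface` form quoted in this message, and Hugo's concrete `fwd 172.25.1.5,80` rule, only redirect the packets they match; the closed policy Hugo wants has to be written around them. The following is an added example, not a ruleset posted by Hugo, Chuck or the unnamed correspondent: a closed ipfw ruleset that forces LAN HTTP through the proxy with `fwd`, allows the same packet on its outbound pass and the replies coming back, keeps mail and DNS direct, and checks the rule ordering before loading. The network and proxy addresses default to those given in the thread (172.24.33.0/24, 172.25.1.5) and `vr0` is the interface in Hugo's rule; the rule numbers, the mail/DNS rules and the function names are my assumptions.

```shell
#!/bin/sh
# Closed-policy ipfw ruleset that forces LAN web traffic through a proxy
# with "fwd".  Added example for this thread, not a ruleset posted by
# anyone in it.  Assumes FreeBSD 5.x ipfw2; addresses default to the ones
# in the thread, the interface name is a placeholder.
LAN_IF="${LAN_IF:-vr0}"               # interface facing the LAN
LAN_NET="${LAN_NET:-172.24.33.0/24}"  # LAN behind the firewall (from the thread)
PROXY_IP="${PROXY_IP:-172.25.1.5}"    # proxy on the routed network (from the thread)
PROXY_PORT="${PROXY_PORT:-80}"

# Emit the ruleset as ipfw(8) "add" lines.  Lower numbers match first and
# "fwd" terminates the search, so the HTTP rule sits above everything
# that could otherwise allow or deny port 80.
ruleset() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 400 fwd ${PROXY_IP},${PROXY_PORT} tcp from ${LAN_NET} to any 80 in via ${LAN_IF}
add 410 allow tcp from ${LAN_NET} to any 80 out
add 420 allow tcp from any 80 to ${LAN_NET} established
add 500 allow tcp from ${LAN_NET} to any 25,110 setup
add 510 allow tcp from any 25,110 to ${LAN_NET} established
add 600 allow udp from ${LAN_NET} to any 53
add 610 allow udp from any 53 to ${LAN_NET}
add 65000 deny log ip from any to any
EOF
}

# Sanity check before loading: the fwd rule must precede the catch-all
# deny (last line), otherwise HTTP is silently dropped instead of proxied.
check_ruleset() {
    fwd_no=$(ruleset | awk '$3 == "fwd" { print $2; exit }')
    deny_no=$(ruleset | tail -n 1 | awk '{ print $2 }')
    [ -n "$fwd_no" ] && [ "$fwd_no" -lt "$deny_no" ]
}

# Number of rules the set would install.
rule_count() {
    ruleset | grep -c '^add '
}

# Flush and load the set in one go (ipfw reads "add ..." lines from a file).
apply_ruleset() {
    check_ruleset || { echo "fwd rule is below the catch-all deny, not loading" >&2; return 1; }
    tmp=$(mktemp) || return 1
    ruleset > "$tmp"
    ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

A rule added with `ipfw add` is active immediately; its number, not the moment it was inserted, decides where it matches. The point easy to miss in a closed policy is the second pass: rule 400 only sees the packet `in via vr0`, and the same packet is evaluated again when it leaves through the other interface, where it hits rule 65000 unless rule 410 lets it out. If a `fwd` rule is accepted but has no visible effect, a check worth making on FreeBSD 5.x is whether the kernel was built with `options IPFIREWALL_FORWARD`, which `fwd` needs. When loading over a remote session, combine `apply_ruleset` with the at(1) safety net Oliver Fromme describes later in this thread.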
From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 27 16:26:48 2005
From: scuba@centroin.com.br
To: vladone
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 27 Sep 2005 13:27:04 -0300 (EST)
In-Reply-To: <1878271936.20050923194103@spaingsm.com>
Subject: Re: Enable ipfw without rebooting
Hi,

On Fri, 23 Sep 2005, vladone wrote:

|U can use:
|ipfw enable or ipfw disable command (man ipfw)

    It doesn't work. It does nothing.

|or from sysctl:
|sysctl net.inet.ip.fw.enable=0 (to disable)

    This generates an error:

    sysctl: unknown id 'net.inet.ip.fw.enable'

    It seems that if it is not enabled from boot the OIDs are not available.

- Marcelo Souza

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 27 17:12:59 2005
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Date: Tue, 27 Sep 2005 19:12:54 +0200 (CEST)
Message-Id: <200509271712.j8RHCspb008088@lurza.secnetix.de>
Subject: Re: Enable ipfw without rebooting
scuba@centroin.com.br wrote:
> On Fri, 23 Sep 2005, vladone wrote:
> |U can use:
> |ipfw enable or ipfw disable command (man ipfw)
>
> It doesn't work. It does nothing.
>
> |or from sysctl:
> |sysctl net.inet.ip.fw.enable=0 (to disable)
>
> This generates an error:
>
> sysctl: unknown id 'net.inet.ip.fw.enable'

Do you have IPFW code in your kernel? (Either statically
compiled via kernel config, or dynamically loaded as KLD)

If you don't, then it doesn't work, of course.

Try loading the IPFW KLD ("kldload ipfw").

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
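Putting the thread's advice into one script is an added example, not code posted by Marcelo, Oliver or anyone else here. It probes the net.inet.ip.fw.enable OID (its absence is exactly the "unknown id" error Marcelo saw and means the IPFW code is not loaded), arms the at(1) safety net that Oliver Fromme recommends further down the thread before running `kldload ipfw`, because a module built with a default deny policy cuts off a remote session the moment it loads (Achim Patzner's experience below), switches the filter on with the sysctl Ozgur suggested, and disarms the job with atrm(1) once the session is confirmed alive. The DRY_RUN switch, the function names, the 5-minute grace period and rule number 1 are my assumptions.

```shell
#!/bin/sh
# Enable ipfw on a running FreeBSD host without rebooting, with a safety net.
# Added example for this thread (not code posted by anyone in it).
# Assumes: FreeBSD, ipfw built as a module, at(1)/atrm(1) available, root.
# DRY_RUN=1 prints the numbered plan instead of touching the system.

DRY_RUN="${DRY_RUN:-0}"
SAFETY_RULE_NUMBER="${SAFETY_RULE_NUMBER:-1}"   # lowest number: evaluated first
GRACE_MINUTES="${GRACE_MINUTES:-5}"
PLAN_STEP=0

# Record a planned step (dry run) as "N: command".
plan_step() {
    PLAN_STEP=$((PLAN_STEP + 1))
    printf '%d: %s\n' "$PLAN_STEP" "$*"
}

# Execute a command, or only record it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then plan_step "$*"; return 0; fi
    "$@"
}

# The rule that keeps a remote session alive if the module's default
# policy turns out to be "deny ip from any to any".
safety_rule() {
    printf '/sbin/ipfw add %s allow ip from any to any\n' "$SAFETY_RULE_NUMBER"
}

# ipfw is present iff its sysctl OIDs exist; "sysctl: unknown id
# 'net.inet.ip.fw.enable'" (Marcelo's error) means the code is not loaded.
ipfw_present() {
    sysctl -n net.inet.ip.fw.enable >/dev/null 2>&1
}

# Step 1: arm the safety net BEFORE loading anything.  If we lose the
# session, the allow rule lands in GRACE_MINUTES and lets us back in.
schedule_safety_net() {
    if [ "$DRY_RUN" = "1" ]; then
        plan_step "echo '$(safety_rule)' | at now + $GRACE_MINUTES minutes"
    else
        safety_rule | at now + "$GRACE_MINUTES" minutes
    fi
}

# Steps 2-3: load the module only when its OIDs are missing, then make
# sure the filter is switched on.
enable_ipfw() {
    PLAN_STEP=0
    schedule_safety_net
    if [ "$DRY_RUN" = "1" ] || ! ipfw_present; then
        run kldload ipfw
    fi
    run sysctl net.inet.ip.fw.enable=1
}

# Step 4: once the session is confirmed alive, disarm the safety net
# (job id from at(1)'s output or atq(1)) so the allow-all rule never fires.
disarm_safety_net() {
    run atrm "$1"
}
```

Run `DRY_RUN=1 sh` on it first to see the plan; the order is the whole point, the at(1) job has to exist before the module does. If the session survives, `disarm_safety_net <jobid>` is the step that matters: forgetting it leaves an allow-all rule at position 1 of a firewall you just enabled.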
From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 27 18:05:20 2005
From: Achim Patzner
To: freebsd-ipfw@FreeBSD.ORG
Date: Tue, 27 Sep 2005 20:05:06 +0200
Message-Id: <7247A1D7-DCB4-493D-B28A-8E98A21C3983@bnc.net>
In-Reply-To: <200509271712.j8RHCspb008088@lurza.secnetix.de>
Subject: Re: Enable ipfw without rebooting

> Do you have IPFW code in your kernel? (Either statically
> compiled via kernel config, or dynamically loaded as KLD)
>
> If you don't, then it doesn't work, of course.
>
> Try loading the IPFW KLD ("kldload ipfw").
And remember - doing a "shutdown -r +10" before trying might be a good
idea - last time I did this I found out the hard way that the kernel
module was built with a default action of "deny all from any to any".
There were only 800 km between me and the server. Of course.

Achim

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 28 07:04:16 2005
From: "Andrey V. Elsukov"
To: ipfw@freebsd.org, hackers@freebsd.org
Date: Wed, 28 Sep 2005 11:04:11 +0400
Message-ID: <433A406B.3000300@yandex.ru>
Subject: nonprivileged access to ipfw

Hi All!

I want nonprivileged access to ipfw (without sudo, suid, etc.). But RAW
sockets restrict this. I have one idea - a pseudo device /dev/ipfw. I
think that realisation of this feature is not a difficult task. Now I
have some questions.

1. Am I thinking correctly about the following?
   * adding cdevsw declaration with ipfw_ioctl implementation;
   * adding make_dev into ipfw initialization function (on MOD_LOAD event);
   * adding destroy_dev (on MOD_UNLOAD);
   * adding needed functionality into /sbin/ipfw.

2. About ipfw_ioctl implementation: I can pack the ioctl params into a
   sockopt structure and directly call the ipfw_ctl function. Is it ok?

3. About ioctl requests - what symbol should I place into the definition
   of an ioctl request? What does it depend on? For example:

   #define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill)
   >>-----------------------------^

4. I can define only two ioctl requests, for example:

   IPFWIOCSCMD _IOW('x', 0, struct sockopt_like_struct)
   IPFWIOCGCMD _IOR('x', 1, struct sockopt_like_struct)

   and pass IP_FW_XXX sockoptions into a sockopt_like_struct member, or
   should I define two definitions (set/get) for each IP_FW_XXX option?

Thanks and sorry for my english :(

--
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 28 11:04:08 2005
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Date: Wed, 28 Sep 2005 13:04:05 +0200 (CEST)
Message-Id: <200509281104.j8SB45Bi044217@lurza.secnetix.de>
In-Reply-To: <7247A1D7-DCB4-493D-B28A-8E98A21C3983@bnc.net>
Subject: Re: Enable ipfw without rebooting

Achim Patzner wrote:
> > Try loading the IPFW KLD ("kldload ipfw").
>
> And remember - doing a "shutdown -r +10" before trying might be a
> good idea - last time I did this I found out the hard way that the
> kernel module was built with a default action of "deny all from any
> to any".

No. Performing a reboot is a rather bad idea.
A much better way would be a small "at" job that inserts an appropriate "allow" rule:

# echo "/sbin/ipfw add 1 allow ip from any to any" | at now + 5 minutes
# kldload ipfw

The same procedure is also useful when activating untested changes to the IPFW rule sets. If everything went well and you didn't get disconnected, use atrm(1) to remove the "at" job.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 28 11:36:50 2005
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F02B916A41F for ; Wed, 28 Sep 2005 11:36:50 +0000 (GMT) (envelope-from ap@bnc.net) Received: from bis.bonn.org (www.bis.bonn.org [217.110.117.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 61B2F43D48 for ; Wed, 28 Sep 2005 11:36:48 +0000 (GMT) (envelope-from ap@bnc.net) X-SpamCatcher-Score: 64 [XX] Received: from [194.39.192.125] (account bnc-mail@mailrelay.mailomat.net HELO bnc.net) by bis.bonn.org (CommuniGate Pro SMTP 4.2) with ESMTP-TLS id 1549393 for freebsd-ipfw@freebsd.org; Wed, 28 Sep 2005 13:36:46 +0200 X-BNC-SpamCatcher-Score: 2 [X] Received: from [194.39.192.247] (account ap HELO [194.39.192.247]) by bnc.net (CommuniGate Pro SMTP 4.3.5) with ESMTPSA id 1231023 for freebsd-ipfw@FreeBSD.ORG; Wed, 28 Sep 2005 13:35:52 +0200 Mime-Version: 1.0 (Apple Message framework v734) In-Reply-To: <200509281104.j8SB45Bi044217@lurza.secnetix.de> References: <200509281104.j8SB45Bi044217@lurza.secnetix.de> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <8CEFEBE0-CC91-4FA6-8453-DF42AA9445A5@bnc.net> Content-Transfer-Encoding: 7bit From: Achim Patzner Date: Wed, 28 Sep 2005 13:35:50 +0200 To: freebsd-ipfw@FreeBSD.ORG X-Mailer: Apple Mail (2.734) Cc: Subject: Re: Enable ipfw without rebooting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Sep 2005 11:36:51 -0000

On 28.09.2005 at 13:04, Oliver Fromme wrote:
>>> Try loading the IPFW KLD ("kldload ipfw").
>>
>> And remember - doing a "shutdown -r +10" before trying might be a
>> good idea - last time I did this I found out the hard way that the
>> kernel module was built with a default action of "deny all from any
>> to any".
>
> No. Performing a reboot is a rather bad idea.

Actually _loading kernel modules you haven't been using before_ without scheduling a reboot (which can be cancelled just as easily as removing an at job) is (not only in my opinion) a stupid idea.

> A much better way would be a small "at" job that inserts
> an appropriate "allow" rule:

Where's the advantage? A reboot (on a well-maintained) machine should get me back to the state it was before I started tinkering with kernel modules. And shutdown is astonishingly resilient - if the kernel didn't find a way to merrily spin around a lock in a place the sun doesn't reach it usually works.

The same applies to other devices (e.g. Cisco routers), too. I'm a Barbarian - why should I argue with ipfw if a battle axe would get the same result more comfortably?
Achim

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 28 12:16:14 2005
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5BA2316A41F for ; Wed, 28 Sep 2005 12:16:14 +0000 (GMT) (envelope-from asstec@matik.com.br) Received: from msrv.matik.com.br (msrv.matik.com.br [200.152.83.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8FE6743D48 for ; Wed, 28 Sep 2005 12:16:11 +0000 (GMT) (envelope-from asstec@matik.com.br) Received: from mc01.mega.net.br (nbc.matik.com.br [200.152.83.36]) by msrv.matik.com.br (8.13.3/8.13.1) with ESMTP id j8SCG9eu094720 for ; Wed, 28 Sep 2005 09:16:10 -0300 (BRST) (envelope-from asstec@matik.com.br) From: AT Matik Organization: Infomatik To: freebsd-ipfw@freebsd.org Date: Wed, 28 Sep 2005 09:15:53 -0300 User-Agent: KMail/1.8.2 References: <200509281104.j8SB45Bi044217@lurza.secnetix.de> <8CEFEBE0-CC91-4FA6-8453-DF42AA9445A5@bnc.net> In-Reply-To: <8CEFEBE0-CC91-4FA6-8453-DF42AA9445A5@bnc.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200509280915.53439.asstec@matik.com.br> X-Filter-Version: 1.11a (msrv.matik.com.br) X-Virus-Scanned: ClamAV version 0.86.2, clamav-milter version 0.86 on msrv.matik.com.br X-Virus-Status: Clean Subject: Re: Enable ipfw without rebooting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Sep 2005 12:16:14 -0000

On Wednesday 28 September 2005 08:35, Achim Patzner wrote:
>
> Where's the advantage? A reboot (on a well-maintained) machine should
> get me back to the state it was before I started tinkering with

Probably rebooting a server is an unnecessary method at all, and something similar to the method you describe next ... (or a win-habit)

> The same applies to other devices (e.g. Cisco routers), too. I'm a
> Barbarian - why should I argue with ipfw if a battle axe would get
> the same result more comfortably?

sure, cutting the wire is the best firewall solution ever and still the cheapest ;) but try pulling the cord before cutting

cheers

João

This message was scanned by the e-mail system and can be considered safe. Service provided by Datacenter Matik https://datacenter.matik.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 28 12:24:22 2005
Return-Path: X-Original-To: freebsd-ipfw@FreeBSD.ORG Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 81BCF16A41F for ; Wed, 28 Sep 2005 12:24:22 +0000 (GMT) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id DEECB43D48 for ; Wed, 28 Sep 2005 12:24:21 +0000 (GMT) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (dybkve@localhost [127.0.0.1]) by lurza.secnetix.de (8.13.1/8.13.1) with ESMTP id j8SCOJKq047048 for ; Wed, 28 Sep 2005 14:24:20 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de) Received: (from olli@localhost) by lurza.secnetix.de (8.13.1/8.13.1/Submit) id j8SCOJUv047047; Wed, 28 Sep 2005 14:24:19 +0200 (CEST) (envelope-from olli) Date: Wed, 28 Sep 2005 14:24:19 +0200 (CEST) Message-Id: <200509281224.j8SCOJUv047047@lurza.secnetix.de> From: Oliver Fromme To: freebsd-ipfw@FreeBSD.ORG In-Reply-To: <8CEFEBE0-CC91-4FA6-8453-DF42AA9445A5@bnc.net> X-Newsgroups: list.freebsd-ipfw User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.11-RELEASE (i386)) Cc: Subject: Re: Enable ipfw without rebooting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: freebsd-ipfw@FreeBSD.ORG List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Sep 2005 12:24:22 -0000

Achim Patzner wrote:
> Oliver Fromme wrote:
> > No. Performing a reboot is a rather bad idea.
>
> Actually _loading kernel modules you haven't been using before_

Lots of people have been using it before. (Personally I prefer to compile it statically in the kernel, though.)

> without scheduling a reboot (which can be cancelled just as easily as
> removing an at job) is (not only in my opinion) a stupid idea.

Apropos ideas: Not having remote console access to a machine which is located at 800 km distance is (not only in my opinion) a stupid idea. ;-)

> > A much better way would be a small "at" job that inserts
> > an appropriate "allow" rule:
>
> Where's the advantage?

A solution that doesn't require a reboot is always better, especially on production machines. This isn't Windows, after all.

For changing (and testing) rules, there's an even more elegant (and non-disruptive) solution, see:
/usr/share/examples/ipfw/change_rules.sh

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

Passwords are like underwear. You don't share them, you don't hang them on your monitor or under your keyboard, you don't email them, or put them on a web site, and you must change them very often.
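The at(1) safety net Oliver describes, put into a small script: an added example, not code from this list, from Oliver, or from FreeBSD. It assumes FreeBSD's ipfw(8), at(1)/atrm(1), kldstat(8) and kldload(8); the function names, the IPFW/AT/ATRM overrides and the two at(1) output formats it parses are assumptions of this example. Rule number 1 is evaluated before every other rule, so the queued "allow ip from any to any" reopens the box whether the lockout came from a bad ruleset or from a module built with a default deny (the case Achim ran into).

```sh
#!/bin/sh
# Added example (not from the list or FreeBSD): safety net for loading the
# ipfw module or reloading rules over a remote login.  An at(1) job inserts
# an allow-everything rule after DELAY minutes; if the change locks you out
# the job reopens the box, otherwise you cancel the job once confirmed.
# Assumed: FreeBSD, /sbin/ipfw, at(1)/atrm(1), kldstat(8), kldload(8).
# IPFW, AT and ATRM can be pointed at stubs for a dry run.

IPFW=${IPFW:-/sbin/ipfw}
AT=${AT:-at}
ATRM=${ATRM:-atrm}
DELAY=${DELAY:-5}          # minutes before the safety rule is inserted
RULE_NUM=${RULE_NUM:-1}    # rule 1 is evaluated before every other rule

# The command the at(1) job will run.  Rule number 1 sits in front of the
# whole ruleset, so it overrides both a bad ruleset and a module that was
# built with a default deny.
safety_rule() {
    printf '%s add %s allow ip from any to any\n' "$IPFW" "$RULE_NUM"
}

# at(1) reports the queued job on stderr, e.g.
# "Job 7 will be executed using /bin/sh" (FreeBSD) or "job 7 at <date>"
# (other systems; both formats assumed); keep only the job number so it
# can be handed to atrm(1) later.
extract_job_id() {
    sed -n 's/^[Jj]ob \([0-9][0-9]*\)[[:space:]].*/\1/p'
}

# Queue the safety rule and return its job id on stdout.
schedule_safety_net() {
    safety_rule | "$AT" now + "$DELAY" minutes 2>&1 | extract_job_id
}

# Cancel the job once you have confirmed you are still connected.
cancel_safety_net() {
    "$ATRM" "$1"
}

# Load the module if it is not already there, then (re)apply the ruleset.
apply_rules() {
    kldstat -q -m ipfw || kldload ipfw
    sh /etc/rc.firewall
}

case "${1:-}" in
apply)
    job=$(schedule_safety_net)
    # Never touch the firewall without the net in place.
    [ -n "$job" ] || { echo "could not queue at(1) job; aborting" >&2; exit 1; }
    echo "safety net queued as at(1) job $job (fires in $DELAY min)"
    apply_rules
    echo "still connected? then run: $0 confirm $job"
    ;;
confirm)
    cancel_safety_net "$2"
    # If the job already fired, take the temporary allow-all out again.
    "$IPFW" delete "$RULE_NUM" 2>/dev/null || true
    ;;
esac
```

Run `./ipfw_safe.sh apply` as root, check from a second session that you can still log in, then `./ipfw_safe.sh confirm <jobid>`. If you do get locked out, wait DELAY minutes and reconnect. The allow-all rule at position 1 disables the firewall completely while it exists, which is why `confirm` both removes the at(1) job and deletes the rule in case it already fired.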
From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 28 12:33:26 2005
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5662816A41F for ; Wed, 28 Sep 2005 12:33:26 +0000 (GMT) (envelope-from asstec@matik.com.br) Received: from msrv.matik.com.br (msrv.matik.com.br [200.152.83.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 755D543D48 for ; Wed, 28 Sep 2005 12:33:24 +0000 (GMT) (envelope-from asstec@matik.com.br) Received: from mc01.mega.net.br (nbc.matik.com.br [200.152.83.36]) by msrv.matik.com.br (8.13.3/8.13.1) with ESMTP id j8SCXNk1095838 for ; Wed, 28 Sep 2005 09:33:24 -0300 (BRST) (envelope-from asstec@matik.com.br) From: AT Matik Organization: Infomatik To: freebsd-ipfw@freebsd.org Date: Wed, 28 Sep 2005 09:33:07 -0300 User-Agent: KMail/1.8.2 References: <200509281224.j8SCOJUv047047@lurza.secnetix.de> In-Reply-To: <200509281224.j8SCOJUv047047@lurza.secnetix.de> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200509280933.07846.asstec@matik.com.br> X-Filter-Version: 1.11a (msrv.matik.com.br) X-Virus-Scanned: ClamAV version 0.86.2, clamav-milter version 0.86 on msrv.matik.com.br X-Virus-Status: Clean Subject: Re: Enable ipfw without rebooting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Sep 2005 12:33:26 -0000

On Wednesday 28 September 2005 09:24, Oliver Fromme wrote:
> > without scheduling a reboot (which can be cancelled just as easily as
> > removing an at job) is (not only in my opinion) a stupid idea.
>

you might consider pasting this into your rc.firewall

case ${fw_test_enable} in
[Yy][Ee][Ss])
    ${fwcmd} add 1 pass proto ip
    ;;
esac

and add

fw_test_enable="YES"

to your rc.conf so when running `sh /etc/rc.firewall` you can see if your rules are in correct order and delete manually rule 1 to activate it definitely and setting the parameter in rc.conf to NO

or/and you may consider creating a script like

cmd=/sbin/ipfw    # ipfw binary (assumed value; not set in the original snippet)
rnum=1            # number of the temporary pass-all rule (assumed value)

case $1 in
abre)
    $cmd add $rnum pass proto ip
    echo "o FW está aberto agora!"
    ;;
fecha)
    $cmd delete $rnum
    echo "o FW está fechado novamente."
    ;;
test)
    $cmd delete $rnum
    clear
    echo "O FW fica agora 5 minutos fechado, faça os seus testes."
    echo "Use um outro terminal ou sessão para o acesso remoto."
    echo "experimente tb todo acesso com navegador etc para confirmar."
    sleep 300
    $cmd add $rnum pass proto ip
    echo "O FW está aberto novamente."
    ;;
*)
    echo
    echo "Opções: abre | fecha | test "
    echo
    ;;
esac

where abre=open fecha=close and test=test and it stays closed for the time you configure

cheers

João
From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 29 03:32:58 2005
Return-Path: X-Original-To: freebsd-ipfw@FreeBSD.ORG Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 281FE16A421 for ; Thu, 29 Sep 2005 03:32:58 +0000 (GMT) (envelope-from ganbold@micom.mng.net) Received: from publicd.ub.mng.net (publicd.ub.mng.net [202.179.0.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 303DA43D49 for ; Thu, 29 Sep 2005 03:32:57 +0000 (GMT) (envelope-from ganbold@micom.mng.net) Received: from [202.179.0.164] (helo=ganbold.micom.mng.net) by publicd.ub.mng.net with esmtpa (Exim 4.43 (FreeBSD)) id 1EKovU-000Iqd-FN for freebsd-ipfw@FreeBSD.ORG; Thu, 29 Sep 2005 11:33:26 +0800 Message-Id: <6.2.1.2.2.20050929121426.02954710@202.179.0.80> X-Mailer: QUALCOMM Windows Eudora Version 6.2.1.2 Date: Thu, 29 Sep 2005 12:17:10 +0900 To: freebsd-ipfw@FreeBSD.ORG From: Ganbold In-Reply-To: <200509281224.j8SCOJUv047047@lurza.secnetix.de> References: <8CEFEBE0-CC91-4FA6-8453-DF42AA9445A5@bnc.net> <200509281224.j8SCOJUv047047@lurza.secnetix.de> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Cc: Subject: Re: Enable ipfw without rebooting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Sep 2005 03:32:58 -0000

If you want to restart ipfw you can try:

/etc/rc.d/ipfw restart

command if you are using FreeBSD 5.x or later.

hth,

Ganbold

At 09:24 PM 9/28/2005, you wrote:
>Achim Patzner wrote:
> > Oliver Fromme wrote:
> > > No. Performing a reboot is a rather bad idea.
> >
> > Actually _loading kernel modules you haven't been using before_
>
>Lots of people have been using it before. (Personally I
>prefer to compile it statically in the kernel, though.)
>
> > without scheduling a reboot (which can be cancelled just as easily as
> > removing an at job) is (not only in my opinion) a stupid idea.
>
>Apropos ideas: Not having remote console access to a
>machine which is located at 800 km distance is (not only
>in my opinion) a stupid idea. ;-)
>
> > > A much better way would be a small "at" job that inserts
> > > an appropriate "allow" rule:
> >
> > Where's the advantage?
>
>A solution that doesn't require a reboot is always better,
>especially on production machines.
>This isn't Windows, after all.
>
>For changing (and testing) rules, there's an even more
>elegant (and non-disruptive) solution, see:
>/usr/share/examples/ipfw/change_rules.sh
>
>Best regards
>   Oliver
>
>-- 
>Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
>Services with a focus on FreeBSD: http://www.secnetix.de/bsd
>Any opinions expressed in this message may be personal to the author
>and may not necessarily reflect the opinions of secnetix in any way.
>
>Passwords are like underwear. You don't share them,
>you don't hang them on your monitor or under your keyboard,
>you don't email them, or put them on a web site,
>and you must change them very often.
>_______________________________________________
>freebsd-ipfw@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 29 03:51:15 2005
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4BA1C16A41F for ; Thu, 29 Sep 2005 03:51:15 +0000 (GMT) (envelope-from ganbold@micom.mng.net) Received: from publicd.ub.mng.net (publicd.ub.mng.net [202.179.0.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5DD9F43D49 for ; Thu, 29 Sep 2005 03:51:14 +0000 (GMT) (envelope-from ganbold@micom.mng.net) Received: from [202.179.0.164] (helo=ganbold.micom.mng.net) by publicd.ub.mng.net with esmtpa (Exim 4.43 (FreeBSD)) id 1EKpSA-000JSz-JD for freebsd-ipfw@freebsd.org; Thu, 29 Sep 2005 11:51:45 +0800 Message-Id: <6.2.1.2.2.20050929125001.029121f0@202.179.0.80> X-Mailer: QUALCOMM Windows Eudora Version 6.2.1.2 Date: Thu, 29 Sep 2005 12:50:56 +0900 To: freebsd-ipfw@freebsd.org From: Ganbold In-Reply-To: <6.2.1.2.2.20050929121426.02954710@202.179.0.80> References: <8CEFEBE0-CC91-4FA6-8453-DF42AA9445A5@bnc.net> <200509281224.j8SCOJUv047047@lurza.secnetix.de> <6.2.1.2.2.20050929121426.02954710@202.179.0.80> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: Re: Enable ipfw without rebooting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Sep 2005 03:51:15 -0000

Sorry for dup. Probably it is our mail server problem.
Ganbold

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 29 07:33:01 2005
Return-Path: X-Original-To: freebsd-ipfw@FreeBSD.ORG Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BAD8A16A41F for ; Thu, 29 Sep 2005 07:33:01 +0000 (GMT) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id CCACA43D48 for ; Thu, 29 Sep 2005 07:33:00 +0000 (GMT) (envelope-from olli@lurza.secnetix.de) Received: from lurza.secnetix.de (klyvwf@localhost [127.0.0.1]) by lurza.secnetix.de (8.13.1/8.13.1) with ESMTP id j8T7WwMM086437 for ; Thu, 29 Sep 2005 09:32:58 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de) Received: (from olli@localhost) by lurza.secnetix.de (8.13.1/8.13.1/Submit) id j8T7Ww7j086436; Thu, 29 Sep 2005 09:32:58 +0200 (CEST) (envelope-from olli) Date: Thu, 29 Sep 2005 09:32:58 +0200 (CEST) Message-Id: <200509290732.j8T7Ww7j086436@lurza.secnetix.de> From: Oliver Fromme To: freebsd-ipfw@FreeBSD.ORG In-Reply-To: <6.2.1.2.2.20050929121426.02954710@202.179.0.80> X-Newsgroups: list.freebsd-ipfw User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.11-RELEASE (i386)) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Cc: Subject: Re: Enable ipfw without rebooting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: freebsd-ipfw@FreeBSD.ORG List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Sep 2005 07:33:01 -0000

Ganbold wrote:
> Oliver Fromme wrote:
> > [...]
> > For changing (and testing) rules, there's an even more
> > elegant (and non-disruptive) solution, see:
> > /usr/share/examples/ipfw/change_rules.sh
>
> If you want to restart ipfw you can try:
>
> /etc/rc.d/ipfw restart
>
> command if you are using FreeBSD 5.x or later.

But that command does not provide _any_ safety net at all (against a problem with your ruleset) when you're logged in via network. It is only safe to use when you have access to the console.

Better use the script that I mentioned (or an appropriate at(1) command or whatever):
/usr/share/examples/ipfw/change_rules.sh

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Emacs is no editor to me. To me it is exactly the same as if I asked for a bicycle (to fetch the Sunday rolls) and got a pan-galactic space cruiser 10 km long. I don't know what I am supposed to do with it."
        -- Frank Klemm, de.comp.os.unix.discussion

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 29 16:11:32 2005
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3A21D16A41F for ; Thu, 29 Sep 2005 16:11:32 +0000 (GMT) (envelope-from scuba@centroin.com.br) Received: from mdhost1.centroin.com.br (mdhost1.centroin.com.br [200.225.63.140]) by mx1.FreeBSD.org (Postfix) with ESMTP id 83AF643D49 for ; Thu, 29 Sep 2005 16:11:30 +0000 (GMT) (envelope-from scuba@centroin.com.br) Received: from hypselo.centroin.com.br (hypselo.centroin.com.br [200.225.63.1]) by mdhost1.centroin.com.br (8.13.4/8.13.4/CIP SMTP HOST) with ESMTP id j8TGBPeA015952 for ; Thu, 29 Sep 2005 13:11:25 -0300 (BRT) (envelope-from scuba@centroin.com.br) Date: Thu, 29 Sep 2005 13:11:47 -0300 (EST) From: Sender: To: In-Reply-To: <200509271712.j8RHCspb008088@lurza.secnetix.de> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE X-Hits: 1.227 X-Scanned-By: MIMEDefang 2.52 on 200.225.63.205 Subject: Re: Enable ipfw without rebooting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Sep 2005 16:11:32 -0000

Hi,

    Loading the kernel module ("kldload ipfw") did the job.

    But nothing using rc's files helps to prevent being locked with a "deny all" default rule, since those files are not executed on module load.

    I had to use:

    kldload ipfw ; sh /etc/rc.firewall

    or

    kldload ipfw ; ipfw add 1 pass all from any to any

Thank you for the help.
- Marcelo Souza

On Tue, 27 Sep 2005, Oliver Fromme wrote:
|scuba@centroin.com.br wrote:
| > On Fri, 23 Sep 2005, vladone wrote:
| > |U can use:
| > |ipfw enable or ipfw disable command (man ipfw)
| >
| > It doesn't work. Do nothing.
| >
| > |or from sysctl:
| > |sysctl net.inet.ip.fw.enable=0 (to disable)
| >
| > This generates an error:
| >
| > sysctl: unknown id 'net.inet.ip.fw.enable'
|
|Do you have IPFW code in your kernel? (Either statically
|compiled via kernel config, or dynamically loaded as KLD)
|
|If you don't, then it doesn't work, of course.
|
|Try loading the IPFW KLD ("kldload ipfw").
|
|Best regards
|   Oliver
|
|-- 
|Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
|Services with a focus on FreeBSD: http://www.secnetix.de/bsd
|Any opinions expressed in this message may be personal to the author
|and may not necessarily reflect the opinions of secnetix in any way.
|
|'Instead of asking why a piece of software is using "1970s technology,"
|start asking why software is ignoring 30 years of accumulated wisdom.'
|_______________________________________________ |freebsd-ipfw@freebsd.org mailing list |http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw |To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" | - Marcelo From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 29 17:26:02 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 464FE16A41F for ; Thu, 29 Sep 2005 17:26:02 +0000 (GMT) (envelope-from ap@bnc.net) Received: from mailomat.net (mailomat.net [217.110.117.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id A74DB43D49 for ; Thu, 29 Sep 2005 17:26:00 +0000 (GMT) (envelope-from ap@bnc.net) X-SpamCatcher-Score: 2 [X] Received: from [194.39.192.125] (account bnc-mail@mailrelay.mailomat.net HELO bnc.net) by mailomat.net (CommuniGate Pro SMTP 4.3.6) with ESMTPSA id 5591691 for freebsd-ipfw@freebsd.org; Thu, 29 Sep 2005 19:25:57 +0200 X-BNC-SpamCatcher-Score: 2 [X] Received: from [194.39.192.247] (account ap HELO [194.39.192.247]) by bnc.net (CommuniGate Pro SMTP 4.3.5) with ESMTPSA id 1260233 for freebsd-ipfw@FreeBSD.ORG; Thu, 29 Sep 2005 19:26:00 +0200 Mime-Version: 1.0 (Apple Message framework v734) In-Reply-To: <200509281224.j8SCOJUv047047@lurza.secnetix.de> References: <200509281224.j8SCOJUv047047@lurza.secnetix.de> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: Achim Patzner Date: Thu, 29 Sep 2005 19:25:54 +0200 To: freebsd-ipfw@FreeBSD.ORG X-Mailer: Apple Mail (2.734) Cc: Subject: Re: Enable ipfw without rebooting X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Sep 2005 17:26:02 -0000 >>> No. Performing a reboot is a rather bad idea. 
>>
>> Actually _loading kernel modules you haven't been using before_
>
> Lots of people have been using it before.

*You* actually means: You have to have done it yourself, on the
machine you want to use it before anyone is putting it to serious
tasks. Been there, watched it being done, got a cellar full of
t-shirts...

> (Personally I prefer to compile it statically in the kernel, though.)

Agreed 8-).

> Apropos ideas: Not having remote console access to a
> machine which is located at 800 km distance is (not only
> in my opinion) a stupid idea. ;-)

That was not my attempt at being funny ("Oh - yes, I needed that
connection on the KVM switch. Didn't I tell you?").

>>> A much better way would be a small "at" job that inserts
>>> an appropriate "allow" rule:
>>>
>>
>> Where's the advantage?
>
> A solution that doesn't require a reboot is always better,
> especially on production machines.

I prefer doing the reboot thing from time to time, having had quite a
history of customers neither testing nor documenting changes in system
configuration... It's reducing the number of surprises per boot
considerably.

> This isn't Windows, after all.

Windows' "firewall" couldn't keep me outside either... The problem
isn't FreeBSD, it's the idiots in front of it fumbling around with the
pitchfork.

> For changing (and testing) rules, there's an even more
> elegant (and non-disruptive) solution, see:
> /usr/share/examples/ipfw/change_rules.sh

As I said: It's not about changing the rules, it's about loading
kernel modules that could aid you in serious in-the-knee-shooting.

> and you must change them very often.

"If people were permitted to change their underwear only after
changing their password you could even smell the idiots from afar."
Achim

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 30 10:37:31 2005
From: Arvinn Løkkebakken
To: freebsd-ipfw@freebsd.org
Date: Fri, 30 Sep 2005 12:37:27 +0200
Message-ID: <433D1567.7020406@sandakerveien.net>
Subject: limited logging when using limit

First of all, I love ipfw, and I love logs, especially logs about
packet drops. Recently I started using limit on my allow and pipe rules
like this:

ipfw add pipe 5 log tcp from 200.0.0.0/7 to me dst-port 25 limit src-addr 2
ipfw add allow log tcp from any to me dst-port 25 limit src-addr 10

..as always with ipfw, it works like a charm:)

However, packet drops caused by the connection limit do not get logged.
Neither source ip/port, destination ip/port nor even the rule number
gets logged. Is there a reason for this?
All I get in syslog is:

Sep 30 11:14:40 hostname drop session, too many entries

My system runs FreeBSD 4.11-p11 with ipfw2.

Arvinn

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 30 13:19:10 2005
From: G Bryant
Date: Fri, 30 Sep 2005 15:17:57 +0200
Message-ID: <433D3B05.20105@roamingsolutions.net>
Subject: fwd: alias vs clone

Anybody help with difference between ifconfig: clone or alias?

Trying to ipfw fwd packets to non-default router out the same
interface. Currently using alias, but not working for some
unexplainable reason. Would clone work?
Thanks
Graham

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 30 13:58:42 2005
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
Date: Fri, 30 Sep 2005 15:58:39 +0200 (CEST)
Message-Id: <200509301358.j8UDwdPk046252@lurza.secnetix.de>
Subject: Re: Enable ipfw without rebooting

Achim Patzner wrote:
> > > > > No. Performing a reboot is a rather bad idea.
> > >
> > > Actually _loading kernel modules you haven't been using before_
> >
> > Lots of people have been using it before.
>
> *You* actually means: You have to have done it yourself, on the
> machine you want to use it before anyone is putting it to serious
> tasks. Been there, watched it being done, got a cellar full of
> t-shirts...
It's not completely clear to me what _you_ mean.

Anyway, there are three cases for "kldload ipfw":

1. It just works. Then you can just remove the at(1) job or kill the
   shutdown(8) process. The former is usually less risky, because it's
   not a tragedy if you don't do it in time. (Apart from that, at(1)
   job numbers are usually much smaller than PIDs, thus easier to type
   and less error-prone.)

2. The kernel module loads fine, but you lock yourself out because of
   the default deny rule. The proposed at(1) job will help you in that
   case. Of course, a reboot helps, too, but -- it's a reboot. No sane
   person wants a reboot when there's a much less destructive way to
   solve a problem.

3. The machine crashes (panic, freeze, whatever). Neither an at(1) job
   nor a shutdown(8) will help in this case. Depending on the kernel
   configuration, the machine will reboot automatically in either case
   when a panic occurs.

And by the way: at(1) jobs survive reboots. So if you happen to have
broken rules in your ipfw.conf which are loaded upon a reboot, the
at(1) job will still save your ass. Shutdown(8) will not.

> > For changing (and testing) rules, there's an even more
> > elegant (and non-disruptive) solution, see:
> > /usr/share/examples/ipfw/change_rules.sh
>
> As I said: It's not about changing the rules, it's about loading
> kernel modules that could aid you in serious in-the-knee-shooting.

It's exactly the same thing. When changing the rules, the same three
cases can happen which I enumerated above: It works, or it locks you
out because of the rules, or the machine crashes. (Although --
hopefully -- the crash case should be rather unlikely.)

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
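The at(1) safety net that the three cases above rely on, written out as an added example in sh (it is not code from the thread, from FreeBSD's change_rules.sh, or from any poster). It assumes a FreeBSD host with ipfw(8), at(1) and atrm(1), that rule number 1 is free, and an administrative host 203.0.113.5 (a documentation address, constructed here). Instead of opening the whole firewall, the job re-adds only SSH from that host, which is enough to get back in and is the "appropriate allow rule" a defender wants; the job body is kept in its own function so it can be reviewed before arming and exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): an at(1) "safety net" around a risky
# ipfw step such as "kldload ipfw" or a rule reload.  If the step locks you
# out, the scheduled job fires and re-opens SSH from the admin host only.
# Constructed assumptions: rule number 1 is free, ipfw(8), at(1) and atrm(1)
# exist, and 203.0.113.5 (a documentation address) is the admin host.

# Print the job body.  Keeping it in a function lets the operator review the
# exact commands before arming the net, and lets the body be checked offline.
safety_job() {
    rule_no=$1
    admin_host=$2
    printf '%s\n' \
        "/sbin/ipfw -q add $rule_no allow tcp from $admin_host to me 22" \
        "/usr/bin/logger -t ipfw-safety 'safety net fired: rule $rule_no allows $admin_host'"
}

# Arm the net: schedule the job and print its at(1) job number so the caller
# can disarm it once the change is confirmed.  at(1) reports the number on
# stderr, as "job N at ..." or "Job N will be executed ..." depending on the
# implementation, so both spellings are accepted.
arm_safety_net() {
    rule_no=$1
    admin_host=$2
    delay_min=${3:-5}
    safety_job "$rule_no" "$admin_host" \
        | at "now + $delay_min minutes" 2>&1 \
        | sed -n 's/^[Jj]ob \([0-9][0-9]*\).*/\1/p'
}

# Disarm after the change is verified (a fresh SSH login still works).
# As the thread notes, a job number is short and easy to type correctly.
disarm_safety_net() {
    atrm "$1"
}

# Typical session on the FreeBSD box (commented out so the file runs offline):
#   job=$(arm_safety_net 1 203.0.113.5 5)
#   kldload ipfw && sysctl net.inet.ip.fw.enable=1    # the risky step
#   ssh admin@firewall true                            # verify from outside
#   disarm_safety_net "$job"
# If the job does fire, delete rule 1 again once the ruleset is repaired.
```

Because at(1) jobs persist across reboots, the same net also covers the case where a bad ipfw.conf is loaded at boot: the job still runs and re-admits the administrator.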
"Python tricks" is a tough one, cuz the language is so clean. E.g.,
C makes an art of confusing pointers with arrays and strings, which
leads to lotsa neat pointer tricks; APL mistakes everything for an
array, leading to neat one-liners; and Perl confuses everything
period, making each line a joyous adventure.
        -- Tim Peters

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 1 08:19:26 2005
From: G Bryant
Date: Sat, 01 Oct 2005 10:19:35 +0200
Message-ID: <433E4697.70206@roamingsolutions.net>
Subject: alias ip and natd with ipfw fwd

Not sure if previous posts came through, so please forgive if this is
a repeat.

Can anybody please help with problem.
Using natd and ipfw and trying to fwd packets to a non-default router
out the same interface.
Currently using alias for the second ip, but it doesn't seem to be
working for some reason I'm missing. Would clone maybe work?
Any advice would be appreciated.

Thanks
Graham

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 1 09:43:28 2005
From: .@babolo.ru
To: G Bryant
Date: Sat, 1 Oct 2005 13:46:40 +0400 (MSD)
In-Reply-To: <433E4697.70206@roamingsolutions.net>
Message-Id: <1128160000.491736.7049.nullmailer@cicuta.babolo.ru>
Subject: Re: alias ip and natd with ipfw fwd

> Can anybody please help with problem.
> Using natd and ipfw and trying to fwd packets to a non-default router
> out the same interface.
> Currently using alias for the second ip, but it doesn't seem to be
> working for some reason I'm missing. Would clone maybe work?
> Any advice would be appreciated.

ipfw rules, ifconfig -a and natd options need to be demonstrated.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 1 10:13:42 2005
From: G Bryant
Date: Sat, 01 Oct 2005 12:13:09 +0200
In-Reply-To: <1128160000.491736.7049.nullmailer@cicuta.babolo.ru>
Message-ID: <433E6135.3020005@roamingsolutions.net>
Subject: Re: alias ip and natd with ipfw fwd

# ifconfig -a
rl0: flags=8843 mtu 1500
        options=8
        inet 192.168.8.70 netmask 0xffffff00 broadcast 192.168.8.255
        inet 192.168.0.99 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:11:95:5a:e2:da
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8802 mtu 1500
        options=8
        ether 00:11:95:5a:e2:dc
        media: Ethernet autoselect (10baseT/UTP)
        status: no carrier
vr0: flags=8943 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:11:09:08:11:c4
        media: Ethernet autoselect (none)
        status: no carrier
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

# ipfw show
00100 0 0 allow ip from any to any via lo0
00200 0 0 allow ip from 192.168.1.0/24 to any in
00300 0 0 allow ip from any to 192.168.1.0/24 out
00400 184 16728 allow ip from 192.168.0.0/16 to me in
00500 173 14810 allow ip from me to 192.168.0.0/16 out
08000 0 0 divert 8672 ip from any to 192.168.0.0/24 out
08100 0 0 allow ip from me to 192.168.0.0/24 out
08200 0 0 divert 8671 ip from any to 192.168.8.0/24 out
08300 0 0 allow ip from me to 192.168.8.0/24 out
09000 0 0 divert 8672 ip from any to 196.4.160.7 out
09100 0 0 check-state
09200 0 0 fwd 192.168.0.1 log logamount 10 ip from 192.168.0.99 to any out keep-state
09300 9 629 divert 8671 ip from any to any out
09400 9 629 allow ip from me to any out via rl0
09500 0 0 allow ip from any to any out
09600 0 0 divert 8672 ip from any to 192.168.0.99 in via rl0
09700 7 1123 divert 8671 ip from any to 192.168.8.70 in via rl0
09800 42 4241 allow ip from any to any in via rl0
09900 0 0 allow ip from any to any in via rl0
09999 0 0 deny log logamount 10 ip from any to any
65535 0 0 deny ip from any to any

## was testing the divert by pinging 196.4.160.7

# natd1.conf
alias_address 192.168.8.70
pid_file /var/run/natd1.pid
port natd1

# natd2.conf
alias_address 192.168.0.99
pid_file /var/run/natd2.pid
port natd2

"."@babolo.ru wrote:
> > Can anybody please help with problem.
> > Using natd and ipfw and trying to fwd packets to a non-default router
> > out the same interface.
> > Currently using alias for the second ip, but it doesn't seem to be
> > working for some reason I'm missing. Would clone maybe work?
> > Any advice would be appreciated.
>
> ipfw rules, ifconfig -a and natd options need to be demonstrated.
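A few mechanical checks over an `ipfw show` listing of the kind posted above, as an added example in sh (not the poster's code and not anything from the thread). The sample ruleset is constructed from a subset of the rules shown. It flags later rules whose body repeats an earlier one verbatim (ipfw matches first to last, so the later copy can never fire; rule 09900 above is such a copy of 09800), rules whose packet counter is still zero (the first thing to look at when a fwd or divert rule "does nothing"), and allow rules from any to any that are not tied to an interface. These are the checks worth running on a ruleset before reasoning about fwd or natd behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks over an "ipfw show"
# listing, whose lines read "<rule> <packets> <bytes> <rule body>".
# The sample below is constructed from a subset of the rules posted above.
SAMPLE_RULES='00100 0 0 allow ip from any to any via lo0
09200 0 0 fwd 192.168.0.1 log logamount 10 ip from 192.168.0.99 to any out keep-state
09300 9 629 divert 8671 ip from any to any out
09400 9 629 allow ip from me to any out via rl0
09500 0 0 allow ip from any to any out
09800 42 4241 allow ip from any to any in via rl0
09900 0 0 allow ip from any to any in via rl0
09999 0 0 deny log logamount 10 ip from any to any
65535 0 0 deny ip from any to any'

# A rule whose body repeats an earlier rule's body verbatim is dead: ipfw
# matches first-to-last, so the earlier copy always wins.  Prints
# "DUP <rule> shadowed-by <earlier rule>" for each such duplicate.
find_shadowed() {
    printf '%s\n' "$1" | awk '
        BEGIN { split("", first) }
        {
            body = ""
            for (i = 4; i <= NF; i++) body = body (i > 4 ? " " : "") $i
            if (body in first) print "DUP " $1 " shadowed-by " first[body]
            else first[body] = $1
        }'
}

# Rules with a zero packet counter since the last counter reset.  Not
# necessarily wrong, but the first place to look when a fwd or divert rule
# seems to do nothing: it may simply never be reached.  The implicit
# default rule 65535 is skipped.
find_unused() {
    printf '%s\n' "$1" | awk '$2 == 0 && $1 != "65535" { print $1 }'
}

# Allow rules from any host to any host that are not restricted to an
# interface with "via": these widen what reaches the later rules.
find_wide_open() {
    printf '%s\n' "$1" | awk '$4 == "allow" && / from any to any/ && !/ via / { print $1 }'
}

# Run against a live system with:  audit_ruleset "$(ipfw show)"
audit_ruleset() {
    echo "shadowed:";  find_shadowed "$1"
    echo "unused:";    find_unused "$1"
    echo "wide open:"; find_wide_open "$1"
}
```

On the sample, the shadowed check names 09900, the unused check lists 00100, 09200, 09500, 09900 and 09999, and the wide-open check names 09500; the counters on a live box are only meaningful relative to the last `ipfw zero`, so reset them, reproduce the traffic, and then read the listing.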