From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 6 11:00:20 2010
Date: Mon, 6 Sep 2010 11:00:19 GMT
Message-Id: <201009061100.o86B0JAd099497@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Dan Lukes
Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets

The following reply was made to PR kern/128260; it has been noted by GNATS.

From: Dan Lukes
To: bug-followup@FreeBSD.org
Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets
Date: Mon, 06 Sep 2010 12:08:48 +0200

The 8.1-RELEASE partially corrects this problem, but for DIVERT (not TEE) there are still issues.

In the non-tee case, the header is still unconditionally considered to be a (struct ip). For an IPv6 packet, ip->ip_off & (IP_MF | IP_OFFMASK) may be unintentionally true, and then ip_reass will be called with an IPv6 packet, which is not appropriate.
We still need to check the IP version:

- if (!tee && ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) {
+ if (ip->ip_v == 4 && !tee && ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)) {

Dan

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 6 11:06:58 2010
Date: Mon, 6 Sep 2010 11:06:57 GMT
Message-Id: <201009061106.o86B6vbx011802@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.
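Review bot: the ip->ip_v == 4 guard on the + line is sound for the reason the text gives, since the version is the high nibble of byte 0 in both IPv4 and IPv6 headers, so reading it through a struct ip pointer is valid for either family, whereas the bytes struct ip calls ip_off are Next Header and Hop Limit in an IPv6 header and almost always have bits inside IP_MF | IP_OFFMASK set. Consider parenthesizing the bitwise test, i.e. (ntohs(ip->ip_off) & (IP_MF | IP_OFFMASK)), so the mix of && and & reads unambiguously even though C precedence already makes it correct; and note that the guard only keeps IPv6 packets out of ip_reass(): the message says the non-tee path otherwise still treats the header as a struct ip, so any IPv4-specific handling after this branch needs the same gating.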
S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/150141  ipfw   [ipfw]: Not working kernel nat freeBSD 8.1
o kern/149572  ipfw   [ipfw] ipfw kernel nat not working properly
o kern/148928  ipfw   [ipfw] Problem with loading of ipfw NAT rules during s
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148157  ipfw   [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o conf/148144  ipfw   [patch] add ipfw_nat support for rc.firewall simple ty
o conf/148137  ipfw   [ipfw] call order of natd and ipfw startup scripts
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw   [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw   [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw   [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw   [ipfw] ipfw nat does not follow its documentation
o kern/144269  ipfw   [ipfw] problem with ipfw tables
o kern/144187  ipfw   [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw   [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw   [ipfw] ipfw table contains the same address
f kern/142951  ipfw   [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet] 6.3-RELEASE-p1 page fault in dummynet (corr
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

79 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 6 15:53:16 2010
Date: Mon, 6 Sep 2010 18:53:15 +0300
From: Özkan KIRIK
To: ipfw@freebsd.org
Subject: Default router changes unexpectedly when dummynet enabled

Hi,

When I enable dummynet rules, the default router changes unexpectedly. If the pipe & queue rules do not exist, there is no problem.

I tried all of the FreeBSD 7.1, 7.2, 7.3 and 8.1-STABLE-201008 releases (both i386 and amd64). All these FreeBSD versions are affected.

I inspected the logs for whether someone logged in or changed the route (with the route -n monitor command). When the default route changed, there weren't any messages in the "route -n monitor" command output.

I think there can be a buffer overflow in dummynet code. This problem repeats once per 10 minutes.

I wrote a shell script which monitors the default router. I saw that sometimes netstat -rn shows that the default router has changed to 10.0.16.251 or 10.6.10.240 etc., which are client IP addresses, but routing still routes to the right router 193.X.Y.Z. After a while, routing really fails.

You can access the tcpdump capture file from:
http://193.255.128.30/~ryland/flowdata_10_0_16_251

This file was captured while the default router changed. The tcpdump capture belongs to the IP address shown as the default router (10.0.16.251); the tcpdump command:

tcpdump -w /home/flowdata_10_0_16_251 -ni bce0.116 host 10.0.16.251

dummynet rules are:

30000 pipe 3 tcp from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 to any dst-port 8000,80,22,25,88,110,443,1720,1863,1521,3389,4489 via em0 // Upload
30000 pipe 3 udp from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 to any dst-port 53 via em0 // Upload
30000 pipe 4 tcp from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 to any via em0 // Upload
30000 pipe 4 udp from 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 to any via em0 // Upload
....
LOTS OF NAT RULES HERE (in kernel nat)
60000 pipe 1 tcp from any 8000,80,22,25,88,110,443,1720,1863,1521,3389,4489 to 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 via bce0* // Download
60000 pipe 1 udp from any 53 to 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 via bce0* // Download
60000 pipe 2 tcp from any to 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 via bce0* // Download
60000 pipe 2 udp from any to 10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 via bce0* // Download

/sbin/ipfw pipe 1 config bw 8192Kbit/s mask dst-ip 0xffffffff
/sbin/ipfw pipe 3 config bw 1024Kbit/s mask src-ip 0xffffffff
/sbin/ipfw pipe 2 config bw 4096Kbit/s mask dst-ip 0xffffffff
/sbin/ipfw pipe 4 config bw 1024Kbit/s mask src-ip 0xffffffff

sysctl vars:
net.inet.ip.dummynet.hash_size=256 (also tried with 8192)
net.inet.ip.dummynet.pipe_slot_limit=500
net.inet.ip.dummynet.io_fast=1

Some information about the network: the system has 3 NICs as WAN, LAN, DMZ. There are VLANs on the WAN and LAN interfaces. Throughput is between 20Mbps and 100Mbps.

Any ideas?
Regards,
Ozkan KIRIK
Mersin University @ Turkey

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 8 22:09:23 2010
Date: Wed, 8 Sep 2010 17:46:32 -0400
From: Tony
To: freebsd-ipfw@freebsd.org
Subject: All in one machine running w/ Dansguardian+Squid+IPFW
I have one computer that has Dansguardian (127.0.0.1:8888) and Squid (127.0.0.1) and IPFW installed. From the same computer, I'm trying to redirect port 80 to Dansguardian's port 8888 using the rulesets below. Is this possible? I read that ipfw does not allow forwarding from the same machine. Is this true? I have tried both these rulesets separately and am not getting any hits when I do ipfw show. Something wrong with my rules?

Ruleset #1

ipfw add fwd 127.0.0.1:8888 tcp from 192.168.0.154 to any 80 in recv en1
ipfw add allow tcp from me to any 80 out xmit en1
ipfw add allow tcp from any 80 to me in recv en1

Ruleset #2

ipfw add allow tcp from 192.168.0.154 to any 80 out xmit en1
ipfw add fwd 127.0.0.1,8888 tcp from 192.168.0.154 to any dst-port 80
ipfw add allow tcp from any 80 to 192.168.0.154 in recv en1 established

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 8 23:30:03 2010
Message-ID: <4C88188A.8010903@elischer.org>
Date: Wed, 08 Sep 2010 16:13:14 -0700
From: Julian Elischer
To: Tony
Cc: freebsd-ipfw@freebsd.org
Subject: Re: All in one machine running w/ Dansguardian+Squid+IPFW

On 9/8/10 2:46 PM, Tony wrote:
> I have one computer that has Dansguardian (127.0.0.1:8888) and Squid
> (127.0.0.1) and IPFW installed. From the same computer, I'm trying to
> redirect port 80 to Dansguardian's port 8888 using the rulesets below.
> Is this possible? I read that ipfw does not allow forwarding from the same
> machine. Is this true? I have tried both these rulesets separately and am
> not getting any hits when I do ipfw show. Something wrong with my rules?

there was a small window around 6.x (I think) where you needed a
special option to fwd to oneself in ipfw. It was removed quickly as it made
forwarding useless in general.

> Ruleset #1
>
> ipfw add fwd 127.0.0.1:8888 tcp from 192.168.0.154 to any 80 in recv en1

looks vaguely right but I haven't done it in a while.

> ipfw add allow tcp from me to any 80 out xmit en1
> ipfw add allow tcp from any 80 to me in recv en1
>
> Ruleset #2
>
> ipfw add allow tcp from 192.168.0.154 to any 80 out xmit en1

make up your mind.. is that machine out via en1 or somewhere else?

> ipfw add fwd 127.0.0.1,8888 tcp from 192.168.0.154 to any dst-port 80
> ipfw add allow tcp from any 80 to 192.168.0.154 in recv en1 established

can you draw a diagram?

are these two rulesets supposed to coexist on the same machine?
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 8 23:35:20 2010
In-Reply-To: <4C88188A.8010903@elischer.org>
Date: Wed, 8 Sep 2010 19:35:18 -0400
From: Tony
To: Julian Elischer
Cc: freebsd-ipfw@freebsd.org
Subject: Re: All in one machine running w/ Dansguardian+Squid+IPFW

I only use one ruleset at a time .. just trying different ones to see if one or the other works.

en1 is my private lan .. (wireless interface)

either case, it doesn't work .. btw, I'm using snow leopard ..

anyone here try using natd for redirection .. that may work I guess

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 8 23:44:46 2010
In-Reply-To: <4C88188A.8010903@elischer.org>
Date: Wed, 8 Sep 2010 19:44:44 -0400
From: Tony
To: Julian Elischer
Cc: freebsd-ipfw@freebsd.org
Subject: Re: All in one machine running w/ Dansguardian+Squid+IPFW

my setup looks like this

PC1 -> browser -> firewall (redirects port 80 to 8888) -> dansguardian (127.0.0.1:8888) -> squid (127.0.0.1:3333) -> internet

keep in mind that everything you see above is all on the same PC1

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 00:03:57 2010
In-Reply-To: <20091007230909.GB37005@onelab2.iet.unipi.it>
Date: Thu, 9 Sep 2010 05:02:29 +0530
From: Paul Joe
To: Luigi Rizzo, julian, apauljoe@gmail.com
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Extension of dummynet/ipfw to support userspace packet classification

On 10/8/09, Luigi Rizzo wrote:
> On Thu, Oct 08, 2009 at 12:54:52AM +0200, Luigi Rizzo wrote:
>> On Wed, Oct 07, 2009 at 12:46:24PM -0700, Joe R wrote:
>> > We at ironport have a requirement to do bandwidth management, but the
>> > traffic classification (and selection of bandwidth pipes) is done in
>> > userspace. The reason classification is done in userspace is because the
>> > traffic classifications are something like streaming audio traffic, video
>> > traffic, based on website categories etc.
>> >
>> > Our appliance is based on FreeBSD, and so we decided to look at dummynet
>> > to support our requirement. We could not use dummynet as such because it
>> > uses ipfw for packet classification, where packet classification (and pipe
>> > selection) is done in kernel based on tcp/ip parameters like IP and port.
>> >
>> > So we decided to extend dummynet/ipfw to support packet classification in
>> > userspace.
>> >
>> > Our idea is to extend the socket structure to have a pipe number and have
>> > a setsockopt to associate the pipe number with a socket structure. Then
>> > have a new ipfw target (mappedpipe), which will pass the packet to dummynet
>> > (similar to the pipe target) but with the pipe number in the socket
>> > structure if it is non-zero.
>> >
>> > I would like to know your comments on this proposal and if people are
>> > interested, I will be happy to submit a patch on this.
>>
>> i think the feature is useful. However I would implement it as an
>> ipfw 'option' called "sockarg" (or similar) as follows:
>>
>>     ipfw pipe tablearg sockarg
>>
>> where 'sockarg' succeeds ONLY if the packet is associated to a socket
>> for which the special setsockopt has been issued, and in this
>> case sets the 'tablearg' to the value of the setsockopt. This is
>> somewhat similar to the 'uid' and 'gid' options (except for setting
>> tablearg). This way the mechanism can be very general (not limited
>> to pipes) and the implementation is probably
>> simpler than the one you propose.
>>
>> In terms of runtime costs, we can look at the check_uidgid() function,
>> and there are two ways to implement this feature:
>> - as in check_uidgid(), actively look up a matching socket if one
>>   is not available. This is expensive but would allow the feature to
>>   match also incoming packets;
>> - only match if the args->inp parameter is non-null, otherwise do not
>>   call in_pcblookup_hash(). This is cheaper but clearly only works
>>   for locally generated packets.
>> Perhaps we could use an argument for 'sockarg' so we can decide
>> whether to call or not the in_pcblookup_hash() on a case-by-case
>> basis.
>
> To complete the analysis, I must say that I don't know how intrusive
> is the setsockopt that can attach a classification tag to the socket.
> This is my main concern for merging your proposal into the system
> (and i am only concerned about the socket part, the ipfw change is
> trivial).
>
> Also for completeness, there is also another possible approach to
> address your problem, which is more general and fully contained in
> ipfw (so less intrusive for the OS):
>
> add a 'hashtable' structure to ipfw, which works in a way similar
> to the 'table' with the difference that entries would be the whole
> 5-tuple of the packet.
>
> There is already a hash table in ipfw (used for dynamic rules) so
> it would be only a matter of adding the necessary glue to manipulate
> the hash table from /sbin/ipfw. An additional bonus of this approach
> is that one could use this new code to 'prime' the dynamic rule table
> after a reboot, which is a feature that people ask for from time to time.
>
> cheers
> luigi

Hi,

I am attaching a patch taken against HEAD today which implements the socket and ipfw sockarg option as discussed in the thread. Applying this patch, you can associate a pipe with the socket using the setsockopt option (in userspace), and an ipfw rule similar to

    ipfw add 100 pipe tablearg sockarg

will forward the traffic to the pipe associated with the socket.

Please let me know your comments.

Regards,
Joe.
--001636164a2b5543c3048fc7ed55
Content-Type: text/x-diff; charset=US-ASCII; name=patch1
Content-Disposition: attachment; filename=patch1
Content-Transfer-Encoding: base64
X-Attachment-Id: file0

Index: src/sbin/ipfw/ipfw2.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.159
diff -c -u -r1.159 ipfw2.c
--- src/sbin/ipfw/ipfw2.c	19 Apr 2010 16:35:47 -0000	1.159
+++ src/sbin/ipfw/ipfw2.c	8 Sep 2010 22:29:48 -0000
@@ -266,6 +266,7 @@
 	{ "estab",		TOK_ESTAB },
 	{ "established",	TOK_ESTAB },
 	{ "setup",		TOK_SETUP },
+	{ "sockarg",		TOK_SOCKARG },
 	{ "tcpdatalen",		TOK_TCPDATALEN },
 	{ "tcpflags",		TOK_TCPFLAGS },
 	{ "tcpflgs",		TOK_TCPFLAGS },
@@ -1338,6 +1339,9 @@
 			case O_FIB:
 				printf(" fib %u", cmd->arg1 );
 				break;
+			case O_SOCKARG:
+				printf(" sockarg");
+				break;
 
 			case O_IN:
 				printf(cmd->len & F_NOT ? " out" : " in");
@@ -3531,6 +3535,9 @@
 			fill_cmd(cmd, O_FIB, 0, strtoul(*av, NULL, 0));
 			av++;
 			break;
+		case TOK_SOCKARG:
+			fill_cmd(cmd, O_SOCKARG, 0, 0);
+			break;
 
 		case TOK_LOOKUP: {
 			ipfw_insn_u32 *c = (ipfw_insn_u32 *)cmd;
Index: src/sbin/ipfw/ipfw2.h
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.h,v
retrieving revision 1.13
diff -c -u -r1.13 ipfw2.h
--- src/sbin/ipfw/ipfw2.h	19 Apr 2010 15:11:45 -0000	1.13
+++ src/sbin/ipfw/ipfw2.h	8 Sep 2010 22:29:48 -0000
@@ -199,6 +199,7 @@
 	TOK_FIB,
 	TOK_SETFIB,
 	TOK_LOOKUP,
+	TOK_SOCKARG,
 };
 /*
  * the following macro returns an error message if we run out of
Index: src/sys/kern/uipc_socket.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_socket.c,v
retrieving revision 1.349
diff -c -u -r1.349 uipc_socket.c
--- src/sys/kern/uipc_socket.c	7 Aug 2010 17:57:58 -0000	1.349
+++ src/sys/kern/uipc_socket.c	8 Sep 2010 22:29:54 -0000
@@ -123,6 +123,8 @@
 #include <sys/socketvar.h>
 #include <sys/resourcevar.h>
 #include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/ip_var.h>
 #include <sys/signalvar.h>
 #include <sys/stat.h>
 #include <sys/sx.h>
@@ -2461,6 +2463,26 @@
 				so->so_fibnum = 0;
 			}
 			break;
+
+		case SO_SETBPIPE:
+			if(ip_dn_io_ptr == NULL){
+				error = ENOPROTOOPT;
+				goto bad;
+			}
+
+			error = sooptcopyin(sopt, &optval, sizeof optval,
+						sizeof optval);
+			printf("opt val is %d \n", optval);
+			if (optval < 0 || error ){
+				error= EINVAL; 
+				goto bad;
+			}
+	
+			if(so->so_proto->pr_domain->dom_family == PF_INET) 
+				so->so_pipenum = optval;
+			
+			break;
+
 		case SO_SNDBUF:
 		case SO_RCVBUF:
 		case SO_SNDLOWAT:
Index: src/sys/netinet/ip_fw.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v
retrieving revision 1.138
diff -c -u -r1.138 ip_fw.h
--- src/sys/netinet/ip_fw.h	15 Mar 2010 17:14:27 -0000	1.138
+++ src/sys/netinet/ip_fw.h	8 Sep 2010 22:29:58 -0000
@@ -192,10 +192,13 @@
 
 	O_SETFIB,		/* arg1=FIB number */
 	O_FIB,			/* arg1=FIB desired fib number */
+	
+	O_SOCKARG,		/* socket argument */
 
 	O_LAST_OPCODE		/* not an opcode!		*/
 };
 
+
 /*
  * The extension header are filtered only for presence using a bit
  * vector with a flag for each header.
Index: src/sys/netinet/ipfw/ip_fw2.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ipfw/ip_fw2.c,v
retrieving revision 1.45
diff -c -u -r1.45 ip_fw2.c
--- src/sys/netinet/ipfw/ip_fw2.c	27 Jul 2010 14:26:34 -0000	1.45
+++ src/sys/netinet/ipfw/ip_fw2.c	8 Sep 2010 22:30:05 -0000
@@ -1801,6 +1801,39 @@
 					match = 1;
 				break;
+
+			case O_SOCKARG:	{
+				struct inpcb *inp = args->inp;
+				struct inpcbinfo *pi;
+				
+				if(is_ipv6)
+					break;
+
+				if(proto == IPPROTO_TCP)
+					pi = &V_tcbinfo;
+				else if (proto == IPPROTO_UDP)
+					pi = &V_udbinfo;
+				else
+					break;
+
+				/* For incomming packet, lookup up the 
+				inpcb using the src/dest ip/port tuple */
+				if(inp == NULL) {
+					INP_INFO_RLOCK(pi);
+					inp = in_pcblookup_hash(pi, 
+						src_ip, htons(src_port),
+						dst_ip, htons(dst_port),
+						0, NULL);
+					INP_INFO_RUNLOCK(pi);
+				}
+				
+				if(inp && inp->inp_socket) {
+					tablearg = inp->inp_socket->so_pipenum;
+					if(tablearg)
+						match = 1;
+				}
+				break;
+			}
+
 			case O_TAGGED: {
 				struct m_tag *mtag;
 				uint32_t tag = (cmd->arg1 == IP_FW_TABLEARG) ?
Index: src/sys/netinet/ipfw/ip_fw_sockopt.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ipfw/ip_fw_sockopt.c,v
retrieving revision 1.17
diff -c -u -r1.17 ip_fw_sockopt.c
--- src/sys/netinet/ipfw/ip_fw_sockopt.c	7 Apr 2010 08:23:58 -0000	1.17
+++ src/sys/netinet/ipfw/ip_fw_sockopt.c	8 Sep 2010 22:30:06 -0000
@@ -572,6 +572,7 @@
 		case O_IPTOS:
 		case O_IPPRECEDENCE:
 		case O_IPVER:
+		case O_SOCKARG:
 		case O_TCPWIN:
 		case O_TCPFLAGS:
 		case O_TCPOPTS:
Index: src/sys/sys/socket.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/socket.h,v
retrieving revision 1.105
diff -c -u -r1.105 socket.h
--- src/sys/sys/socket.h	9 Jan 2010 23:24:49 -0000	1.105
+++ src/sys/sys/socket.h	8 Sep 2010 22:30:07 -0000
@@ -137,6 +137,7 @@
 #define	SO_LISTENQLEN	0x1012		/* socket's complete queue length */
 #define	SO_LISTENINCQLEN	0x1013	/* socket's incomplete queue length */
 #define	SO_SETFIB	0x1014		/* use this FIB to route */
+#define SO_SETBPIPE	0x1015		/* use this pipe to throttle */
 #endif
 
 /*
Index: src/sys/sys/socketvar.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/socketvar.h,v
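Review bot: the new "sockarg" keyword (ipfw2.c hunks @@ -266 and @@ -3531) comes with no ipfw(8) manual page change, so a user has no way to learn that the option only matches when the packet's socket carries a non-zero value set through the new socket option, that it then sets tablearg to that value, and that (as the ip_fw2.c hunk shows) it is silently a no-op for IPv6 and for anything other than TCP and UDP; please add that paragraph to the rule options section in the same patch.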
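Review bot: the SO_SETBPIPE case (uipc_socket.c @@ -2461) has no privilege check, so any unprivileged process can store an arbitrary pipe number in its own socket and thereby choose which dummynet pipe, and hence which bandwidth class, the `pipe tablearg sockarg` rule sends its traffic to, which defeats the administrator's shaping policy; gate it with a priv_check() on the calling thread, or document that the mechanism is only meant for trusted local processes. While there, drop the debugging `printf("opt val is %d \n", optval);` (it prints `optval` before `error` from sooptcopyin() has even been tested, and it lets any user fill the console log by calling setsockopt in a loop), check an upper bound on the pipe number rather than only `optval < 0`, and return an error for non-PF_INET sockets instead of silently succeeding without storing anything. The `ip_dn_io_ptr == NULL` test is also what forces `#include <netinet/ip_var.h>` into sys/kern and makes a generic socket option depend on dummynet being loaded; this is the intrusiveness Luigi asked about above, and the socket layer could simply store the value and leave its interpretation to ipfw.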
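Review bot: in the O_SOCKARG case (ip_fw2.c @@ -1801) the inpcb returned by in_pcblookup_hash() is dereferenced as `inp->inp_socket->so_pipenum` after `INP_INFO_RUNLOCK(pi)` has already been dropped and without taking the inpcb lock, so a concurrent close can free the pcb and socket between the lookup and the read; keep the inpcbinfo lock held, or lock the returned inpcb, until `tablearg` has been read, the way check_uidgid() in the same file does for uid/gid matching. The lookup also always passes (src_ip, src_port) as the foreign end and (dst_ip, dst_port) as the local end, which is only correct for inbound packets; for an outbound packet that reaches the rule with `args->inp == NULL` the two pairs must be swapped (check_uidgid() keys this on oif), otherwise the lookup never finds the local socket. Lastly, "incomming" in the comment should read "incoming".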
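Review bot: `+#define SO_SETBPIPE 0x1015` (socket.h @@ -137) uses a space after #define where the neighbouring SO_SETFIB line uses a tab, and the option is write-only: there is no matching getsockopt() case in uipc_socket.c and no getsockopt(2)/setsockopt(2) documentation. Since the ipfw side is the generic "sockarg" that Luigi proposed rather than something pipe-specific, the socket-level name and comment ("use this pipe to throttle") should probably not mention pipes either.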
retrieving revision 1.173
diff -c -u -r1.173 socketvar.h
--- src/sys/sys/socketvar.h	18 Jul 2010 20:57:53 -0000	1.173
+++ src/sys/sys/socketvar.h	8 Sep 2010 22:30:07 -0000
@@ -118,6 +118,7 @@
 		char	*so_accept_filter_str;	/* saved user args */
 	} *so_accf;
 	int so_fibnum;		/* routing domain for this socket */
+	int so_pipenum;
 };
 
 /*
--001636164a2b5543c3048fc7ed55--
From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 03:20:43 2010 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0FAC110656DB for ; Thu, 9 Sep 2010 03:20:43 +0000 (UTC) (envelope-from julian@elischer.org) Received: from out-0.mx.aerioconnect.net (out-0-34.mx.aerioconnect.net [216.240.47.94]) by mx1.freebsd.org (Postfix) with ESMTP id E4FC38FC12 for ; Thu, 9 Sep 2010 03:20:42 +0000 (UTC) Received: from idiom.com (postfix@mx0.idiom.com [216.240.32.160]) by out-0.mx.aerioconnect.net (8.13.8/8.13.8) with ESMTP id o893KfGv027883; Wed, 8 Sep 2010 20:20:42 -0700 X-Client-Authorized: MaGic Cook1e X-Client-Authorized: MaGic Cook1e Received: from julian-mac.elischer.org (h-67-100-89-137.snfccasy.static.covad.net [67.100.89.137]) by idiom.com (Postfix) with ESMTP id 68E0A2D6011; Wed, 8 Sep 2010 20:20:41 -0700 (PDT) Message-ID: <4C8852A7.5060508@elischer.org> Date: Wed, 08 Sep 2010 20:21:11 -0700 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.2.9) Gecko/20100825 Thunderbird/3.1.3 MIME-Version: 1.0 To: Tony References: <4C88188A.8010903@elischer.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.67 on 216.240.47.51 Cc: freebsd-ipfw@freebsd.org Subject: Re: All in one machine running w/ Dansguardian+Squid+IPFW X-BeenThere:
freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Sep 2010 03:20:43 -0000

On 9/8/10 4:35 PM, Tony wrote:
> I only use one ruleset at a time ..just trying different ones to see
> if one or the other works. en1 is my private lan ..(wireless interface)
>
> either case, it doesn't work ..btw, I'm using snow leopard ..

um you forgot to mention that one little fact!
being a FreeBSD mailing list I assumed you were using freeBSD!
I have no idea if the apple folks implemented the changes in the IP stack
needed to do the forwarding to localhost. I suspect not..
you may need to look at the darwin sources to find out.

> anyone here try using natd for redirection ..that may work i guess
>
> On Wed, Sep 8, 2010 at 7:13 PM, Julian Elischer wrote:
>
>> On 9/8/10 2:46 PM, Tony wrote:
>>
>>> I have one computer that has Dansguardian (127.0.0.1:8888) and Squid
>>> (127.0.0.1) and IPFW installed. From the same computer, I'm trying to
>>> redirect port 80 to Dansguardian's port 8888 using the rulesets below.
>>> Is this possible? I read that ipfw does not allow forwarding from the same
>>> machine. Is this true? I have tried both these rulesets separately and am
>>> not getting any hits when I do ipfw show. Something wrong with my rules?
>>
>> there was a small window around 6.x (I think) where you needed a
>> special option to fwd to oneself in ipfw. It was removed quickly
>> as it made forwarding useless in general.
>>
>>> Ruleset #1
>>>
>>> ipfw add fwd 127.0.0.1:8888 tcp from 192.168.0.154 to any 80 in recv en1
>>
>> looks vaguely right but I haven't done it in a while.
>>
>>> ipfw add allow tcp from me to any 80 out xmit en1
>>> ipfw add allow tcp from any 80 to me in recv en1
>>>
>>> Ruleset#2
>>>
>>> ipfw add allow tcp from 192.168.0.154 to any 80 out xmit en1
>>
>> make up your mind.. is that machine out via en1 or somewhere else?
>>
>>> ipfw add fwd 127.0.0.1,8888 tcp from 192.168.0.154 to any dst-port 80
>>> ipfw add allow tcp from any 80 to 192.168.0.154 in recv en1 established
>>
>> can you draw a diagram?
>>
>> are these two rulesets supposed to coexist on the same machine?
>>
>>> _______________________________________________
>>> freebsd-ipfw@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 03:22:27 2010 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 381DB10656A3 for ; Thu, 9 Sep 2010 03:22:27 +0000 (UTC) (envelope-from julian@elischer.org) Received: from out-0.mx.aerioconnect.net (out-0-34.mx.aerioconnect.net [216.240.47.94]) by mx1.freebsd.org (Postfix) with ESMTP id 1702D8FC21 for ; Thu, 9 Sep 2010 03:22:26 +0000 (UTC) Received: from idiom.com (postfix@mx0.idiom.com [216.240.32.160]) by out-0.mx.aerioconnect.net (8.13.8/8.13.8) with ESMTP id o893MQ8t027938; Wed, 8 Sep 2010 20:22:26 -0700 X-Client-Authorized: MaGic Cook1e X-Client-Authorized: MaGic Cook1e Received: from julian-mac.elischer.org (h-67-100-89-137.snfccasy.static.covad.net [67.100.89.137]) by idiom.com (Postfix) with ESMTP id D52762D6010; Wed, 8 Sep 2010 20:22:25 -0700 (PDT) Message-ID: <4C88530F.7030709@elischer.org> Date: Wed, 08 Sep 2010 20:22:55 -0700 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.2.9) Gecko/20100825 Thunderbird/3.1.3 MIME-Version: 1.0 To: Tony References: <4C88188A.8010903@elischer.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.67 on 216.240.47.51 Cc: freebsd-ipfw@freebsd.org Subject: Re: All in one machine running w/
Dansguardian+Squid+IPFW X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Sep 2010 03:22:27 -0000

On 9/8/10 4:44 PM, Tony wrote:
> my setup looks like this
>
> PC1 -> browser -> firewall(redirects port 80 to 8888) -> dansguardian(
> 127.0.0.1:8888) -> squid(127.0.0.1:3333) -> internet
>
> keep in mind that everything you see above are all on the same PC1

you may need to use divert and natd to achieve the effect you require.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 06:26:46 2010 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 05AA71065740 for ; Thu, 9 Sep 2010 06:26:46 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id 651D28FC1B for ; Thu, 9 Sep 2010 06:26:44 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id o896Qcfg041823; Thu, 9 Sep 2010 16:26:39 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Thu, 9 Sep 2010 16:26:38 +1000 (EST) From: Ian Smith To: Julian Elischer In-Reply-To: <4C88530F.7030709@elischer.org> Message-ID: <20100909162334.N92609@sola.nimnet.asn.au> References: <4C88188A.8010903@elischer.org> <4C88530F.7030709@elischer.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-ipfw@freebsd.org, Tony Subject: Re: All in one machine running w/ Dansguardian+Squid+IPFW X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Sep 2010 06:26:46 -0000

On Wed, 8 Sep 2010, Julian Elischer wrote:
> On 9/8/10 4:44 PM, Tony wrote:
> > my setup looks like this
> >
> > PC1 -> browser -> firewall(redirects port 80 to 8888) -> dansguardian(
> > 127.0.0.1:8888) -> squid(127.0.0.1:3333) -> internet
> >
> > keep in mind that everything you see above are all on the same PC1
>
> you may need to use divert and natd to achieve the effect you require.

Is this a case where in-kernel NAT wouldn't work as well? Or haven't
apple incorporated that into their ipfw?

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 06:39:26 2010 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3D0CD10656DF for ; Thu, 9 Sep 2010 06:39:26 +0000 (UTC) (envelope-from ozkan.kirik@gmail.com) Received: from mail-qy0-f175.google.com (mail-qy0-f175.google.com [209.85.216.175]) by mx1.freebsd.org (Postfix) with ESMTP id DACE38FC1A for ; Thu, 9 Sep 2010 06:39:24 +0000 (UTC) Received: by qyk31 with SMTP id 31so6029026qyk.13 for ; Wed, 08 Sep 2010 23:39:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=ALNfKZUDc+CYYyi1dW5y+wcGdd+kKfNUdIKVb0oElis=; b=CZsHQkiA++kFtBhaizSyOLOhoHIqRnZCk6rqksW7H64nn+ucgAERITNAjMG5XCmFOH KMLoUeQk0ple/HaTSeog68ZvLqgME/kStRefNQpMasIjz2tXJp0PWXlwbYnCETsHXw58 X/Z/typUejtSY/Nl/XhnZH0KwZ2XlPRkiAU8k= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=fa+40LXYn0xCd3mLdXwtVVQ7jVDzuQivSVWPJ9DJKoE6/t85DIBeQBN0y45YTyrQqH vT5s+p0VNBDZzhihOTVW4y4VmUz3IPAtL5xq5zGIS12kPafSo11xwZCl9KddFMC1pZXC 3cvrmWGtoyri80gYYqSnmDNxBSQ0molAlE7CY= MIME-Version: 1.0 Received: by 10.224.69.16 with SMTP id x16mr211666qai.284.1284012708585; Wed, 08 Sep 2010 23:11:48 -0700 (PDT) Received: by 10.229.46.146 with HTTP; Wed, 8 Sep 2010 23:11:48 -0700
(PDT) In-Reply-To: <4C88530F.7030709@elischer.org> References: <4C88188A.8010903@elischer.org> <4C88530F.7030709@elischer.org> Date: Thu, 9 Sep 2010 09:11:48 +0300 Message-ID: From: =?ISO-8859-1?Q?=D6zkan_KIRIK?= To: freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Subject: Re: All in one machine running w/ Dansguardian+Squid+IPFW X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Sep 2010 06:39:26 -0000

you can forward packets directly to squid by:
ipfw add fwd 127.0.0.1,3333 tcp from not me to any dst-port 80

Ozkan KIRIK
Mersin University @ Turkey

On Thu, Sep 9, 2010 at 6:22 AM, Julian Elischer wrote:
> On 9/8/10 4:44 PM, Tony wrote:
>>
>> my setup looks like this
>>
>> PC1 -> browser -> firewall(redirects port 80 to 8888) -> dansguardian(
>> 127.0.0.1:8888) -> squid(127.0.0.1:3333) -> internet
>>
>> keep in mind that everything you see above are all on the same PC1
>>
>
> you may need to use divert and natd to achieve the effect you require.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 13:01:00 2010 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B2FF510656D1 for ; Thu, 9 Sep 2010 13:01:00 +0000 (UTC) (envelope-from rigstars@gmail.com) Received: from mail-ww0-f50.google.com (mail-ww0-f50.google.com [74.125.82.50]) by mx1.freebsd.org (Postfix) with ESMTP id 4CA1F8FC20
for ; Thu, 9 Sep 2010 13:00:59 +0000 (UTC) Received: by wwb18 with SMTP id 18so1648392wwb.31 for ; Thu, 09 Sep 2010 06:00:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:date:message-id :subject:from:to:content-type; bh=TblE2MyhkRCAtjT2QDOmqaeVdE8+RWSjufb2ezYX+n0=; b=CQLPvWLqXpB867dMZhKCwvZxBqTQGFSVZ6jIJawka2F7Av//DD47DPGQMut1TRR55D 83tHu6HSKrdCnvGBbbtFzOwJxJdR0GBMp8uHaVm2vBxlK7VTotPH5FGPrsENq926400T iOBwjOJgSjErjANlNuB0gWMXVZ6AFGS1ZGd6E= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=rk9Qo7khU/K8QrXzAkxeogZFP5DEQcbol9Qyi5foLU5S9s76efowBnqj//wQxNnc+z OZwmGNqvQB7z+YTXeeoG0tfDkusaJ0Fsc5ps7d3M8AujjY2DEhpzXXp5RmYuDrly5FPp K4K5O6tZO1d7VFafnfXpplqgdJoCzyNV4WLr4= MIME-Version: 1.0 Received: by 10.227.145.14 with SMTP id b14mr302837wbv.24.1284037259232; Thu, 09 Sep 2010 06:00:59 -0700 (PDT) Received: by 10.227.140.211 with HTTP; Thu, 9 Sep 2010 06:00:59 -0700 (PDT) Date: Thu, 9 Sep 2010 09:00:59 -0400 Message-ID: From: Tony To: freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Please convert the equivalent of these rules into IPFW X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Sep 2010 13:01:00 -0000

Can someone please convert these iptables rules into IPFW

#Allow Squid outbound access on port 8080 (Dansguardian)
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 8080 -m owner --uid-owner squid -j ACCEPT

# Allow Squid outbound access on port 80
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT

# Don't redirect root on port 80
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner root -j ACCEPT

# Don't redirect root on port 3128 (Squid)
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner root -j ACCEPT

# Redirect all requests on port 80 to 8080 (Dansguardian)
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

# Accept requests on port 3128 from nobody (Dansguardian user)
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT

# Redirect all other requests on port 3128 to 8080 to prevent users from getting around Dansguardian by going directly to Squid
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080

# Delete the NOTRACK rule that SuSEfirewall2 adds to the raw table of the OUTPUT chain
iptables -t raw -D OUTPUT -o lo -j NOTRACK

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 13:49:13 2010 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C1EC810656B7 for ; Thu, 9 Sep 2010 13:49:13 +0000 (UTC) (envelope-from rigstars@gmail.com) Received: from mail-wy0-f182.google.com (mail-wy0-f182.google.com [74.125.82.182]) by mx1.freebsd.org (Postfix) with ESMTP id 574A08FC16 for ; Thu, 9 Sep 2010 13:49:12 +0000 (UTC) Received: by wyb33 with SMTP id 33so1686043wyb.13 for ; Thu, 09 Sep 2010 06:49:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type; bh=RRp6DFCE1Swueo62r/lrWWUHt3lbWPJcQky+T57/kqo=; b=rqRS/HdKNjLWOfliyoSYGObXX1uDWJ9tuM6fdiQ6eFyADV7eoH+PHQvNl+75g8X+kj PmBGw+cNOde8iGaZ7DDDSPcsHlZSM28BEqzhyrk9tB3qmNRUb1K/YmxqwJ7Aqs99ul+v q6VvAxgXWrn1U+6C4xE36jQuml8U21JXFRnFU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=C2Jlfi9h7lx6wt5Fq91jWn6ipamxORMXEfi+swOJkFaV6erfcGdTscL0v1P/4P8cKc
no+nDWFcowG602C4k7QHZdaXQ29LKz4aH08ZmFTcaPuwXB70s0h3sYHPOX753EKzS8/3 XTc2a5U+Ubpb7hB3xcBX7WtyYkRpygxkuyBx0= MIME-Version: 1.0 Received: by 10.227.68.145 with SMTP id v17mr181986wbi.159.1284040152186; Thu, 09 Sep 2010 06:49:12 -0700 (PDT) Received: by 10.227.140.211 with HTTP; Thu, 9 Sep 2010 06:49:12 -0700 (PDT) In-Reply-To: References: Date: Thu, 9 Sep 2010 09:49:12 -0400 Message-ID: From: Tony To: freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: Please convert the equivalent of these rules into IPFW X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Sep 2010 13:49:13 -0000

I tried converting those iptables rules myself. How do they look?

#Allow Squid outbound access on port 8883 (Dansguardian)
ipfw add allow tcp from 192.168.0.154 to any dst-port 8883 out uid squid

#Allow Squid outbound access on port 80
ipfw add allow tcp from 192.168.0.154 to any dst-port 80 out uid squid

#Redirect all requests on port 80 to 8883 (Dansguardian)
ipfw add fwd 127.0.0.1,8883 tcp from not me to any dst-port 80

# Accept requests on port 3333 from nobody (Dansguardian user)
ipfw add allow tcp from 192.168.0.154 to any dst-port 3333 out uid nobody

//this is to allow clients on same machine to go from browser->dansguardian->squid->internet
//both services are running on the local loopback ip address

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 13:56:19 2010 Return-Path: Delivered-To: ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D560010656ED for ; Thu, 9 Sep 2010 13:56:19 +0000 (UTC) (envelope-from lordcow@lordcow.org) Received: from lordcow.org (lordcow.org [41.203.5.188]) by mx1.freebsd.org (Postfix) with ESMTP id 09C268FC14 for ; Thu, 9 Sep 2010 13:56:18 +0000 (UTC) Received: from lordcow.org (localhost [127.0.0.1]) by lordcow.org (8.14.4/8.14.4) with ESMTP id o89DHcGT021973 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO) for ; Thu, 9 Sep 2010 15:17:38 +0200 (SAST) (envelope-from lordcow@lordcow.org) Received: (from lordcow@localhost) by lordcow.org (8.14.4/8.14.4/Submit) id o89DHXAW021972 for ipfw@freebsd.org; Thu, 9 Sep 2010 15:17:33 +0200 (SAST) (envelope-from lordcow) Date: Thu, 9 Sep 2010 15:17:33 +0200 From: Gareth de Vaux To: ipfw@freebsd.org Message-ID: <20100909131733.GA21535@lordcow.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on lordcow.org
Cc:
Subject: phantom rules
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 09 Sep 2010 13:56:19 -0000

Hi all, for some reason these rules get loaded on boot up before the
ones I specify in a file:

00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 0 0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136

I just flush this manually but how do I stop the behaviour properly?
My rc.conf entries:

firewall_enable="YES"
firewall_type="/usr/local/etc/firewall"
firewall_logging="YES"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 15:30:14 2010
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A99561065670 for ; Thu, 9 Sep 2010 15:30:14 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from out-0.mx.aerioconnect.net (outg.internet-mail-service.net [216.240.47.230]) by mx1.freebsd.org (Postfix) with ESMTP id 893A28FC15 for ; Thu, 9 Sep 2010 15:30:14 +0000 (UTC)
Received: from idiom.com (postfix@mx0.idiom.com [216.240.32.160]) by out-0.mx.aerioconnect.net (8.13.8/8.13.8) with ESMTP id o89FHiXi008558; Thu, 9 Sep 2010 08:17:44 -0700
X-Client-Authorized: MaGic Cook1e
X-Client-Authorized: MaGic Cook1e
X-Client-Authorized: MaGic Cook1e
Received: from julian-mac.elischer.org (h-67-100-89-137.snfccasy.static.covad.net [67.100.89.137]) by idiom.com (Postfix) with ESMTP id 7C4542D601B; Thu, 9 Sep 2010 08:17:42 -0700 (PDT)
Message-ID: <4C88FAB4.4060401@elischer.org>
Date: Thu, 09 Sep 2010 08:18:12 -0700
From: Julian Elischer
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.2.9) Gecko/20100825 Thunderbird/3.1.3
MIME-Version: 1.0
To: Ian Smith
References: <4C88188A.8010903@elischer.org> <4C88530F.7030709@elischer.org> <20100909162334.N92609@sola.nimnet.asn.au>
In-Reply-To: <20100909162334.N92609@sola.nimnet.asn.au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 216.240.47.51
Cc: freebsd-ipfw@freebsd.org, Tony
Subject: Re: All in one machine running w/ Dansguardian+Squid+IPFW
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 09 Sep 2010 15:30:14 -0000

On 9/8/10 11:26 PM, Ian Smith wrote:
> On Wed, 8 Sep 2010, Julian Elischer wrote:
> > On 9/8/10 4:44 PM, Tony wrote:
> > > my setup looks like this
> > >
> > > PC1 -> browser -> firewall(redirects port 80 to 8888) -> dansguardian(
> > > 127.0.0.1:8888) -> squid(127.0.0.1:3333) -> internet
> > >
> > > keep in mind that everything you see above is all on the same PC1
> > >
> >
> > you may need to use divert and natd to achieve the effect you require.
>
> Is this a case where in-kernel NAT wouldn't work as well?
>
> Or haven't Apple incorporated that into their ipfw?

I have doubts as to whether either ipfw forward OR in-kernel nat are in
their version of the stack. (I have no proof but....)

> cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 9 15:45:42 2010
Return-Path:
Delivered-To: ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4C55510656E7 for ; Thu, 9 Sep 2010 15:45:42 +0000 (UTC) (envelope-from julian@elischer.org)
Received: from out-0.mx.aerioconnect.net (outg.internet-mail-service.net [216.240.47.230]) by mx1.freebsd.org (Postfix) with ESMTP id 3022D8FC17 for ; Thu, 9 Sep 2010 15:45:41 +0000 (UTC)
Received: from idiom.com (postfix@mx0.idiom.com [216.240.32.160]) by out-0.mx.aerioconnect.net (8.13.8/8.13.8) with ESMTP id o89FSATD008976; Thu, 9 Sep 2010 08:28:10 -0700
X-Client-Authorized: MaGic Cook1e
X-Client-Authorized: MaGic Cook1e
Received: from julian-mac.elischer.org (h-67-100-89-137.snfccasy.static.covad.net [67.100.89.137]) by idiom.com (Postfix) with ESMTP id 7139B2D6016; Thu, 9 Sep 2010 08:28:09 -0700 (PDT)
Message-ID: <4C88FD27.2060901@elischer.org>
Date: Thu, 09 Sep 2010 08:28:39 -0700
From: Julian Elischer
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.2.9) Gecko/20100825 Thunderbird/3.1.3
MIME-Version: 1.0
To: Gareth de Vaux
References: <20100909131733.GA21535@lordcow.org>
In-Reply-To: <20100909131733.GA21535@lordcow.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on 216.240.47.51
Cc: ipfw@freebsd.org
Subject: Re: phantom rules
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 09 Sep 2010 15:45:42 -0000

On 9/9/10 6:17 AM, Gareth de Vaux wrote:
> Hi all, for some reason these rules get loaded on boot up before the
> ones I specify in a file:
>
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 0 0 deny ip from any to ::1
> 00500 0 0 deny ip from ::1 to any
> 00600 0 0 allow ipv6-icmp from :: to ff02::/16
> 00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 0 0 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
>
> I just flush this manually but how do I stop the behaviour properly?
>
> My rc.conf entries:
>
> firewall_enable="YES"
> firewall_type="/usr/local/etc/firewall"

I think this is supposed to be one of the types supported in
/etc/rc.firewall. I haven't actually looked at it for a while, though.

> firewall_logging="YES"
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
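An added example to show the rc.conf(5) mechanism behind the "phantom rules" question; it is not code from this thread, from any of the posters, or from FreeBSD's own /etc/rc.firewall. rc.conf's firewall_script (default /etc/rc.firewall) names the file that /etc/rc.d/ipfw runs to build the ruleset. Rules 100 to 1000 in the listing above are the loopback and IPv6 sanity rules that the 8.x /etc/rc.firewall installs on its own (its setup_loopback and setup_ipv6_mandatory helpers) before it gets to firewall_type, so a script of your own named in firewall_script produces a ruleset containing only what your rule file says. The POSIX sh script below is such a drop-in. The variable names FWCMD, RULES and FIREWALL_LIB, the function names rules_file_ok and load_rules, the suggested path /usr/local/etc/firewall.sh and the writability check are this example's own conventions; the default rule path is the /usr/local/etc/firewall from the rc.conf quoted above. Setting FWCMD="echo ipfw" turns it into a dry run that prints the ipfw invocations instead of executing them.

```shell
#!/bin/sh
# Drop-in replacement for /etc/rc.firewall, selected in rc.conf with
#   firewall_enable="YES"
#   firewall_script="/usr/local/etc/firewall.sh"
# Example only, not FreeBSD's rc.firewall. Names assumed by this example:
# FWCMD (ipfw invocation), RULES (rule file), FIREWALL_LIB (skip auto-run).

# Rule file: one ipfw command per line without the leading "ipfw", the
# form "ipfw [-q] pathname" accepts. Default is the path the rc.conf in
# this thread uses as firewall_type.
RULES="${RULES:-/usr/local/etc/firewall}"
# ipfw invocation; -q keeps the boot console quiet. FWCMD="echo ipfw"
# shows what would run without touching a live firewall.
FWCMD="${FWCMD:-/sbin/ipfw -q}"

# The rule file is executed with full privilege at every boot, so refuse
# one that is missing, unreadable, or writable by group or other.
# find(1) reports a symlink's own 0777 mode, so a symlinked rule file is
# rejected as well; keep the real file at the configured path.
rules_file_ok() {
    f="$1"
    [ -f "$f" ] && [ -r "$f" ] || return 1
    [ -z "$(find "$f" \( -perm -020 -o -perm -002 \))" ]
}

# Replace the running ruleset with the contents of the rule file.
# Returns non-zero, and changes nothing, when the file fails the checks.
# Same window as /etc/rc.firewall: between the flush and the load only
# the kernel's default rule (deny or accept, per kernel config) applies.
load_rules() {
    f="${1:-$RULES}"
    if ! rules_file_ok "$f"; then
        echo "firewall: refusing to load $f (missing, unreadable, or group/world-writable)" >&2
        return 1
    fi
    $FWCMD -f flush || return 1
    $FWCMD "$f"
}

# /etc/rc.d/ipfw runs this file with no arguments. A failure is reported
# rather than fatal so a bad rule file does not abort the rest of boot;
# set FIREWALL_LIB=1 to source the functions without running anything.
if [ -z "${FIREWALL_LIB:-}" ]; then
    load_rules "${1:-$RULES}" || echo "firewall: ruleset NOT loaded" >&2
fi
```

With firewall_script pointing at this file, the rule file now has to carry its own loopback rule (for example `add 100 allow ip from any to any via lo0`) if you want one, because nothing else adds it any more; firewall_logging is applied by /etc/rc.d/ipfw itself, so it keeps working. A syntax error part way through the rule file leaves the ruleset in whatever state the preceding lines produced, which on a default-deny kernel can mean no remote access, so dry-run a changed file with FWCMD="echo ipfw" first and load it from a console session rather than over ssh.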