From owner-freebsd-ipfw@FreeBSD.ORG Sun Sep 12 19:10:06 2010
Date: Sun, 12 Sep 2010 19:10:05 GMT
Message-Id: <201009121910.o8CJA5Ft073806@freefall.freebsd.org>
From: Thomas Sandford
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup
List-Id: IPFW Technical Discussions

The following reply was made to PR kern/148928; it has been noted by GNATS.

From: Thomas Sandford
To: bug-followup@FreeBSD.org, fmyoen@gmail.com
Subject: Re: kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup
Date: Sun, 12 Sep 2010 19:24:39 +0100

The problem seems to be that ipdivert.ko is not loaded prior to the /etc/rc.d/ipfw script being run. /etc/rc.d/natd _does_ load this module, so restarting the firewall after the boot sequence is complete works.
I've fixed this on my own system by adding

=== cut here 8<===
if checkyesno natd_enable; then
	required_modules="$required_modules ipdivert"
fi
=== cut here 8<===

at the end of the ipfw_prestart() function in /etc/rc.d/ipfw.

This appears to be a regression between the "out of the box" states for 8.0-RELEASE and 8.1-RELEASE.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 13 11:06:57 2010
Date: Mon, 13 Sep 2010 11:06:56 GMT
Message-Id: <201009131106.o8DB6uem001911@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/150141  ipfw       [ipfw]: Not working kernel nat freeBSD 8.1
o kern/149572  ipfw       [ipfw] ipfw kernel nat not working properly
o kern/148928  ipfw       [ipfw] Problem with loading of ipfw NAT rules during s
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148157  ipfw       [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o conf/148144  ipfw       [patch] add ipfw_nat support for rc.firewall simple ty
o conf/148137  ipfw       [ipfw] call order of natd and ipfw startup scripts
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw       [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw       [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw       [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw       [ipfw] ipfw nat does not follow its documentation
o kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/144187  ipfw       [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw       [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw       [ipfw] ipfw table contains the same address
f kern/142951  ipfw       [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw       [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw       [ipfw] install_state: entry already present, done
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet] 6.3-RELEASE-p1 page fault in dummynet (corr
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

79 problems total.
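Added example prompted by the kern/148928 follow-up above (this is my code, not the PR's patch and not /etc/rc.d/ipfw): a preflight check that lists the kernel modules a plain ipfw rules file and the rc.conf knobs imply, and reports which of them are absent from a kldstat(8) listing. checkyesno is re-implemented with rc.subr's truth table; the keyword-to-module mapping (divert to ipdivert, in-kernel nat to ipfw_nat, pipe/queue to dummynet), the use of the firewall_nat_enable knob, and the sample rules file and kldstat output are constructed here.

```shell
#!/bin/sh
# Added example for the kern/148928 follow-up: a preflight check that lists the
# kernel modules an ipfw ruleset depends on and reports those missing from a
# kldstat(8) listing. This is not the PR's patch and not /etc/rc.d/ipfw; the
# keyword-to-module mapping and the sample inputs are constructed here.

# Truth table of rc.subr's checkyesno: YES/TRUE/ON/1 are true, NO/FALSE/OFF/0
# are false, anything else is reported and treated as false.
checkyesno() {
    eval _value=\$${1}
    case "${_value:-}" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)       return 0 ;;
    [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0)   return 1 ;;
    *) echo "warning: \$${1} is not set properly" >&2; return 1 ;;
    esac
}

# Modules implied by the rules in a plain "one ipfw command per line" file:
# divert rules need ipdivert (the module named in the PR), in-kernel nat rules
# need ipfw_nat, and pipe/queue rules need dummynet (mapping assumed here).
modules_for_rules() {  # $1 = rules file
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/          { next }
        /(^|[[:space:]])divert([[:space:]]|$)/        { need["ipdivert"] = 1 }
        /(^|[[:space:]])nat([[:space:]]|$)/           { need["ipfw_nat"] = 1 }
        /(^|[[:space:]])(pipe|queue)([[:space:]]|$)/  { need["dummynet"] = 1 }
        END { for (m in need) print m }
    ' "$1" | sort
}

# Modules implied by rc.conf knobs, the same test the PR follow-up adds to
# ipfw_prestart(): natd_enable=YES means divert rules, so ipdivert is needed
# before the ruleset is installed, not only when /etc/rc.d/natd runs later.
modules_for_rcconf() {
    mods=""
    if checkyesno natd_enable; then mods="$mods ipdivert"; fi
    if checkyesno firewall_nat_enable; then mods="$mods ipfw_nat"; fi
    for m in $mods; do echo "$m"; done | sort -u
}

# Union of both lists, minus whatever the kldstat listing shows as loaded.
missing_modules() {  # $1 = rules file, $2 = file holding kldstat output
    { modules_for_rules "$1"; modules_for_rcconf; } | sort -u | while read -r m; do
        [ -n "$m" ] || continue
        grep -q "[[:space:]]$m\.ko\$" "$2" || echo "$m"
    done
}

# Constructed sample: a natd-style ruleset plus a kldstat listing taken before
# /etc/rc.d/natd has run, i.e. with ipfw.ko loaded but ipdivert.ko not yet.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/firewall" <<'EOF'
-f flush
add 50 divert natd ip from any to any via em0
add 100 allow ip from any to any via lo0
add 200 pipe 1 ip from 10.0.0.0/24 to any out
EOF
    cat > "$tmp/kldstat" <<'EOF'
Id Refs Address    Size     Name
 1   12 0xc0400000 bd9b20   kernel
 2    1 0xc6a1e000 5000     ipfw.ko
EOF
    natd_enable="YES"
    firewall_nat_enable="NO"
    missing_modules "$tmp/firewall" "$tmp/kldstat"   # prints: dummynet, ipdivert
    rm -rf "$tmp"
}
```

Run with `demo` on the constructed inputs, or point `missing_modules` at a real rules file and the saved output of `kldstat`; anything it prints is a module that would have to be in required_modules (or loaded by some earlier rc.d script) before ipfw consumes the file, which is exactly the ordering the PR describes going wrong for ipdivert.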
From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 13 20:36:34 2010
Date: Mon, 13 Sep 2010 22:06:40 +0200 (CEST)
Message-Id: <20100913200640.9F0C610BAE32@vcvps1364.vcdns.de>
From: Mme Claire Page
To: freebsd-ipfw@freebsd.org
Reply-To: mm.chiwe.conte@gmail.com
Subject: Happy Ramadan my dear

I am Mrs Claire Page sending you this mail from my sick bed in the hospital. Please contact my lawyer, Email: (barr_willam_frank@lawyer.com)

I am Mrs Claire Page, sending you this mail from my sick bed in the hospital.
Please contact my lawyer, Email: (barr_willam_frank@lawyer.com)

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 15 03:22:30 2010
Date: Tue, 14 Sep 2010 21:57:21 -0500
From: Brandon Gooch
To: Gareth de Vaux
Cc: ipfw@freebsd.org
In-Reply-To: <20100909131733.GA21535@lordcow.org>
References: <20100909131733.GA21535@lordcow.org>
Subject: Re: phantom rules

On Thu, Sep 9, 2010 at 8:17 AM, Gareth de Vaux wrote:
> Hi all, for some reason these rules get loaded on boot up before the
> ones I specify in a file:
>
> 00100   0     0 allow ip from any to any via lo0
> 00200   0     0 deny ip from any to 127.0.0.0/8
> 00300   0     0 deny ip from 127.0.0.0/8 to any
> 00400   0     0 deny ip from any to ::1
> 00500   0     0 deny ip from ::1 to any
> 00600   0     0 allow ipv6-icmp from :: to ff02::/16
> 00700   0     0 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800   0     0 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900   0     0 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000   0     0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
>
> I just flush this manually but how do I stop the behaviour properly?
>
> My rc.conf entries:
>
> firewall_enable="YES"
> firewall_type="/usr/local/etc/firewall"
> firewall_logging="YES"

I would begin by reading:

$ man 7 firewall
$ man 5 rc.conf
$ less /etc/rc.firewall

I think the source of /etc/rc.firewall may be most enlightening in
regard to the behavior in question (setup_loopback(),
setup_ipv6_mandatory(), etc...).
Have fun, and don't get discouraged (speaking from experience) :)

-Brandon

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 15 04:50:00 2010
Date: Wed, 15 Sep 2010 14:39:06 +1000 (EST)
From: Ian Smith
To: Brandon Gooch
Cc: Gareth de Vaux, ipfw@freebsd.org
Message-ID: <20100915134357.A73353@sola.nimnet.asn.au>
References: <20100909131733.GA21535@lordcow.org>
Subject: Re: phantom rules

On Tue, 14 Sep 2010, Brandon Gooch wrote:
> On Thu, Sep 9, 2010 at 8:17 AM, Gareth de Vaux wrote:
> > Hi all, for some reason these rules get loaded on boot up before the
> > ones I specify in a file:
> >
> > 00100   0     0 allow ip from any to any via lo0
> > 00200   0     0 deny ip from any to 127.0.0.0/8
> > 00300   0     0 deny ip from 127.0.0.0/8 to any
> > 00400   0     0 deny ip from any to ::1
> > 00500   0     0 deny ip from ::1 to any
> > 00600   0     0 allow ipv6-icmp from :: to ff02::/16
> > 00700   0     0 allow ipv6-icmp from fe80::/10 to fe80::/10
> > 00800   0     0 allow ipv6-icmp from fe80::/10 to ff02::/16
> > 00900   0     0 allow ipv6-icmp from any to any ip6 icmp6types 1
> > 01000   0     0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> >
> > I just flush this manually but how do I stop the behaviour properly?
> >
> > My rc.conf entries:
> >
> > firewall_enable="YES"
> > firewall_type="/usr/local/etc/firewall"
> > firewall_logging="YES"
>
> I would begin by reading:
>
> $ man 7 firewall
> $ man 5 rc.conf
> $ less /etc/rc.firewall
>
> I think the source of /etc/rc.firewall may be most enlightening in
> regard to the behavior in question (setup_loopback(),
> setup_ipv6_mandatory(), etc...).
Indeed, that's where these have come from (and Gareth, you DO want those
rules, including the ipv6_mandatory ones if running ipv6), but I suspect
that you may have rather intended this to be:

firewall_script="/usr/local/etc/firewall"

Otherwise - see /etc/defaults/rc.conf for firewall_* - you'll have set:

firewall_script="/etc/rc.firewall"	# Which script to run to set up the firewall
firewall_type="UNKNOWN"		# Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"		# Set to YES to suppress rule display
firewall_logging="NO"		# Set to YES to enable events logging
firewall_flags=""		# Flags passed to ipfw when type is a file

Since you are (by default) using /etc/rc.firewall as the script, if you
specify firewall_type as a file rather than one of those types directly
handled by rc.firewall, then this file is not expected to be a shell
script, but a list of ipfw commands to be directly consumed by ipfw:

ipfw [-cfnNqS] [-p preproc [preproc-flags]] pathname

t23# tail -n6 /etc/rc.firewall
	*)
		if [ -r "${firewall_type}" ]; then
			${fwcmd} ${firewall_flags} ${firewall_type}
		fi
		;;
esac

> Have fun, and don't get discouraged (speaking from experience)

You'll have more fun if you study ipfw(8) rather than trying to learn
much from the dreadful and often just WRONG Handbook section on ipfw ..
> > :)
> > -Brandon

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 15 15:57:06 2010
Date: Wed, 15 Sep 2010 17:30:23 +0200
From: Gareth de Vaux
To: Ian Smith
Cc: Brandon Gooch, ipfw@freebsd.org
Message-ID: <20100915153023.GA84975@lordcow.org>
In-Reply-To: <20100915134357.A73353@sola.nimnet.asn.au>
References: <20100909131733.GA21535@lordcow.org> <20100915134357.A73353@sola.nimnet.asn.au>
Subject: Re: phantom rules

On Wed 2010-09-15 (14:39), Ian Smith wrote:
> Indeed, that's where these have come from (and Gareth, you DO want those
> rules, including the ipv6_mandatory ones if running ipv6)

I don't, because I run my own from my own file. (I'm not using ipv6
either).

> but I suspect that you may have rather intended this to be:
>
> firewall_script="/usr/local/etc/firewall"

Nope I intended it as before - firewall_type="", and my file is
in the format you mention later, and it works, just preceded with that
stuff I didn't ask for.

The first line in /usr/local/etc/firewall for example is:

add pass all from any to any via lo0

so I end up with 2 of these rules, plus that other stuff.

So are there some variables I can set that disable this second-guessing
behaviour?

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 15 16:34:26 2010
Date: Thu, 16 Sep 2010 02:34:24 +1000 (EST)
From: Ian Smith
To: Gareth de Vaux
Cc: Brandon Gooch, ipfw@freebsd.org
Message-ID: <20100916013417.X73353@sola.nimnet.asn.au>
In-Reply-To: <20100915153023.GA84975@lordcow.org>
References: <20100909131733.GA21535@lordcow.org> <20100915134357.A73353@sola.nimnet.asn.au> <20100915153023.GA84975@lordcow.org>
Subject: Re: phantom rules

On Wed, 15 Sep 2010, Gareth de Vaux wrote:
> On Wed 2010-09-15 (14:39), Ian Smith wrote:
> > Indeed, that's where these have come from (and Gareth, you DO want those
> > rules, including the ipv6_mandatory ones if running ipv6)
>
> I don't, because I run my own from my own file. (I'm not using ipv6
> either).

Ok. You do have inet6 available, which is why those rules were added.

> > but I suspect that you may have rather intended this to be:
> >
> > firewall_script="/usr/local/etc/firewall"
>
> Nope I intended it as before - firewall_type="", and my file is
> in the format you mention later, and it works, just preceded with that
> stuff I didn't ask for.
>
> The first line in /usr/local/etc/firewall for example is:
>
> add pass all from any to any via lo0
>
> so I end up with 2 of these rules, plus that other stuff.
>
> So are there some variables I can set that disable this second-guessing
> behaviour?

Using '-f flush' as your first ipfw command should do the job, just as
rc.firewall did before calling setup_loopback and setup_ipv6_mandatory.
cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 16 17:12:13 2010
Date: Thu, 16 Sep 2010 17:12:13 GMT
Message-Id: <201009161712.o8GHCDdD022823@freefall.freebsd.org>
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, piso@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/122109: [ipfw] ipfw nat traceroute problem

Synopsis: [ipfw] ipfw nat traceroute problem

Responsible-Changed-From-To: piso->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Sep 16 17:10:45 UTC 2010
Responsible-Changed-Why:
piso's bit has been returned.

http://www.freebsd.org/cgi/query-pr.cgi?pr=122109

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 17 17:12:05 2010
Date: Fri, 17 Sep 2010 19:00:26 +0200
From: "Jon Otterholm"
Subject: Dummynet buckets

Hi.

Installed a new router running 8-stable and encountered some problems when
configuring dummynet pipes:

When setting buckets above 1024...

ipfw pipe 91 config bw 100Mbit/s mask src-ip 0xffffffff buckets 4096

...I get the following error:

Clamp sched buckets to 1024 (was 4096)

# sysctl net.inet.ip.dummynet.hash_size
net.inet.ip.dummynet.hash_size: 4096

from man ipfw:
    buckets hash-table-size
          Specifies the size of the hash table used for storing the various
          queues.  Default value is 64 controlled by the sysctl(8) variable
          net.inet.ip.dummynet.hash_size, allowed range is 16 to 65536.

Am I missing something here? This worked fine in the 7-branch.

//JO
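Worked example for the "phantom rules" thread above (added here; this is my code, not code from the thread and not FreeBSD's /etc/rc.firewall or ipfw). A fake ipfw records rules in a file, and rc_firewall() models just the part of rc.firewall the thread turns on: flush, setup_loopback, setup_ipv6_mandatory, then the dispatch on firewall_type that feeds a readable file to ipfw as a plain command list. It reports the rule numbers that result when firewall_type names a file, when that file begins with "-f flush" as Ian suggested, and when the file is run directly as firewall_script would. Assumed: all function names, the two-rule sample file standing in for /usr/local/etc/firewall, and the simplified auto-numbering (next multiple of 100 above the last rule).

```shell
#!/bin/sh
# Added example for the "phantom rules" thread; not code from the thread or
# from FreeBSD's /etc/rc.firewall. A fake ipfw keeps its rule table in a file,
# and rc_firewall() models the part of rc.firewall that matters here: flush,
# setup_loopback, setup_ipv6_mandatory, then dispatch on firewall_type.

RULES=$(mktemp)   # the fake kernel rule table: "<number> <rule>" per line
trap 'rm -f "$RULES"' EXIT

# Highest rule number in the table, 0 when it is empty.
last_rule() {
    if [ -s "$RULES" ]; then sort -n "$RULES" | tail -n 1 | cut -d' ' -f1; else echo 0; fi
}

# Subset of ipfw(8) that rc.firewall relies on: "-f flush", "add [num] ..." and
# "<pathname>" (a plain list of ipfw commands). Unnumbered rules get the next
# multiple of 100 above the last rule, a simplified form of ipfw's
# auto-numbering with the default step of 100 (assumption, not ipfw's code).
fake_ipfw() {
    case "$1" in
    -f) [ "$2" = flush ] && : > "$RULES" ;;
    add)
        shift
        case "$1" in
        ""|*[!0-9]*) num=$(( ( $(last_rule) / 100 + 1 ) * 100 )) ;;
        *) num=$1; shift ;;
        esac
        printf '%d %s\n' "$num" "$*" >> "$RULES"
        ;;
    *)  # a pathname: each non-blank, non-comment line is an ipfw command
        while read -r line; do
            case "$line" in ""|\#*) continue ;; esac
            fake_ipfw $line
        done < "$1"
        ;;
    esac
}

# The rules rc.firewall always installs first, numbered as in the listing
# Gareth posted; rc.firewall adds the ipv6 set when inet6 is available.
setup_loopback() {
    fake_ipfw add 100 allow ip from any to any via lo0
    fake_ipfw add 200 deny ip from any to 127.0.0.0/8
    fake_ipfw add 300 deny ip from 127.0.0.0/8 to any
}
setup_ipv6_mandatory() {
    fake_ipfw add 400 deny ip from any to ::1
    fake_ipfw add 500 deny ip from ::1 to any
    fake_ipfw add 600 allow ipv6-icmp from :: to ff02::/16
    fake_ipfw add 700 allow ipv6-icmp from fe80::/10 to fe80::/10
    fake_ipfw add 800 allow ipv6-icmp from fe80::/10 to ff02::/16
    fake_ipfw add 900 allow ipv6-icmp from any to any ip6 icmp6types 1
    fake_ipfw add 1000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
}

# Dispatch on firewall_type: a keyword is handled inline, anything else is
# tried as a readable file and handed to ipfw, like the tail of rc.firewall
# that Ian quoted.
rc_firewall() {  # $1 = firewall_type, $2 = yes when inet6 is available
    fake_ipfw -f flush
    setup_loopback
    [ "$2" = yes ] && setup_ipv6_mandatory
    case "$1" in
    [Oo][Pp][Ee][Nn]) fake_ipfw add 65000 allow ip from any to any ;;
    [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ;;
    *) [ -r "$1" ] && fake_ipfw "$1" ;;
    esac
}

# Rule numbers currently in the table, space-separated and in order.
rule_numbers() { sort -n "$RULES" | cut -d' ' -f1 | tr '\n' ' ' | sed 's/ $//'; }

# Three ways of loading the same two-rule file (a constructed stand-in for
# /usr/local/etc/firewall); returns the resulting rule numbers, "|"-separated.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'add pass all from any to any via lo0' 'add deny ip from any to any' > "$tmp/fw"
    { echo '-f flush'; cat "$tmp/fw"; } > "$tmp/fw.flush"
    rc_firewall "$tmp/fw" yes;       a=$(rule_numbers)   # firewall_type names the file
    rc_firewall "$tmp/fw.flush" yes; b=$(rule_numbers)   # same, but the file flushes first
    fake_ipfw -f flush; fake_ipfw "$tmp/fw"; c=$(rule_numbers)   # as firewall_script would
    rm -rf "$tmp"
    printf '%s|%s|%s\n' "$a" "$b" "$c"
}
```

`demo` returns `100 200 300 400 500 600 700 800 900 1000 1100 1200|100 200|100 200`: with firewall_type pointing at the file, Gareth's own loopback rule lands at 1100 behind the ten rules rc.firewall installed, which is the duplicate he saw; a leading `-f flush` in the file wipes those ten before his rules are added, and bypassing rc.firewall altogether (firewall_script) never installs them. The trade-off Ian points out still applies: the flushed rules are the ones that protect lo0 and 127/8, so a file that flushes them should re-add its own equivalents.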