From owner-freebsd-ipfw Tue Sep 26 5:45:40 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from netvalue-gw.netvalue.fr (netvalue-gw.netvalue.fr [195.115.44.161]) by hub.freebsd.org (Postfix) with ESMTP id 1E16D37B42C for ; Tue, 26 Sep 2000 05:45:37 -0700 (PDT) Received: (from bin@localhost) by netvalue-gw.netvalue.fr (8.9.3/8.8.8) id OAA46083 for ; Tue, 26 Sep 2000 14:45:34 +0200 (CEST) (envelope-from erwan@netvalue.com) X-Authentication-Warning: netvalue-gw.netvalue.fr: bin set sender to using -f Received: from (dauphine.netvalue.fr [192.168.1.13]) by netvalue-gw.netvalue.fr via smap (V2.1) id xma046080; Tue, 26 Sep 00 14:45:33 +0200 Received: from mail-hk.netvalue.fr ([192.168.100.13]) by mail.netvalue.fr (Netscape Messaging Server 3.6) with ESMTP id AAA96D for ; Tue, 26 Sep 2000 14:45:33 +0200 Received: from netvalue.com ([192.168.100.100]) by mail-hk.netvalue.fr (Netscape Messaging Server 4.15) with ESMTP id G1HVF500.25U; Tue, 26 Sep 2000 20:45:05 +0800 Message-ID: <39D09A6A.C890BD35@netvalue.com> Date: Tue, 26 Sep 2000 20:45:30 +0800 
From: Erwan Arzur Organization: NetValue Ltd. X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en, fr-FR MIME-Version: 1.0 To: Ari Suutari Cc: "Eric J. Schwertfeger" , freebsd-ipfw@FreeBSD.ORG Subject: Re: IPSEC tunnel mode & ipfw References: <003f01bffaac$5cfd3440$0e05a8c0@intranet.syncrontech.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG

Ari Suutari wrote:
>
> Hi,
>
> > On Fri, 28 Jul 2000, Ari Suutari wrote:
> >
> > > However, I'm a little bit worried, since this last rule
> > > would also allow packets through if someone pretends
> > > to be 192.168.1.xxx since there is no way to tell ipfw
> > > that the rule is valid only if the packet being examined
> > > has arrived through IPsec tunnel.
> > >
> > > I solved this temporarily by using pipsecd - now I can
> > > trust that packets coming from interface tun0 have
> > > gone through IPsec checks. However, I would like
> > > to use the functionality available in kernel.
> >
> > I've tackled that problem as well, and came up with two possible
> > solutions.
> >

A second box on each end (with 2 ethernet cards) would do the trick. You'd only have to let ip proto 50 go through your firewall. A bit more expensive, but much safer, I think ...

-- 
Erwan Arzur
NetValue ltd.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Sep 26 20: 9:44 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 495DF37B424; Tue, 26 Sep 2000 20:08:47 -0700 (PDT) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 9B13D1C41; Tue, 26 Sep 2000 23:08:46 -0400 (EDT) Date: Tue, 26 Sep 2000 23:08:46 -0400
From: Bill Fumerola To: freebsd-ipfw@freebsd.org Cc: luigi@freebsd.org Subject: REVIEW REQUEST - new ipfw options Message-ID: <20000926230846.H34501@jade.chc-chimes.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG

[ sent to net@ and ipfw@, discussion in ipfw@ ]

Please review the following patch for ipfw, adding more fields to provide the firewall administrator with a higher level of granularity.

This patch also introduces a new flags member to struct ip_fw as I ran out of space in that, and I feel that splitting up things that change the operation of ipfw internally and things that define where we poke around belong in different locations. It's possible that more things now belong in the new flag member.

Everything should be pretty straightforward. One thing notably absent is the diff to ipfw.8 in this patch. That's not due to incompetence with cvs, that's due to incompetence with mdoc. It should be very easy for someone with any mdoc clue to add these options in ipfw.8, and I'd ask that someone do that.

Thanks,

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

----- Forwarded message from Bill Fumerola -----

Index: ipfw.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v retrieving revision 1.89 diff -u -r1.89 ipfw.c --- ipfw.c 2000/08/16 07:36:29 1.89 +++ ipfw.c 2000/09/27 02:38:43 @@ -412,7 +412,7 @@ if (chain->fw_flg & IP_FW_F_FRAG) printf(" frag"); - if (chain->fw_ipopt || chain->fw_ipnopt) { + if (chain->fw_ipflg & IP_FW_IF_IPOPT) { int _opt_printed = 0; #define PRINTOPT(x) {if (_opt_printed) printf(",");\ printf(x); _opt_printed = 1;}
@@ -428,12 +428,39 @@ if (chain->fw_ipnopt & IP_FW_IPOPT_TS) PRINTOPT("!ts"); } + if (chain->fw_ipflg & IP_FW_IF_IPLEN) + printf(" iplen %u", chain->fw_iplen); + if (chain->fw_ipflg & IP_FW_IF_IPID) + printf(" ipid 0x%04x", chain->fw_ipid); + + if (chain->fw_ipflg & IP_FW_IF_IPTOS) { + int _opt_printed = 0; + + printf(" iptos "); + if (chain->fw_iptos & IPTOS_LOWDELAY) PRINTOPT("lowdelay"); + if (chain->fw_ipntos & IPTOS_LOWDELAY) PRINTOPT("!lowdelay"); + if (chain->fw_iptos & IPTOS_THROUGHPUT) PRINTOPT("throughput"); + if (chain->fw_ipntos & IPTOS_THROUGHPUT) PRINTOPT("!throughput"); + if (chain->fw_iptos & IPTOS_RELIABILITY) PRINTOPT("reliability"); + if (chain->fw_ipntos & IPTOS_RELIABILITY) PRINTOPT("!reliability"); + if (chain->fw_iptos & IPTOS_MINCOST) PRINTOPT("mincost"); + if (chain->fw_ipntos & IPTOS_MINCOST) PRINTOPT("!mincost"); + if (chain->fw_iptos & IPTOS_CE) PRINTOPT("congestion"); + if (chain->fw_ipntos & IPTOS_CE) PRINTOPT("!congestion"); + } + + if (chain->fw_ipflg & IP_FW_IF_IPTTL) + printf(" ipttl %u", chain->fw_ipttl); + + if (chain->fw_ipflg & IP_FW_IF_IPVER) + printf(" ipversion %u", chain->fw_ipver); + if (chain->fw_tcpf & IP_FW_TCPF_ESTAB) printf(" established"); else if (chain->fw_tcpf == IP_FW_TCPF_SYN && chain->fw_tcpnf == IP_FW_TCPF_ACK) printf(" setup"); - else if (chain->fw_tcpf || chain->fw_tcpnf) { + else if (chain->fw_ipflg & IP_FW_IF_TCPOPT) { int _flg_printed = 0; #define PRINTFLG(x) {if (_flg_printed) printf(",");\ printf(x); _flg_printed = 1;} @@ -452,7 +479,7 @@ if (chain->fw_tcpf & IP_FW_TCPF_URG) PRINTFLG("urg"); if (chain->fw_tcpnf & IP_FW_TCPF_URG) PRINTFLG("!urg"); } - if (chain->fw_tcpopt || chain->fw_tcpnopt) { + if (chain->fw_ipflg & IP_FW_IF_TCPOPT) { int _opt_printed = 0; #define PRINTTOPT(x) {if (_opt_printed) printf(",");\ printf(x); _opt_printed = 1;} 
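Review bot: the tcpflags printing branch in the -428 hunk is gated on the wrong new bit. `- else if (chain->fw_tcpf || chain->fw_tcpnf) {` becomes `+ else if (chain->fw_ipflg & IP_FW_IF_TCPOPT) {`, which is the same test the tcpoptions block in the -452 hunk switches to, while the parser sets IP_FW_IF_TCPFLG for `tcpflags`, `setup` and `established`. As written, `ipfw list` drops the flags from a rule that only uses `tcpflags`, and a rule that only uses `tcpoptions` prints an empty ` tcpflags ` before its options. This branch should test `IP_FW_IF_TCPFLG`.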
@@ -470,6 +497,13 @@ if (chain->fw_tcpnopt & IP_FW_TCPOPT_CC) PRINTTOPT("!cc"); } + if (chain->fw_ipflg & IP_FW_IF_TCPSEQ) + printf(" tcpseq %lu", ntohl(chain->fw_tcpseq)); + if (chain->fw_ipflg & IP_FW_IF_TCPACK) + printf(" tcpack %lu", ntohl(chain->fw_tcpack)); + if (chain->fw_ipflg & IP_FW_IF_TCPWIN) + printf(" tcpwin %hu", ntohs(chain->fw_tcpwin)); + if (chain->fw_flg & IP_FW_F_ICMPBIT) { int type_index; int first = 1; @@ -837,7 +871,15 @@ " {established|setup}\n" " tcpflags [!]{syn|fin|rst|ack|psh|urg},...\n" " ipoptions [!]{ssrr|lsrr|rr|ts},...\n" +" iplen {length}\n" +" ipid {identification number (in hex)}\n" +" iptos [!]{lowdelay|throughput|reliability|mincost|congestion}\n" +" ipttl {time to live}\n" +" ipversion {version number}\n" " tcpoptions [!]{mss|window|sack|ts|cc},...\n" +" tcpseq {sequence number}\n" +" tcpack {acknowledgement number}\n" +" tcpwin {window size}\n" " icmptypes {type[,type]}...\n" " pipeconfig:\n" " {bw|bandwidth} {bit/s|Kbit/s|Mbit/s|Bytes/s|KBytes/s|MBytes/s}\n" @@ -1148,6 +1190,40 @@ } static void +fill_iptos(u_char *set, u_char *reset, char **vp) +{ + char *p = *vp,*q; + u_char *d; + + while (p && *p) { + if (*p == '!') { + p++; + d = reset; + } else { + d = set; + } + q = strchr(p, ','); + if (q) + *q++ = '\0'; + if (!strncmp(p,"lowdelay",strlen(p))) + *d |= IPTOS_LOWDELAY; + if (!strncmp(p,"throughput",strlen(p))) + *d |= IPTOS_THROUGHPUT; + if (!strncmp(p,"reliability",strlen(p))) + *d |= IPTOS_RELIABILITY; + if (!strncmp(p,"mincost",strlen(p))) + *d |= IPTOS_MINCOST; + if (!strncmp(p,"congestion",strlen(p))) + *d |= IPTOS_CE; +#if 0 /* conflicting! */ + if (!strncmp(p,"ecntransport",strlen(p))) + *d |= IPTOS_ECT; +#endif + p = q; + } +} + +static void fill_icmptypes(types, vp, fw_flg) u_long *types; char **vp; 
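Review bot: in the fill_iptos() hunk (-1148) a bare `!` argument is not rejected: after `p++` the token is empty, so `strncmp(p,"lowdelay",strlen(p))` is a zero-length compare that succeeds for every keyword and sets all five bits in `reset`. The existing fill_ipopt()/fill_tcpopts() share this prefix-matching style, but a new function could call show_usage() when `*p == '\0'` after the `!`, and ideally when a token matches no keyword at all instead of being silently ignored. Separately, in the -470 hunk `printf(" tcpseq %lu", ntohl(chain->fw_tcpseq))` (and the tcpack line) passes a u_int32_t to %lu, which is only correct where long is 32 bits; cast to (u_long) or use %u.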
@@ -1878,22 +1954,78 @@ rule.fw_flg |= IP_FW_F_FRAG; av++; ac--; continue; } - if (!strncmp(*av,"ipoptions",strlen(*av))) { + if (!strncmp(*av,"ipoptions",strlen(*av)) || + !strncmp(*av,"ipopts",strlen(*av))) { av++; ac--; if (!ac) show_usage("missing argument" " for ``ipoptions''"); + rule.fw_ipflg |= IP_FW_IF_IPOPT; fill_ipopt(&rule.fw_ipopt, &rule.fw_ipnopt, av); av++; ac--; continue; } + if (!strncmp(*av,"iplen",strlen(*av))) { + av++; ac--; + if (!ac) + show_usage("missing arguement" + " for ``iplen''"); + rule.fw_ipflg |= IP_FW_IF_IPLEN; + rule.fw_iplen = (u_short)strtoul(*av, NULL, 0); + av++; ac--; continue; + } + if (!strncmp(*av,"ipid",strlen(*av))) { + av++; ac--; + if (!ac) + show_usage("missing arguement" + " for ``ipid''"); + rule.fw_ipflg |= IP_FW_IF_IPID; + if (strlen(*av) != 6 || (*av)[0] != '0' || (*av)[1] != 'x' || + isxdigit((*av)[2]) == 0 || + isxdigit((*av)[3]) == 0 || + isxdigit((*av)[4]) == 0 || + isxdigit((*av)[5]) == 0) + show_usage("arguement to ipid must be in hex"); + rule.fw_ipid = (u_short)strtoul(*av, NULL, 0); + av++; ac--; continue; + } + if (!strncmp(*av,"iptos",strlen(*av))) { + av++; ac--; + if (!ac) + show_usage("missing arguement" + " for ``iptos''"); + rule.fw_ipflg |= IP_FW_IF_IPTOS; + fill_iptos(&rule.fw_iptos, &rule.fw_ipntos, av); + av++; ac--; continue; + } + if (!strncmp(*av,"ipttl",strlen(*av))) { + av++; ac--; + if (!ac) + show_usage("missing arguement" + " for ``ipttl''"); + rule.fw_ipflg |= IP_FW_IF_IPTTL; + rule.fw_ipttl = (u_short)strtoul(*av, NULL, 0); + av++; ac--; continue; + } + if (!strncmp(*av,"ipversion",strlen(*av)) || + !strncmp(*av,"ipver",strlen(*av))) { + av++; ac--; + if (!ac) + show_usage("missing arguement" + " for ``ipversion''"); + rule.fw_ipflg |= IP_FW_IF_IPVER; + rule.fw_ipver = (u_short)strtoul(*av, NULL, 0); + av++; ac--; continue; + } if (rule.fw_prot == IPPROTO_TCP) { if (!strncmp(*av,"established",strlen(*av))) { rule.fw_tcpf |= IP_FW_TCPF_ESTAB; + rule.fw_ipflg |= IP_FW_IF_TCPFLG; av++; 
ac--; continue; } if (!strncmp(*av,"setup",strlen(*av))) { rule.fw_tcpf |= IP_FW_TCPF_SYN; rule.fw_tcpnf |= IP_FW_TCPF_ACK; + rule.fw_ipflg |= IP_FW_IF_TCPFLG; av++; ac--; continue; } if (!strncmp(*av,"tcpflags",strlen(*av)) || !strncmp(*av,"tcpflgs",strlen(*av))) { @@ -1901,6 +2033,7 @@ if (!ac) show_usage("missing argument" " for ``tcpflags''"); + rule.fw_ipflg |= IP_FW_IF_TCPFLG; fill_tcpflag(&rule.fw_tcpf, &rule.fw_tcpnf, av); av++; ac--; continue; } @@ -1909,9 +2042,37 @@ if (!ac) show_usage("missing argument" " for ``tcpoptions''"); + rule.fw_ipflg |= IP_FW_IF_TCPOPT; fill_tcpopts(&rule.fw_tcpopt, &rule.fw_tcpnopt, av); av++; ac--; continue; } + if (!strncmp(*av,"tcpseq",strlen(*av))) { + av++; ac--; + if (!ac) + show_usage("missing arguement" + " for ``tcpseq''"); + rule.fw_ipflg |= IP_FW_IF_TCPSEQ; + rule.fw_tcpseq = htonl((u_int32_t)strtoul(*av, NULL, 0)); + av++; ac--; continue; + } + if (!strncmp(*av,"tcpack",strlen(*av))) { + av++; ac--; + if (!ac) + show_usage("missing arguement" + " for ``tcpack''"); + rule.fw_ipflg |= IP_FW_IF_TCPACK; + rule.fw_tcpack = htonl((u_int32_t)strtoul(*av, NULL, 0)); + av++; ac--; continue; + } + if (!strncmp(*av,"tcpwin",strlen(*av))) { + av++; ac--; + if (!ac) + show_usage("missing arguement" + " for ``tcpwin''"); + rule.fw_ipflg |= IP_FW_IF_TCPWIN; + rule.fw_tcpwin = htons((u_short)strtoul(*av, NULL, 0)); + av++; ac--; continue; + } } if (rule.fw_prot == IPPROTO_ICMP) { if (!strncmp(*av,"icmptypes",strlen(*av))) { Index: /sys/netinet/ip_fw.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v retrieving revision 1.140 diff -u -r1.140 ip_fw.c --- /sys/netinet/ip_fw.c 2000/09/12 02:38:05 1.140 +++ /sys/netinet/ip_fw.c 2000/09/26 07:14:14 
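Review bot: the new numeric options in the -1878 hunk are parsed with strtoul() and stored by blind cast, so out-of-range input is silently truncated rather than rejected: `rule.fw_ipttl = (u_short)strtoul(*av, NULL, 0);` lands in a u_char, `rule.fw_ipver` is a 4-bit field, and `rule.fw_tcpwin = htons((u_short)strtoul(*av, NULL, 0));` wraps at 65535, so `ipttl 300` quietly becomes a rule matching TTL 44. Check the end pointer from strtoul() and the valid range for each field and call show_usage() on failure, as the `ipid` branch already does for its hex format. Every new show_usage() string in these hunks also spells "argument" as "arguement", unlike the existing `ipoptions`/`tcpflags` messages.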
@@ -193,6 +193,7 @@ iface_match __P((struct ifnet *ifp, union ip_fw_if *ifu, int byname)); static int ipopts_match __P((struct ip *ip, struct ip_fw *f)); +static int iptos_match __P((struct ip *ip, struct ip_fw *f)); static __inline int port_match __P((u_short *portptr, int nports, u_short port, int range_flag, int mask)); @@ -354,6 +355,33 @@ } static int +iptos_match(struct ip *ip, struct ip_fw *f) +{ + + u_int flags = (ip->ip_tos & 0x1f); + u_char opts, nopts, nopts_sve; + + opts = f->fw_iptos; + nopts = nopts_sve = f->fw_ipntos; + + while (flags != 0) { + u_int flag; + + flag = 1 << (ffs(flags) -1); + opts &= ~flag; + nopts &= ~flag; + flags &= ~flag; + } + + if (opts == 0 && nopts == nopts_sve) + return 1; + else + return 0; + +} + + +static int tcpopts_match(struct tcphdr *tcp, struct ip_fw *f) { register u_char *cp; @@ -1108,9 +1136,19 @@ continue; } - /* Check IP options */ - if (f->fw_ipopt != f->fw_ipnopt && !ipopts_match(ip, f)) + /* Check IP header values */ + if (f->fw_ipflg & IP_FW_IF_IPOPT && !ipopts_match(ip, f)) + continue; + if (f->fw_ipflg & IP_FW_IF_IPLEN && f->fw_iplen != ip->ip_len) + continue; + if (f->fw_ipflg & IP_FW_IF_IPID && f->fw_ipid != ip->ip_id) continue; + if (f->fw_ipflg & IP_FW_IF_IPTOS && !iptos_match(ip, f)) + continue; + if (f->fw_ipflg & IP_FW_IF_IPTTL && f->fw_ipttl != ip->ip_ttl) + continue; + if (f->fw_ipflg & IP_FW_IF_IPVER && f->fw_ipver != ip->ip_v) + continue; /* Check protocol; if wildcard, and no [ug]id, match */ if (f->fw_prot == IPPROTO_IP) { 
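Review bot: the `ipid` comparison in the -1108 hunk mixes byte orders. `+ if (f->fw_ipflg & IP_FW_IF_IPID && f->fw_ipid != ip->ip_id)` compares against ip->ip_id, which is still in network byte order when ip_fw_chk() runs (ip_input() only byte-swaps ip_len and ip_off), but the userland side stores `rule.fw_ipid = (u_short)strtoul(*av, NULL, 0)` in host order, so on i386 `ipid 0x1234` only matches packets carrying 0x3412 on the wire. Store it with htons() in ipfw.c, as the tcpseq/tcpack/tcpwin branches already do, so the kernel can keep comparing the raw field here. The iplen check is consistent as written, since ip_len is already in host order at this point on both the input and output paths.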
@@ -1211,9 +1249,15 @@ } tcp = (struct tcphdr *) ((u_int32_t *)ip + ip->ip_hl); - if (f->fw_tcpopt != f->fw_tcpnopt && !tcpopts_match(tcp, f)) + if (f->fw_ipflg & IP_FW_IF_TCPOPT && !tcpopts_match(tcp, f)) + continue; + if (f->fw_ipflg & IP_FW_IF_TCPFLG && !tcpflg_match(tcp, f)) + continue; + if (f->fw_ipflg & IP_FW_IF_TCPSEQ && tcp->th_seq != f->fw_tcpseq) + continue; + if (f->fw_ipflg & IP_FW_IF_TCPACK && tcp->th_ack != f->fw_tcpack) continue; - if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f)) + if (f->fw_ipflg & IP_FW_IF_TCPWIN && tcp->th_win != f->fw_tcpwin) continue; goto check_ports; } Index: /sys/netinet/ip_fw.h =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.52 diff -u -r1.52 ip_fw.h --- /sys/netinet/ip_fw.h 2000/08/22 00:32:52 1.52 +++ /sys/netinet/ip_fw.h 2000/09/26 07:14:42 @@ -54,7 +54,7 @@ struct in_addr fw_src, fw_dst; /* Source and destination IP addr */ struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */ u_short fw_number; /* Rule number */ - u_int fw_flg; /* Flags word */ + u_int fw_flg; /* Operational Flags word */ #define IP_FW_MAX_PORTS 10 /* A reasonable maximum */ union { u_short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */ 
@@ -62,9 +62,16 @@ #define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8)) unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */ } fw_uar; + u_int fw_ipflg; /* IP flags word */ u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */ + u_short fw_iplen, fw_ipid; /* IP length, identification */ + u_char fw_iptos, fw_ipntos; /* IP type of service set/unset */ + u_char fw_ipttl; /* IP time to live */ + u_int fw_ipver:4; /* IP version */ u_char fw_tcpopt,fw_tcpnopt; /* TCP options set/unset */ u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */ + u_int32_t fw_tcpseq, fw_tcpack; /* TCP sequence and acknowledgement */ + u_short fw_tcpwin; /* TCP window size */ long timestamp; /* timestamp (tv_sec) of last match */ union ip_fw_if fw_in_if, fw_out_if; /* Incoming and outgoing interfaces */ union { 
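Review bot: the new `fw_ipflg` word added to struct ip_fw in the -62 hunk is never validated when a rule is installed. fw_flg is checked against IP_FW_F_MASK on the add path, but nothing in this patch applies IP_FW_IF_MSK (defined in the following hunk) to fw_ipflg, so a rule with undefined bits set is accepted and carried around silently; add the equivalent `fw_ipflg & ~IP_FW_IF_MSK` rejection. Two smaller layout points: `u_char fw_ipttl;` holds what ipfw.c stores from a (u_short) cast, so a range check in userland is needed for the two to agree, and `u_int fw_ipver:4;` as a lone bit-field between u_char members would be simpler as a plain u_char with the same range check. Since the struct changes size, the commit message should say that /sbin/ipfw and the kernel must be updated together.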
@@ -206,6 +213,26 @@ #define IP_FW_F_CHECK_S 0x10000000 /* check state */ #define IP_FW_F_MASK 0x1FFFFFFF /* All possible flag bits mask */ + +/* + * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols. + */ +#define IP_FW_IF_TCPOPT 0x00000001 /* tcp options */ +#define IP_FW_IF_TCPFLG 0x00000002 /* tcp flags */ +#define IP_FW_IF_TCPSEQ 0x00000004 /* tcp sequence number */ +#define IP_FW_IF_TCPACK 0x00000008 /* tcp acknowledgement number */ +#define IP_FW_IF_TCPWIN 0x00000010 /* tcp window size */ +#define IP_FW_IF_TCPMSK 0x0000001f /* mask of all tcp values */ + +#define IP_FW_IF_IPOPT 0x00000100 /* ip options */ +#define IP_FW_IF_IPLEN 0x00000200 /* ip length */ +#define IP_FW_IF_IPID 0x00000400 /* ip identification */ +#define IP_FW_IF_IPTOS 0x00000800 /* ip type of service */ +#define IP_FW_IF_IPTTL 0x00001000 /* ip time to live */ +#define IP_FW_IF_IPVER 0x00002000 /* ip version */ +#define IP_FW_IF_IPMSK 0x00003f00 /* mask of all ip values */ + +#define IP_FW_IF_MSK 0x0000ffff /* All possible bits mask */ /* * For backwards compatibility with rules specifying "via iface" but

----- End forwarded message -----

From owner-freebsd-ipfw Wed Sep 27 3:46:51 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from guard.polynet.lviv.ua (Guard.PolyNet.Lviv.UA [209.58.62.194]) by hub.freebsd.org (Postfix) with SMTP id D802137B42C for ; Wed, 27 Sep 2000 03:46:44 -0700 (PDT) Received: (qmail 5075 invoked from network); 27 Sep 2000 10:46:38 -0000 Received: from unknown (HELO postoffice.polynet.lviv.ua) (unknown) by unknown with SMTP; 27 Sep 2000 10:46:38 -0000 Received: (qmail 37898 invoked by uid 1001); 27 Sep 2000 10:46:38 -0000 Date: 27 Sep 2000 13:46:37 +0300 Date: Wed, 27 Sep 2000 13:46:37 +0300
From: Adrian Pavlykevych To: ipfw@freebsd.org Subject: "fwd" rule of IPFW freezes all IP traffic Message-ID: <20000927134637.A24652@polynet.lviv.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.1.11i Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG

Hi everybody!

This is a followup to my previous post about problems with the "fwd" rule on FreeBSD 4-Stable.

I'm trying to upgrade my _existing_ firewall, which uses IPFW and FWTK proxies in transparent mode.

I can confirm that the following ruleset is working on FreeBSD 3.1 and doesn't work on RELENG_4 as of Sep 21.

add 300 allow tcp from 192.168.0.14/32 to 192.168.0.0/16 via de0
add allow tcp from 192.168.0.0/16 to 192.168.0.14/32 via de0
add fwd 127.0.0.1,23 tcp from 0.0.0.0/0 to 0.0.0.0/0 23 via de0
add fwd 127.0.0.1,2221 tcp from 0.0.0.0/0 to 0.0.0.0/0 22 via de0
add fwd 127.0.0.1,21 tcp from 0.0.0.0/0 to 0.0.0.0/0 21 via de0
add fwd 127.0.0.1,110 tcp from 0.0.0.0/0 to 0.0.0.0/0 110 via de0
add fwd 127.0.0.1,6667 tcp from 0.0.0.0/0 to 0.0.0.0/0 6667 via de0
add fwd 127.0.0.1,6791 tcp from 0.0.0.0/0 to 0.0.0.0/0 6791 via de0
add fwd 127.0.0.1,2401 tcp from 0.0.0.0/0 to 0.0.0.0/0 2401 via de0
add fwd 127.0.0.1,5999 tcp from 0.0.0.0/0 to 0.0.0.0/0 5999 via de0
add 65534 allow ip from any to any

Hitting the "fwd" rule immediately stops _all_ IP traffic on the machine - even ping 127.0.0.1 doesn't work.

BTW, the previous responses I've got were misdirected due to my typo in the posted rule.
I'd appreciate any suggestions/fixes,

-- 
Adrian Pavlykevych                          email: 
System Administrator                        phone/fax: +380 (322) 742041
State University "Lvivska Polytechnica"

From owner-freebsd-ipfw Wed Sep 27 6:43:26 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from jade.chc-chimes.com (jade.chc-chimes.com [216.28.46.6]) by hub.freebsd.org (Postfix) with ESMTP id 0E20A37B422 for ; Wed, 27 Sep 2000 06:43:25 -0700 (PDT) Received: by jade.chc-chimes.com (Postfix, from userid 1001) id 87C2D1C85; Wed, 27 Sep 2000 09:43:24 -0400 (EDT) Date: Wed, 27 Sep 2000 09:43:24 -0400
From: Bill Fumerola To: Adrian Pavlykevych Cc: ipfw@freebsd.org Subject: Re: "fwd" rule of IPFW freezes all IP traffic Message-ID: <20000927094324.L34501@jade.chc-chimes.com> References: <20000927134637.A24652@polynet.lviv.ua> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20000927134637.A24652@polynet.lviv.ua>; from pam@polynet.lviv.ua on Wed, Sep 27, 2000 at 01:46:37PM +0300 X-Operating-System: FreeBSD 3.3-STABLE i386 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG

On Wed, Sep 27, 2000 at 01:46:37PM +0300, Adrian Pavlykevych wrote:
> This is a followup to my previous post about problems with the "fwd" rule on
> FreeBSD 4-Stable.
>
> I'm trying to upgrade my _existing_ firewall, which uses IPFW and FWTK proxies in transparent mode.
>
> I can confirm that the following ruleset is working on FreeBSD 3.1 and doesn't work on RELENG_4 as of Sep 21.

[...] ruleset deleted.

I'd encourage you to change all those rules from 'fwd' rules to 'count' rules and see how many of them get triggered. I often find that helpful when trying to see what ipfw is doing.

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

From owner-freebsd-ipfw Thu Sep 28 10: 2:47 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from kira.epconline.net (kira.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id D756837B423 for ; Thu, 28 Sep 2000 10:02:42 -0700 (PDT) Received: from therock (betterguard.epconline.net [209.83.132.193]) by kira.epconline.net (8.9.3/8.9.3) with SMTP id MAA10846 for ; Thu, 28 Sep 2000 12:02:40 -0500 (CDT) Reply-To:
From: "Chuck Rock" To: "'Freebsd-Ipfw" Subject: nat ipfw and multiple IP's on interface.... Date: Thu, 28 Sep 2000 12:04:18 -0500 Message-ID: <000a01c0296e$23bec4a0$1805010a@epconline.net> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG

I have my public interface with several IP's, and I would like to specify which NAT internal IP uses which public IP on the external interface for outbound traffic.

Is this possible?

What commands should I be looking at to accomplish this?

Thanks,
Chuck Rock
EPC

From owner-freebsd-ipfw Thu Sep 28 10:55: 7 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from forrie.net (forrie.net [64.20.73.233]) by hub.freebsd.org (Postfix) with ESMTP id C208437B43C for ; Thu, 28 Sep 2000 10:55:04 -0700 (PDT) Received: from boomer.forrie.com (dhcp-north-71-168.navipath.net [64.20.71.168]) by forrie.net with id e8SHsxd63292 for ; Thu, 28 Sep 2000 13:54:59 -0400 (EDT) Message-Id: <5.0.0.25.2.20000928134746.00b11eb0@64.20.73.233> X-Sender: forrie@64.20.73.233 X-Mailer: QUALCOMM Windows Eudora Version 5.0 Date: Thu, 28 Sep 2000 13:48:18 -0400 To: freebsd-ipfw@freebsd.org
From: Forrest Aldrich Subject: 4.1.1 rc.firewall Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG

Any reason why these rules are repeated (2 times) in /etc/rc.firewall... or is it a typo?

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

From owner-freebsd-ipfw Thu Sep 28 19:25:57 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 07A8137B43E for ; Thu, 28 Sep 2000 19:24:15 -0700 (PDT) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 28 Sep 2000 19:23:00 -0700 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e8T2OAs02503; Thu, 28 Sep 2000 19:24:10 -0700 (PDT) (envelope-from cjc) Date: Thu, 28 Sep 2000 19:24:05 -0700
From: "Crist J . Clark" To: Chuck Rock Cc: "'Freebsd-Ipfw" Subject: Re: nat ipfw and multiple IP's on interface.... Message-ID: <20000928192405.I81242@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <000a01c0296e$23bec4a0$1805010a@epconline.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <000a01c0296e$23bec4a0$1805010a@epconline.net>; from carock@epctech.com on Thu, Sep 28, 2000 at 12:04:18PM -0500 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG

On Thu, Sep 28, 2000 at 12:04:18PM -0500, Chuck Rock wrote:
> I have my public interface with several IP's, and I would like to specify
> which NAT internal IP uses which public IP on the external interface for out
> bound traffic.
>
> Is this possible?

Could you try to rephrase what you want to do. I get an unrecoverable parser error when I try to read that sentence. I understand everything up to the 'and.' From there, things get a little hairy.

-- 
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Thu Sep 28 21:38:10 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from jason.argos.org (a1-3a105.neo.rr.com [24.93.180.105]) by hub.freebsd.org (Postfix) with ESMTP id 402B637B42C for ; Thu, 28 Sep 2000 21:37:53 -0700 (PDT) Received: from localhost (mike@localhost) by jason.argos.org (8.10.1/8.10.1) with ESMTP id e8T4VQa16882; Fri, 29 Sep 2000 00:31:26 -0400 Date: Fri, 29 Sep 2000 00:31:25 -0400 (EDT)
From: Mike Nowlin To: cjclark@alum.mit.edu Cc: Chuck Rock , "'Freebsd-Ipfw" Subject: Re: nat ipfw and multiple IP's on interface.... In-Reply-To: <20000928192405.I81242@149.211.6.64.reflexcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG

On Thu, 28 Sep 2000, Crist J . Clark wrote:
> On Thu, Sep 28, 2000 at 12:04:18PM -0500, Chuck Rock wrote:
> > I have my public interface with several IP's, and I would like to specify
> > which NAT internal IP uses which public IP on the external interface for out
> > bound traffic.
> >
> > Is this possible?
>
> Could you try to rephrase what you want to do. I get an unrecoverable
> parser error when I try to read that sentence. I understand everything
> up to the 'and.' From there, things get a little hairy.

I'll take a stab at it...

Methinks he means "I would like to specify which of my public IPs are selected to act on behalf of NAT, dependent on which private-network machine is asking NAT to do its thing."

example:
public IPs = 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4

private = 10.2.2.0/24

machine 10.2.2.17 should have its NAT traffic run through 1.1.1.2
machine 10.2.2.29 should have its NAT traffic run through 1.1.1.4
...etc.

I haven't looked at this recently, but I'm guessing you can do it through running several copies of natd (one for each public IP) that are each listening on a different port number, and some fancy ipfw divert rules... Just listen for requests from each internal IP and divert the packets to the appropriate copy of natd.

...maybe...... :)

--mike

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Understated/funny man-page sentence of the current time period:
From route(4) on FreeBSD-3.4, DESCRIPTION section:
"FreeBSD provides some packet routing facilities."
...duh.......
Mike Nowlin, N8NVW
mike@argos.org
http://www.viewsnet.com

From owner-freebsd-ipfw Thu Sep 28 22:19: 7 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 119F537B423 for ; Thu, 28 Sep 2000 22:19:02 -0700 (PDT) Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 28 Sep 2000 22:16:39 -0700 Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e8T5HNh03837; Thu, 28 Sep 2000 22:17:23 -0700 (PDT) (envelope-from cjc) Date: Thu, 28 Sep 2000 22:17:23 -0700
From: "Crist J . Clark" To: Mike Nowlin Cc: Chuck Rock , "'Freebsd-Ipfw" Subject: Re: nat ipfw and multiple IP's on interface.... Message-ID: <20000928221723.O81242@149.211.6.64.reflexcom.com> Reply-To: cjclark@alum.mit.edu References: <20000928192405.I81242@149.211.6.64.reflexcom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: ; from mike@argos.org on Fri, Sep 29, 2000 at 12:31:25AM -0400 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG

On Fri, Sep 29, 2000 at 12:31:25AM -0400, Mike Nowlin wrote:
> On Thu, 28 Sep 2000, Crist J . Clark wrote:
>
> > On Thu, Sep 28, 2000 at 12:04:18PM -0500, Chuck Rock wrote:
> > > I have my public interface with several IP's, and I would like to specify
> > > which NAT internal IP uses which public IP on the external interface for out
> > > bound traffic.
> > >
> > > Is this possible?
> >
> > Could you try to rephrase what you want to do. I get an unrecoverable
> > parser error when I try to read that sentence. I understand everything
> > up to the 'and.' From there, things get a little hairy.
>
> I'll take a stab at it...
>
> Methinks he means "I would like to specify which of my public IPs are
> selected to act on behalf of NAT, dependent on which private-network
> machine is asking NAT to do its thing."
>
> example:
> public IPs = 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4
>
> private = 10.2.2.0/24
>
> machine 10.2.2.17 should have its NAT traffic run through 1.1.1.2
> machine 10.2.2.29 should have its NAT traffic run through 1.1.1.4
> ...etc.
>
> I haven't looked at this recently, but I'm guessing you can do it through
> running several copies of natd (one for each public IP) that are each
> listening on a different port number, and some fancy ipfw divert rules...
> Just listen for requests from each internal IP and divert the packets to
> the appropriate copy of natd.

Nah.
If that's an accurate translation, all he needs to do is,

# cat /etc/natd.conf
redirect_address 10.2.2.17 1.1.1.2
redirect_address 10.2.2.29 1.1.1.4
...

-- 
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Thu Sep 28 23:50:51 2000 Delivered-To: freebsd-ipfw@freebsd.org Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua [212.110.138.65]) by hub.freebsd.org (Postfix) with ESMTP id 4C30137B423 for ; Thu, 28 Sep 2000 23:50:42 -0700 (PDT) Received: (from ru@localhost) by whale.sunbay.crimea.ua (8.9.3/1.13) id JAA19957; Fri, 29 Sep 2000 09:50:13 +0300 (EEST) Date: Fri, 29 Sep 2000 09:50:13 +0300
From: Ruslan Ermilov To: Forrest Aldrich Cc: freebsd-ipfw@freebsd.org Subject: Re: 4.1.1 rc.firewall Message-ID: <20000929095013.A19780@sunbay.com> Mail-Followup-To: Forrest Aldrich , freebsd-ipfw@freebsd.org References: <5.0.0.25.2.20000928134746.00b11eb0@64.20.73.233> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <5.0.0.25.2.20000928134746.00b11eb0@64.20.73.233>; from forrie@forrie.com on Thu, Sep 28, 2000 at 01:48:18PM -0400 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG

On Thu, Sep 28, 2000 at 01:48:18PM -0400, Forrest Aldrich wrote:
> Any reason why these rules are repeated (2 times) in /etc/rc.firewall... or
> is it a typo?
>
>
> # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
> # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
> # on the outside interface
> ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
> ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
> ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
> ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
> ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
>

They are not repeated twice, they are just broken into two parts, the first before NAT, and the second after NAT.

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age