From owner-freebsd-ipfw Fri Jun 8 08:56:04 2001
Delivered-To: freebsd-ipfw@freebsd.org
Date: Fri, 8 Jun 2001 11:55:59 -0400 (EDT)
From: Darren Henderson
Subject: buckets & sysctl
In-Reply-To: <7e96417ea3ae.7ea3ae7e9641@mbox.com.au>

I can't seem to get the number of buckets ipfw uses to increase. This is
on a 4.3-STABLE machine with kern.securelevel -1.

In /etc/sysctl.conf I set

    net.inet.ip.fw.dyn_buckets=512
    net.inet.ip.fw.dyn_max=2000

The dyn_buckets does go to 512 and dyn_max goes to 2000, but the
curr_dyn_buckets never goes beyond the default 256. ipfw just doesn't
resize the structure, even if all 2000 buckets are used and ipfw is
reporting that it can't create any new dynamic rules. The goal here is
to have fewer entries in each bucket.

How do I convince ipfw to use all the buckets? Does dyn_max have to be a
multiple of dyn_buckets? That doesn't appear to be true (I can still
achieve 2000 dynamic rules with the 256 buckets). Is it a timing issue;
does dyn_buckets have to be set at some point earlier than sysctl.conf
is processed?

sysctl -A | grep ip.fw shows the following...
    net.inet.ip.fw.enable: 1
    net.inet.ip.fw.one_pass: 1
    net.inet.ip.fw.debug: 1
    net.inet.ip.fw.verbose: 1
    net.inet.ip.fw.verbose_limit: 100
    net.inet.ip.fw.dyn_buckets: 512
    net.inet.ip.fw.curr_dyn_buckets: 256
    net.inet.ip.fw.dyn_count: 114
    net.inet.ip.fw.dyn_max: 2000
    net.inet.ip.fw.dyn_ack_lifetime: 300
    net.inet.ip.fw.dyn_syn_lifetime: 20
    net.inet.ip.fw.dyn_fin_lifetime: 20
    net.inet.ip.fw.dyn_rst_lifetime: 5
    net.inet.ip.fw.dyn_short_lifetime: 30

Any thoughts appreciated.

______________________________________________________________________
Darren Henderson                                    darren@nighttide.net

            Help fight junk e-mail, visit http://www.cauce.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Fri Jun 8 10:33:28 2001
Delivered-To: freebsd-ipfw@freebsd.org
From: "Carlos Andrade"
Subject: A epiphany of sorts
Date: Fri, 8 Jun 2001 11:21:45 -0600
Message-ID: <001101c0f03f$7eb57140$fa0a5542@rjstech.com>

I have been working on our company's firewall for some time and I have
been helped quite a bit by the wonderful people on this list. I had an
epiphany of sorts today.
Due to the way our office is networked to our other sales offices I
want to redo our firewall rules.

(background)

our_network    : will be put behind the firewall, natd will be running
                 so I may have to have nat rules somewhere for
                 directing requests to the correct machine.
midland_office : a sales office behind a DSL router, machines are
                 dhcp'ing to the net.
abilene_office : a sales office behind a DSL router, machines are
                 dhcp'ing to the net.

(theoretical rule set)

allow everything from our_network out
allow everything? from our midland_office in
allow everything? from our abilene_office in
pass tcp from any to our outside_interface 80 setup (access web servers)

and then our thin client (which we use to connect to an app server from
the offices and sometimes from the road):

TCP/IP port 1494 (inbound)
UDP port 1604 (inbound and outbound)
Outbound ports 1023 and above for both TCP/IP & UDP

deny the rest

(commentary)

we have no mail or dns servers, all that is done by our ISP. So there
is very little traffic wanting to come into our network, so I can let
those things in. I hope that I can just allow in the IPs of the DSL
routers since the machines behind it pass through it over DHCP, or am I
loony and need to read up more on DHCP?

Yes, I know I must have a huge measure of trust to allow everything
from our offices. I do. I am just trying to add to the layers of
security by dictating exactly where people can access us from and by
how.

thanks in advance,

Carlos Andrade

----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13
915.845.2119 fax
carlos@rjstech.com

From owner-freebsd-ipfw Fri Jun 8 15:42:39 2001
Delivered-To: freebsd-ipfw@freebsd.org
From: "Robert L Sowders"
Cc: freebsd-ipfw@FreeBSD.ORG, owner-freebsd-ipfw@FreeBSD.ORG
Subject: Re: A epiphany of sorts
Date: Fri, 8 Jun 2001 15:42:31 -0700

You might be able to simplify your rules by setting up a VPN tunnel
with IPSec. Here is a simple step by step.

http://www.freeBSDdiary.org/ipsec-tunnel.php

From owner-freebsd-ipfw Sat Jun 9 04:31:15 2001
Delivered-To: freebsd-ipfw@freebsd.org
From: Luigi Rizzo
Message-Id: <200106091127.NAA61182@info.iet.unipi.it>
Subject: Re: buckets & sysctl
In-Reply-To: from Darren Henderson at "Jun 8, 2001 11:55:59 am"
To: Darren Henderson
Date: Sat, 9 Jun 2001 13:27:02 +0200 (CEST)
Cc: freebsd-ipfw@FreeBSD.ORG

> I can't seem to get the number of buckets ipfw uses to increase.

you are right, there is some bug in the part of code which handles
updates to dyn_buckets. The actual variable used is curr_dyn_buckets,
which in my intentions should be set to the power of 2 closest to
dyn_buckets -- but as you can see in the code there is no place where
the variable is actually set.
This should be done in add_dyn_rule, probably something like this in
/sys/netinet/ip_fw.c

    u_int32_t i = dyn_buckets ;

    while ( i > 0 && (i & 1) == 0 )
        i >>= 1 ;
    if (i != 1) /* not a power of 2 */
        dyn_buckets = curr_dyn_buckets ; /* reset */
    else {
+       curr_dyn_buckets = dyn_buckets ; /* update */
        if (ipfw_dyn_v != NULL)
            free(ipfw_dyn_v, M_IPFW);
        ipfw_dyn_v = malloc(curr_dyn_buckets * sizeof r,

but i want to look at the code a bit more carefully before committing
this. If you want to test this patch, i'd be glad to know how it works
for you.

cheers
luigi
-----------------------------------+-------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
 TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
 Mobile   +39-347-0373137
-----------------------------------+-------------------------------------
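An added worked example, written for this archive page and not taken from Luigi's patch or from FreeBSD's ip_fw.c, that models both halves of the "buckets & sysctl" thread: Darren's observation that dyn_buckets changes while curr_dyn_buckets never does, and Luigi's sketch of the power-of-two check that should gate the resize. The sysctl-like variable names come from the thread; the rule struct, the multiplicative hash, the rehash-on-resize (Luigi's fragment frees the old table instead) and the fill_rules/chain_total helpers are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of ipfw's dynamic-rule hash table. Variable names mirror
 * the sysctls in the thread; everything else is an assumption of this example. */
struct dyn_rule { uint32_t src, dst; uint16_t sport, dport; struct dyn_rule *next; };

static uint32_t dyn_buckets = 256;      /* value written via sysctl */
static uint32_t curr_dyn_buckets = 256; /* size the table really has */
static uint32_t dyn_max = 1000;         /* cap on dynamic rules */
static uint32_t dyn_count = 0;
static struct dyn_rule **ipfw_dyn_v = NULL;

/* The loop from Luigi's sketch: shift out trailing zero bits; exactly 1
 * remains iff n was a power of two (0 is rejected as well). */
static int is_power_of_two(uint32_t n)
{
    uint32_t i = n;
    while (i > 0 && (i & 1) == 0)
        i >>= 1;
    return i == 1;
}

/* Masking with (size - 1) is a valid bucket index only for power-of-two sizes. */
static uint32_t hash_rule(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    uint32_t h = src * 0x9E3779B1u;
    h ^= dst * 0x85EBCA77u;
    h ^= (((uint32_t)sport << 16) | dport) * 0xC2B2AE3Du;
    return h & (curr_dyn_buckets - 1);
}

/* Apply a pending dyn_buckets change: 1 if resized, 0 if nothing changed.
 * Unlike the sketch, which frees the old table, existing rules are rehashed. */
int dyn_apply_bucket_change(void)
{
    if (dyn_buckets == curr_dyn_buckets)
        return 0;
    if (!is_power_of_two(dyn_buckets)) {
        dyn_buckets = curr_dyn_buckets;     /* reset, as in the sketch */
        return 0;
    }
    struct dyn_rule **nv = calloc(dyn_buckets, sizeof *nv);
    if (nv == NULL)
        return 0;                           /* leave the request pending */
    struct dyn_rule **old = ipfw_dyn_v;
    uint32_t old_n = curr_dyn_buckets;
    curr_dyn_buckets = dyn_buckets;         /* the "update" line that was missing */
    ipfw_dyn_v = nv;
    for (uint32_t b = 0; old != NULL && b < old_n; b++)
        for (struct dyn_rule *r = old[b], *next; r != NULL; r = next) {
            next = r->next;
            uint32_t i = hash_rule(r->src, r->dst, r->sport, r->dport);
            r->next = nv[i];
            nv[i] = r;
        }
    free(old);
    return 1;
}

/* Insert one rule: 0 on success, -1 once dyn_max is reached (the "can't
 * create any new dynamic rules" condition from the first message). */
int add_dyn_rule(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    dyn_apply_bucket_change();              /* the hook the sketch proposes */
    if (ipfw_dyn_v == NULL &&
        (ipfw_dyn_v = calloc(curr_dyn_buckets, sizeof *ipfw_dyn_v)) == NULL)
        return -1;
    struct dyn_rule *r;
    if (dyn_count >= dyn_max || (r = malloc(sizeof *r)) == NULL)
        return -1;
    r->src = src; r->dst = dst; r->sport = sport; r->dport = dport;
    uint32_t i = hash_rule(src, dst, sport, dport);
    r->next = ipfw_dyn_v[i];
    ipfw_dyn_v[i] = r;
    dyn_count++;
    return 0;
}

/* Add n constructed flows with distinct src/sport; returns how many fit. */
uint32_t fill_rules(uint32_t n)
{
    uint32_t added = 0;
    for (uint32_t k = 0; k < n; k++)
        added += add_dyn_rule(0x0a000001u + k, 0xc0a80001u, (uint16_t)(1024 + k), 80) == 0;
    return added;
}

/* Rules reachable by walking every chain; must always equal dyn_count. */
uint32_t chain_total(void)
{
    uint32_t total = 0;
    for (uint32_t b = 0; ipfw_dyn_v != NULL && b < curr_dyn_buckets; b++)
        for (struct dyn_rule *r = ipfw_dyn_v[b]; r != NULL; r = r->next)
            total++;
    return total;
}

/* Stand-ins for sysctl writes and reads. */
void set_dyn_buckets(uint32_t n) { dyn_buckets = n; }
void set_dyn_max(uint32_t n) { dyn_max = n; }
uint32_t get_dyn_buckets(void) { return dyn_buckets; }
uint32_t get_curr_dyn_buckets(void) { return curr_dyn_buckets; }
uint32_t get_dyn_count(void) { return dyn_count; }
```

Writing a non-power-of-two value such as 500 is rejected and dyn_buckets snaps back to the current size, exactly as the sketch's reset branch does; 512 is accepted and every existing rule lands in the new table, which is what chain_total confirms. dyn_max is independent of the bucket count, matching Darren's observation that 2000 rules fit into 256 buckets: the chains just get longer, and more buckets is the only way to make them shorter.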