From: Luigi Rizzo
To: ipfw@FreeBSD.ORG
Date: Mon, 15 Jul 2002 13:42:00 -0700
Subject: updated ipfw2 patches for -stable
Message-ID: <20020715134200.A91754@iguana.icir.org>

[Bcc to -stable as relevant there]

As the subject says, the latest patches to run ipfw2 on -stable are at

    http://info.iet.unipi.it/~luigi/ipfw2.stable.020715.diffs

They rely on the code that I have committed to -stable last week, and replicate the functionality that is available in -current in the CVS repository.

This version fixes all bugs reported so far (which were limited to minor problems in the userland code, and alignment issues on 64-bit architectures) and implements keepalives to prevent dynamic rules from expiring when your session is idle for longer than the timeout.

Once you have patched your source tree, you need to add

    options IPFW2

to your kernel config file to have the new functionality available, otherwise you will still use the old ipfw code. You also need to recompile /sbin/ipfw.

Note that this patch *does not* update libalias (I will add patches for that in the next version of the code).
(For the curious, ipfw2 is a nickname for the new firewall code which is in -current. It is much faster and more flexible than the old one, and implements the old ipfw syntax as a subset, so your existing configuration files should work unmodified -- and if they don't, please report the rule(s) where it chokes so i can fix that).

cheers
luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message


From: admin@biowarnet.info
To: rizzo@icir.org
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Mon, 15 Jul 2002 18:01:30 -0700 (PDT)
Subject: NewBie Question
Message-ID: <20020715180131.2114.h008.c011.wm@mail.biowarnet.info.criticalpath.net>

Hello Rizzo

I would like to ask you what is the right configuration for my network here: I run FreeBSD 4.6-STABLE on
server, and here i got traffic bandwidth around 80kbit/s (from MRTG page). I have 14 clients here on my server, not including the server. I run squid and accept http requests on port 3128.

And this is the question: What should i put on my firewall config, so every client has max http traffic bandwidth around 5kbit/s? (from 80kbit/s / 14 clients in my network)

For a while i put these on /etc/firewall.conf:

    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

    # Dummynet Rules
    /sbin/ipfw add pipe 1 tcp from any 3128 to ${inet}:${imask}
    /sbin/ipfw pipe 1 config bw 40kbit/s queue 50 delay 10 mask dst-ip 0xffffff00

    # Allow established connections with minimal overhead
    ${fwcmd} add pass tcp from any to any established

I wait for your answer, and I would thank very very thank you

Rinto N
From: boris karlov
To: ipfw@FreeBSD.ORG
Cc: Ruslan Ermilov
Date: Tue, 16 Jul 2002 15:30:47 +0400
Subject: Re: keep-state rule before nat
Message-ID: <20020716113047.GC4470@xy.blank.spb.ru>

On Wed, 13 Feb 2002 10:58:07 +0200, Ruslan Ermilov wrote:
> On Wed, Feb 13, 2002 at 11:59:14AM +0200, Andrew V. Jemerya wrote:
> > Hi, guys!
> >
> > I had some trouble with keep-state rules recently.
> > My firewall rules are the following:
> >
> >     check-state
> >     allow tcp from any to xxxx 25 keep-state
> >     allow udp from any 53 to xxx 53 keep-state
> >
> >     divert natd from 192.168.0.0/24 to any out via rl0
> >     divert from any to xxx in via rl0
> >
> >     allow all from 192.168.0.4 to any via rl1 keep-state
> >
> > This construction doesn't work properly, but exactly it doesn't work at
> > all
> > What can I do for this situation?
> >
> Keep-state combined with divert is really tricky.
> Search ML archives for a possible solution. I
> posted them once.
> --

Alas, I can't find smth. appropriate in ML archives. I've failed with Google too. Does anybody have a recipe? URL or paper? Finally I can't realize which rules I get from `keep-state' match in this case.

10x in advance,
boris karlov.
From: "Luiz Morte da Costa Jr"
Date: Tue, 16 Jul 2002 14:15:35 -0300
Subject: ENC: rexec

I don't know if you had received this message (I received some warnings), so I'm sending it again ...

My problem is with the R command in an internal PC (10.10.10.0 network. See below).

I appreciate any help.

Luiz.
-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On behalf of Luiz Morte da Costa Jr
Sent: Wednesday, 10 July 2002 14:06
To: ipfw@FreeBSD.ORG
Subject: rexec

Hi there,

I have ipfw+nat running in a FreeBSD 4.5.
I have this configuration:

    Internet 1 (fxp0)          Internet 2 (fxp1)
      (a.b.c.164)                (a.b.d.80)
          / \                        / \
           |                          |
    --------------------------------------------------
                           |
                          \ /
                    Internal (fxp2)
                    (10.10.10.129)

Obs:
- The IP class x.y.z.0 is in the fxp0 network.
- The default route to the a.b.c.0 IP class is a.b.c.129
- In /etc/rc.conf
    defaultrouter="a.b.d.65"

I have a Sun with a valid IP and with a calendar server running
- IP: a.b.c.152
- valid IP
- calendar server running

I have a PC in an internal network
- IP: 10.10.10.130
- no valid IP
- calendar client

My problem is to have access to the calendar server from an internal IP (10.10.10.130)

==================================================
NAT:
/sbin/natd -p 8668 -n fxp0   (natd)
/sbin/natd -p 8669 -n fxp1   (natd2)

My rules are:

    # Internal IP Class
    add 0011 skipto 0055 all from a.b.c.0/24 to any
    add 0012 skipto 0055 all from any to a.b.c.0/24
    add 0013 skipto 0055 all from x.y.z.0/24 to any
    add 0014 skipto 0055 all from any to x.y.z.0/24
    #
    # NAT for all IP Class
    add 0051 divert natd2 all from any to any
    add 0052 skipto 0100 all from any to any
    #
    # NAT for Internal IP Class
    add 0055 divert natd all from any to any
    # forward internal IP Class
    add 0056 fwd a.b.c.129 all from a.b.c.164 to any out
    #
    # Deny source routing, record route
    add 0100 deny log tcp from any to any ipoptions ssrr,lsrr,rr
    # Allow loop back
    add 0102 allow all from any to any via lo0
    #
    # Allow all (for test)
    add 60000 allow log logamount 20000 all from any to any
==================================================
Thanks anyway,
Luiz.
From: Luigi Rizzo
To: ipfw@freebsd.org
Date: Tue, 16 Jul 2002 12:40:59 -0700
Subject: Ouch! ipfw log and DoS
Message-ID: <20020716124059.A2635@iguana.icir.org>

it just occurred to me that if you have

    ipfw add accept log

and you log to a remote host and your syslog messages match your pattern, then you have created a loop.
There are endless variations of the above.

Bottom line is that (i believe) log messages generated by ipfw should be rate-limited to some not-too-large value (maybe controlled by a sysctl variable).
Any objections if i implement that (which probably amounts to the following lines of code at the beginning of ipfw_log():

    ----------------
    static last_log, log_left;

    if (last_log != time_second) {
        last_log = time_second;
        log_left = ipfw_log_rate;
    }
    if (log_left == 0)
        return;
    log_left--;
    ----------------

cheers
luigi
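The limiter sketched above, together with the syslog feedback loop it is meant to contain, as an added example for this archive (it is not Luigi's patch and not ipfw code). The names `log_limiter`, `log_limiter_allow`, `simulate_second` and the `ipfw_log_rate` field are this example's own; `now` stands in for the kernel's `time_second`, and the "second of traffic" is a constructed model in which every log entry that is actually written turns into one syslog datagram that matches the same `accept log` rule again. A `dropped` counter is added so that suppressed entries are at least visible, which is the objection raised later in this thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/*
 * Per-second log rate limiter, modelled on the ipfw_log() snippet in the
 * post. The state lives in a struct instead of statics so that several
 * limiters can be exercised independently; all names are hypothetical.
 */
struct log_limiter {
    time_t last_log;        /* second in which the current budget was opened */
    int log_left;           /* entries still allowed in that second */
    int ipfw_log_rate;      /* budget per second (the proposed sysctl) */
    unsigned long dropped;  /* entries suppressed, so the loss is visible */
};

void log_limiter_init(struct log_limiter *l, int rate)
{
    l->last_log = (time_t)-1;
    l->log_left = 0;
    l->ipfw_log_rate = rate;
    l->dropped = 0;
}

/* Returns 1 if an entry may be logged now, 0 if it must be suppressed. */
int log_limiter_allow(struct log_limiter *l, time_t now)
{
    if (l->last_log != now) {      /* new second: refill the budget */
        l->last_log = now;
        l->log_left = l->ipfw_log_rate;
    }
    if (l->log_left == 0) {
        l->dropped++;
        return 0;
    }
    l->log_left--;
    return 1;
}

struct sim_result {
    long genuine;    /* entries for packets that really came from outside */
    long feedback;   /* entries for the firewall's own syslog datagrams */
    int starved;     /* 1 if the CPU budget ran out with work still queued */
};

/*
 * Constructed model of one second of the feedback loop: every entry that is
 * written becomes one syslog datagram to the remote loghost, and with the
 * misconfigured "accept log" rule that datagram matches the rule again.
 * `external` packets are queued at the start of the second; `budget` is the
 * number of rule evaluations the box can afford in that second. Pass
 * l == NULL to model a kernel without the limiter.
 */
struct sim_result simulate_second(struct log_limiter *l, time_t now,
                                  long external, long budget)
{
    struct sim_result r = { 0, 0, 0 };
    long ext = external, fb = 0;

    while (ext + fb > 0 && budget > 0) {
        int is_ext = ext > 0;          /* FIFO: outside traffic was queued first */
        if (is_ext) ext--; else fb--;
        budget--;
        if (l == NULL || log_limiter_allow(l, now)) {
            if (is_ext) r.genuine++; else r.feedback++;
            fb++;                      /* the log line re-enters the firewall */
        }
    }
    r.starved = (ext + fb > 0);
    return r;
}

int main(void)
{
    struct log_limiter lim;
    struct sim_result r;

    r = simulate_second(NULL, 0, 1, 100000);
    printf("unlimited: genuine=%ld feedback=%ld starved=%d\n",
           r.genuine, r.feedback, r.starved);

    log_limiter_init(&lim, 10);
    r = simulate_second(&lim, 0, 1, 100000);
    printf("rate 10/s: genuine=%ld feedback=%ld starved=%d dropped=%lu\n",
           r.genuine, r.feedback, r.starved, lim.dropped);
    return 0;
}
```

Without the limiter a single outside packet keeps the firewall busy until the evaluation budget is gone and work is still queued, which is the hang described in the thread. With a budget of 10 per second the loop dies after 11 evaluations, but 9 of the 10 entries that reach the log are feedback and the one genuine packet that arrives later in the same second is dropped; the limiter stops the loop from consuming the box without making the log useful, so the rule still has to be fixed.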
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Date: Tue, 16 Jul 2002 23:46:47 -0700
Subject: Re: Ouch! ipfw log and DoS
Message-ID: <20020717064647.GC22967@blossom.cjclark.org>

On Tue, Jul 16, 2002 at 12:40:59PM -0700, Luigi Rizzo wrote:
> it just occurred to me that if you have
>
>     ipfw add accept log
>
> and you log to a remote host and your syslog messages match your
> pattern, then you have created a loop.
> There are endless variations of the above.
>
> Bottom line is that (i believe) log messages generated by ipfw should
> be rate-limited to some not-too-large value (maybe controlled by
> a sysctl variable).
>
> Any objections if i implement that (which probably amounts to
> the following lines of code at the beginnning of ipfw_log():
>
> ----------------
> static last_log, log_left;
>
> if (last_log != time_second) {
>     last_log = time_second;
>     log_left = ipfw_log_rate;
> }
> if (log_left == 0)
>     return;
> log_left--;
> ----------------

Errr... Isn't this syslogd(8)'s job?

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
From: Luigi Rizzo
To: "Crist J. Clark"
Cc: ipfw@FreeBSD.ORG
Date: Wed, 17 Jul 2002 02:26:19 -0700
Subject: Re: Ouch! ipfw log and DoS
Message-ID: <20020717022619.A8351@iguana.icir.org>

On Tue, Jul 16, 2002 at 11:46:47PM -0700, Crist J. Clark wrote:
...
> > Bottom line is that (i believe) log messages generated by ipfw should
> > be rate-limited to some not-too-large value (maybe controlled by
> > a sysctl variable).
...
> > static last_log, log_left;
> >
> > if (last_log != time_second) {
> >     last_log = time_second;
> >     log_left = ipfw_log_rate;
> > }
> > if (log_left == 0)
> >     return;
> > log_left--;
> > ----------------
>
> Errr... Isn't this syslogd(8)'s job?
i do not see any such option in syslogd. The only thing syslogd does is

    .... last message repeated 29 times

but that will not break the loop that you could generate by improperly setting an ipfw rule. That's the whole point of my proposal above -- and given it is two instructions per log-entry, plus another 3 instructions per second, i think it is worthwhile having it.

cheers
luigi
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Date: Wed, 17 Jul 2002 09:58:08 -0700
Subject: Re: Ouch! ipfw log and DoS
Message-ID: <20020717165807.GA25404@blossom.cjclark.org>

On Wed, Jul 17, 2002 at 02:26:19AM -0700, Luigi Rizzo wrote:
> On Tue, Jul 16, 2002 at 11:46:47PM -0700, Crist J. Clark wrote:
> ...
> > > Bottom line is that (i believe) log messages generated by ipfw should
> > > be rate-limited to some not-too-large value (maybe controlled by
> > > a sysctl variable).
> ...
> > > static last_log, log_left;
> > >
> > > if (last_log != time_second) {
> > >     last_log = time_second;
> > >     log_left = ipfw_log_rate;
> > > }
> > > if (log_left == 0)
> > >     return;
> > > log_left--;
> > > ----------------
> >
> > Errr... Isn't this syslogd(8)'s job?
>
> i do not see any such option in syslogd.

Let me rephrase, "Shouldn't this be syslogd(8)'s job?"

> The only thing syslogd does is
>
>     .... last message repeated 29 times
>
> but that will not break the loop that you could generate
> by improperly setting an ipfw rule.

It would for the example you gave. (Well, it doesn't "break the loop," but it does slow it wa-ay down.)

> That's the whole point of
> my proposal above -- and given it is two instructions per log-entry,
> plus another 3 instructions per second, i think it is worthwhile
> having it.

I just really do not think that this is the right place for such a limit. I don't like the idea that the firewall code just starts dropping notifications without a way to know about it.
Think about what happens for your example: a packet comes in that gets logged, which triggers a syslog cascade until we hit the limit. What we end up with is only logging a small window separated by at least a second, and the logs are still almost entirely filled with the syslog feedback.

Of course the "right" thing to do is to configure your 'log' rules correctly to avoid feedback loops. I think this is a case where we should let the administrator shoot himself in the foot if he wants to. If someone did log her own syslog packets, I think that she would find out and fix it pretty quickly. Even with this rate limiting, people are still going to have to fix their rules, otherwise their logs will be pretty much useless, filled with uninteresting gunk and possibly dropping most of the interesting data.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
From: Luigi Rizzo
To: cjclark@alum.mit.edu
Cc: ipfw@FreeBSD.ORG
Date: Wed, 17 Jul 2002 10:21:19 -0700
Subject: Re: Ouch! ipfw log and DoS
Message-ID: <20020717102119.A12639@iguana.icir.org>

On Wed, Jul 17, 2002 at 09:58:08AM -0700, Crist J. Clark wrote:
...
> I just really do not think that this is the right place for such a
> limit. I don't like the idea that the firewall code just starts
> dropping notifications without way to know about it. Think about what
> happens for your example, a packet comes in that gets logged which
> triggers a syslog cascade until we hit the limit. What we end up with
> is only logging a small windows separated by at least a second, and
> the logs are still almost entirely filled with the syslog feedback.
the alternative being having your box hung until you hard-reset it, i know what i would choose :)

cheers
luigi
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Date: Wed, 17 Jul 2002 10:49:19 -0700
Subject: Re: Ouch! ipfw log and DoS
Message-ID: <20020717174919.GB25404@blossom.cjclark.org>

On Wed, Jul 17, 2002 at 10:21:19AM -0700, Luigi Rizzo wrote:
> On Wed, Jul 17, 2002 at 09:58:08AM -0700, Crist J. Clark wrote:
> ...
> > I just really do not think that this is the right place for such a
> > limit. I don't like the idea that the firewall code just starts
> > dropping notifications without way to know about it. Think about what
> > happens for your example, a packet comes in that gets logged which
> > triggers a syslog cascade until we hit the limit. What we end up with
> > is only logging a small windows separated by at least a second, and
> > the logs are still almost entirely filled with the syslog feedback.
>
> the alternative being having your box hung until you hard-reset it,
> i know what i would choose :)

There's still IPFIREWALL_VERBOSE_LIMIT and 'logamount' to save you from such a fate. If you disable log limiting AND misconfigure your rules to create feedback loops, I would have no sympathy for you.

(Does the kernel really spend enough time generating messages that you get a real hang (the console hangs, not just remote sessions)?)

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
From: Stefano Riva
To: "Crist J. Clark"
Cc: Luigi Rizzo, ipfw@FreeBSD.ORG
Date: Thu, 18 Jul 2002 10:40:02 +0200
Subject: Re: Ouch! ipfw log and DoS
Message-ID: <3.0.5.32.20020718104002.00907de0@civetta.gufi.org>

At 10.49 17/07/02 -0700, Crist J. Clark wrote:
>There's still IPFIREWALL_VERBOSE_LIMIT and 'logamount' to save you
>from such a fate.
>If you disable log limiting AND misconfigure your rules to create
>feedback loops, I would have no sympathy for you.
Maybe I miss something, if so please correct me, but it seems to me that this "problem" isn't related only to feedback loops. At least on a production firewall IMO you should always enable log limiting, and if you enable it you have to reset it periodically... so in practice you're rate-limiting it. I don't know if in an ideal world this job should be ipfw's or syslogd's, but I for sure would like to be able to do it in a "cleaner" way rather than, let's say, using a CRON job. After all, with IPFIREWALL_VERBOSE_LIMIT we already have a way to specify an "absolute limit" for ipfw logging, so why don't we add an option to obtain a rate limit? Not enabled by default, of course. --- Stefano Riva (sriva@gufi.org) Gruppo Utenti FreeBSD Italia - http://www.gufi.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jul 18 9:25:34 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4D4B137B400 for ; Thu, 18 Jul 2002 09:25:33 -0700 (PDT) Received: from notus.primus.ca (mail.tor.primus.ca [216.254.136.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id C77CF43E67 for ; Thu, 18 Jul 2002 09:25:32 -0700 (PDT) (envelope-from drwitura@primus.ca) Received: from firewall.primus.ca ([216.254.141.68] helo=oemcomputer) by notus.primus.ca with smtp (Exim 3.33 #16) id 17VE5s-0000Oc-0A for ipfw@FreeBSD.ORG; Thu, 18 Jul 2002 12:25:32 -0400 Message-ID: <003501c22e78$0e2bcd20$b0120a0a@primustel.ca> From: "Didier Rwitura" To: References: <20020716124059.A2635@iguana.icir.org> <20020717064647.GC22967@blossom.cjclark.org> <20020717022619.A8351@iguana.icir.org> <20020717165807.GA25404@blossom.cjclark.org> <20020717102119.A12639@iguana.icir.org> <20020717174919.GB25404@blossom.cjclark.org> Subject: disconection Date: Thu, 18 Jul 2002 12:27:48 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" 
hi there
my box (FreeBSD 4.6-RELEASE ) is disconnecting me after few minutes, when I
connect remotely using SSH. I have IPFW as firewall.
Is there anything I can do to fix this??

Thanx
====================================
Didier R

From owner-freebsd-ipfw Thu Jul 18 10:05:50 2002
From: net@wsf.at
To: "Didier Rwitura"
Date: Thu, 18 Jul 2002 17:05:44 -0000
Subject: Re: disconection
Message-Id: <200207181705.g6IH5jY08457@www.wsf.at>
In-Reply-To: <003501c22e78$0e2bcd20$b0120a0a@primustel.ca>

Hi Didier,

Didier Rwitura wrote:
> hi there my box (FreeBSD 4.6-RELEASE ) is disconnecting me after few minutes
> ,when I connect remotely using SSH. I have IPFW as firewall. Is there
> anything I can do to fix this??
> Thanx
>

Just a guess, do you have 'keep-state' on the rules which allow ssh to
your box ? Perhaps it's just the temporary rules timing out that
disconnect you.

Thomas

From owner-freebsd-ipfw Thu Jul 18 10:51:09 2002
From: "Didier Rwitura"
Date: Thu, 18 Jul 2002 13:52:26 -0400
Subject: Re: disconection
Message-ID: <005f01c22e83$e19188c0$b0120a0a@primustel.ca>
References: <200207181921.1340411.6@btsoftware.com>

Thanx martin and Thomas

- the auto-off is off completely ..
I guess the reason is mostly the
firewall

- to answer Thomas

yeap i do
here are my ipfw rules :

#allow ssh
add 00300 allow tcp from 216.254.136.110 to any ssh in setup keep-state

add 00301 allow tcp from any to any out setup keep-state

add 00302 allow tcp from any ssh to any out setup keep-state
add 00304 allow tcp from any to any ssh in
add 00305 allow tcp from any to any out setup keep-state

====================================
Didier Rwitura
Technical Support // Soutien Technique
P R I M U S TELECOMMUNICATIONS Inc
1-888-222-8577 Business
1-800-370-0015 Residential
Ext 8628
Email: drwitura@primus.ca
Tech support Email : support@primus.ca
Please visit // Visitez svp http://support.primus.ca or // ou http://www.primushost.com

----- Original Message -----
From: "bts"
To: "Didier Rwitura"
Sent: Thursday, July 18, 2002 1:19 PM
Subject: Re: disconection

> Hi Didier,
>
> If you connect to a unix box, I would take a look at the
> auto-logoff setting at that unix box. Turn it higher or
> completely off.
>
> Martin.
>
> On Thu, 18 Jul 2002 12:27:48 -0400, Didier Rwitura wrote:
>
> >hi there my box (FreeBSD 4.6-RELEASE ) is disconnecting me after few minutes
> >,when I connect remotely using SSH. I have IPFW as firewall. Is there
> >anything I can do to fix this??
> >Thanx
> >
> >====================================
> > Didier R

From owner-freebsd-ipfw Thu Jul 18 11:41:55 2002
From: net@wsf.at
To: "Didier Rwitura"
Date: Thu, 18 Jul 2002 18:41:48 -0000
Subject: Re: disconection
Message-Id: <200207181841.g6IIfmY09684@www.wsf.at>
In-Reply-To: <005f01c22e83$e19188c0$b0120a0a@primustel.ca>

Hi Didier,

Didier Rwitura wrote:
> Thanx martin and Thomas
>
> - the auto-off is off completely .. I guess the reason is mostly the
> firewall
>
> - to answer Thomas
>
> yeap i do
> here are my ipfw rules :
>
> #allow ssh
> add 00300 allow tcp from 216.254.136.110 to any ssh in setup keep-state
>
> add 00301 allow tcp from any to any out setup keep-state
>
> add 00302 allow tcp from any ssh to any out setup keep-state

I think this rule is useless. AFAIK there will never be an attempt to
establish a connection originating from port 22 (sshd listens there).

> add 00304 allow tcp from any to any ssh in

This makes no sense either. You allow all traffic to port 22 but there is
no rule that would let the responses pass (rule 302 only matches SYN
packets).

> add 00305 allow tcp from any to any out setup keep-state
>
> ====================================

Regarding your original problem, there are 3 options:

1) Configure ipfw to pass traffic to/from 22 without using 'keep-state',
   replace 300 with:
     add 00200 allow tcp from 216.254.136.110 to me ssh
     add 00201 allow tcp from me 22 to 216.254.136.110
   (replace '216.254...' with 'any' if you want to connect from anywhere
   but check your version of sshd first! )

2) Increase the lifetime of the temporary rules created by 'keep-state'.
   See 'man ipfw', search for 'SYSCTL', see 'net.inet.ip.fw.dyn_ack_lifetime'.

3) Configure sshd and/or your ssh-client to use keepalives.

HTH

Thomas

P.S.: Please don't top-post, it makes it much more difficult to follow
the thread.
From owner-freebsd-ipfw Thu Jul 18 11:45:28 2002
From: rick norman
To: freebsd-ipfw@freebsd.org
Date: Thu, 18 Jul 2002 11:40:11 -0700
Subject: ipfw limitation with subnets
Message-id: <3D370B8B.A8F5FE4E@lmco.com>

In 4.5 there is a limitation in ipfw that won't allow pkts being routed
out on different subnets to be treated separately if those subnets are
aliases on the same physical interface. Since the information is
available it should be a simple matter for ipfw to support this ability.
Can this feature be supported or is there some reason not to support it ?

Thanks,
Rick Norman
rick.norman@lmco.com
--
"In the Big Rock Candy Mountains the jails are made of tin,
And you can walk right out again as soon as you are in
There ain't no short-handled shovels, no axes, saws or picks,
I'm a-goin' to stay where you sleep all day
Where they hung the jerk that invented work
In the Big Rock Candy Mountains"

From owner-freebsd-ipfw Thu Jul 18 13:43:41 2002
From: Rob Ellis
To: net@wsf.at
Cc: Didier Rwitura, ipfw@FreeBSD.ORG
Date: Thu, 18 Jul 2002 16:43:28 -0400
Subject: Re: disconection
Message-ID: <20020718204328.GQ40395@web.ca>
In-Reply-To: <200207181841.g6IIfmY09684@www.wsf.at>

an alternative to ssh KeepAlive is to use protocol 2 with
ClientAliveInterval and ClientAliveCountMax set. (see sshd man page).
- rob

> Regarding your original problem, there are 3 options:
> 1) Configure ipfw to pass traffic to/from 22 without using
> 'keep-state', replace 300 with:
> add 00200 allow tcp from 216.254.136.110 to me ssh
> add 00201 allow tcp from me 22 to 216.254.136.110
> (replace '216.254...' with 'any' if you want to connect from anywhere
> but check your version of sshd first! )
>
> 2) increase the lifetime of the temporary rules created by
> 'keep-state'. See 'man ipfw', search for 'SYSCTL', see
> 'net.inet.ip.fw.dyn_ack_lifetime'.
>
> 3) Configure sshd and/or your ssh-client to use keepalives.
>
> HTH
>
> Thomas
>
> P.S.: Please don't top-post, it makes it much more difficult
> to follow the thread.

From owner-freebsd-ipfw Thu Jul 18 13:49:00 2002
From: Luigi Rizzo
To: Rob Ellis
Cc: net@wsf.at, Didier Rwitura, ipfw@FreeBSD.ORG
Date: Thu, 18 Jul 2002 13:48:33 -0700
Subject: Re: disconection
Message-ID: <20020718134832.A25924@iguana.icir.org>
In-Reply-To: <20020718204328.GQ40395@web.ca>; from rob@web.ca on Thu, Jul 18, 2002 at 04:43:28PM -0400

On Thu, Jul 18, 2002 at 04:43:28PM -0400, Rob Ellis wrote:
> an alternative to ssh KeepAlive is to use protocol 2 with
> ClientAliveInterval and ClientAliveCountMax set. (see
> sshd man page).

the version of ipfw in -current now generates keepalives on dynamic rules.
Patches for -stable are at

http://info.iet.unipi.it/~luigi/ipfw2.stable.020715.diffs

cheers
luigi

> - rob

From owner-freebsd-ipfw Fri Jul 19 01:57:04 2002
From: Bernd Walter
To: Didier Rwitura
Cc: ipfw@FreeBSD.ORG
Date: Fri, 19 Jul 2002 10:56:49 +0200
Subject: Re: disconection
Message-ID: <20020719085648.GI41699@cicely5.cicely.de>
Reply-To: ticso@cicely.de
In-Reply-To: <005f01c22e83$e19188c0$b0120a0a@primustel.ca>
X-Operating-System: FreeBSD cicely5.cicely.de 5.0-CURRENT i386

On Thu, Jul 18, 2002 at 01:52:26PM -0400, Didier Rwitura wrote:
> Thanx martin and Thomas
>
> - the auto-off is off completely .. I guess the reason is mostly the
> firewall
>
> - to answer Thomas
>
> yeap i do
> here are my ipfw rules :
>
> #allow ssh
> add 00300 allow tcp from 216.254.136.110 to any ssh in setup keep-state
>
> add 00301 allow tcp from any to any out setup keep-state
>
> add 00302 allow tcp from any ssh to any out setup keep-state
> add 00304 allow tcp from any to any ssh in
> add 00305 allow tcp from any to any out setup keep-state

add 299 check-state

What is the duplicate 301/305 for?
If you need 304 that's a good sign that packets for your session did not
pass through a check-state.

--
B.Walter              COSMO-Project http://www.cosmo-project.de
ticso@cicely.de         Usergroup   info@cosmo-project.de
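As an added example (not code from the thread or from ipfw itself), a small Python linter that reads a ruleset as text and reports the four mistakes Thomas and Bernd point out above: a 'setup' rule sourced from port 22, a stateless inbound allow with no rule for the replies, a duplicated rule, and no check-state ahead of the keep-state rules. It assumes the rule syntax exactly as written in this thread (add N action proto from SRC [SPORT] to DST [DPORT] [in|out] [setup] [keep-state], plus 'add N check-state') and a service-name table that only knows 'ssh'.

```python
# Added example, not code from the thread: a linter for the ipfw mistakes Thomas and
# Bernd point out above.  It only reads text and assumes the syntax used there.
SERVICES = {"ssh": 22}                       # service names used in the thread
OPTIONS = {"in", "out", "setup", "keep-state", "established"}

def port_num(tok):                           # 'ssh' or '22' -> 22
    return int(tok) if tok.isdigit() else SERVICES[tok]

def parse_rule(line):
    """Return a dict for one 'add ...' line, or None for comments/blank lines."""
    toks = line.split()
    if len(toks) < 3 or toks[0] != "add":
        return None
    rule = {"num": int(toks[1]), "action": toks[2], "raw": line.strip(),
            "sport": None, "dport": None, "opts": set()}
    if rule["action"] == "check-state":      # 'add N check-state' has no body
        return rule
    i = toks.index("from") + 1
    rule["src"], i = toks[i], i + 1
    if toks[i] != "to":                       # optional source port
        rule["sport"], i = port_num(toks[i]), i + 1
    rule["dst"], i = toks[i + 1], i + 2       # skip 'to', take the destination
    if i < len(toks) and toks[i] not in OPTIONS:  # optional destination port
        rule["dport"], i = port_num(toks[i]), i + 1
    rule["opts"] = set(toks[i:])
    return rule

def lint(ruleset):
    """Return human-readable findings for a ruleset given as text."""
    rules = sorted((r for r in map(parse_rule, ruleset.splitlines()) if r),
                   key=lambda r: r["num"])
    findings = []
    # Bernd: an explicit check-state ahead of the stateful rules.  ipfw(8) consults
    # the dynamic set at the first keep-state rule anyway; the explicit rule keeps
    # that lookup ahead of stateless allows such as 304.
    stateful = [r for r in rules if "keep-state" in r["opts"]]
    checks = [r for r in rules if r["action"] == "check-state"]
    if stateful and not any(c["num"] < stateful[0]["num"] for c in checks):
        findings.append("no check-state ahead of first keep-state rule %d"
                        % stateful[0]["num"])
    seen = {}                                 # Bernd: 301 and 305 are the same rule
    for r in rules:
        body = r["raw"].split(None, 2)[2]     # the text after the rule number
        if body in seen:
            findings.append("rule %d duplicates rule %d" % (r["num"], seen[body]))
        seen.setdefault(body, r["num"])
    for r in (r for r in rules if r["action"] != "check-state"):
        # Thomas: a SYN never originates from the port sshd listens on.
        if "setup" in r["opts"] and r["sport"] is not None:
            findings.append("rule %d: 'setup' with source port %d never matches"
                            % (r["num"], r["sport"]))
        # Thomas: a stateless allow into a port needs a stateless rule back out of
        # that port, otherwise nothing in the set passes the replies.
        if "keep-state" not in r["opts"] and "out" not in r["opts"] and r["dport"]:
            reverse = any(x["sport"] == r["dport"]
                          and not ({"keep-state", "setup", "in"} & x["opts"])
                          for x in rules)
            if not reverse:
                findings.append("rule %d: stateless allow to port %d has no reverse "
                                "rule for the replies" % (r["num"], r["dport"]))
    return findings

# Constructed copies of the rules quoted in the thread: Didier's set, and a set
# built from Thomas's option 1 plus Bernd's check-state.
DIDIER_RULES = """\
#allow ssh
add 00300 allow tcp from 216.254.136.110 to any ssh in setup keep-state
add 00301 allow tcp from any to any out setup keep-state
add 00302 allow tcp from any ssh to any out setup keep-state
add 00304 allow tcp from any to any ssh in
add 00305 allow tcp from any to any out setup keep-state
"""
FIXED_RULES = """\
add 00299 check-state
add 00200 allow tcp from 216.254.136.110 to me ssh
add 00201 allow tcp from me 22 to 216.254.136.110
add 00301 allow tcp from any to any out setup keep-state
"""
```

Running lint(DIDIER_RULES) yields four findings (check-state, 305 duplicating 301, 302, 304), while lint(FIXED_RULES) yields none.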