From owner-freebsd-ipfw Wed Oct 9 13:41:30 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9013637B401 for ; Wed, 9 Oct 2002 13:41:29 -0700 (PDT)
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id F056E43E3B for ; Wed, 9 Oct 2002 13:41:28 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org ([12.234.91.48]) by sccrmhc02.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20021009204128.JFKK6765.sccrmhc02.attbi.com@blossom.cjclark.org>; Wed, 9 Oct 2002 20:41:28 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g99KfRWn064889; Wed, 9 Oct 2002 13:41:27 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost) by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g99KfQ3J064883; Wed, 9 Oct 2002 13:41:26 -0700 (PDT) (envelope-from crist.clark@attbi.com)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Wed, 9 Oct 2002 13:41:26 -0700
From: "Crist J. Clark"
To: Danny.Carroll@mail.ing.nl
Cc: ipfw@FreeBSD.ORG
Subject: Re: Question about to/from matching.
Message-ID: <20021009204126.GB64287@blossom.cjclark.org>
Reply-To: "Crist J. Clark"
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, Oct 04, 2002 at 01:14:00PM +0200, Danny.Carroll@mail.ing.nl wrote:
> I have not got my copy of "Internetworking with TCP/IP Vol. x" with me
> (someone borrowed it indefinitely) so forgive this rather basic question.
>
> I have a rule, very early in my ruleset that says:
> deny log ip from any to 10.0.0.0/8 via xl0
>
> but my gateway (and default route) is 10.0.0.100
>
> Now, it's working the way I want it to... In that it sends outside stuff
> to 10.0.0.100 and I can't telnet directly to the gateway. But I am curious
> why this rule does not get enforced.

It does get enforced. You said you cannot telnet to 10.0.0.100.

> What does a TCP packet look like when it's being sent *to* a remote
> destination, but via a gateway. Does the ip stack translate 10.0.0.100 to
> an ethernet address and pass it on that way?

Yes. The gateway's IP address doesn't appear in the IP packet. Have a look
at the packet. Use tcpdump(8) with '-X' and look at a diagram of the data
fields in an IP datagram.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Thu Oct 10 4:31:44 2002
Message-ID: <3DA5650B.5000306@tcoip.com.br>
Date: Thu, 10 Oct 2002 08:31:23 -0300
From: "Daniel C. Sobral"
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 vs.
ipfw1 and 4.7
References: <20021002064750.G22163@iguana.icir.org> <3D9B00F3.9040308@tcoip.com.br> <20021002074018.A22920@iguana.icir.org>

Well, it turned out to be too late for the fix to get in 4.7-R. Now that
4.7-R is out of the door (just pending alpha bits, proper synch'ing on
enough mirrors and formal announcement), will you commit the fix, or
should I?

--
Daniel C. Sobral (8-DCS)
Operations Management
Data Communications Division
Security Coordination
TCO
Phones: 55-61-313-7654 / Cell: 55-61-9618-0904
E-mail: Daniel.Capo@tco.net.br Daniel.Sobral@tcoip.com.br dcs@tcoip.com.br
Others: dcs@newsguy.com dcs@freebsd.org capo@notorious.bsdconspiracy.net

"What is wanted is not the will to believe, but the will to find out, which is the exact opposite."
-- Bertrand Russell, "Skeptical_Essays", 1928

From owner-freebsd-ipfw Thu Oct 10 8:56:09 2002
Date: Thu, 10 Oct 2002 08:56:06 -0700
From: Luigi Rizzo
To: "Daniel C. Sobral"
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 vs. ipfw1 and 4.7
Message-ID: <20021010085606.A62435@carp.icir.org>
References: <20021002064750.G22163@iguana.icir.org> <3D9B00F3.9040308@tcoip.com.br> <20021002074018.A22920@iguana.icir.org> <3DA5650B.5000306@tcoip.com.br>
In-Reply-To: <3DA5650B.5000306@tcoip.com.br>; from dcs@tcoip.com.br on Thu, Oct 10, 2002 at 08:31:23AM -0300

On Thu, Oct 10, 2002 at 08:31:23AM -0300, Daniel C. Sobral wrote:
> Well, it turned out to be too late for the fix to get in 4.7-R. Now that
> 4.7-R is out of the door (just pending alpha bits, proper synch'ing on
> enough mirrors and formal announcement), will you commit the fix, or
> should I?
feel free to commit it.

thanks
luigi

From owner-freebsd-ipfw Thu Oct 10 12:56:13 2002
Date: Mon, 20 Aug 2001 12:30:34 -0700 (PDT)
From: Joseph Scott
To: freebsd-stable@freebsd.org, freebsd-ipfw@freebsd.org
Subject: ipfw broken in 4.4-RC from 20 Aug 2001
Message-ID:

It appears that ipfw is broken in -stable. uname -a output:

FreeBSD guard.water-programs.com 4.4-RC FreeBSD 4.4-RC #2: Mon Aug 20 12:09:23 PDT 2001 admin@guard.water-programs.com:/usr/obj/usr/src/sys/GUARD i386

After running 'ipfw show' I get the following output:

ipfw: getsockopt(IP_FW_GET): Protocol not available

Any information or ideas on what may have caused this problem?
In the meantime I'm going to try and rummage through the recent commits
involving ipfw and see if I can pin this down further. I consider this a
show stopper for 4.4-RELEASE.

-Joseph

From owner-freebsd-ipfw Thu Oct 10 12:59:46 2002
Date: Mon, 20 Aug 2001 12:54:04 -0700 (PDT)
From: Joseph Scott
To: Joseph Scott
Cc: freebsd-stable@freebsd.org, freebsd-ipfw@freebsd.org
Subject: my bad : ipfw broken in 4.4-RC from 20 Aug 2001
In-Reply-To:
Message-ID:

Please disregard the previous email, I'll just go crawl under a rock. I had
several ssh sessions going to several different systems, and I'd mistaken
which one I was actually in :-( Ug.
-Joseph

From owner-freebsd-ipfw Fri Oct 11 5:09:56 2002
Message-ID: <004501c2711f$536e0800$6401a8c0@dynamic>
From: "FreeBSD-IPFW"
To:
References:
Subject: texts
Date: Thu, 10 Oct 2002 22:37:36 -0400

Hello,

I've been a lurker here for ~2 months. I'm currently a college graduate and
quite frankly I find this stuff (freebsd-ipfw) fascinating. I've decided to
personally implement some ipfw stuff. I'm looking for some type of text that
explains theory and can also be used as a reference w/ examples, maybe this
will have to be two texts. Can anyone give a good website or text that is
definitive (difficult for a work in progress)? I've checked
www.freebsd.org/handbook and, of course, the man page [ipfw(8)], both of
which seem to be a good start.
I guess while I'm at it, I'll ask my specific question: I've decided to do
an exercise in traffic shaping. Specifically I would like to do something
along the lines of a QoS packet scheduler (Not sure if this is the correct
terminology). In other words, something that would prioritize email over ftp
over http and so forth, so that if all three were running email would get a
large chunk of the bandwidth 66%, ftp would get 23%, and http would get 10%.
This is just an example.

Here is another (possibly similar) example. Three computers in an internal
lan connected to a box with natd and an internet connection. Computer A gets
50% of available bandwidth and Computer B and C each get 25%. I'm guessing
the second example would be easier to implement than the first.

Any suggestions on getting out of the gate on this problem? Or any
suggestions regarding a good website or text for more in-depth information
on the subject?

Thanks in advance for your help and insight!

Greg

From owner-freebsd-ipfw Fri Oct 11 7:21:37 2002
Date: Fri, 11 Oct 2002 17:21:26 +0300
From: Andrey Degtyaryov
To: freebsd-ipfw@freebsd.org
Subject: TOS matching in ipfw2
Message-ID: <20021011142125.GH32697@astral-on.net>

Hello!

Why does iptos take only the limited set of "spec" values in ipfw2? It would
be much more convenient if "spec" could be any number. Why was it necessary
to apply such a restriction? In this way it would be possible to implement
flexible traffic shaping models according to the values of TOS.

I've implemented a netgraph node which changes packets' TOS values as they
pass through the interface (marking traffic groups/clients) and ALTQ
allocates bandwidth in compliance with them. I know about traffic
conditioners and use them on the routers which are running ALTQ. But I
cannot / don't want to install ALTQ on all routers for many reasons. It
would be much better to migrate from ALTQ to DUMMYNET (because of the
higher accuracy of DUMMYNET)...
--
Andrew Degtiariov
AD5898-RIPE | AD5-UANIC
ad@astral-on.net

From owner-freebsd-ipfw Fri Oct 11 9:45:44 2002
Message-ID:
From: Dave Dolson
To: "'freebsd-ipfw@freebsd.org'"
Subject: Problem diverting bridged packets
Date: Fri, 11 Oct 2002 12:45:35 -0400

Is anyone aware of an ipfw1 issue with diverting packets from the bridge?

I'm finding that a rule like the following will cause the packets to be
dropped and not diverted.

# ipfw add 400 accept icmp from 1.1.1.10 to 1.1.1.4 bridge

(Addresses 1.1.1.10 and 1.1.1.4 are on opposite sides of the local machine.)

I'm running -stable 4.6 code, but not quite the latest, so sorry if this is
old news.
4.6-RELEASE FreeBSD 4.6-RELEASE #7

I know that my divert client is working properly because it properly reads
and re-inserts packets for non-divert rules involving packets for the local
host (not bridged). E.g., this works fine (1.1.1.1 is the local host)

divert 9001 icmp from 1.1.1.10 to 1.1.1.1

Thanks,

David Dolson
Senior Software Engineer
Sandvine Incorporated.
Tel: 519-880-2400 x2737
www.sandvine.com

From owner-freebsd-ipfw Fri Oct 11 12:26:53 2002
Date: Fri, 11 Oct 2002 12:26:50 -0700
From: Luigi Rizzo
To: Dave Dolson
Cc: "'freebsd-ipfw@freebsd.org'"
Subject: Re: Problem diverting bridged packets
Message-ID: <20021011122650.B76519@carp.icir.org>
References:
In-Reply-To: ; from ddolson@sandvine.com on Fri, Oct 11, 2002 at 12:45:35PM -0400

On Fri, Oct 11, 2002 at 12:45:35PM -0400, Dave Dolson wrote:
> Is anyone aware of an ipfw1 issue with diverting packets from the bridge?
>
> I'm finding that a rule like the following will cause the packets to be
> dropped and not diverted.
> # ipfw add 400 accept icmp from 1.1.1.10 to 1.1.1.4 bridge

I suppose there are two typos here? "bridge" is not a valid option,
"bridged" is; "accept" has nothing to do with "divert".
But if you read the manpage, you should see that divert actions are not
supported on bridged packets.

cheers
luigi

> (Addresses 1.1.1.10 and 1.1.1.4 are on opposite sides of the local machine.)
>
> I'm running -stable 4.6 code, but not quite the latest, so sorry if this is
> old news.
> 4.6-RELEASE FreeBSD 4.6-RELEASE #7
>
> I know that my divert client is working properly because it properly reads
> and re-inserts packets for non-divert rules involving packets for the local
> host (not bridged).
> E.g., this works fine (1.1.1.1 is the local host)
> divert 9001 icmp from 1.1.1.10 to 1.1.1.1
>
> Thanks,
>
> David Dolson
> Senior Software Engineer
> Sandvine Incorporated.
> Tel: 519-880-2400 x2737
> www.sandvine.com

From owner-freebsd-ipfw Sat Oct 12 10:16:38 2002
Date: Sat, 12 Oct 2002 10:16:28 -0700
From: Luigi Rizzo
To: Andrey Degtyaryov
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: TOS matching in ipfw2
Message-ID: <20021012101628.A90230@carp.icir.org>
References: <20021011142125.GH32697@astral-on.net>
In-Reply-To: <20021011142125.GH32697@astral-on.net>; from ad@astral-on.net on Fri, Oct 11, 2002 at 05:21:26PM +0300

On Fri, Oct 11, 2002 at 05:21:26PM +0300, Andrey Degtyaryov wrote:
> Hello!
> Why does iptos take only the limited set of "spec" values in ipfw2? It would
> be much more convenient if "spec" could be any number. Why was it necessary
> to apply such a restriction?

I think I just copied whatever ipfw1 did. I believe there are no problems
extending the tos to match any number (or ranges, for what matters).

Many are asking me if I intend to implement ipfw2 actions which actually
modify the packet being processed. The answer is yes, but I would like
first to come up with a good syntax for those actions, e.g.:

ipfw add 100 accept "ip.dst = 1.2.3.4, ip.tos=25" ip from a to b

Of course one would want the syntax for packet modifications to be as
general as possible, but I'd rather not need a full blown compiler to
compile such actions...

Suggestions welcome

cheers
luigi

> In this way it would be possible to implement flexible traffic
> shaping models according to the values of TOS.
> I've implemented a netgraph node which changes packets' TOS values as they
> pass through the interface (marking traffic groups/clients) and ALTQ
> allocates bandwidth in compliance with them. I know about traffic
> conditioners and use them on the routers which are running ALTQ. But I
> cannot / don't want to install ALTQ on all routers for many reasons.
> It would be much better to migrate from ALTQ to DUMMYNET (because of the
> higher accuracy of DUMMYNET)...
>
> --
> Andrew Degtiariov
> AD5898-RIPE | AD5-UANIC
> ad@astral-on.net

From owner-freebsd-ipfw Sat Oct 12 11:11:46 2002
Date: Sat, 12 Oct 2002 21:11:17 +0300
From: Andrey Degtyaryov
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
Subject: Re: TOS matching in ipfw2
Message-ID: <20021012181117.GA88561@astral-on.net>
References: <20021011142125.GH32697@astral-on.net> <20021012101628.A90230@carp.icir.org>
In-Reply-To: <20021012101628.A90230@carp.icir.org>

On Sat, Oct 12, 2002 at 10:16:28AM -0700, Luigi Rizzo wrote:
> I think I just copied whatever ipfw1 did. I believe there are no problems
> extending the tos to match any number (or ranges, for what matters).

You mean you plan to do this?
--
Andrew Degtiariov
AD5898-RIPE | AD5-UANIC
ad@astral-on.net

From owner-freebsd-ipfw Sat Oct 12 12:45:44 2002
From: John Nielsen
To: ipfw@freebsd.org
Subject: net.link.ether.ipfw + DHCP
Date: Sat, 12 Oct 2002 13:48:37 -0600
Message-Id: <200210121348.37931.john@jnielsen.net>

I've been experimenting with ipfw2 rules to filter access based on both IP
address and MAC address. I'm using ipfw2 on 4.7-RELEASE, and the kernel
has DEFAULT_TO_DENY. This particular server uses DHCP to obtain an IP
address from my cable provider. I've run into a bit of a catch-22 and
wanted to see if any of you have any suggestions (and I also want to verify
that my analysis of the problem is correct).

Basically, it seems that having net.link.ether.ipfw=1 in /etc/sysctl.conf
will prevent DHCP from working on a DEFAULT_TO_DENY firewall, due to the
order of the startup scripts.
dhclient is being run after sysctl.conf is processed, but before the
firewall script is run. So even though I have an
"add allow layer2 not mac-type ip" rule at the beginning of my ruleset,
dhclient is blocked by the default deny rule of the firewall.

Setting net.link.ether.ipfw from rc.local is probably an acceptable
workaround, but I'd still like to hear if you have any comments or
suggestions.

Thanks,

JN
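The boot-order race John describes above, replayed as an added example (this is not code from his post or from FreeBSD). The script is a deliberately simplified model of ipfw: rules are tried in number order and the first match wins, a DEFAULT_TO_DENY kernel ends the list with an implicit deny rule 65535, and the net.link.ether.ipfw sysctl decides whether layer-2 frames are run through the ruleset at all. Rule 200, the DHCP port numbers and the step names are assumptions made for the illustration; the real ipfw2 layer-2 semantics on 4.7 are not reproduced.

```python
"""Model of the net.link.ether.ipfw / dhclient / firewall-script boot-order race.

Added example, not code from the original post or from FreeBSD. Simplified
ipfw semantics: first matching rule wins, DEFAULT_TO_DENY supplies rule 65535,
and the layer-2 hook only runs frames through ipfw when the sysctl is on.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Frame:
    """Constructed view of a frame as seen at the ethernet (layer-2) hook."""
    mac_type: str          # "ip", "arp", ...
    proto: str = ""        # "udp", "tcp", ... (only meaningful for mac_type "ip")
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    match: Callable[[Frame], bool]
    text: str                       # the ipfw(8) syntax it stands for


# Kernel built with IPFIREWALL_DEFAULT_TO_DENY: rule 65535 denies everything.
DEFAULT_DENY = Rule(65535, "deny", lambda f: True, "deny ip from any to any")


@dataclass
class Firewall:
    layer2_hook: bool = False                      # net.link.ether.ipfw
    rules: List[Rule] = field(default_factory=lambda: [DEFAULT_DENY])

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)    # ipfw keeps rules ordered by number

    def verdict_layer2(self, frame: Frame) -> str:
        """Fate of a frame at the ethernet hook: first match wins."""
        if not self.layer2_hook:
            return "allow"          # sysctl off: frames never reach ipfw here
        for rule in self.rules:
            if rule.match(frame):
                return rule.action
        return "deny"               # unreachable while DEFAULT_DENY is present


# Constructed sample: a DHCP DISCOVER is an IP/UDP frame from port 68 to port 67.
DHCP_DISCOVER = Frame(mac_type="ip", proto="udp", sport=68, dport=67)


def load_ruleset(fw: Firewall) -> None:
    """The firewall script: the layer-2 rule quoted in the post plus an assumed DHCP rule."""
    fw.add(Rule(100, "allow", lambda f: f.mac_type != "ip",
                "allow layer2 not mac-type ip"))
    fw.add(Rule(200, "allow",
                lambda f: f.proto == "udp" and f.sport == 68 and f.dport == 67,
                "allow udp from any 68 to any 67   (assumed, not in the post)"))


def enable_layer2(fw: Firewall) -> None:
    fw.layer2_hook = True           # sysctl net.link.ether.ipfw=1


# Boot steps other than dhclient, keyed by where the sysctl gets set.
STEPS = {
    "sysctl.conf": enable_layer2,   # /etc/sysctl.conf is processed early in rc
    "firewall":    load_ruleset,    # the firewall script loads the rules
    "rc.local":    enable_layer2,   # the workaround: set the sysctl last
}


def replay(boot_order: List[str]) -> Tuple[Optional[str], str]:
    """Run the boot steps in order.

    Returns (verdict for the DHCP frame at the moment dhclient runs,
             verdict for the same frame once boot has finished).
    """
    fw = Firewall()
    at_dhclient = None
    for step in boot_order:
        if step == "dhclient":
            at_dhclient = fw.verdict_layer2(DHCP_DISCOVER)
        else:
            STEPS[step](fw)
    return at_dhclient, fw.verdict_layer2(DHCP_DISCOVER)


# The order described in the post, and the rc.local workaround it proposes.
BROKEN_ORDER = ["sysctl.conf", "dhclient", "firewall"]
WORKAROUND_ORDER = ["dhclient", "firewall", "rc.local"]

if __name__ == "__main__":
    for where, order in (("sysctl.conf", BROKEN_ORDER), ("rc.local", WORKAROUND_ORDER)):
        at_dhclient, final = replay(order)
        print(f"sysctl set in {where:12s}: dhclient sees {at_dhclient}, after boot {final}")
```

Running it shows the point of the post: with the sysctl in sysctl.conf, the only rule loaded when dhclient runs is the default deny, so the "allow layer2" rule at the head of the ruleset never gets a chance to match; with the sysctl moved to rc.local the hook is still off while dhclient runs and is switched on only after the rules are in place.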