From owner-freebsd-ipfw Sun Mar 2 7:17:44 2003
Date: 2 Mar 2003 16:17:40 +0100
From: "clemens fischer"
To: "Eric Brunner-Williams in Portland Maine"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Starting out with IPFW on 5.0

Eric Brunner-Williams in Portland Maine:

> This builds and runs, but there are no devices -- /dev/{ipauth,ipl,ipstate},
> so I've missed substantial clue.

so maybe you should /dev/MAKEDEV them?

  clemens

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Mar 2 14:14:57 2003
Date: Sun, 2 Mar 2003 23:14:38 +0100
From: Yann Berthier
To: freebsd-ipfw@freebsd.org
Subject: Re: Starting out with IPFW on 5.0

On Sat, 01 Mar 2003, Eric Brunner-Williams in Portland Maine wrote:

> Hi,
>
> I recently installed 5.0 on a set of boxes I'm deploying as part of an ISP.
>
> I'd like to install packet filter rule sets on these.
>
> I'm stumped by the change in device creation. In simpler times, MAKEDEV
> wrapped the mknod(8) dirty work.
> This apparently isn't the case now.
>
> So, from the 5.0 source (no cvsup), I've made the following changes to
> GENERIC:
>
> > # Firewall
> > options IPFIREWALL #firewall
> > options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
> > options IPFIREWALL_FORWARD #enable transparent proxy support
> > options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
> > options IPFIREWALL_DEFAULT_TO_ACCEPT #use ipf to close, not open
> >
> > # Do not decrement the ttl, hide firewall from traceroute class tools
> > options IPSTEALTH #support for stealth forwarding
>
> This builds and runs, but there are no devices -- /dev/{ipauth,ipl,ipstate},
> so I've missed substantial clue.

What do you want to use to do ip filtering? with the options in your
kernel file, it seems you want to use ipfw, so it's quite normal that
there is no /dev/{ipauth,ipl,ipstate}. If you want to use ipfilter,
add options IPFILTER and IPFILTER_LOG, the dev entries will be
created accordingly.

As for MAKEDEV, this is no more relevant in a 5 land, you should
really read UPDATING btw before considering deploying it in a
production environment.

regards,

- yann

From owner-freebsd-ipfw Sun Mar 2 14:23:56 2003
Date: Sun, 02 Mar 2003 17:22:15 -0500
From: Eric Brunner-Williams in Portland Maine
To: Yann Berthier
Cc: freebsd-ipfw@FreeBSD.ORG, brunner@nic-naa.net
Subject: Re: Starting out with IPFW on 5.0

> If you want to use ipfilter,
> add options IPFILTER and IPFILTER_LOG, the dev entries will be
> created accordingly

thanks yann. yours is the first sensible answer.

From owner-freebsd-ipfw Sun Mar 2 20:51:46 2003
Date: Sun, 2 Mar 2003 20:51:38 -0800
From: Sean Chittenden
To: freebsd-ipfw@freebsd.org
Subject: ACK+RST useful?

I'm confused as to what the point is of having a packet with the RST and
ACK flags set. In legitimate use, an RST+ACK packet is only sent after
the connection has been closed. With stateful firewalls, this can
cause a great deal of logging of packets that are legit and a part of
the spec, but are by and large worthless as far as I can tell.

I've read through RFC 793 and as best as I can tell and with a stateful
firewall, it strikes me as being _okay_ to have a drop rule (following
the check-state rule) for packets that have the RST+ACK bits set. Am I
wrong or missing something with this assertion? -sc

--
Sean Chittenden

From owner-freebsd-ipfw Mon Mar 3 11: 2: 8 2003
Date: Mon, 3 Mar 2003 11:02:06 -0800 (PST)
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues

1 problem total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o  [2003/01/05] bin/46785   ipfw   [patch] add sets information to ipfw2 -h
o  [2003/01/15] bin/47120   ipfw   [patch] Sanity check in ipfw(8)
o  [2003/01/18] bin/47196   ipfw   ipfw won't format correctly output from '

4 problems total.

From owner-freebsd-ipfw Thu Mar 6 23:57:27 2003
Date: Fri, 7 Mar 2003 11:00:43 +0300 (MSK)
From: denb
To: freebsd-net@FreeBSD.ORG
Cc: ipfw@FreeBSD.ORG
Subject: Why natd don't divert packets?

Why doesn't natd divert packets?

*********screenshot***********************
#ipfw add divert 1111 tcp from any to any 7
#ipfw add divert 1111 tcp from any 7 to any
#natd -v -p 1111 -a 172.16.0.102 -redirect_port tcp 172.16.0.253:7 7
In [TCP] [TCP] 172.16.0.104:49169 -> 172.16.0.102:7 aliased to
[TCP] 172.16.0.104:49169 -> 172.16.0.253:7
In [TCP] [TCP] 172.16.0.104:49169 -> 172.16.0.102:7 aliased to
[TCP] 172.16.0.104:49169 -> 172.16.0.253:7
^C
*********screenshot***********************

Where is Out[TCP]?

Rules after running natd (why does the second rule have 0 in the packets number?):

*********screenshot***********************
#ipfw show
0001 6 180 divert 1111 tcp from any to any dst-port 7
0002 0 0 divert 1111 tcp from any 7 to any
*********screenshot***********************

From owner-freebsd-ipfw Fri Mar 7 8:44:10 2003
Date: Fri, 7 Mar 2003 11:44:07 -0500
From: "Tracy, John"
Subject: Bandwidth control and counters

Greetings all,

We're putting together a firewall for the primary
purpose of ensuring fairness for a user base of around 600 students.
We're looking at a copy of different models for controlling bandwidth.
We will have a 3 megabit connection to our provider.

We were looking at limiting connections to 128kbps, so each user could
download data at about a megabyte a minute. The only problem with this
is that it prevents students from using the full bandwidth potential
when it might otherwise be unobtrusively available. Are there any good
methods for permitting connections to use all available bandwidth unless
other requests are made--and then fairly divide the available bandwidth
so that it is equally (as much as possible) responsive for each user?

And finally a last question... Were we to set up limits on
transfers--like 2gigs in a week per IP address, does anybody know of any
good FAQs or guides of how to do this well?

Thanks for your time,
John Tracy

From owner-freebsd-ipfw Fri Mar 7 9: 3:34 2003
Date: Fri, 7 Mar 2003 18:06:17 +0100
From: Claudio Eichenberger
To: "Tracy, John"
Cc: ipfw@FreeBSD.ORG
Subject: Re: Bandwidth control and counters

On 2003.03.07 11:44:07, Tracy, John wrote:
> Greetings all,
> We're putting together a firewall for the primary purpose of ensuring fairness for a user base of around 600 students. We're looking at a copy of different models for controlling bandwidth. We will have a 3 megabit connection to our provider.
> We were looking at limiting connections to 128kbps, so each user could download data at about a megabyte a minute. The only problem with this is that it prevents students from using the full bandwidth potential when it might otherwise be unobtrusively available. Are there any good methods for permitting connections to use all available bandwidth unless other requests are made--and then fairly divide the available bandwidth so that it is equally (as much as possible) responsive for each user?
>
> And finally a last question... Were we to set up limits on transfers--like 2gigs in a week per IP address, does anybody know of any good FAQs or guides of how to do this well?

please have a look at this
http://info.iet.unipi.it/~luigi/ip_dummynet/

>
> Thanks for your time,
> John Tracy
>

--
Claudio Eichenberger
Tel +41 21 67 17 111
Fax +41 21 67 17 112
Mob +41 79 34 72 100
Http://YourShop.com/
Http://www.wks.ch/

"Come to me all who are weary and burdened and I will give you rest"
-- Jesus Christ

From owner-freebsd-ipfw Fri Mar 7 11:27:22 2003
Date: Fri, 7 Mar 2003 20:23:18 +0100
From: Alex de Kruijff
To: "Tracy, John"
Subject: Re: Bandwidth control and counters

On Friday 07 March 2003 17:44, Tracy, John wrote:
> Greetings all,
> We're putting together a firewall for the primary purpose of
> ensuring fairness for a user base of around 600 students. We're
> looking at a copy of different models for controlling bandwidth. We
> will have a 3 megabit connection to our provider.
> We were looking at
> limiting connections to 128kbps, so each user could download data at
> about a megabyte a minute. The only problem with this is that it
> prevents students from using the full bandwidth potential when it
> might otherwise be unobtrusively available. Are there any good
> methods for permitting connections to use all available bandwidth
> unless other requests are made--and then fairly divide the available
> bandwidth so that it is equally (as much as possible) responsive for
> each user?
>
> And finally a last question... Were we to set up limits on
> transfers--like 2gigs in a week per IP address, does anybody know of
> any good FAQs or guides of how to do this well?

I use ipa and ipfw for this all. The only problem I can come up with is
that the configurations may be a bit large for you. I'm on a network
with a small number of users so this doesn't bother me.

I could send you a configurations sample if you like. Let me know.

--
Best regards/Met vriendelijke groet,
Alex