From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 04:17:00 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC1F037B401; Sun, 6 Apr 2003 04:16:58 -0700 (PDT)
Received: from smtp.hotbox.ru (smtp.hotbox.ru [80.68.244.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7382443F85; Sun, 6 Apr 2003 04:16:57 -0700 (PDT) (envelope-from denb@mailru.com)
Received: from 81.195.140.242 ([81.195.140.242]) (authenticated bits=0) by smtp.hotbox.ru (8.12.6/8.12.6) with ESMTP id h36B9MKl041571; Sun, 6 Apr 2003 15:09:27 +0400 (MSD) (envelope-from denb@mailru.com)
Date: Sun, 6 Apr 2003 15:14:06 +0400
From: Denis Borisov
X-Mailer: The Bat! (v1.62 Christmas Edition) Personal
X-Priority: 3 (Normal)
Message-ID: <12711765728.20030406151406@mailru.com>
To: freebsd-questions@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: ipfw@freebsd.org
Subject: Problem with natd on ipfw2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Denis Borisov
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 06 Apr 2003 11:17:01 -0000

Why doesn't natd divert packets?

*********screenshot***********************
#ipfw add divert 1111 tcp from any to any 7
#ipfw add divert 1111 tcp from any 7 to any
#natd -v -p 1111 -a 172.16.0.102 -redirect_port tcp 172.16.0.253:7 7
In  [TCP] [TCP] 172.16.0.104:49169 -> 172.16.0.102:7 aliased to
    [TCP] 172.16.0.104:49169 -> 172.16.0.253:7
In  [TCP] [TCP] 172.16.0.104:49169 -> 172.16.0.102:7 aliased to
    [TCP] 172.16.0.104:49169 -> 172.16.0.253:7
^C
*********screenshot***********************

Where is Out [TCP]?

This construction works fine on FreeBSD 4.7 (ipfw1) but doesn't work on FreeBSD 5.0-CURRENT (ipfw2).
What am I doing wrong?
From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 08:24:39 2003
Date: Sun, 6 Apr 2003 17:24:36 +0200
From: Frans Gidlöf
To: freebsd-ipfw@FreeBSD.ORG
In-Reply-To: <007001c2fb6a$4d276dd0$0a00000a@yes.no>
Message-Id:
Subject: Re: Prioritizing empty TCP ACKs

> "Erik Paulsen Skålerud":
>
>> Does anyone know if this can be done with ipfw and dummynet?
>>
>> http://www.benzedrine.cx/ackpri.html
>
> how about reading this article to the end, where a link is included
> to further information about the exact question you asked?
>
> clemens

Wow, aren't we smart.

So how do you catch one of those tcp-ack-no-payload packets with IPFW?

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 09:18:12 2003
Date: 6 Apr 2003 18:18:05 +0200
From: "clemens fischer"
To: "Sereciya Kurdistani"
cc: freebsd-ipfw@freebsd.org
Message-ID:
In-Reply-To: <20030405174853.GA94738@kurdistan.ath.cx> (Sereciya Kurdistani's message of "Sat, 5 Apr 2003 09:48:53 -0800")
References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> <20030405174853.GA94738@kurdistan.ath.cx>
Subject: Re: Quick IPFW Question Concerning Sendmail

Sereciya Kurdistani :

> vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
> ipfw add NNNN check-state
> ipfw add NNNN allow { udp or tcp } from any to any dst-port smtp,auth,smtps out via tun0 keep-state
> ipfw add NNNN allow log tcp from any to any dst-port smtp,smtps in via tun0
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> This way, you don't have to allow any ports open for any incoming traffic not matched
> by the stateful rules, ;)

are you sure this does what you want? i don't see the customary
anti-spoofing rules and there's a lot to be said for keeping state
especially on _incoming_ connections. if these are all your rules,
then what about incoming SMTP and AUTH on port 113? i imagine your
rules allowing _you_ to query others for AUTH data, but you don't
allow others this privilege.

clemens

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 09:27:37 2003
Date: Sun, 6 Apr 2003 09:27:35 -0700
From: Sereciya Kurdistani
To: freebsd-ipfw@freebsd.org
Message-ID: <20030406162735.GA2797@kurdistan.ath.cx>
References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> <20030405174853.GA94738@kurdistan.ath.cx>
In-Reply-To:
Subject: Re: Quick IPFW Question Concerning Sendmail

Clemens,

Thank you for taking the time to respond to my posting ;)
Your comments are greatly appreciated.

On Sun, Apr 06, 2003 at 06:18:05PM +0200, clemens fischer wrote:
> Sereciya Kurdistani :
>
> > vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
> > ipfw add NNNN check-state
> > ipfw add NNNN allow { udp or tcp } from any to any dst-port smtp,auth,smtps out via tun0 keep-state
> > ipfw add NNNN allow log tcp from any to any dst-port smtp,smtps in via tun0
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > This way, you don't have to allow any ports open for any incoming traffic not matched
> > by the stateful rules, ;)
>
> are you sure this does what you want? i don't see the customary
> anti-spoofing rules and there's a lot to be said for keeping state
> especially on _incoming_ connections. if these are all your rules,
> then what about incoming SMTP and AUTH on port 113?

I think this is what I want...

Would you please show me an example of anti-spoofing rules? I'd greatly appreciate it ;)

...Actually, I do have some facility for anti-spoofing rules, here they are:

ipfw add NNNN skipto NEXT_BLOCK all from ${myhost} to not ${myhost} out via ${oif_1}
ipfw add NNNN skipto NEXT_BLOCK all from not ${myhost} to ${myhost} in via ${oif_1}

Do you mean I should check/filter for the private IP Addresses also?

I'm not opening incoming AUTH because it seems unnecessary; everything is running fine without opening that port.

Incoming SMTP is handled with a rule like:

ipfw add NNNN pipe N log tcp from any to any smtp,smtps in via ${oif}

> i imagine your rules allowing _you_ to query others for AUTH data,
> but you don't allow others this privilege.

That's correct. Am I breaking a netiquette rule that I may not be familiar with?

Thank you for your participation ;)

-- 
+--------------------------------------------------------------+
| Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî  |
| Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me        |
| nêzîk e.                                                     |
|                                                              |
| Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin      |
| Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan       |
| kesên xwînperest, ne jî ji yên din.                          |
|                                                              |
|                                      -Sêrêciya Kurdistanî    |
+--------------------------------------------------------------+

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 09:44:34 2003
Date: Sun, 6 Apr 2003 09:44:33 -0700
From: Sereciya Kurdistani
To: freebsd-ipfw@freebsd.org
Message-ID: <20030406164433.GC2797@kurdistan.ath.cx>
Subject: Sereciya :: OpenBSD pf
 ported to FreeBSD?

Hello Folks,

Quick Question for you guys &| gals...

Can anyone confirm the following:

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
History
April 4, 2003

Pyun YongHyeon has ported pf to FreeBSD, and Max Laier is working on
the port and maintains this page with installation instructions.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I'm pulling this directly from: http://www.benzedrine.cx/pf.html

If that is the case, where will I find "pf" in the ports collection? or... ?

Also... has anybody tried "pf" out yet (on FreeBSD)?

TIA,
-- 
+--------------------------------------------------------------+
| Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî  |
| Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me        |
| nêzîk e.                                                     |
|                                                              |
| Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin      |
| Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan       |
| kesên xwînperest, ne jî ji yên din.                          |
|                                                              |
|                                      -Sêrêciya Kurdistanî    |
+--------------------------------------------------------------+

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 09:55:31 2003
Date: Sun, 6 Apr 2003 09:55:30 -0700
From: Sereciya Kurdistani
To: freebsd-ipfw@freebsd.org
Message-ID: <20030406165530.GA15115@kurdistan.ath.cx>
References: <20030406164433.GC2797@kurdistan.ath.cx>
In-Reply-To: <20030406164433.GC2797@kurdistan.ath.cx>
Subject: Re: Sereciya :: OpenBSD pf ported to FreeBSD?

Oooops! "pf" is quickly starting to look like IPFILTER...

Is it the same? different?

> Hello Folks,
>
> Quick Question for you guys &| gals...
>
> Can anyone confirm the following:
>
> vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
> History
> April 4, 2003
>
> Pyun YongHyeon has ported pf to FreeBSD, and Max Laier is working on
> the port and maintains this page with installation instructions.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> I'm pulling this directly from: http://www.benzedrine.cx/pf.html
>
> If that is the case, where will I find "pf" in the ports collection?
> or... ?
>
> Also... has anybody tried "pf" out yet (on FreeBSD)?
>
> TIA,
> -- 
> +--------------------------------------------------------------+
> | Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî  |
> | Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me        |
> | nêzîk e.                                                     |
> |                                                              |
> | Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin      |
> | Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan       |
> | kesên xwînperest, ne jî ji yên din.                          |
> |                                                              |
> |                                      -Sêrêciya Kurdistanî    |
> +--------------------------------------------------------------+

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 10:41:17 2003
Date: Sun, 6 Apr 2003 10:41:16 -0700
From: Sereciya Kurdistani
To: freebsd-ipfw@freebsd.org
Message-ID: <20030406174116.GC15115@kurdistan.ath.cx>
Subject: Sereciya :: Prioritizing empty TCP ACKs... OpenBSD pf -> FreeBSD ipfw Translation

Hello,

I'm trying to translate the following code, designed to set up prioritizing of empty TCP ACKs
(taken from: http://www.benzedrine.cx/ackpri.html):

Suggestions, recommendations & corrections gladly accepted; send 'em over!

OpenBSD pf:
^^^^^^^^^^

ext_if="kue0"

altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
        keep state queue (q_def, q_pri)

pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
        keep state queue (q_def, q_pri)

FreeBSD ipfw:
^^^^^^^^^^^^^

oif_1="tun0"

ipfw pipe 1 config bw 100Kbyte/s noerror
ipfw queue 1 config weight 1 pipe 1
ipfw queue 2 config weight 7 pipe 1

ipfw add NNNN check-state
ipfw add NNNN queue 1 tcp from any to any out via ${oif_1} keep-state iptos lowdelay tcpflags ack   ## ??? tcpack ack ???
ipfw add NNNN queue 1 tcp from any to any in via ${oif_1} tcpflags ack

Is this correct?

-- 
+--------------------------------------------------------------+
| Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî  |
| Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me        |
| nêzîk e.                                                     |
|                                                              |
| Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin      |
| Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan       |
| kesên xwînperest, ne jî ji yên din.                          |
|                                                              |
|                                      -Sêrêciya Kurdistanî    |
+--------------------------------------------------------------+

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 13:07:20 2003
Date: Sun, 6 Apr 2003 22:07:18 +0200
From: "Simon L. Nielsen"
To: Sereciya Kurdistani
cc: freebsd-ipfw@freebsd.org
Message-ID: <20030406200717.GA379@nitro.dk>
References: <20030406164433.GC2797@kurdistan.ath.cx> <20030406165530.GA15115@kurdistan.ath.cx>
In-Reply-To: <20030406165530.GA15115@kurdistan.ath.cx>
Subject: Re: Sereciya :: OpenBSD pf ported to FreeBSD?

On 2003.04.06 09:55:30 -0700, Sereciya Kurdistani wrote:
>
> Oooops! "pf" is quickly starting to look like IPFILTER...

The OpenBSD guys made pf because they didn't like the license on
ipfilter. pf should have the same rule syntax as ipfilter but I have never
tried any of them.

-- 
Simon L. Nielsen

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 13:37:41 2003
Date: 6 Apr 2003 22:37:37 +0200
From: "clemens fischer"
To: "Sereciya Kurdistani"
cc: freebsd-ipfw@freebsd.org
Message-ID: <1y0fl5v2.fsf@ID-23066.news.dfncis.de>
In-Reply-To: <20030406162735.GA2797@kurdistan.ath.cx> (Sereciya Kurdistani's message of "Sun, 6 Apr 2003 09:27:35 -0700")
References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> <20030405174853.GA94738@kurdistan.ath.cx> <20030406162735.GA2797@kurdistan.ath.cx>
Subject: Re: Quick IPFW Question Concerning Sendmail

Sereciya Kurdistani :

> ...Actually, I do have some facility for anti-spoofing rules, here they are:
>
> ipfw add NNNN skipto NEXT_BLOCK all from ${myhost} to not ${myhost} out via ${oif_1}
> ipfw add NNNN skipto NEXT_BLOCK all from not ${myhost} to ${myhost} in via ${oif_1}
>
> Do you mean I should check/filter for the private IP Addresses also?

i'm not familiar with ipfw2 and just can't get these rules into my
head. to me this looks like they do nothing: no blocking or passing,
this depends on what follows. i have this in old ipfw (edited for a
single workstation):

#
# traffic from PPP peer? shouldn't happen!
#
add deny $Llog ip from any to ${opip}
add deny $Llog ip from ${opip} to any
#
# Stop spoofing, allow internal traffic via loopback
#
add deny $Llog all from 127.0.0.0/8 to any via ${oif1}
add deny $Llog all from any to 127.0.0.0/8 via ${oif1}
add deny $Llog all from ${oip} to any in via lo0
#
# Stop RFC1918 nets on the outside interface
# Stop draft-manning-dsua-01.txt nets on the outside interface
# Title: SANS Resources - Help Defeat Denial of Service Attacks: Step-by-Step
# URL: http://www.sans.org/dosstep/index.htm
#   169.254.0.0/16      - Link Local Networks
#   172.16.0.0/12       - RFC 1918 Private Network
#   192.0.2.0/24        - TEST-NET
#   192.168.0.0/16      - RFC 1918 Private Network
#   224.0.0.0/4         - Class D Multicast
#   240.0.0.0/5         - Class E Reserved
#   248.0.0.0/5         - Unallocated
#   255.255.255.255/32  - Broadcast
#
add deny $Llog all from 0.0.0.0/8 to any via ${oif1}
add deny $Llog all from any to 0.0.0.0/8 via ${oif1}
add deny $Llog all from 169.254.0.0/16 to any via ${oif1}
add deny $Llog all from any to 169.254.0.0/16 via ${oif1}
add deny $Llog all from 172.16.0.0/12 to any via ${oif1}
add deny $Llog all from any to 172.16.0.0/12 via ${oif1}
add deny $Llog all from 192.0.2.0/24 to any via ${oif1}
add deny $Llog all from any to 192.0.2.0/24 via ${oif1}
add deny $Llog all from 192.168.0.0/16 to any via ${oif1}
add deny $Llog all from any to 192.168.0.0/16 via ${oif1}
add deny $Llog all from 224.0.0.0/4 to any via ${oif1}
add deny $Llog all from any to 224.0.0.0/4 via ${oif1}
add deny $Llog all from 240.0.0.0/5 to any via ${oif1}
add deny $Llog all from any to 240.0.0.0/5 via ${oif1}
add deny $Llog all from 248.0.0.0/5 to any via ${oif1}
add deny $Llog all from any to 248.0.0.0/5 via ${oif1}
add deny $Llog all from 255.255.255.255/32 to any via ${oif1}
add deny $Llog all from any to 255.255.255.255/32 via ${oif1}
#
# outgoing packets _must_ have our source IP!
add deny $Llog all from not ${oip} to any $Xmit
# incoming packets _must_ have our destination IP!
add deny $Llog all from any to not ${oip} $Recv

Xmit is "xmit out $oif1", Recv the reverse.

> Incoming SMTP is handled with a rule like:
>
> ipfw add NNNN pipe N log tcp from any to any smtp,smtps in via ${oif}

where is the pipe handled?

>> i imagine your rules allowing _you_ to query others for AUTH data,
>> but you don't allow others this privilege.
>
> That's correct. Am I breaking a netiquette rule that I may not be
> familiar with?

that's entirely up to you, but paranoid users may deny doing business
with you if you allow your setup to take security measures you deny
them.

> | Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî...

with a big signature like this, it's certainly netiquette to also
provide an english translation. i asked you in private email for
this, but you didn't reply. if you want to tell your fellow
countrymen something, there are more appropriate channels. lists like
this one keep politics and tech stuff apart.
clemens

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 17:26:30 2003
Date: Sun, 6 Apr 2003 17:26:24 -0700
From: Sereciya Kurdistani
To: freebsd-ipfw@freebsd.org
Message-ID: <20030407002624.GA27284@kurdistan.ath.cx>
References: <20030406164433.GC2797@kurdistan.ath.cx> <20030406165530.GA15115@kurdistan.ath.cx> <20030406200717.GA379@nitro.dk>
In-Reply-To: <20030406200717.GA379@nitro.dk>
Subject: Re: Sereciya :: OpenBSD pf ported to FreeBSD?

Simon,

Thank you for replying... ;)

> On 2003.04.06 09:55:30 -0700, Sereciya Kurdistani wrote:
> >
> > Oooops! "pf" is quickly starting to look like IPFILTER...
>
> The OpenBSD guys made pf because they didn't like the license on
> ipfilter. pf should have the same rule syntax as ipfilter but I have never
> tried any of them.

Do you by any chance know if in fact specifically "pf" has been ported to FreeBSD*?

* rumor from: http://www.benzedrine.cx/pf.html

-- 
+--------------------------------------------------------------+
| Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî  |
| Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me        |
| nêzîk e.                                                     |
|                                                              |
| Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin      |
| Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan       |
| kesên xwînperest, ne jî ji yên din.                          |
|                                                              |
|                                      -Sêrêciya Kurdistanî    |
+--------------------------------------------------------------+

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 17:44:07 2003
Date: Mon, 07 Apr 2003 01:42:48 +0100
From: Bruno Afonso
To: freebsd-ipfw@freebsd.org
Message-ID: <3E90C988.5010506@netcabo.pt>
References: <20030406164433.GC2797@kurdistan.ath.cx> <20030406165530.GA15115@kurdistan.ath.cx> <20030406200717.GA379@nitro.dk> <20030407002624.GA27284@kurdistan.ath.cx>
In-Reply-To: <20030407002624.GA27284@kurdistan.ath.cx>
Subject: Re: Sereciya :: OpenBSD pf ported to FreeBSD?

Sereciya Kurdistani wrote:
> Simon,
>
> Thank you for replying... ;)
>
>> On 2003.04.06 09:55:30 -0700, Sereciya Kurdistani wrote:
>>
>>> Oooops! "pf" is quickly starting to look like IPFILTER...
>>
>> The OpenBSD guys made pf because they didn't like the license on
>> ipfilter. pf should have the same rule syntax as ipfilter but I have never
>> tried any of them.
>
> Do you by any chance know if in fact specifically "pf" has been ported
> to FreeBSD*?
>
> * rumor from: http://www.benzedrine.cx/pf.html

It appears so. Why don't you try it out? The best thing about pf on obsd is its altq integration...

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 17:48:23 2003
Date: Sun, 6 Apr 2003 17:48:17 -0700
From: Sereciya Kurdistani
To: freebsd-ipfw@freebsd.org
Message-ID: <20030407004817.GB27284@kurdistan.ath.cx>
References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> <20030405174853.GA94738@kurdistan.ath.cx> <20030406162735.GA2797@kurdistan.ath.cx> <1y0fl5v2.fsf@ID-23066.news.dfncis.de>
In-Reply-To: <1y0fl5v2.fsf@ID-23066.news.dfncis.de>
Subject: Re: Quick IPFW Question Concerning Sendmail

Clemens,

Thank you for replying ;)

> i'm not familiar with ipfw2 and just can't get these rules into my
> head. to me this looks like they do nothing: no blocking or
> passing, this depends on what follows.

The skiptos are part of the rules; using them I can add more constraints to the following rules.

> i have this in old ipfw (edited for a single workstation):

Thank you for posting your sample ipfw script.

...snip...
> # incoming packets _must_ have our destination IP!
> add deny $Llog all from any to not ${oip} $Recv
...snip...

> > Incoming SMTP is handled with a rule like:
> >
> > ipfw add NNNN pipe N log tcp from any to any smtp,smtps in via ${oif}
>
> where is the pipe handled?

from the skipto several lines up ;)

> >> i imagine your rules allowing _you_ to query others for AUTH data,
> >> but you don't allow others this privilege.

Yes, it's called paranoia ;)

> > That's correct. Am I breaking a netiquette rule that I may not be
> > familiar with?
>
> that's entirely up to you, but paranoid users may deny doing business
> with you if you allow your setup to take security measures you deny
> them.

I suppose that's a risk I'll have to take ;) I hope I don't upset too many script-kiddies for not leaving more of my ports open.

> > | Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî...
> > with a big signature like this, it's certainly netiquette to also > provide an english translation. The translation would make it at least twice as long! I can see the headlines now... "spammer sends mail with signature longer than the actual message contents" ;) > i asked you in private email for > this, but you didn't reply. I will be more than happy to provide you with a translation. Just the joy of having one person wonder what in the heck i've written in my signature is reason enough to provide it. | Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî | | Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me | | nêzîk e. | | | | Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin | | Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan | | kesên xwînperest, ne jî ji yên din. | It says... "A country does not form by itself, help each other out, not your enemies The path to freedom is not an easy one, do not lose hope, our time is nearing Do not take advice from the backward and uneducated, do not make friends with those who have no compassion, morality or respect for human life" > if you want to tell your fellow > countrymen something, there are more appropriate channels. lists like > this one keep politics and tech stuff apart. Relax... just because it's in a foreign language, it doesn't necessarily mean that there's anything offensive there. 
--Sêrêciya Kurdistanî

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 6 17:59:04 2003
Date: Sun, 6 Apr 2003 17:59:02 -0700
From: Sereciya Kurdistani
To: freebsd-ipfw@freebsd.org
Message-ID: <20030407005902.GA28151@kurdistan.ath.cx>
References: <20030406164433.GC2797@kurdistan.ath.cx> <20030406165530.GA15115@kurdistan.ath.cx> <20030406200717.GA379@nitro.dk> <20030407002624.GA27284@kurdistan.ath.cx> <3E90C988.5010506@netcabo.pt>
In-Reply-To: <3E90C988.5010506@netcabo.pt>
Subject: OpenBSD pf ported to FreeBSD 5.0

Hello,

> > Do you by any chance know if in fact specifically "pf" has been ported
> > to FreeBSD*?
> >
> > * rumor from: http://www.benzedrine.cx/pf.html
>
> It appears so. Why don't you try it out? The best thing about pf on
> obsd is its altq integration...

Sounds like good advice ;)

For anybody else interested, there's more information to be found here:

http://pf4freebsd.love2party.net/install.html (Installation- and testguide)

Thank you.

--
+--------------------------------------------------------------+
| Welat xwe ava nake, dest bidin hevdu, pist nedin tu dijminî  |
| Riya azadiyê ne hêsan e, hêviya xwe bernedin, dema me        |
| nêzîk e.                                                     |
|                                                              |
| Hevaltî bi kesên du rû nekin, hevaltî bi hevdu ra bikin      |
| Ne ji hevaltiya wan kesên pêxwas û rû dirêj, ne bi wan       |
| kesên xwînperest, ne jî ji yên din.                          |
|                                                              |
|                                       -Sêrêciya Kurdistanî   |
+--------------------------------------------------------------+

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 7 00:41:40 2003
Date: 7 Apr 2003 09:41:29 +0200
From: "clemens fischer"
To: "Sereciya Kurdistani"
cc: freebsd-ipfw@freebsd.org
Message-ID: <4r5aoity.fsf@ID-23066.news.dfncis.de>
In-Reply-To: <20030406174116.GC15115@kurdistan.ath.cx> (Sereciya Kurdistani's message of "Sun, 6 Apr 2003 10:41:16 -0700")
References: <20030406174116.GC15115@kurdistan.ath.cx>
Subject: Re: Sereciya :: Prioritizing empty TCP ACKs... OpenBSD pf -> FreeBSD ipfw Translation

Sereciya Kurdistani :
> Suggestions, recommendations & corrections gladly accepted; send
> em over!

i'd suggest you start with something different: spend some time setting up scripts allowing you to test firewall rules with frequent changes. the more you invest in this, the better you can experiment. note that ipfw allows you to log every rule firing, it has options to list the rules together with the last time they fired. just found an example in /usr/share/examples/ipfw/change_rules.sh.

you will find a lot more examples especially on traffic shaping using dummynet(4) in the documentation for ipa, and you'll find examples for it in examples/ipa/. if you have this nifty tool installed, that is.
clemens

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 7 00:48:07 2003
Date: 7 Apr 2003 09:48:03 +0200
From: "clemens fischer"
To: "Sereciya Kurdistani"
cc: freebsd-ipfw@freebsd.org
In-Reply-To: <20030407004817.GB27284@kurdistan.ath.cx> (Sereciya Kurdistani's message of "Sun, 6 Apr 2003 17:48:17 -0700")
References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> <20030405174853.GA94738@kurdistan.ath.cx> <20030406162735.GA2797@kurdistan.ath.cx> <1y0fl5v2.fsf@ID-23066.news.dfncis.de> <20030407004817.GB27284@kurdistan.ath.cx>
Subject: Re: Quick IPFW Question Concerning Sendmail

Sereciya Kurdistani :
>> where is the pipe handled?
>
> from the skipto several lines up ;)

then it has no config params!

>> >> i imagine your rules allowing _you_ to query others for AUTH data,
>> >> but you don't allow others this privilege.
>
> Yes, it's called paranoia ;)

ok, then set up your MTA to not query others. you don't answer questions, then don't ask any yourself, that would be fair.

> It says...
>
> "A country does not form by itself, help each other out, not your
> enemies The path to freedom is not an easy one, do not lose hope,
> our time is nearing
>
> Do not take advice from the backward and uneducated, do not make
> friends with those who have no compassion, morality or respect
> for human life"

ok, this is getting way too off-topic, but could you tell me in private email where this is from? or is this your own opinion?

clemens

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 7 04:36:03 2003
Date: 7 Apr 2003 13:35:59 +0200
From: "clemens fischer"
To: "Frans Gidlöf"
cc: freebsd-ipfw@FreeBSD.ORG
In-Reply-To: (Frans Gidlöf's message of "Sun, 6 Apr 2003 17:24:36 +0200")
Subject: Re: Prioritizing empty TCP ACKs

Frans Gidlöf :
> So how do you catch one of those tcp-ack-no-payload packets with
> IPFW?

AFAIK ipfw doesn't (yet?) have that iplen thing, but ipfw2 has it, or will have it. you might experiment with `tcpoptions ...' and `established', though. i don't want to do that, but am still interested if these less powerful measures make a difference, so keep us posted, please.

clemens

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 7 11:01:30 2003
Date: Mon, 7 Apr 2003 11:01:28 -0700 (PDT)
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Message-Id: <200304071801.h37I1Sf2043584@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27]  kern/46557  ipfw   ipfw pipe show fails with lots of queues

1 problem total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/07]  kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2003/01/05]  bin/46785   ipfw   [patch] add sets information to ipfw2 -h
o [2003/01/15]  bin/47120   ipfw   [patch] Sanity check in ipfw(8)

3 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 9 14:24:35 2003
Date: Wed, 9 Apr 2003 14:24:28 -0700
From: "Crist J. Clark"
To: Shawn Barnhart
cc: freebsd-ipfw@freebsd.org
Message-ID: <20030409212428.GA460@blossom.cjclark.org>
In-Reply-To: <00b301c2fb7a$218b14a0$0201a8c0@twinstar>
References: <00b301c2fb7a$218b14a0$0201a8c0@twinstar>
X-URL: http://people.freebsd.org/~cjc/
Subject: Re: fwd and bridging

On Sat, Apr 05, 2003 at 07:49:03AM -0600, Shawn Barnhart wrote:
> The manpage states that fwd rules (like for transparent proxying) will not
> match bridged packets. Will they ever, or is there some fundamental reason
> they can't?

Bridged packets are never processed at the IP layer, that is, they never get passed to the ip_input() function. All of the 'fwd' code lives in ip_input() and ip_output() at the IP layer and above.

--
Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 9 14:31:51 2003
Date: Wed, 9 Apr 2003 16:31:50 -0500
From: "Shawn Barnhart"
Message-ID: <060f01c2fedf$6e911840$62229fc0@ad.campbellmithun.com>
References: <00b301c2fb7a$218b14a0$0201a8c0@twinstar> <20030409212428.GA460@blossom.cjclark.org>
Subject: Re: fwd and bridging

----- Original Message -----
From: "Crist J. Clark"

> On Sat, Apr 05, 2003 at 07:49:03AM -0600, Shawn Barnhart wrote:
> > The manpage states that fwd rules (like for transparent proxying) will not
> > match bridged packets. Will they ever, or is there some fundamental reason
> > they can't?
>
> Bridged packets are never processed at the IP layer, that is, they
> never get passed to the ip_input() function. All of the 'fwd' code
> lives in ip_input() and ip_output() at the IP layer and above.

Thanks for the explanation. It's unfortunate they can't; it'd be ideal for a transparent proxying setup or other interception without having to alter clients' routes.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 10 06:52:27 2003
Date: Thu, 10 Apr 2003 06:52:24 -0700
From: "Earl A. Killian"
To: freebsd-ipfw@freebsd.org
Message-ID: <16021.30488.437183.530248@sax.killian.com>
Subject: nat vs. state

Is it safe to assume packets diverted to NAT are "safe" and don't need further checking? In particular, can the use of dynamic/stateful rules be skipped for NAT packets? It seems so, because NAT is already stateful.
From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 10 06:53:17 2003
Date: Thu, 10 Apr 2003 06:53:11 -0700
From: "Earl A. Killian"
To: freebsd-ipfw@freebsd.org
Message-ID: <16021.30535.469091.657659@sax.killian.com>
Subject: self-generated packet question

Do packets generated by the ipfw host get processed for both input and output or just output? If they are filtered on input, then it seems they can be detected with "in recv any", right?
From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 10 06:55:36 2003
Date: Thu, 10 Apr 2003 06:55:35 -0700
From: Luigi Rizzo
To: "Earl A. Killian"
cc: freebsd-ipfw@freebsd.org
Message-ID: <20030410065535.B65586@xorpc.icir.org>
In-Reply-To: <16021.30535.469091.657659@sax.killian.com>; from earl@killian.com on Thu, Apr 10, 2003 at 06:53:11AM -0700
References: <16021.30535.469091.657659@sax.killian.com>
Subject: Re: self-generated packet question

On Thu, Apr 10, 2003 at 06:53:11AM -0700, Earl A. Killian wrote:
> Do packets generated by the ipfw host get processed for both input and
> output or just output? If they are filtered on input, then it seems they

just output unless they are also directed to the local host, see the diagram in a recent ipfw manpage

cheers
luigi

> can be detected with "in recv any", right?
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 10 08:39:29 2003
Date: Thu, 10 Apr 2003 08:39:23 -0700
From: Michael Sierchio
To: "Earl A. Killian"
cc: freebsd-ipfw@freebsd.org
Message-ID: <3E95902B.8030607@tenebras.com>
In-Reply-To: <16021.30488.437183.530248@sax.killian.com>
References: <16021.30488.437183.530248@sax.killian.com>
Subject: Re: nat vs. state

Earl A. Killian wrote:
> Is it safe to assume packets diverted to NAT are "safe" and don't need
> further checking? In particular, can the use of dynamic/stateful
> rules be skipped for NAT packets? It seems so, because NAT is already
> stateful.

Safe? Define "safe." ;-)

For *dynamic* nat, probably so. For static nat (port/addr redirect) you'll probably want to have robust rules after diverting to natd.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 10 08:41:11 2003
Date: Thu, 10 Apr 2003 08:41:08 -0700
From: Michael Sierchio
To: "Earl A. Killian"
cc: freebsd-ipfw@freebsd.org
Message-ID: <3E959094.5040504@tenebras.com>
In-Reply-To: <16021.30535.469091.657659@sax.killian.com>
References: <16021.30535.469091.657659@sax.killian.com>
Subject: Re: self-generated packet question

Earl A. Killian wrote:
> Do packets generated by the ipfw host get processed for both input and
> output or just output? If they are filtered on input, then it seems they
> can be detected with "in recv any", right?

They aren't received on any interface, no. They can be filtered on output (from me to any, etc.) (presumably you already have an allow rule like allow ip from any to any via lo0).
From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 10 09:07:45 2003
Date: Thu, 10 Apr 2003 09:07:34 -0700
From: "Earl A. Killian"
To: Michael Sierchio
cc: freebsd-ipfw@freebsd.org
Message-ID: <16021.38598.528499.677743@sax.killian.com>
In-Reply-To: <3E959094.5040504@tenebras.com>
References: <16021.30535.469091.657659@sax.killian.com> <3E959094.5040504@tenebras.com>
Subject: Re: self-generated packet question

Michael Sierchio writes:
> Date: Thu, 10 Apr 2003 08:41:08 -0700
> From: Michael Sierchio
>
> They aren't received on any interface, no. They can be filtered
> on output (from me to any, etc.)

Thank you.

Background: I'm writing a tool to generate an input to ipfw from a description of the interfaces/nets on a gateway. Since it has to be general enough to handle some unusual things about my own gateway, the existing firewalls in /etc/rc.firewall are not quite sufficient.

> (presumably you already have an allow rule like allow ip from any to any via lo0).

/etc/rc.firewall has such a rule, except when firewall_type is a filename. Since I'm using the latter, I need to generate something like that. One purpose of my question was to understand where such a rule had to go. I hope to have my generator generate both ipfw firewalls and ipchains firewalls. As such, the first statement was

add skipto all from any to any out

to mimic ipchains having separate input and output chains. So, from what you said, it appears that the "via lo0" is only required in the output rules.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 11 07:55:36 2003
Date: Fri, 11 Apr 2003 07:55:34 -0700 (PDT)
From: "Earl A. Killian"
To: freebsd-ipfw@freebsd.org
Message-Id: <200304111455.h3BEtYS0064957@gate.killian.com>
Subject: dynamic rules, FIN lifetime

I am looking for suggestions on how to debug a firewall that uses dynamic rules and is generating some log messages that I don't expect.
Briefly, I have the following snippet for packets originating on the firewall host being output on the external interface xl1:

add 3100 check-state
add 3200 allow udp from any to any domain,ntp,kerberos,6277 keep-state
add 3300 allow udp from any to any 33434-33494 keep-state
add 3400 allow tcp from any to any setup keep-state
add 3500 allow icmp from any to any keep-state
add 3600 deny log all from any to any

I am seeing ipfw log messages in /var/log/security such as

Apr 11 00:08:11 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 207.217.120.19:33296 out via xl1
Apr 11 00:08:42 gate last message repeated 4 times
Apr 11 00:09:09 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 216.187.127.114:40614 out via xl1
Apr 11 00:09:14 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 207.217.120.19:33296 out via xl1

I picked the above because it is for SMTP, and so I can correlate with /var/log/maillog. (I run smtpd on port 25, not sendmail, so the log format may be unfamiliar.)

Apr 11 00:08:07 gate smtpd[61280]: SMTP HELO from deathrow.mail.pas.earthlink.net(207.217.120.19) as "deathrow.mail.pas.earthlink.net"
Apr 11 00:08:07 gate smtpd[61280]: mail from
Apr 11 00:08:08 gate smtpd[61280]: smtp connection from UNKNOWN@deathrow.mail.pas.earthlink.net(207.217.120.19) MAIL FROM: RCPT TO: , allowed by line 127 of /etc/smtpd_check_rules
Apr 11 00:08:08 gate smtpd[61280]: Recipient
Apr 11 00:08:09 gate smtpd[61280]: Received 26296 bytes of message body from deathrow.mail.pas.earthlink.net(207.217.120.19)

This was a spam delivery, as you might guess, but it is coming through earthlink, so it should be a reasonable SMTP implementation. The message was delivered to the recipient (email address excised above for privacy). So it appears at 00:08:07 an SMTP connection was started and it finished at 00:08:09 from the point of view of the application. At 00:08:11 the firewall started rejecting packets the gateway was still trying to send to the other side.
Is this because the host tried to retransmit the FIN or something? Note that net.inet.ip.fw.dyn_fin_lifetime: 1 is set to the default value. Is this just too short? If so, why don't I see it when I run firewall_type=simple?

Comments? Suggestions?

From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 12 09:09:44 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2409E37B401 for ; Sat, 12 Apr 2003 09:09:44 -0700 (PDT)
Received: from kurdistan.ath.cx (adsl-64-169-155-173.dsl.chic01.pacbell.net [64.169.155.173]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2208043FD7 for ; Sat, 12 Apr 2003 09:09:43 -0700 (PDT) (envelope-from sereciya@kurdistan.ath.cx)
Received: from kurdistan.ath.cx (ns1 [127.0.0.1]) by kurdistan.ath.cx (8.12.8/8.12.6) with ESMTP id h3CG9V04098241; Sat, 12 Apr 2003 09:09:32 -0700 (PDT) (envelope-from sereciya@kurdistan.ath.cx)
Received: (from sereciya@localhost) by kurdistan.ath.cx (8.12.8/8.12.6/Submit) id h3CG9UaX098240; Sat, 12 Apr 2003 09:09:30 -0700 (PDT)
Date: Sat, 12 Apr 2003 09:09:30 -0700
From: Sêrêciya Kurdistanî
To: freebsd-ipfw@freebsd.org
Message-ID: <20030412160930.GA77466@kurdistan.ath.cx>
References: <20030403182847.GC23675@kurdistan.ath.cx> <20030403135048.D92663-100000@diana.northnetworks.ca> <20030405174853.GA94738@kurdistan.ath.cx> <20030406162735.GA2797@kurdistan.ath.cx> <1y0fl5v2.fsf@ID-23066.news.dfncis.de> <20030407004817.GB27284@kurdistan.ath.cx> <20030407185359.32117@caamora.com.au> <20030407161429.GC29510@kurdistan.ath.cx> <20030412183432.65109@caamora.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20030412183432.65109@caamora.com.au>
User-Agent: Mutt/1.4i
cc: jlm@caamora.com.au
Subject: Re: Quick IPFW Question Concerning Sendmail
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 12 Apr 2003 16:09:44 -0000

Hello Jonathan,

> sorry i took so long to reply, i am a disabled man, living in australia.

Don't worry, I'm glad to hear you reply ;)

> i spend a long time in bed some times, especially in winter. i have
> severe arthritis there are other more serious complications but there
> is no need to go preaching how hard the world is .

I hope you feel better. Now... how may I help you?

> i've been watching your posts and keep up the good work in freebsd we
> need more people like you sereciya. ok.

Thank you! Such a wonderful compliment ;)) I know what it is not to know where to turn when you are stuck and looking for help; I just want to return the favor in the spirit of open-source/net brotherhood (and of course sisterhood, or Robin Hood... Ooops! wrong hood ;)

> thank you for your quick and most gracious response .. and i got slack
> with my response, sometimes its just like that.

I'm afraid I don't remember exactly what the question was, if you wouldn't mind refreshing my memory.

> if i may ask, please ?

Certainly! Anything! ;)

> what sort of rig (ummm computer equipment do you run on your side of
> the wire ???

For my router, I have a 700 MHz AMD Duron, hardware RAID 1, (2) 120GB HDs, 256MB RAM.

> i've got a small network in my spare bedroom (i recently moved into a
> really nice govt 'project house' here in mascot right near australia's
> leading international air port, i'm right in the middle of the main
> east-west runway .. the captains line up their landing gear in the roof
> top ridges of my house big smile and laugh.

Oh wow...
I hope you don't wake up with any tire marks from the landing gear ;) Better keep a shotgun near so the "birds" land farther down the runway ;)

> my network was until recently a couple of 484dx33's (2 of them all
> with 16 mb dram and 500 mb scsi hard drives) and a couple of 386dx33's
> one with 16 mb dram and the other one with 8 mb dram and 354 mb esdi

There's nothing wrong with legacy hardware, lots of people are making use of them; turning once gigantic doorstops into servers, routers, and fileservers. Until very recently, my router had only one HD, a 1.2GB disk given to me by a friend. It died, and I was forced to make some changes, running off a bootable cdrom with my firewall/router stuff on it.

> hard drive it was my first computer and finally died.

I offer my condolences.

> the other 386 has
> a couple of scsi drives (a mix of 300 and 500 mb drives). now i have a
> 4th hand 166 mhz p5 and a couple of pentium pros that need a bit of
> work to get back into good running order.

Wow. Good collection ;) Interested in clustering?

> well thats me and mine .. sorry i got carried away a bit., well there ya
> go i've gobbled up a few lines again.

I'm glad to be listening... only, if you would re-post your question, I would be more than happy to help you in any way possible ;)

> with warm regards

Good luck!

--Sêrêciya Kurdistanî

PS Always ready to help you out ;)
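The correlation Earl Killian describes in his "dynamic rules, FIN lifetime" message above (pairing each rule 3600 deny in /var/log/security with the smtpd session close for the same peer in /var/log/maillog) written out as a script, added here as an example and not part of any message in this archive. The log lines are constructed from the ones he quotes, the year and the 5-second window are assumptions, and the function names are my own.

```python
import re
from datetime import datetime
# Constructed sample lines, modelled on those quoted in the thread (not real logs).
SECURITY_LOG = """\
Apr 11 00:08:11 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 207.217.120.19:33296 out via xl1
Apr 11 00:08:42 gate last message repeated 4 times
Apr 11 00:09:09 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 216.187.127.114:40614 out via xl1
Apr 11 00:09:14 gate /kernel: ipfw: 3600 Deny TCP 205.179.65.162:25 207.217.120.19:33296 out via xl1
""".splitlines()
MAIL_LOG = """\
Apr 11 00:08:07 gate smtpd[61280]: SMTP HELO from deathrow.mail.pas.earthlink.net(207.217.120.19) as "deathrow.mail.pas.earthlink.net"
Apr 11 00:08:09 gate smtpd[61280]: Received 26296 bytes of message body from deathrow.mail.pas.earthlink.net(207.217.120.19)
""".splitlines()
TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "          # syslog timestamp and host
IPFW_RE = re.compile(TS + r"/kernel: ipfw: (\d+) (\w+) (\w+) (\S+):\d+ (\S+):\d+ (in|out) via \S+$")
SMTP_DONE_RE = re.compile(TS + r"smtpd\[\d+\]: Received \d+ bytes of message body from \S+\((\S+)\)$")

def parse_ts(text, year=2003):
    # syslog timestamps carry no year; 2003 is assumed from the thread's dates
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse_denies(lines):
    # (time, rule, proto, src_ip, dst_ip, direction) per ipfw Deny line;
    # "last message repeated N times" lines carry no addresses and are skipped
    denies = []
    for line in lines:
        m = IPFW_RE.match(line)
        if m and m.group(3) == "Deny":
            ts, rule, _, proto, sip, dip, direction = m.groups()
            denies.append((parse_ts(ts), int(rule), proto, sip, dip, direction))
    return denies

def parse_smtp_closes(lines):
    # {peer_ip: [times]} at which smtpd considered a session finished
    closes = {}
    for line in lines:
        m = SMTP_DONE_RE.match(line)
        if m:
            closes.setdefault(m.group(2), []).append(parse_ts(m.group(1)))
    return closes

def correlate(security_lines, mail_lines, window=5):
    # Pair each deny with the latest smtpd close for the same peer and keep those
    # within `window` seconds of it: the signature of a dynamic rule expiring
    # (dyn_fin_lifetime) while the host is still sending. Later denies are dropped.
    closes = parse_smtp_closes(mail_lines)
    hits = []
    for ts, rule, proto, sip, dip, direction in parse_denies(security_lines):
        peer = dip if direction == "out" else sip
        prior = [c for c in closes.get(peer, []) if c <= ts]
        if prior and (ts - max(prior)).total_seconds() <= window:
            hits.append((ts, rule, peer, (ts - max(prior)).total_seconds()))
    return hits
```

On the constructed sample only the 00:08:11 deny (2 seconds after the 00:08:09 close) is reported; the 00:09:14 retransmission to the same peer and the deny for a peer with no maillog entry are left out unless the window is widened.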