From owner-freebsd-ipfw@FreeBSD.ORG Mon May 26 11:01:26 2003
Date: Mon, 26 May 2003 11:01:25 -0700 (PDT)
Message-Id: <200305261801.h4QI1PP9007902@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/01/26] kern/47529  ipfw   natd/ipfw lose TCP packets for firewalled
o [2003/03/23] kern/50216  ipfw   kernel panic on 5.0-current when use ipfw
p [2003/04/28] kern/51485  ipfw   "Fatal trap 12" from bridge code with ipf

3 problems total.

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/18] kern/51132  ipfw   kernel part of ipfw1 processes 'to not me
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
o [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

4 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
f [2002/01/11] kern/33804  ipfw   ipfw bug/problem
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/01/05] bin/46785   ipfw   [patch] add sets information to ipfw2 -h
o [2003/01/15] bin/47120   ipfw   [patch] Sanity check in ipfw(8)
o [2003/02/06] bin/48015   ipfw   make ipfw2 work with iplen ranges
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/04/20] kern/51182  ipfw   ipfw2. -d list shows couters for dynamic
o [2003/05/04] bin/51750   ipfw   ipfw2.c typos

14 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon May 26 13:34:22 2003
Date: Mon, 26 May 2003 22:34:18 +0200
From: Neko Chan
To: freebsd-ipfw@freebsd.org
Message-Id: <6C815595-8FB9-11D7-A469-00039351C496@skebo.ac>
Subject: Dummynet issues.

/sbin/ipfw pipe 1 config bw 10Mbit
/sbin/ipfw queue 1 config pipe 1 weight 1
/sbin/ipfw queue 2 config pipe 1 weight 100
/sbin/ipfw queue 3 config pipe 1 weight 50

# setup rules
/sbin/ipfw add 50 divert 8668 ip from any to any via dc0
/sbin/ipfw add 400 queue 3 tcp from any to any 80
/sbin/ipfw add 500 queue 2 tcp from any to any 22
/sbin/ipfw add 600 queue 1 ip from any to any

Are these totally off? Highest priority to ssh, second http, then everything else. Or should I use the mask option when creating the queues? Default to accept. 4.7 release, ipfw1+dummynet.
From owner-freebsd-ipfw@FreeBSD.ORG Mon May 26 18:30:44 2003
Date: Tue, 27 May 2003 08:32:10 +0700 (ICT)
Message-Id: <200305270132.IAA02341@banyan.cs.ait.ac.th>
From: Olivier Nicole
To: freebsd-ipfw@freebsd.org
Subject: Strange count of dynamic rules

Hi,

I am trying to install a standalone firewall between my LAN and my router to the outside world, and I am puzzled by the number of dynamic rules that are installed.

firewall125: ipfw -d list | grep "<->" | wc
    1849   20651  157940

tells me that there are 1849 dynamic rules (both active and expired), but:

firewall127: sysctl net.inet.ip.fw.dyn_count
net.inet.ip.fw.dyn_count: 15910

tells me that there are 15910 dynamic rules. So where is the truth? Or is that something I misunderstand?
The problem is that net.inet.ip.fw.dyn_count never counts down and will reach the limit of 65535 very soon (a couple of hours), and then nothing can get through.

BTW, I am running FreeBSD 4.8 with IPFW2.

Best regards,

Olivier

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 27 02:27:02 2003
Date: Tue, 27 May 2003 12:26:56 +0300 (EEST)
Message-ID: <1365537713.1054027616171.JavaMail.nobody@storage.ni.bg>
From: Evgeny Ivanov
To: freebsd-ipfw@freebsd.org
Subject: IPFW Question

Hello again,

I want to ask you a very, very simple question. I have a rule which sets a speed limit for a range of nets that looks like this:

ipfw add pipe 10 ip from ${nets} to 192.168.1.1 via rl0

I want to add a rule that sets a limit for all other networks. Is there a way to set a rule like:

add pipe 20 that will match all networks except those from ${nets}.
There was something, but I could not find it in the man page. Thanks in advance.

-----------------------------------------------------------------
http://sport.netinfo.bg - Sports news and statistics

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 27 05:01:04 2003
Date: Tue, 27 May 2003 19:01:38 +0700 (ICT)
Message-Id: <200305271201.TAA02777@banyan.cs.ait.ac.th>
From: Olivier Nicole
To: eivanov@abv.bg
cc: freebsd-ipfw@freebsd.org
In-reply-to: <1365537713.1054027616171.JavaMail.nobody@storage.ni.bg> (message from Evgeny Ivanov on Tue, 27 May 2003 12:26:56 +0300 (EEST))
References: <1365537713.1054027616171.JavaMail.nobody@storage.ni.bg>
Subject: Re: IPFW Question

> I want to add a rule that sets limit for all other networks
> Is there a way to set rule like :
>
> add pipe 20 that will match to all network except those from ${nets} .
What about:

ipfw add 100 pipe 10 ip from ${nets} to 192.168.1.1 via rl0
ipfw add 200 skipto 400 ip from ${nets} to 192.168.1.1 via rl0
ipfw add 300 pipe 20 any...

On first thought it should do the trick.

Olivier

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 27 07:28:09 2003
Date: Tue, 27 May 2003 16:25:34 +0200
Message-ID: <3ED3755E.5000700@ccrle.nec.de>
From: Martin Stiemerling
Organization: NEC -- Network Labs Europe
To: freebsd-ipfw@freebsd.org
Subject: IPFW and IP6FW behaviour: Deleting multiple rules with same number

Hi,

I'm using FreeBSD 4.4-RELEASE with ipfw and ip6fw.

ipfw and ip6fw have a different behaviour when deleting firewall rules that share the same number id:
In ipfw all rules with the same number are deleted upon a delete request.
In ip6fw only one rule, not all, is deleted upon a delete request.

Is this the intended behaviour?

Thanks in advance
Martin

--
Martin Stiemerling
NEC Europe Ltd. -- Network Laboratories
Stiemerling@ccrle.nec.de
IPv4: http://www.ccrle.nec.de
IPv6: http://www.ipv6.ccrle.nec.de

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 27 07:42:06 2003
Date: Tue, 27 May 2003 16:39:30 +0200
Message-ID: <3ED378A2.3040902@ccrle.nec.de>
From: Martin Stiemerling
Organization: NEC -- Network Labs Europe
To: freebsd-ipfw@freebsd.org
References: <3ED3755E.5000700@ccrle.nec.de>
Subject: Re: IPFW and IP6FW behaviour: Deleting multiple rules with same number

Sorry for replying to my own email, but the problem was my program.

Sorry again
Martin

Martin Stiemerling wrote:
> Hi,
>
> I'm using FreeBSD 4.4-RELEASE with ipfw and ip6fw.
>
> ipfw and ip6fw have a different behaviour when deleting firewall rules
> that share the same number id:
> In ipfw all rules with the same number are deleted upon a delete request.
> In ip6fw only one rule, not all, is deleted upon a delete request.
>
> Is this the intended behaviour?
>
> Thanks in advance
> Martin

--
Martin Stiemerling
NEC Europe Ltd. -- Network Laboratories
Stiemerling@ccrle.nec.de
IPv4: http://www.ccrle.nec.de
IPv6: http://www.ipv6.ccrle.nec.de

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 27 15:50:41 2003
Date: Tue, 27 May 2003 15:50:40 -0700
From: Gregory Neil Shapiro
To: freebsd-ipfw@freebsd.org
Message-ID: <20030527225040.GV13285@horsey.gshapiro.net>
Subject: IPFW V2 dynamic keepalives broken

Since enabling IPFW V2 on RELENG_4, I've had a fairly busy web/ftp server run out of dynamic buckets for new rules.
Stopping the web/ftp server processes and starting them again helped alleviate the problem somewhat. When it gets in this state, there are thousands of connections in FIN_WAIT or FIN_WAIT_2. It takes about 2 weeks to collect enough of these FIN_WAIT* sockets to cause a problem. After about 5 days, the count is already up to 461:

# netstat -anf inet | grep FIN_WAIT | wc -l
461

I discovered however that it is somehow dyn_keepalives that is causing the problem. If I turn them off, things return to normal:

# sysctl net.inet.ip.fw.dyn_keepalive=0
net.inet.ip.fw.dyn_keepalive: 1 -> 0
(wait a few seconds)
# netstat -anf inet | grep FIN_WAIT | wc -l
16

Here is a snapshot of how things looked before disabling dyn_keepalive:

# sysctl -a | grep net.inet.ip.fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 497
net.inet.ip.fw.dyn_max: 2000
net.inet.ip.fw.static_count: 65
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 60
net.inet.ip.fw.dyn_keepalive: 1

Any ideas? Could enabling dyn_keepalives prevent the FIN_WAIT* process from completing?
From owner-freebsd-ipfw@FreeBSD.ORG Tue May 27 16:02:18 2003
Date: Wed, 28 May 2003 01:02:15 +0200
From: "Erik Paulsen Skålerud"
Message-ID: <006401c324a4$04356330$0a00000a@yes.no>
Subject: Question about logging.

Sorry for asking this, it's probably been asked before, but I've searched Google for a while now with no results :(

I'm wondering if it's possible to restrict ipfw to -only- log to /var/log/ipfw.log? It seems like the only way to remove ipfw logging from the console output (dmesg) is to disable the security messages to the console.. Is there really no other way?

Thanks,
erik.
From owner-freebsd-ipfw@FreeBSD.ORG Wed May 28 01:32:52 2003
Date: Wed, 28 May 2003 01:32:50 -0700
From: Luigi Rizzo
To: Gregory Neil Shapiro
cc: freebsd-ipfw@freebsd.org
Message-ID: <20030528013250.A30254@xorpc.icir.org>
References: <20030527225040.GV13285@horsey.gshapiro.net>
In-Reply-To: <20030527225040.GV13285@horsey.gshapiro.net>; from gshapiro@freebsd.org on Tue, May 27, 2003 at 03:50:40PM -0700
Subject: Re: IPFW V2 dynamic keepalives broken

I imagine the following happens:

+ the client does not properly close the connection;
+ when a keepalive is sent (every 5 minutes), the server's TCP responds (thus refreshing the rule), and the TCP timeout is reset so it stays in the FIN_WAIT[2] state for another cycle, whereas the client does not bother to send back a RST (which would cause the timeout for the dynamic rule to go down to very low values).
This would explain why the phenomenon is relatively rare (500 entries in 5 days).

Maybe I should change the logic in the dynamic rules so that further keepalives are not sent unless a reply has been received from both sides.

On Tue, May 27, 2003 at 03:50:40PM -0700, Gregory Neil Shapiro wrote:
> Since enabling IPFW V2 on RELENG_4, I've had a fairly busy web/ftp
> server run out dynamic buckets for new rules. Stopping the web/ftp
...
> I discovered however that it is somehow dyn_keepalives that is causing
> the problem. If I turn them off, things return to normal:
>
> # sysctl net.inet.ip.fw.dyn_keepalive=0
> net.inet.ip.fw.dyn_keepalive: 1 -> 0
> (wait a few seconds)

How "few" seconds? I suppose in the order of 300 or so, enough to let the local session expire?

cheers
luigi

> # netstat -anf inet | grep FIN_WAIT | wc -l
> 16
>
> Here is a snapshot of how things looked before disabling dyn_keepalive:
>
> # sysctl -a | grep net.inet.ip.fw
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 497
> net.inet.ip.fw.dyn_max: 2000
> net.inet.ip.fw.static_count: 65
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_short_lifetime: 60
> net.inet.ip.fw.dyn_keepalive: 1
>
> Any ideas? Could enabling dyn_keepalives prevent the FIN_WAIT* process
> from completing?
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 28 08:55:36 2003
Date: Wed, 28 May 2003 08:55:35 -0700
From: Gregory Neil Shapiro
To: Luigi Rizzo
cc: freebsd-ipfw@freebsd.org
Message-ID: <20030528155535.GB13285@horsey.gshapiro.net>
References: <20030527225040.GV13285@horsey.gshapiro.net> <20030528013250.A30254@xorpc.icir.org>
In-Reply-To: <20030528013250.A30254@xorpc.icir.org>
Subject: Re: IPFW V2 dynamic keepalives broken

> I imagine the following happens:
> + the client does not properly close the connection;

I tend to agree.

> + when a keepalive is sent (every 5 minutes),

But wouldn't a dyn_fin_lifetime of 1 mean it wouldn't reach 5 minutes?
> the server's TCP responds (thus refreshing the rule), and the

Interestingly enough, the client can't respond. An upstream Nokia Checkpoint FW-1 firewall is rejecting the packets from the client to the server with "Unknown established connection". You are correct though, the server may be responding.

> TCP timeout is reset so it stays in the FIN_WAIT[2] state for
> another cycle, whereas the client does not bother to send back a
> RST (which would cause the timeout for the dynamic rule go down to
> very low values).

> Maybe I should change the logic in the dynamic rules so that further
> keepalives are not sent unless a reply has been received from both
> sides.

That does sound like a good solution.

> > # sysctl net.inet.ip.fw.dyn_keepalive=0
> > net.inet.ip.fw.dyn_keepalive: 1 -> 0
> > (wait a few seconds)
>
> how "few" seconds ? I suppose in the order of 300 or so, enough
> to let the local session expire ?

Yes, sorry, that should have been "few minutes", not "few seconds".

By the way, since sending the mail yesterday, 149 have collected in FIN_WAIT_2 on the server. I repeated the process and timed it. It started dropping them after about 6 minutes.
From owner-freebsd-ipfw@FreeBSD.ORG Wed May 28 12:11:48 2003
Date: Wed, 28 May 2003 12:11:47 -0700
From: Luigi Rizzo
To: Gregory Neil Shapiro
cc: freebsd-ipfw@freebsd.org
Message-ID: <20030528121147.B9434@xorpc.icir.org>
References: <20030527225040.GV13285@horsey.gshapiro.net> <20030528013250.A30254@xorpc.icir.org> <20030528155535.GB13285@horsey.gshapiro.net>
In-Reply-To: <20030528155535.GB13285@horsey.gshapiro.net>; from gshapiro@freebsd.org on Wed, May 28, 2003 at 08:55:35AM -0700
Subject: Re: IPFW V2 dynamic keepalives broken

On Wed, May 28, 2003 at 08:55:35AM -0700, Gregory Neil Shapiro wrote:
> > I imagine the following happens:
> > + the client does not properly close the connection;
>
> I tend to agree.
>
> > + when a keepalive is sent (every 5 minutes),

To be precise -- a keepalive is sent in the last 30 sec or so of the lifetime of a dynamic rule.
If the timeout is bumped below this value (as happens when both FINs or an RST come in) then keepalives are disabled. But if only one FIN is received, and no RST arrives back, keepalives continue to flow.

> But wouldn't a dyn_fin_lifetime of 1 mean it wouldn't reach 5 minutes?

Only if both FINs come in -- that is when the dyn_fin_lifetime takes effect.

cheers
luigi

> > the server's TCP responds (thus refreshing the rule), and the
>
> Interestingly enough, the client can't respond. An upstream Nokia
> Checkpoint FW-1 firewall is rejecting the packets from the client to
> the server with "Unknown established connection". You are correct
> though, the server may be responding.
>
> > TCP timeout is reset so it stays in the FIN_WAIT[2] state for
> > another cycle, whereas the client does not bother to send back a
> > RST (which would cause the timeout for the dynamic rule go down to
> > very low values).
>
> > Maybe I should change the logic in the dynamic rules so that further
> > keepalives are not sent unless a reply has been received from both
> > sides.
>
> That does sound like a good solution.
>
> > > # sysctl net.inet.ip.fw.dyn_keepalive=0
> > > net.inet.ip.fw.dyn_keepalive: 1 -> 0
> > > (wait a few seconds)
> >
> > how "few" seconds ? I suppose in the order of 300 or so, enough
> > to let the local session expire ?
>
> Yes, sorry, that should have been "few minutes", not "few seconds".
>
> By the way, since sending the mail yesterday, 149 have collected in
> FIN_WAIT_2 on the server. I repeated the process and timed it.
> It started dropping them after about 6 minutes.
From owner-freebsd-ipfw@FreeBSD.ORG Thu May 29 11:14:45 2003
Date: Thu, 29 May 2003 18:14:42 +0000
From: Philip Reynolds
To: freebsd-ipfw@freebsd.org
Message-ID: <20030529181442.GA24554@rfc-networks.ie>
References: <1053676087.95fbe1caf5dcd@www.dannysplace.com>
In-Reply-To: <1053676087.95fbe1caf5dcd@www.dannysplace.com>
Subject: Re: Strange natd problem.

danny@dannysplace.net 69 lines of wisdom included:
> Here is the strange bit...
> rule 100 matches and (re-inserts)
> rules 200 never match
> rules 300 match and allow the quake packets through.
>
> I've tried the following protocols specifically.
> tcp,udp,icmp
> But it will ONLY match when I say "ip"
>
> So could it be that the firewall on my home lan does something with natd, then
> the firewall on the quake servers lan does something *else* to the packets
> there by screwing them up?
>
> Or does quake just use some strange ip protocol?.

Does it not use IPX/SPX?

--
Philip Reynolds                     | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie     | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil | www.rfc-networks.ie

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 30 12:43:52 2003
Date: Fri, 30 May 2003 12:43:37 -0700
From: "Crist J. Clark"
To: Erik Paulsen Skålerud
cc: ipfw@freebsd.org
Message-ID: <20030530194337.GB20944@blossom.cjclark.org>
References: <006401c324a4$04356330$0a00000a@yes.no>
In-Reply-To: <006401c324a4$04356330$0a00000a@yes.no>
Reply-To: "Crist J. Clark"
Subject: Re: Question about logging.

On Wed, May 28, 2003 at 01:02:15AM +0200, Erik Paulsen Skålerud wrote:
> Sorry for asking this, It's probably been asked before, but I've searched
> google for a while now with no results :(
> I'm wondering if it's possible to restrict ipfw to -only- log to
> /var/log/ipfw.log ? Seems like the only way to remove ipfw-logging from the
> console output (dmesg) is to disable the security messages to the console..
> Is there really no other way?

syslogd(8) gives you the ability to pipe its output through an arbitrary program. You can keep security messages sent to the console, but use a filtering program to block ipfw(8) messages.

--
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
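Returning to the "IPFW Question" thread above (Evgeny's pipe-20 question and Olivier's skipto answer): the following is an added example, not code from the list, that models how ipfw walks Olivier's suggested rule set and shows why the skipto rule matters only when net.inet.ip.fw.one_pass is 0. It assumes the one_pass semantics documented in ipfw(8) (a packet leaving a dummynet pipe is not reinjected when one_pass=1, otherwise it re-enters at the next rule), stands in two constructed prefixes for ${nets}, reads rule 300's "any..." as "ip from any to any", adds a terminal allow rule 400, and reduces matching to a source-address check.

```python
"""Toy model of ipfw rule traversal for the pipe/skipto rule set suggested on
the list.  Not ipfw's code: the one_pass handling follows ipfw(8), everything
else is a constructed simplification (source-address matching only)."""
from ipaddress import ip_address, ip_network

# Constructed stand-in for the ${nets} shell variable in the thread.
NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


def from_nets(src):
    return any(src in n for n in NETS)


def from_any(src):
    return True


# Olivier's suggestion as (rule number, action, argument, match function);
# rule 400 is an assumed terminal rule so the skipto has somewhere to land.
SUGGESTED = [
    (100, "pipe", 10, from_nets),
    (200, "skipto", 400, from_nets),
    (300, "pipe", 20, from_any),      # "any..." in the mail
    (400, "allow", None, from_any),
]
# The same set without the skipto, to see what that rule protects against.
WITHOUT_SKIPTO = [r for r in SUGGESTED if r[1] != "skipto"]


def walk(src, one_pass, rules=SUGGESTED):
    """Return the (number, action, arg) triples that fire for a packet from
    `src`, following ipfw(8) semantics:
      - skipto N continues at the first rule numbered >= N;
      - pipe N hands the packet to dummynet: with one_pass=1 the packet is
        not reinjected (the rule is terminal), with one_pass=0 it re-enters
        the firewall at the next rule;
      - allow/deny terminate the search."""
    src = ip_address(src)
    fired, i = [], 0
    while i < len(rules):
        num, action, arg, match = rules[i]
        if not match(src):
            i += 1
            continue
        fired.append((num, action, arg))
        if action == "pipe" and not one_pass:
            i += 1                                   # reinjected after the pipe
        elif action == "skipto":
            i = next((k for k, r in enumerate(rules) if r[0] >= arg), len(rules))
        else:
            break                                    # terminal action
    return fired


def pipes_used(src, one_pass, rules=SUGGESTED):
    """Dummynet pipe numbers the packet is shaped by, in order."""
    return [arg for _, action, arg in walk(src, one_pass, rules) if action == "pipe"]


if __name__ == "__main__":
    for one_pass in (1, 0):
        for src in ("10.1.2.3", "198.51.100.7"):   # constructed test addresses
            print(f"one_pass={one_pass} src={src}: with skipto "
                  f"{pipes_used(src, one_pass)}, without "
                  f"{pipes_used(src, one_pass, WITHOUT_SKIPTO)}")
```

With one_pass=0 and no skipto, a ${nets} packet is shaped by pipe 10 and then again by pipe 20; with one_pass=1 (the default shown in Gregory's sysctl snapshot) the pipe 10 rule is terminal and the skipto is never reached.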
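For the "IPFW V2 dynamic keepalives broken" thread above, here is an added example (not code from the list or from ipfw itself) that models the dynamic-rule lifetime behaviour Luigi and Gregory work out: the sysctl values come from Gregory's snapshot, the 30-second keepalive window and the "both FINs" rule from Luigi's explanation, and the `both_sides` policy is Luigi's proposed change. The timing logic is a simplification written for this example, not the ipfw source; the half-closed session and the silent client are constructed.

```python
"""Model of an ipfw dynamic rule under keepalives.  Constants are the sysctl
values posted in the thread; the state handling is a simplification of the
behaviour described there, not ipfw's implementation."""

ACK_LIFETIME = 300     # net.inet.ip.fw.dyn_ack_lifetime
FIN_LIFETIME = 1       # net.inet.ip.fw.dyn_fin_lifetime
RST_LIFETIME = 1       # net.inet.ip.fw.dyn_rst_lifetime
KEEPALIVE_WINDOW = 30  # keepalives go out in roughly the last 30 s of a rule
HORIZON = 3000         # seconds of simulated time


class DynRule:
    """One dynamic rule for a TCP session between 'client' and 'server'."""

    def __init__(self, now):
        self.lifetime = ACK_LIFETIME
        self.expire = now + self.lifetime
        self.fin_seen = {"client": False, "server": False}
        self.keepalive_on = True   # per-rule switch; the real sysctl is global

    def alive(self, now):
        return now < self.expire

    def packet(self, now, sender, flags):
        """Refresh the rule for a packet from `sender` carrying TCP `flags`."""
        if "R" in flags:
            self.lifetime = RST_LIFETIME          # RST: tear down quickly
        elif "F" in flags:
            self.fin_seen[sender] = True
            # dyn_fin_lifetime applies only once BOTH sides have sent a FIN;
            # a single FIN leaves the rule on the long "established" lifetime
            if all(self.fin_seen.values()):
                self.lifetime = FIN_LIFETIME
        self.expire = now + self.lifetime

    def keepalive_due(self, now):
        # No keepalives once the timeout has been bumped below the window
        # (both FINs or an RST), nor if they were switched off for this rule.
        return (self.keepalive_on and self.lifetime > KEEPALIVE_WINDOW
                and self.expire - now <= KEEPALIVE_WINDOW)


def simulate(policy, client_answers=False):
    """Run one half-closed session and return the second at which the rule
    expired, or None if it is still alive at HORIZON.

    policy: 'off'        -> dyn_keepalive=0
            'on'         -> keepalives as the thread describes them
            'both_sides' -> Luigi's proposal: stop probing a rule unless both
                            endpoints answered the previous probe
    client_answers: True models a healthy idle client; False the silent one
                    whose packets are rejected by the upstream firewall.
    """
    rule = DynRule(0)
    rule.packet(10, "server", "F")   # server closes its side (FIN_WAIT_1)
    rule.packet(10, "client", "A")   # client ACKs it: server now in FIN_WAIT_2
    for now in range(11, HORIZON):
        if not rule.alive(now):
            return now
        if policy == "off" or not rule.keepalive_due(now):
            continue
        # ipfw probes both endpoints; a live TCP in FIN_WAIT_2 answers the
        # probe with an ACK, which passes the firewall and refreshes the rule.
        replies = {"server"} | ({"client"} if client_answers else set())
        for who in replies:
            rule.packet(now, who, "A")
        if policy == "both_sides" and replies != {"client", "server"}:
            rule.keepalive_on = False    # one silent side: stop refreshing it
    return None


if __name__ == "__main__":
    for policy in ("off", "on", "both_sides"):
        print(f"{policy:10s} silent client -> expires at {simulate(policy)}, "
              f"healthy client -> expires at {simulate(policy, True)}")
```

With the silent client the rule never expires under `on` (the server's reply refreshes it every cycle, which is the FIN_WAIT_2 pile-up Gregory saw), expires at 310 s with keepalives off, and at 580 s under `both_sides`; a client that does answer keeps its rule alive under both `on` and `both_sides`.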