From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 27 03:39:49 2003
From: Mark Hannon
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 27 Jul 2003 20:39:47 +1000
Message-ID: <3F23ABF3.1020905@optusnet.com.au>
In-Reply-To: <20030725103814.A54554@xorpc.icir.org>
Subject: Re: using dummynet to simulate modem, dsl, etc
List-Id: IPFW Technical Discussions

For those that are interested ... the following script and test results
were obtained. My reasonings for the delay etc. are partially included in
the perl script.

/mark

#!/usr/bin/perl
#
# $Id: lnf-test.pl,v 1.1 2003/07/27 10:30:57 mark Exp $
#
# =====================================================================
# Details of all of the networks to be simulated are stored in a hash:
#
#   name           => "descriptive text"
#   ip             => "dotted ip number - will be aliased to lo0",
#   mtu            => "mtu in octets",
#   us_bw          => "upstream bandwidth in kbit/s",
#   us_queue       => 0,
#   us_init_delay  => "upstream processing delay only",
#   us_total_delay => "upstream total delay - calculated",
#   ds_bw          => "downstream bandwidth in kbit/s",
#   ds_queue       => 0,
#   ds_init_delay  => "downstream processing delay only",
#   ds_total_delay => "downstream total delay - calculated",

use strict;
use warnings;

my $testnet = [
    {
        name           => "56k modem",
        ip             => "127.0.0.101",
        mtu            => 576,
        us_bw          => 33,
        us_queue       => 0,
        us_init_delay  => 40,   # V.90 processing, error correction etc.
        us_total_delay => 0,
        ds_bw          => 56,
        ds_queue       => 0,
        ds_init_delay  => 40,   # V.90 processing, error correction etc.
        ds_total_delay => 0
    },
    {
        name           => "128k ISDN-BA",
        ip             => "127.0.0.102",
        mtu            => 576,
        us_bw          => 128,
        us_queue       => 0,
        us_init_delay  => 20,   # guesstimate
        us_total_delay => 0,
        ds_bw          => 128,
        ds_queue       => 0,
        ds_init_delay  => 20,   # guesstimate
        ds_total_delay => 0
    },
    {
        name           => "512k/64k ADSL",
        ip             => "127.0.0.103",
        mtu            => 1500,
        us_bw          => 64,
        us_queue       => 0,
        us_init_delay  => 15,   # guesstimate
        us_total_delay => 0,
        ds_bw          => 512,
        ds_queue       => 0,
        ds_init_delay  => 15,   # guesstimate
        ds_total_delay => 0
    },
    {
        name           => "1500k/256k ADSL",
        ip             => "127.0.0.104",
        mtu            => 1500,
        us_bw          => 256,
        us_queue       => 0,
        us_init_delay  => 15,   # guesstimate
        us_total_delay => 0,
        ds_bw          => 1500,
        ds_queue       => 0,
        ds_init_delay  => 15,   # guesstimate
        ds_total_delay => 0
    },
    {
        name           => "8000k/1000k ADSL",
        ip             => "127.0.0.105",
        mtu            => 1500,
        us_bw          => 1000,
        us_queue       => 0,
        us_init_delay  => 15,   # guesstimate
        us_total_delay => 0,
        ds_bw          => 8000,
        ds_queue       => 0,
        ds_init_delay  => 15,   # guesstimate
        ds_total_delay => 0
    },
];

# =====================================================================
# Loop through $testnet and setup simulated networks

my $set_nr  = 10;   # the initial ipfw set number to use (not used below)
my $pipe_nr = 10;   # the initial ipfw pipe number to use
my $rule_nr = 10;   # the initial ipfw rule number to use

foreach my $this (@$testnet) {
    # add serialization of 40 octet ACK to upstream delay
    my $us_serial_delay = (40 * 8) / $$this{us_bw};
    $$this{us_total_delay} = int($$this{us_init_delay} + $us_serial_delay);

    # add serialization of MTU octet data to downstream delay
    my $ds_serial_delay = ($$this{mtu} * 8) / $$this{ds_bw};
    $$this{ds_total_delay} = int($$this{ds_init_delay} + $ds_serial_delay);

    printf "%s: %s kbit/s @ %s ms down and %s kbit/s @ %s ms up\n",
        $$this{name}, $$this{ds_bw}, $$this{ds_total_delay},
        $$this{us_bw}, $$this{us_total_delay};

    # add alias to lo0 for the address
    my $ifconfig_command = "ifconfig lo0 alias $$this{ip}";
    print $ifconfig_command, "\n";
    `$ifconfig_command`;

    # setup an input pipe to simulate the upstream
    my $ipfw_command = "ipfw -q add $rule_nr pipe $pipe_nr ip from any to $$this{ip} in";
    my $pipe_command = "ipfw -q pipe $pipe_nr config bw $$this{us_bw}kbit/s "
                     . "queue $$this{us_queue} delay $$this{us_total_delay}ms";
    print $ipfw_command, "\n";
    `$ipfw_command`;
    print $pipe_command, "\n";
    `$pipe_command`;
    $rule_nr++;
    $pipe_nr++;

    # setup an input pipe to simulate the downstream
    $ipfw_command = "ipfw -q add $rule_nr pipe $pipe_nr ip from $$this{ip} to any in";
    $pipe_command = "ipfw -q pipe $pipe_nr config bw $$this{ds_bw}kbit/s "
                  . "queue $$this{ds_queue} delay $$this{ds_total_delay}ms";
    print $ipfw_command, "\n";
    `$ipfw_command`;
    print $pipe_command, "\n";
    `$pipe_command`;
    $rule_nr++;
    $pipe_nr++;
}

# SIGHUP inetd in order to listen on all new interfaces
`killall -HUP inetd`;

# =====================================================================
# Loop through $testnet and test performance

foreach my $this (@$testnet) {
    # print headers etc
    print "===================================================================\n";
    printf "%s: %s kbit/s @ %s ms down and %s kbit/s @ %s ms up\n",
        $$this{name}, $$this{ds_bw}, $$this{ds_total_delay},
        $$this{us_bw}, $$this{us_total_delay};
    print "===================================================================\n";

    my $start_time  = time;
    my $ftp_command = "fetch ftp://$$this{ip}/pub/test_small";
    print "$ftp_command\n";
    `$ftp_command`;
    my $finish_time = time;
    my $clock_time  = $finish_time - $start_time;
    print "Clock time for transfer = $clock_time seconds\n";
    print "\n";
}

tbird:~/projects/lnf-test# ./lnf-test.pl
56k modem: 56 kbit/s @ 122 ms down and 33 kbit/s @ 49 ms up
ifconfig lo0 alias 127.0.0.101
ipfw -q add 10 pipe 10 ip from any to 127.0.0.101 in
ipfw -q pipe 10 config bw 33kbit/s queue 0 delay 49ms
ipfw -q add 11 pipe 11 ip from 127.0.0.101 to any in
ipfw -q pipe 11 config bw 56kbit/s queue 0 delay 122ms
128k ISDN-BA: 128 kbit/s @ 56 ms down and 128 kbit/s @ 22 ms up
ifconfig lo0 alias 127.0.0.102
ipfw -q add 12 pipe 12 ip from any to 127.0.0.102 in
ipfw -q pipe 12 config bw 128kbit/s queue 0 delay 22ms
ipfw -q add 13 pipe 13 ip from 127.0.0.102 to any in
ipfw -q pipe 13 config bw 128kbit/s queue 0 delay 56ms
512k/64k ADSL: 512 kbit/s @ 38 ms down and 64 kbit/s @ 20 ms up
ifconfig lo0 alias 127.0.0.103
ipfw -q add 14 pipe 14 ip from any to 127.0.0.103 in
ipfw -q pipe 14 config bw 64kbit/s queue 0 delay 20ms
ipfw -q add 15 pipe 15 ip from 127.0.0.103 to any in
ipfw -q pipe 15 config bw 512kbit/s queue 0 delay 38ms
1500k/256k ADSL: 1500 kbit/s @ 23 ms down and 256 kbit/s @ 16 ms up
ifconfig lo0 alias 127.0.0.104
ipfw -q add 16 pipe 16 ip from any to 127.0.0.104 in
ipfw -q pipe 16 config bw 256kbit/s queue 0 delay 16ms
ipfw -q add 17 pipe 17 ip from 127.0.0.104 to any in
ipfw -q pipe 17 config bw 1500kbit/s queue 0 delay 23ms
8000k/1000k ADSL: 8000 kbit/s @ 16 ms down and 1000 kbit/s @ 15 ms up
ifconfig lo0 alias 127.0.0.105
ipfw -q add 18 pipe 18 ip from any to 127.0.0.105 in
ipfw -q pipe 18 config bw 1000kbit/s queue 0 delay 15ms
ipfw -q add 19 pipe 19 ip from 127.0.0.105 to any in
ipfw -q pipe 19 config bw 8000kbit/s queue 0 delay 16ms
===================================================================
56k modem: 56 kbit/s @ 122 ms down and 33 kbit/s @ 49 ms up
===================================================================
fetch ftp://127.0.0.101/pub/test_small
Receiving test_small (40960 bytes): 100%
40960 bytes transferred in 6.1 seconds (6.58 kBps)
Clock time for transfer = 8 seconds

===================================================================
128k ISDN-BA: 128 kbit/s @ 56 ms down and 128 kbit/s @ 22 ms up
===================================================================
fetch ftp://127.0.0.102/pub/test_small
Receiving test_small (40960 bytes): 100%
40960 bytes transferred in 2.7 seconds (15.06 kBps)
Clock time for transfer = 4 seconds

===================================================================
512k/64k ADSL: 512 kbit/s @ 38 ms down and 64 kbit/s @ 20 ms up
===================================================================
fetch ftp://127.0.0.103/pub/test_small
Receiving test_small (40960 bytes): 100%
40960 bytes transferred in 0.7 seconds (57.42 kBps)
Clock time for transfer = 1 seconds

===================================================================
1500k/256k ADSL: 1500 kbit/s @ 23 ms down and 256 kbit/s @ 16 ms up
===================================================================
fetch ftp://127.0.0.104/pub/test_small
Receiving test_small (40960 bytes): 100%
40960 bytes transferred in 0.3 seconds (126.33 kBps)
Clock time for transfer = 1 seconds

===================================================================
8000k/1000k ADSL: 8000 kbit/s @ 16 ms down and 1000 kbit/s @ 15 ms up
===================================================================
fetch ftp://127.0.0.105/pub/test_small
Receiving test_small (40960 bytes): 100%
40960 bytes transferred in 0.2 seconds (202.97 kBps)
Clock time for transfer = 1 seconds

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 27 08:40:54 2003
From: Michael Sierchio
To: Darren
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 27 Jul 2003 08:40:50 -0700
Message-ID: <3F23F282.5020605@tenebras.com>
In-Reply-To: <13347545536.20030726003910@dazdaz.org>
Subject: Re: no keep-state and and unpredictable ssh connections

You may need to fiddle with the default values for these

net.inet.ip.fw.dyn_ack_lifetime
net.inet.ip.fw.dyn_syn_lifetime
net.inet.ip.fw.dyn_fin_lifetime
net.inet.ip.fw.dyn_rst_lifetime
net.inet.ip.fw.dyn_udp_lifetime
net.inet.ip.fw.dyn_short_lifetime

and you want

/sbin/sysctl net.inet.ip.fw.dyn_keepalive=1

Anyway, try it this way.

#!/bin/sh
fwcmd="/sbin/ipfw -q"
mynet="192.168.1.0/24"   # placeholder: set to your local network (not defined in the original)

$fwcmd -f flush
$fwcmd add allow ip from any to any via lo0
$fwcmd add check-state
$fwcmd add deny ip from 127.0.0.8 to any
$fwcmd add deny ip from any to 127.0.0.8
$fwcmd add deny tcp from any to any established

# antispoofing rules
$fwcmd add deny ip from 10.0.0.0/8 to any in recv xl0
$fwcmd add deny ip from 172.16.0.0/12 to any in recv xl0
$fwcmd add deny ip from 192.168.0.0/16 to any in recv xl0
$fwcmd add deny ip from me to any in recv xl0

# some ICMP types you mustn't block -- esp. 3 for PMTU, etc.
$fwcmd add allow icmp from any to any icmptypes 0,3,11

# allow local net traffic
$fwcmd add allow ip from $mynet to $mynet

# from me to anywhere
$fwcmd add allow tcp from me to any setup keep-state
$fwcmd add allow udp from me to any keep-state
$fwcmd add allow icmp from me to any

# Separate rules for SSH and HTTP, etc.
$fwcmd add count log logamount 0 tcp from any to me ssh in recv xl0 setup
$fwcmd add allow tcp from any to me ssh in recv xl0 keep-state setup
$fwcmd add count log logamount 0 tcp from any to me http in recv xl0 setup
$fwcmd add allow tcp from any to me http in recv xl0 keep-state setup

$fwcmd add deny log logamount 0 ip from any to any

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 27 08:45:21 2003
From: Michael Sierchio
To: Darren
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 27 Jul 2003 08:45:20 -0700
Message-ID: <3F23F390.2030600@tenebras.com>
In-Reply-To: <3F23F282.5020605@tenebras.com>
Subject: Re: no keep-state and and unpredictable ssh connections

> $fwcmd add deny ip from 127.0.0.8 to any
> $fwcmd add deny ip from any to 127.0.0.8

Ack. Ppppt. Hairball typo.
$fwcmd add deny ip from 127.0.0.0/8 to any
$fwcmd add deny ip from any to 127.0.0.0/8

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 27 08:57:36 2003
From: Luigi Rizzo
To: Mark Hannon
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 27 Jul 2003 08:57:34 -0700
Message-ID: <20030727085734.A89225@xorpc.icir.org>
In-Reply-To: <3F23ABF3.1020905@optusnet.com.au>
Subject: Re: using dummynet to simulate modem, dsl, etc

On Sun, Jul 27, 2003 at 08:39:47PM +1000, Mark Hannon wrote:
> For those that are interested ... the following script and test results
> were obtained. My reasonings for the delay etc. are partially included in
> the perl script.
...
> # add serialization of 40 octet ACK to upstream delay
> $us_serial_delay = (40 * 8 ) / $$this{us_bw};
...
> # add serialization of MTU octet data to downstream delay
> $ds_serial_delay = ($$this{mtu} * 8 ) / $$this{ds_bw};

why are you adding this extra delay ? dummynet already does that --
a packet only comes out of a pipe after what you call the "serialization"
delay (of the packet itself and any other packet queued in front of
it).

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 27 21:59:08 2003
From: Mark Hannon
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 28 Jul 2003 14:58:18 +1000
Message-ID: <3F24AD6A.8060504@optusnet.com.au>
In-Reply-To: <20030727085734.A89225@xorpc.icir.org>
Subject: Re: using dummynet to simulate modem, dsl, etc

Luigi Rizzo wrote:
>> # add serialization of 40 octet ACK to upstream delay
>> $us_serial_delay = (40 * 8 ) / $$this{us_bw};
> ...
>> # add serialization of MTU octet data to downstream delay
>> $ds_serial_delay = ($$this{mtu} * 8 ) / $$this{ds_bw};
>
> why are you adding this extra delay ? dummynet already does that --
> a packet only comes out of a pipe after what you call the "serialization"
> delay (of the packet itself and any other packet queued in front of
> it).

Thanks for clarifying that - for some (probably stupid) reason I thought
that dummynet simply limited the maximum bandwidth used by a pipe but
that it was still clocked at the line rate of the original interface.
That should improve the results a bit.

Regards/Mark

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 28 11:01:42 2003
Date: Mon, 28 Jul 2003 11:01:41 -0700 (PDT)
Message-Id: <200307281801.h6SI1f8X082172@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/09/02]  bin/42318   ipfw   NATD redirect limitations

1 problem total.

Non-critical problems

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 28 11:01:59 2003
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 28 Jul 2003 11:01:58 -0700 (PDT)
Message-Id: <200307281801.h6SI1wCp082537@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/01/26]  kern/47529  ipfw   natd/ipfw lose TCP packets for firewalled
o [2003/03/23]  kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

2 problems total.

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27]  kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22]  kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/03/12]  bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09]  bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
a [2001/04/13]  kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07]  kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10]  kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27]  kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11]  kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw   [patch] Make ipfw2 log to different syslo

8 problems total.
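The serialization-delay point from the dummynet thread above (Mark Hannon's lnf-test.pl and Luigi Rizzo's reply), worked through as an added Python model that is not part of the original posts: it reproduces the delay values the script configured, shows how much latency a dummynet pipe then actually imposes on an MTU-sized packet (the serialization time counted twice), and emits the corrected pipe configuration with delay set to the processing delay only. The one-way latency formula and the transfer lower bound are assumptions of this model, not measurements from the thread.

```python
"""Model of what a dummynet pipe does to a packet, applied to the five link
profiles of lnf-test.pl.  Added example, not code from the original thread.
Following Luigi Rizzo's reply, a packet leaves a pipe only after its own
serialization time (plus that of anything queued ahead of it) and then the
configured 'delay'; adding serialization to 'delay' therefore counts it twice.
"""
from dataclasses import dataclass

ACK_OCTETS = 40           # bare TCP/IP ACK, as assumed in lnf-test.pl
TEST_FILE_OCTETS = 40960  # size of test_small as reported by fetch in the thread


@dataclass(frozen=True)
class LinkProfile:
    name: str
    mtu: int            # octets
    us_bw: int          # upstream bandwidth, kbit/s
    us_init_delay: int  # upstream processing delay, ms (no serialization)
    ds_bw: int          # downstream bandwidth, kbit/s
    ds_init_delay: int  # downstream processing delay, ms


# The five profiles exactly as lnf-test.pl defines them.
PROFILES = [
    LinkProfile("56k modem",         576,   33, 40,   56, 40),
    LinkProfile("128k ISDN-BA",      576,  128, 20,  128, 20),
    LinkProfile("512k/64k ADSL",    1500,   64, 15,  512, 15),
    LinkProfile("1500k/256k ADSL",  1500,  256, 15, 1500, 15),
    LinkProfile("8000k/1000k ADSL", 1500, 1000, 15, 8000, 15),
]


def serialization_ms(octets: int, bw_kbit: int) -> float:
    """Time to clock `octets` onto a link of `bw_kbit` kbit/s, in ms."""
    return octets * 8 / bw_kbit


def script_delay_ms(p: LinkProfile, direction: str) -> int:
    """The 'delay' value lnf-test.pl configured: processing delay plus the
    serialization time of a 40-octet ACK (upstream) or an MTU-sized packet
    (downstream), truncated with int() exactly as the script does."""
    if direction == "up":
        return int(p.us_init_delay + serialization_ms(ACK_OCTETS, p.us_bw))
    return int(p.ds_init_delay + serialization_ms(p.mtu, p.ds_bw))


def pipe_latency_ms(octets: int, bw_kbit: int, delay_ms: float,
                    queued_octets: int = 0) -> float:
    """Assumed one-way latency dummynet imposes on a packet of `octets`
    entering a pipe configured 'bw <bw_kbit>kbit/s delay <delay_ms>ms' while
    `queued_octets` are already waiting in front of it."""
    return serialization_ms(queued_octets + octets, bw_kbit) + delay_ms


def downstream_latency(p: LinkProfile) -> dict:
    """Compare an MTU-sized downstream packet under the script's pipe
    configuration with the corrected one (delay = processing delay only)."""
    as_scripted = pipe_latency_ms(p.mtu, p.ds_bw, script_delay_ms(p, "down"))
    corrected = pipe_latency_ms(p.mtu, p.ds_bw, p.ds_init_delay)
    return {
        "as_scripted_ms": round(as_scripted, 1),
        "corrected_ms": round(corrected, 1),
        "double_counted_ms": round(as_scripted - corrected, 1),
    }


def corrected_pipe_config(p: LinkProfile, us_pipe: int, ds_pipe: int) -> list:
    """ipfw pipe config lines that leave serialization to dummynet."""
    return [
        f"ipfw -q pipe {us_pipe} config bw {p.us_bw}kbit/s delay {p.us_init_delay}ms",
        f"ipfw -q pipe {ds_pipe} config bw {p.ds_bw}kbit/s delay {p.ds_init_delay}ms",
    ]


def transfer_lower_bound_s(p: LinkProfile, octets: int = TEST_FILE_OCTETS) -> float:
    """Crude lower bound on the time to pull `octets` through the downstream
    pipe as the script configured it: serialization of the payload plus one
    one-way delay.  Ignores TCP slow start, headers and ACK clocking, so real
    runs (6.1 s for the 56k profile in the thread) must come out above it."""
    return (serialization_ms(octets, p.ds_bw) + script_delay_ms(p, "down")) / 1000


if __name__ == "__main__":
    for p in PROFILES:
        print(f"{p.name}: script delay {script_delay_ms(p, 'down')} ms down / "
              f"{script_delay_ms(p, 'up')} ms up; MTU packet {downstream_latency(p)}")
        for line in corrected_pipe_config(p, 10, 11):
            print("    " + line)
```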
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 29 12:47:02 2003
From: Sean Hafeez
To: freebsd-ipfw@freebsd.org
Date: Tue, 29 Jul 2003 12:46:58 -0700
Message-ID: <3F26CF32.2060307@edgefocus.com>
Subject: radius and natd

i have a network (10.0.0.x) that is nat'd to the external interface of
the firewall. everything works great. the kernel was compiled with the
leave everything open option. the only rules are:

/sbin/natd -interface rl0
ipfw add divert natd all from any to any via rl0
ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

rl0 is the external. rl1 is the internal 10.0.0.x network.

i have a device on the internal network 10.0.0.4 that needs to query a
radius server on the internet. i can see the request come in from the
device on rl1 (tcpdump -i rl1) but i see nothing leave and never see the
packet hit the server. is nat the problem? is there a way around this?

i googled but did not find anything that worked. remember this is a wide
open box that is just being used for nat and shaping with no rules.

thanks!

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 29 13:55:02 2003
From: Andrzej Kwiatkowski
To: freebsd-ipfw@freebsd.org
Cc: freebsd-questions@freebsd.org
Date: Tue, 29 Jul 2003 22:54:45 +0200 (CEST)
Message-ID: <20030729224930.L7243@kwiatek.eu.org>
In-Reply-To: <410-220037229204050796@M2W031.mail2web.com>
Subject: ipfw ruleset question

Hello. I've got a bit of a strange problem.

My FreeBSD works as NAT with natd. When the rule

    divert 8668 ip from any to any via fxp0

is first, everything is ok, but when I try to move this rule after some
spammer-blocking rules, my NAT won't work properly. Incoming traffic is
NATed correctly, but outgoing looks like it is not NATed.

sysctl net.inet.ip.fw.one_pass is set to 1. I tried setting it to 0 but
nothing changed.

Have any idea?

thanks in advance
Andrzej Kwiatkowski

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 31 03:46:15 2003
From: dmitry surovtsev
To: freebsd-ipfw@freebsd.org
Date: Thu, 31 Jul 2003 03:46:15 -0700 (PDT)
Message-ID: <20030731104615.30508.qmail@web12705.mail.yahoo.com>
Subject: radius and natd

try

# $radius is the address of the RADIUS server, $ip_of_rl1 the address of rl1
ipfw add divert natd tcp from 10.0.0.4 to $radius via rl1
ipfw add divert natd tcp from $radius to $ip_of_rl1 via rl1
ipfw add allow tcp from $ip_of_rl1 to $radius out xmit rl1
ipfw add allow tcp from $radius to 10.0.0.4 in recv rl1

dmitry

Message: 1
Date: Tue, 29 Jul 2003 12:46:58 -0700
From: Sean Hafeez
Subject: radius and natd
To: freebsd-ipfw@freebsd.org
Message-ID: <3F26CF32.2060307@edgefocus.com>

i have a network (10.0.0.x) that is nat'd to the external interface of
the firewall. everything works great. the kernel was compiled with the
leave everything open option.
the only rules are: /sbin/natd -interface rl0 ipfw add divert natd all from any to any via rl0 ipfw add pipe 1 ip from any to any in recv rl1 ipfw add pipe 2 ip from any to any out xmit rl1 ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s rl0 is the external. rl1 is the internal 10.0.0.x network. i have a device on the internal network 10.0.0.4 that needs to query an radius server on the internet. i can see the request come in from the device on rl1 (tcpdump -i rl1) but i see nothing leave and never see the packet hit the server. is nat the problem? is there away around this? i googled but did not find anything that worked. remember this is a wide open box that is just being used for nat and shapping with no rules. __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 17 04:35:05 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 03C6837B404 for ; Thu, 17 Jul 2003 04:35:05 -0700 (PDT) Received: from mout2.freenet.de (mout2.freenet.de [194.97.50.155]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9532743F93 for ; Thu, 17 Jul 2003 04:35:03 -0700 (PDT) (envelope-from ino-qc@spotteswoode.de.eu.org) Received: from [194.97.50.135] (helo=mx2.freenet.de) by mout2.freenet.de with asmtp (Exim 4.20) id 19d72M-0005JO-2E for freebsd-ipfw@freebsd.org; Thu, 17 Jul 2003 13:35:02 +0200 Received: from p3ee27da9.dip.t-dialin.net ([62.226.125.169] helo=spotteswoode.dnsalias.org) by mx2.freenet.de with asmtp (ID inode@freenet.de) (Exim 4.20 #1) id 19d72L-0008Ia-Py for freebsd-ipfw@freebsd.org; Thu, 17 Jul 2003 13:35:01 +0200 Received: (qmail 4026 invoked by uid 0); 17 Jul 2003 11:34:55 -0000 Date: 17 Jul 2003 13:34:55 +0200 Message-ID: <4r1lfktc.fsf@ID-23066.news.dfncis.de> From: 
"clemens fischer" To: "Corey Frang" In-Reply-To: (Corey Frang's message of "Sun, 13 Jul 2003 21:36:06 -0500") References: User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii cc: freebsd-ipfw@freebsd.org Subject: Re: Using IPFW as a traffic limiting solution? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Jul 2003 11:35:05 -0000 * 2003-07-14 Corey Frang: > I have looked into dummynet, and it seems to be what I want to do, > however I am going a bit out of my league with this one. Here is a > description of the system I want to set up: http://info.iet.unipi.it/~luigi/ip_dummynet/ and you can google for pages linking to this one. clemens From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 31 12:21:47 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 16ECF37B405 for ; Thu, 31 Jul 2003 12:21:47 -0700 (PDT) Received: from dreadnought.cnchost.com (dreadnought.cnchost.com [207.155.248.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0029243FA3 for ; Thu, 31 Jul 2003 12:21:45 -0700 (PDT) (envelope-from sahafeez@edgefocus.com) Received: from edgefocus.com (064-186-254-102.custnet.redwired.net [64.186.254.102]) by dreadnought.cnchost.com id PAA02033; Thu, 31 Jul 2003 15:21:44 -0400 (EDT) [ConcentricHost SMTP Relay 1.15] Errors-To: Message-ID: <3F296C48.9020309@edgefocus.com> Date: Thu, 31 Jul 2003 12:21:44 -0700 From: Sean Hafeez User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Ean Kingston , freebsd-ipfw@freebsd.org References: <3F26CF32.2060307@edgefocus.com> <1059617795.12631.22.camel@prosporo.hedron.org> In-Reply-To: 
<1059617795.12631.22.camel@prosporo.hedron.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: radius and natd X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 31 Jul 2003 19:21:47 -0000

thanks fixed it. the box was setup as default open in the kernel so I do not need the last default allow. turns out my upstream had filters on radius.

Ean Kingston wrote:
> On Tue, 2003-07-29 at 15:46, Sean Hafeez wrote:
>
>> I have a network (10.0.0.x) that is nat'd to the external interface of
>> the firewall. everything works great. the kernel was compiled with the
>> leave everything open option. the only rules are:
>>
>> /sbin/natd -interface rl0
>> ipfw add divert natd all from any to any via rl0
>> ipfw add pipe 1 ip from any to any in recv rl1
>> ipfw add pipe 2 ip from any to any out xmit rl1
>> ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
>> ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s
>
> Do you not need:
> ipfw add allow all from any to any
> at the very end of that?
>
>> rl0 is the external. rl1 is the internal 10.0.0.x network.
>>
>> I have a device on the internal network 10.0.0.4 that needs to query a
>> radius server on the internet. I can see the request come in from the
>> device on rl1 (tcpdump -i rl1) but I see nothing leave and never see the
>> packet hit the server. Is nat the problem? Is there a way around this?
>>
>> I googled but did not find anything that worked. Remember this is a wide
>> open box that is just being used for nat and shaping with no rules.
>>
>>
>> thanks!
>>
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 31 13:17:58 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B99FF37B401 for ; Thu, 31 Jul 2003 13:17:58 -0700 (PDT) Received: from epita.fr (hermes.epita.fr [163.5.255.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 68F1C43F93 for ; Thu, 31 Jul 2003 13:17:57 -0700 (PDT) (envelope-from le-hen_j@epita.fr) Received: from carpediem (carpediem.epita.fr [10.42.42.5]) by epita.fr id h6VKHmA17139 Thu, 31 Jul 2003 22:17:48 +0200 (CEST) Date: Thu, 31 Jul 2003 22:17:47 +0200 From: jeremie le-hen To: Corey Frang Message-ID: <20030731201747.GD17861@carpediem.epita.fr> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i cc: freebsd-ipfw@freebsd.org Subject: Re: Using IPFW as a traffic limiting solution? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 31 Jul 2003 20:17:59 -0000

> A) I want to be able to INSURE bandwidth without limiting it in dead
> times. In other words, 10.1.0.0/16 should be able to always have
> 250kbit/sec available, but if no one else is using bandwidth, allow it
> to go as high as possible.

AFAIK, dummynet(4) is not able to achieve this kind of requirements: you can set a higher threshold for traffic speed, you can prioritize traffic, but ensuring a minimum bandwidth is not possible. But Luigi will maybe stick out from his hat a cunning way to achieve this kind of stuff...
;-)

Otherwise, ALTQ in conjunction with IPFilter will certainly be your friend, but I'm not aware of any documentation on this.

> B) I want to be able to mark some clients as always limited.

dummynet(4) is perfect for this.

> C) I want to be able to set up multiple "classes" (right now using
> 10.1, 10.2, 10.3, 10.4, etc) with their own insurance on bandwidth.

See the "mask" keyword in the DUMMYNET part of the ipfw(8) manpage.

-- Jeremie aka TtZ/TataZ jeremie.le-hen@epita.fr

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 1 07:46:00 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7585837B401 for ; Fri, 1 Aug 2003 07:46:00 -0700 (PDT) Received: from exchange.wan.no (exchange.wan.no [80.86.128.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 52BF043F85 for ; Fri, 1 Aug 2003 07:45:59 -0700 (PDT) (envelope-from sten.daniel.sorsdal@wan.no) MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable content-class: urn:content-classes:message X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 Date: Fri, 1 Aug 2003 16:44:13 +0200 Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F07DEFE@exchange.wanglobal.net> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Suggestion regarding a new option for IPFW2 Thread-Index: AcNYO55PmdJmPesMSuafB+0T+etkKg== From: Sten Daniel Sørsdal To: Subject: Suggestion regarding a new option for IPFW2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Aug 2003 14:46:00 -0000

I have a humble suggestion to an IPFW2 option.
The option to send icmp error messages/tcp resets with src being the original destination of the offending packet.

I realize after looking at the src's that this might require a separate icmp_error() - please correct me if I'm wrong!

The intent is to "disguise" the source of the error message for forwarding firewalls protecting servers. I'm thinking of a function like the one that is found in ipfilter.

Is this an option the community would appreciate? Any thoughts and suggestions appreciated.

-- Sten

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 1 08:15:45 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BBD0937B404 for ; Fri, 1 Aug 2003 08:15:45 -0700 (PDT) Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 1C14543F75 for ; Fri, 1 Aug 2003 08:15:45 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 58784 invoked from network); 1 Aug 2003 15:15:42 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by 0 with SMTP; 1 Aug 2003 15:15:42 -0000 Message-ID: <3F2A841D.7050104@tenebras.com> Date: Fri, 01 Aug 2003 08:15:41 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.3.1) Gecko/20030425 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: Sten Daniel Sørsdal References: <0AF1BBDF1218F14E9B4CCE414744E70F07DEFE@exchange.wanglobal.net> In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DEFE@exchange.wanglobal.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit cc: freebsd-ipfw@freebsd.org Subject: Re: Suggestion regarding a new option for IPFW2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 01 Aug 2003 15:15:46 -0000

Sten Daniel Sørsdal wrote:
> I have a humble suggestion to an IPFW2 option.
>
> The option to send icmp error messages/tcp resets with src being
> the original destination of the offending packet.
>
> I realize after looking at the src's that this might require a
> separate icmp_error() - please correct me if I'm wrong!
>
> The intent is to "disguise" the source of the error message for
> forwarding firewalls protecting servers.

This feature already exists. natd already does this. It does even better -- it correctly rewrites the *included* header (the one from the offending packet).

That being said, it's certainly correct for an intermediate router (for example, a firewall) to issue an ICMP unreachable net-prohib, etc. or to issue a TCP reset, without rewriting.

This works fine -- several mailing lists I subscribe to attempt to connect to auth/tcp when I post. My firewall issues a reset to these connection attempts, and it gives up and cheerfully accepts my message.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 1 08:29:16 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2BD3F37B401 for ; Fri, 1 Aug 2003 08:29:16 -0700 (PDT) Received: from exchange.wan.no (exchange.wan.no [80.86.128.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C7AC43F93 for ; Fri, 1 Aug 2003 08:29:15 -0700 (PDT) (envelope-from sten.daniel.sorsdal@wan.no) MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable content-class: urn:content-classes:message X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 Date: Fri, 1 Aug 2003 17:27:29 +0200 Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F07DEFF@exchange.wanglobal.net> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Suggestion regarding a new option for IPFW2 Thread-Index: AcNYP45WcuPCDEpWR/6tOAiac57A7AAAIz8Q From: Sten Daniel Sørsdal To: "Michael Sierchio" cc: freebsd-ipfw@freebsd.org Subject: RE: Suggestion regarding a new option for IPFW2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Aug 2003 15:29:16 -0000

> > The option to send icmp error messages/tcp resets with src being
> > the original destination of the offending packet.
> >
> > I realize after looking at the src's that this might require a
> > separate icmp_error() - please correct me if I'm wrong!
> >
> > The intent is to "disguise" the source of the error message for
> > forwarding firewalls protecting servers.
>
> This feature already exists.

I disagree

> natd already does this. It does even better -- it correctly
> rewrites the *included* header (the one from the offending
> packet).

who needs NAT? I got more IP's than I know what to do with.
but it's certainly an idea to look at what natd does to masquerade the error messages properly.

>
> That being said, it's certainly correct for an intermediate
> router (for example, a firewall) to issue an ICMP unreachable
> net-prohib, etc. or to issue a TCP reset, without rewriting.

I'm sure it is, but the intent was to disguise the non-pnat firewall in question. for example adding this to my dedicated firewall, e.g.

unreach port udp from any to MYSERVER as-dest

would return a packet saying MYSERVER does not know of any such port.

>
> This works fine -- several mailing lists I subscribe to
> attempt to connect to auth/tcp when I post. My firewall
> issues a reset to these connection attempts, and it
> gives up and cheerfully accepts my message.

are you by any chance using NAT? if you are, then the firewall does not need masking (it already has the public ip and this option would be of little/no use). if not, then you still have the issue of the firewall's presence being easily spotted.

Thank you for your comments!
- Sten

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 1 08:44:45 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2753337B401 for ; Fri, 1 Aug 2003 08:44:45 -0700 (PDT) Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 87ED343FD7 for ; Fri, 1 Aug 2003 08:44:44 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 58941 invoked from network); 1 Aug 2003 15:44:43 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by 0 with SMTP; 1 Aug 2003 15:44:43 -0000 Message-ID: <3F2A8AEB.10603@tenebras.com> Date: Fri, 01 Aug 2003 08:44:43 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.3.1) Gecko/20030425 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: Sten Daniel Sørsdal References: <0AF1BBDF1218F14E9B4CCE414744E70F07DEFF@exchange.wanglobal.net> In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F07DEFF@exchange.wanglobal.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit cc: freebsd-ipfw@freebsd.org Subject: Re: Suggestion regarding a new option for IPFW2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Aug 2003 15:44:45 -0000

Sten Daniel Sørsdal wrote:
> are you by any chance using NAT? if you are, then the firewall
> does not need masking (it already has the public ip and this option
> would be of little/no use).
> if not, then you still have the issue of the firewall's presence being
> easily spotted.
>
> Thank you for your comments!
I can see value in using a firewall in bridging mode, in which case sending ICMP messages might use an alias address not associated with any interface -- if there are no IP addrs on the external interface, for example.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 1 08:48:11 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DDA9137B401 for ; Fri, 1 Aug 2003 08:48:11 -0700 (PDT) Received: from exchange.wan.no (exchange.wan.no [80.86.128.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7428B43F93 for ; Fri, 1 Aug 2003 08:48:10 -0700 (PDT) (envelope-from sten.daniel.sorsdal@wan.no) MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable content-class: urn:content-classes:message X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 Date: Fri, 1 Aug 2003 17:46:24 +0200 Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F1F3E26@exchange.wanglobal.net> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Suggestion regarding a new option for IPFW2 Thread-Index: AcNYQ5eQQCMxtZ0vQbiO63/so/Tx5QAAHGtQ From: Sten Daniel Sørsdal To: "Michael Sierchio" cc: freebsd-ipfw@freebsd.org Subject: RE: Suggestion regarding a new option for IPFW2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Aug 2003 15:48:12 -0000

>
> I can see value in using a firewall in bridging mode, in which
> case sending ICMP messages might use an alias address not associated
> with any interface -- if there are no IP addrs on the
> external interface,
> for example.
>

I don't see how one could divert unreach host messages when unreach host drops the message?

It is the error messages generated by IPFW that I am referring to, in case that was unclear.
- Sten

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 1 09:07:38 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B99FD37B401 for ; Fri, 1 Aug 2003 09:07:38 -0700 (PDT) Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 0C9CE43FAF for ; Fri, 1 Aug 2003 09:07:38 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 59056 invoked from network); 1 Aug 2003 16:07:37 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by 0 with SMTP; 1 Aug 2003 16:07:37 -0000 Message-ID: <3F2A9047.9030808@tenebras.com> Date: Fri, 01 Aug 2003 09:07:35 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.3.1) Gecko/20030425 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: Sten Daniel Sørsdal References: <0AF1BBDF1218F14E9B4CCE414744E70F1F3E26@exchange.wanglobal.net> In-Reply-To: <0AF1BBDF1218F14E9B4CCE414744E70F1F3E26@exchange.wanglobal.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit cc: freebsd-ipfw@freebsd.org Subject: Re: Suggestion regarding a new option for IPFW2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Aug 2003 16:07:39 -0000

Sten Daniel Sørsdal wrote:
> I don't see how one could divert unreach host messages when unreach
> host drops the message?
> It is the error messages generated by IPFW that I am referring to,
> in case that was unclear.

You want the source of an 'unreach' message to be rewritten with the destination of the offending packet? So, a parameter to 'unreach' or 'reset' which is an IP address, and could take the keyword "dest" or something like that?
ipfw add unreach host-prohib ip from any to any auth src-alias 10.0.0.1

or

ipfw add unreach host-prohib ip from any to any auth src-alias target

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 1 09:33:52 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 41A9437B401 for ; Fri, 1 Aug 2003 09:33:52 -0700 (PDT) Received: from exchange.wan.no (exchange.wan.no [80.86.128.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 45AB943FAF for ; Fri, 1 Aug 2003 09:33:51 -0700 (PDT) (envelope-from sten.daniel.sorsdal@wan.no) MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable content-class: urn:content-classes:message X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 Date: Fri, 1 Aug 2003 18:32:05 +0200 Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F1F3E28@exchange.wanglobal.net> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Suggestion regarding a new option for IPFW2 Thread-Index: AcNYRsp1rLRcBSBjSViDnHjeijH36wAA6BPQ From: Sten Daniel Sørsdal To: "Michael Sierchio" cc: freebsd-ipfw@freebsd.org Subject: RE: Suggestion regarding a new option for IPFW2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Aug 2003 16:33:52 -0000

> > I don't see how one could divert unreach host messages when unreach
> > host drops the message?
> > It is the error messages generated by IPFW that I am referring to,
> > in case that was unclear.
>
> You want the source of an 'unreach' message to be rewritten
> with the destination of the offending packet? So, a parameter
> to 'unreach' or 'reset' which is an IP address, and could take
> the keyword "dest" or something like that?
>
> ipfw add unreach host-prohib ip from any to any auth src-alias 10.0.0.1
>
> or
>
> ipfw add unreach host-prohib ip from any to any auth src-alias target
>

Yes, like that.

- Sten

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 1 11:23:27 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 070B437B401 for ; Fri, 1 Aug 2003 11:23:27 -0700 (PDT) Received: from rigel.pucrs.br (rigel.pucrs.br [200.132.10.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id B027D43FBD for ; Fri, 1 Aug 2003 11:23:23 -0700 (PDT) (envelope-from security@pucrs.br) Received: (from root@localhost) by rigel.pucrs.br (8.12.9/8.12.9) id h71IFtZv056284 for freebsd-ipfw@freebsd.org; Fri, 1 Aug 2003 15:15:55 -0300 (EST) Received: from w134415.pucrs.br (cygnus.pucrs.br [10.40.40.171]) by rigel.pucrs.br (8.12.9/8.12.9) with ESMTP id h71IFsm6056274 for ; Fri, 1 Aug 2003 15:15:54 -0300 (EST) Message-Id: <5.2.0.9.0.20030801151745.02d1cc18@pop3.pucrs.br> X-Sender: security@pop3.pucrs.br X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Fri, 01 Aug 2003 15:21:37 -0300 To: freebsd-ipfw@freebsd.org From: CPD - Equipe de Segurança Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS perl-11 Subject: IPFW, Nat and transparent proxy ( on different machines ) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Aug 2003 18:23:27 -0000

Dear gentlemen,

So far I've been running a FreeBSD 4.7 machine which runs NAT, IPFW and Squid, acting like a transparent proxy/cache, NAT box and packet filter/firewall.

Now, the load is getting too heavy, so I'd like to use a second machine (with a second WAN link) as a separate proxy for the HTTP traffic.
Question is, how can I set up IPFW/NAT to send all the HTTP (port 80 only) traffic that comes in on the internal interface (192.160.0.1) to the new proxy-only machine's internal interface (192.168.0.2), and still have the rest of the traffic flowing normally through the other gateway, which will now run only NAT and IPFW as firewall.

It's confusing somehow, I hope I managed to be clear enough.

Thanks for any insight,

- Alexandre

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 1 11:39:58 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F25B337B401 for ; Fri, 1 Aug 2003 11:39:57 -0700 (PDT) Received: from insourcery.net (ns1.insourcery.net [198.93.171.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id 445B143F3F for ; Fri, 1 Aug 2003 11:39:57 -0700 (PDT) (envelope-from eculp@encontacto.net) Received: from localhost (localhost [127.0.0.1]) (uid 80) by insourcery.net with local; Fri, 01 Aug 2003 11:39:57 -0700 Received: from customer-200-79-7-13.uninet.net.mxmail.encontacto.net (Horde) with HTTP for ; Fri, 1 Aug 2003 11:39:56 -0700 Message-ID: <1059763196.09a0e94757abe@mail.encontacto.net> X-Priority: 3 (Normal) Date: Fri, 1 Aug 2003 11:39:56 -0700 From: eculp@encontacto.net To: "CPD - Equipe de Segurança" References: <5.2.0.9.0.20030801151745.02d1cc18@pop3.pucrs.br> In-Reply-To: <5.2.0.9.0.20030801151745.02d1cc18@pop3.pucrs.br> MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Internet Messaging Program (IMP) 4.0-cvs X-Originating-IP: 200.79.7.13 cc: "freebsd-ipfw@freebsd.org" Subject: Re: IPFW, Nat and transparent proxy ( on different machines ) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 01 Aug 2003 18:39:58 -0000

Quoting CPD - Equipe de Segurança:
|
| Dear gentlemen,
|
|
| So far I've been running a FreeBSD 4.7 machine which runs NAT, IPFW and
| Squid, acting like a transparent proxy/cache, NAT box and packet
| filter/firewall.
|
| Now, the load is getting too heavy, so I'd like to use a second machine
| (with a second WAN link) as a separate proxy for the HTTP traffic.
|
| Question is, how can I set up IPFW/NAT to send all the HTTP (port 80
| only) traffic that comes in on the internal interface (192.160.0.1) to the
| new proxy-only machine's internal interface (192.168.0.2), and still have
| the rest of the traffic flowing normally through the other gateway, which
| will now run only NAT and IPFW as firewall.

I would try something like:

00400 fwd 192.168.0.2,3128 tcp from 192.168.0.0/24 to any 80

and see what the logs say.

Good luck,

ed

|
| It's confusing somehow, I hope I managed to be clear enough.
|
| Thanks for any insight,
|
| - Alexandre
|

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 1 12:10:11 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2609437B401 for ; Fri, 1 Aug 2003 12:10:11 -0700 (PDT) Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C7E843F3F for ; Fri, 1 Aug 2003 12:10:10 -0700 (PDT) (envelope-from louie@whizzo.transsys.com) Received: from whizzo.transsys.com (#6@localhost [127.0.0.1]) by whizzo.transsys.com (8.12.9/8.12.9) with ESMTP id h71JA9RY033752; Fri, 1 Aug 2003 15:10:09 -0400 (EDT) (envelope-from
louie@whizzo.transsys.com) Message-Id: <200308011910.h71JA9RY033752@whizzo.transsys.com> X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4 To: Sten Daniel Sørsdal X-Image-URL: http://www.transsys.com/louie/images/louie-mail.jpg From: "Louis A. Mamakos" References: <0AF1BBDF1218F14E9B4CCE414744E70F1F3E28@exchange.wanglobal.net> In-reply-to: Your message of "Fri, 01 Aug 2003 18:32:05 +0200." <0AF1BBDF1218F14E9B4CCE414744E70F1F3E28@exchange.wanglobal.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 01 Aug 2003 15:10:09 -0400 Sender: louie@TransSys.COM cc: freebsd-ipfw@freebsd.org Subject: Re: Suggestion regarding a new option for IPFW2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Aug 2003 19:10:11 -0000

TCP resets MUST already come with the source address rewritten, otherwise it won't match up with the connection attempt on the original host. If you look in ip_fw2.c:

    /*
     * Assume we are sending a RST (or a keepalive in the reverse
     * direction), swap src and destination addresses and ports.
     */
    ip->ip_src.s_addr = htonl(id->dst_ip);
    ip->ip_dst.s_addr = htonl(id->src_ip);
    tcp->th_sport = htons(id->dst_port);
    tcp->th_dport = htons(id->src_port);

appears in the send_pkt() function which appears to be called to send the reset segments.
louie

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 1 16:16:07 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8EEC537B401 for ; Fri, 1 Aug 2003 16:16:07 -0700 (PDT) Received: from mail2.dbitech.ca (radius.wavefire.com [64.141.13.252]) by mx1.FreeBSD.org (Postfix) with SMTP id 94E5043F75 for ; Fri, 1 Aug 2003 16:16:06 -0700 (PDT) (envelope-from darcy@wavefire.com) Received: (qmail 9866 invoked from network); 1 Aug 2003 23:39:46 -0000 Received: from dbitech.wavefire.com (HELO dbitech) (darcy@64.141.15.253) by radius.wavefire.com with SMTP; 1 Aug 2003 23:39:46 -0000 Content-Type: text/plain; charset="iso-8859-1" From: Darcy Buskermolen Organization: Wavefire Technologies Corp. To: CPD - Equipe de Segurança , freebsd-ipfw@freebsd.org Date: Fri, 1 Aug 2003 16:16:05 -0700 User-Agent: KMail/1.4.3 References: <5.2.0.9.0.20030801151745.02d1cc18@pop3.pucrs.br> In-Reply-To: <5.2.0.9.0.20030801151745.02d1cc18@pop3.pucrs.br> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200308011616.05106.darcy@wavefire.com> Subject: Re: IPFW, Nat and transparent proxy ( on different machines ) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Aug 2003 23:16:07 -0000

On your current box doing nat add the following rules:

add skipto (skip over the next rule) tcp from squid.mynet to any dst-port 80
add fwd squid.mynet tcp from any to any dst-port 80 in via internalif

make sure both those rules are found AFTER your nat divert rules.

on your new squid box:

add fwd 127.0.0.1,3128 tcp from internalnet to not me dst-port 80 via internalif

This is how I have mine running, and it works like a charm.
Hope this helps

On Friday 01 August 2003 11:21, CPD - Equipe de Segurança wrote:
> Dear gentlemen,
>
>
> So far I've been running a FreeBSD 4.7 machine which runs NAT, IPFW and
> Squid, acting like a transparent proxy/cache, NAT box and packet
> filter/firewall.
>
> Now, the load is getting too heavy, so I'd like to use a second machine
> (with a second WAN link) as a separate proxy for the HTTP traffic.
>
> Question is, how can I set up IPFW/NAT to send all the HTTP (port 80
> only) traffic that comes in on the internal interface (192.160.0.1) to the
> new proxy-only machine's internal interface (192.168.0.2), and still have
> the rest of the traffic flowing normally through the other gateway, which
> will now run only NAT and IPFW as firewall.
>
> It's confusing somehow, I hope I managed to be clear enough.
>
> Thanks for any insight,
>
> - Alexandre

--
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx: 250.763.1759
http://www.wavefire.com

From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 2 11:47:03 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E2D4637B401 for ; Sat, 2 Aug 2003 11:47:03 -0700 (PDT) Received: from exchange.wan.no (exchange.wan.no [80.86.128.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id BB1EC43FBD for ; Sat, 2 Aug 2003 11:47:02 -0700 (PDT) (envelope-from sten.daniel.sorsdal@wan.no) content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 Date: Sat, 2 Aug 2003 20:45:15 +0200 Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F1F3E29@exchange.wanglobal.net> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Suggestion regarding a new option for IPFW2 Thread-Index: AcNYYE5M2mBgFj8ERV+E1hct+smoXAAxdysQ From: Sten Daniel Sørsdal To: "Louis A. Mamakos" cc: freebsd-ipfw@freebsd.org Subject: RE: Suggestion regarding a new option for IPFW2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Aug 2003 18:47:04 -0000

>
> TCP resets MUST already come with the source address rewritten
> otherwise it won't match up with the connection attempt on the
> original host. If you look in ip_fw2.c:
>
[snip]

Yes, but if you read my original message I was referring to icmp error messages as well, but thanks for clarifying/excluding the tcp resets.

- Sten
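The two reply behaviours argued over in this thread (Michael Sierchio's firewall answering auth/tcp probes with a reset, Louis Mamakos's observation that send_pkt() in ip_fw2.c swaps source and destination for the RST, and Sten's request that ICMP errors be sourced from the offending packet's destination), as an added example that is not code from ipfw or from anyone on the list. It builds both kinds of reply from a constructed SYN to auth/tcp and checks that the RST is one the client's TCP would actually match to its connection attempt; the addresses (198.51.100.10 client, 203.0.113.10 protected server, 192.0.2.1 firewall), the sample packet and the function names build_tcp_rst(), build_icmp_unreach(), demo_rst_matches() and demo_icmp_source() are all invented for the example.

```c
/* Added example, not code from ipfw or from anyone on this thread. It shows the
 * two reply behaviours the thread argues about: a TCP RST with addresses and
 * ports swapped as ip_fw2.c's send_pkt() does (the peer's TCP would not match
 * it to its connection attempt otherwise), and an ICMP unreachable whose outer
 * source is the firewall's own address (normal router behaviour) or the
 * offending packet's destination (the "as-dest" / "src-alias target" idea).
 * Names, addresses and the sample packet are invented for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { PROTO_ICMP = 1, PROTO_TCP = 6, TH_FIN = 1, TH_SYN = 2, TH_RST = 4, TH_ACK = 16 };
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* RFC 1071 checksum over big-endian words plus a seed (the TCP pseudo-header);
 * run over a header that already carries a valid checksum it returns 0. */
static uint16_t cksum(const uint8_t *b, size_t n, uint32_t sum) {
    for (; n > 1; n -= 2, b += 2) sum += get16(b);
    if (n) sum += (uint32_t)b[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
static uint32_t pseudo(const uint8_t *ip, uint16_t tcplen) {   /* src, dst, proto, length */
    return get16(ip + 12) + get16(ip + 14) + get16(ip + 16) + get16(ip + 18) + PROTO_TCP + tcplen;
}
static void ip_hdr(uint8_t *ip, uint16_t total, uint8_t proto, uint32_t src, uint32_t dst) {
    memset(ip, 0, 20); ip[0] = 0x45; ip[8] = 64; ip[9] = proto;   /* IPv4, IHL 5, TTL 64 */
    put16(ip + 2, total); put32(ip + 12, src); put32(ip + 16, dst);
    put16(ip + 10, cksum(ip, 20, 0));
}

/* 40-byte RST answering the IPv4/TCP segment in pkt, per RFC 793's reset
 * generation rules; returns 0 when pkt is not a segment we should answer. */
int build_tcp_rst(const uint8_t *pkt, size_t len, uint8_t *out) {
    if (len < 40 || (pkt[0] & 0xf0) != 0x40 || pkt[9] != PROTO_TCP) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4, total = get16(pkt + 2);
    if (ihl < 20 || total > len || total < ihl + 20) return 0;
    const uint8_t *th = pkt + ihl;
    size_t thl = (th[12] >> 4) * 4;
    if (thl < 20 || total < ihl + thl || (th[13] & TH_RST)) return 0;  /* never answer a RST */
    uint32_t seglen = (uint32_t)(total - ihl - thl);
    uint8_t *oth = out + 20;
    ip_hdr(out, 40, PROTO_TCP, get32(pkt + 16), get32(pkt + 12));    /* swapped endpoints */
    memset(oth, 0, 20);
    put16(oth, get16(th + 2)); put16(oth + 2, get16(th));            /* swapped ports */
    oth[12] = 5 << 4;
    if (th[13] & TH_ACK) {                         /* <SEQ=SEG.ACK><CTL=RST> */
        put32(oth + 4, get32(th + 8)); oth[13] = TH_RST;
    } else {                                       /* <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK> */
        seglen += ((th[13] & TH_SYN) ? 1 : 0) + ((th[13] & TH_FIN) ? 1 : 0);
        put32(oth + 8, get32(th + 4) + seglen); oth[13] = TH_RST | TH_ACK;
    }
    put16(oth + 16, cksum(oth, 20, pseudo(out, 20)));
    return 40;
}

/* ICMP destination-unreachable (type 3, given code) quoting the offending IP
 * header plus 8 bytes (RFC 792). src is the outer source: the firewall's own
 * address, or the offending packet's destination for the as-dest variant. */
int build_icmp_unreach(const uint8_t *pkt, size_t len, uint8_t code, uint32_t src, uint8_t *out) {
    if (len < 20 || (pkt[0] & 0xf0) != 0x40) return 0;
    size_t quote = (pkt[0] & 0x0f) * 4 + 8;
    if (quote < 28 || len < quote) return 0;
    uint8_t *ic = out + 20;
    memset(ic, 0, 8); ic[0] = 3; ic[1] = code;
    memcpy(ic + 8, pkt, quote);
    put16(ic + 2, cksum(ic, 8 + quote, 0));
    ip_hdr(out, (uint16_t)(28 + quote), PROTO_ICMP, src, get32(pkt + 12));
    return (int)(28 + quote);
}

/* Constructed sample: a SYN to auth/tcp (113) from a mailing-list host reaching
 * a firewall in front of the server (documentation addresses, made up here). */
static const uint32_t CLIENT = 0xC633640Au, SERVER = 0xCB00710Au, FIREWALL = 0xC0000201u;
static size_t sample_syn(uint8_t *pkt) {
    uint8_t *th = pkt + 20;
    ip_hdr(pkt, 40, PROTO_TCP, CLIENT, SERVER);
    memset(th, 0, 20);
    put16(th, 40000); put16(th + 2, 113); put32(th + 4, 0x11223344);  /* ports, ISN */
    th[12] = 5 << 4; th[13] = TH_SYN; put16(th + 14, 65535);
    put16(th + 16, cksum(th, 20, pseudo(pkt, 20)));
    return 40;
}

/* 1 when the RST for the sample SYN is one the client's TCP will accept:
 * swapped endpoints, RST|ACK, ACK = ISN+1, valid IP and TCP checksums. */
int demo_rst_matches(void) {
    uint8_t syn[40], rst[40];
    if (sample_syn(syn) != 40 || build_tcp_rst(syn, 40, rst) != 40) return 0;
    const uint8_t *th = rst + 20;
    return get32(rst + 12) == SERVER && get32(rst + 16) == CLIENT && get16(th) == 113
        && get16(th + 2) == 40000 && th[13] == (TH_RST | TH_ACK) && get32(th + 8) == 0x11223345
        && cksum(rst, 20, 0) == 0 && cksum(th, 20, pseudo(rst, 20)) == 0;
}
/* Outer source (host order) of the host-prohib (code 10) error built for the
 * sample SYN; 0 if the ICMP checksum or the quoted header does not verify. */
uint32_t demo_icmp_source(int as_dest) {
    uint8_t syn[40], icmp[56];
    int m = sample_syn(syn) == 40 ? build_icmp_unreach(syn, 40, 10, as_dest ? get32(syn + 16) : FIREWALL, icmp) : 0;
    if (m != 56 || cksum(icmp + 20, 36, 0) != 0 || memcmp(icmp + 28, syn, 28) != 0) return 0;
    return get32(icmp + 12);
}
```

For the RST there is no choice to make: the reply has to carry the server's address and port as its source, or the client's TCP will not find the connection attempt it belongs to, which is Louis's point. For the ICMP error the outer source is a free parameter. With as_dest set the error arrives from 203.0.113.10 and looks as if the server itself refused the packet; with it clear it arrives from 192.0.2.1 and tells the client there is a filtering router in the path, which is the disclosure Sten wants to avoid. In both cases the quoted inner header is the untouched original, which is all a client needs to match the error to its socket.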