From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 17 01:47:38 2003
Date: Sun, 17 Aug 2003 17:47:25 +0900
From: Eitarou Kamo
To: freebsd-ipfw@freebsd.org
Message-ID: <3F3F411D.2090704@trio.plala.or.jp>
Subject: test

This is a test mail. Ignore, please.
From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 17 01:54:29 2003
Date: Sun, 17 Aug 2003 01:54:24 -0700
From: Kris Kennaway
To: Denis Borisov
Cc: ipfw@freebsd.org
Message-ID: <20030817085424.GA49865@rot13.obsecurity.org>
In-Reply-To: <200308121426.11858.denb@front.ru>
Subject: Re: When will implemented in-kernel NAT?

On Tue, Aug 12, 2003 at 02:26:11PM +0400, Denis Borisov wrote:
> In the comments in file ip_fw2.c I read:
> * Dynamic rules can be used for different purposes:
> * + stateful rules;
> * + enforcing limits on the number of sessions;
> * + in-kernel NAT (not implemented yet)
>
> When will in-kernel NAT be implemented?
Don't know about ipfw, but ipfilter apparently supports it (man ipnat).

Kris

From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 17 08:11:17 2003
Date: Mon, 18 Aug 2003 00:11:08 +0900
From: Eitarou Kamo
To: freebsd-ipfw@freebsd.org
Message-ID: <3F3F9B0C.4030002@trio.plala.or.jp>
Subject: smtp forwarding
Hi, I'm new to this list. I have some questions. I would appreciate any suggestion.

I'm using FreeBSD 4.7 and 2 qmail servers as the SMTP server on it. Needless to say, the 2 qmail servers are duplicate servers, primary and secondary. Now then, I'm also using ipfw2. I would like to forward the SMTP packets to the current (alive) mail server with priority. I mean that I'd like to forward the SMTP packets to the secondary server when the primary server is down or panics. Is it possible? I'm wondering if ipfw can know the status of the mail server (dead or alive) in advance. And if possible, I expect the solution of the ipfw rules.

Assumption:
  mail domain is "@hoge.com" (global)
  primary mail server address is "192.168.100.4" (private)
  secondary mail server address is "192.168.100.5" (private)
  ipfw interface is "fxp0"

Thanks in advance.

Eitarou

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 18 01:31:27 2003
Date: Mon, 18 Aug 2003 08:31:23 +0000
From: Philip Reynolds
To: freebsd-ipfw@freebsd.org
Message-ID: <20030818083123.GJ4269@rfc-networks.ie>
In-Reply-To: <3F3F9B0C.4030002@trio.plala.or.jp>
Subject: Re: smtp forwarding

Eitarou Kamo 38 lines of wisdom included:
> Now then, I'm also using ipfw2. I would like to forward the smtp packet
> to the current(alive) mail server with priority. I mean that I'd like to
> forward the smtp packet to the secondary server when the primary server
> is down or panic. Is it possible? I'm wondering if ipfw can know the
> status of the mail server (dead or alive) in advance. And if possible,
> I expect the solution of the ipfw rules.
>
> Assumption:
> mail domain is "@hoge.com(global)"
> primary mail server address is "192.168.100.4 (private)"
> secondary mail address is "192.168.100.5(private)"
> ipfw interface is "fxp0"

This can only be done properly at the application layer. IIRC, Postfix can do something similar, with fallback_relay, although I haven't looked into Postfix and load balancing since early 1.x snapshots. I'm not sure how qmail has developed on this front.

Regards,

-- 
Philip Reynolds | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil | www.rfc-networks.ie

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 18 11:03:34 2003
Date: Mon, 18 Aug 2003 11:02:34 -0700 (PDT)
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Message-Id: <200308181802.h7II2YcT069178@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/03/23] kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo

8 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 21 14:18:05 2003
Date: Thu, 21 Aug 2003 22:50:40 +0200
From: Marcin Gryszkalis
To: freebsd-ipfw@freebsd.org
Message-ID: <3F4530A0.8020704@fork.pl>
Subject: hostnames resolving problem

Hi

I encountered a small problem when using DNS names in ipfw rules (I'm using ipfw2 on 4-STABLE). ipfw resolves the name to the *first* IP assigned to the name, but I expect to have *all* IP addresses in the rule, e.g.
# ipfw add 10000 allow tcp from any to smtp.o2.pl smtp setup
10000 allow tcp from any to 212.126.20.58 dst-port 25 setup
# host smtp.o2.pl
smtp.o2.pl has address 212.126.20.60
smtp.o2.pl has address 212.126.20.61
smtp.o2.pl has address 212.126.20.58

A quick search through ipfw2.c shows that

static int lookup_host (char *host, struct in_addr *ipaddr)

is the responsible function, but it's also used in 'forward' rules, where resolving a name into many IPs wouldn't make sense (I guess).

I don't know the ipfw internals and evolution and development rules so I could provide a robust patch now, but I could try if somebody leads me (or at least I can help with testing).

regards
-- 
Marcin Gryszkalis http://fork.pl <><

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 21 16:38:37 2003
Date: Thu, 21 Aug 2003 20:38:18 -0300
From: Antonio Torres
To: freebsd-ipfw@freebsd.org
Message-Id: <6.0.0.14.0.20030821203538.025c0440@mail.newspace.net.br>
In-Reply-To: <3F4530A0.8020704@fork.pl>
Subject: Re: hostnames resolving problem
At 17:50 21/8/2003, you wrote:
> Hi
>
> I encountered small problem when using DNS names in ipfw rules
> (I'm using ipfw2 on 4-STABLE). The ipfw resolves name to
> *first* ip assigned to the name - but I expect to have *all*
> ip addresses in the rule. eg.
> ...

The "name to IP" feature only applies at rule load! i.e. when, and only when, the ipfw rule is loaded, the name is translated to an IP...

Look in `man ipfw` for the "me" clause (me = my IP address)...

[]s
Antonio Torres
antonio.torres@newspace.net.br

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 22 06:45:29 2003
Date: Fri, 22 Aug 2003 17:45:21 +0400 (MSD)
From: Andrew
To: freebsd-ipfw@freebsd.org
Message-Id: <200308221345.h7MDjLUQ076142@www3.hotbox.ru>
Subject: Surviving HUGE DDoS

Hi,

Is it possible to have a FreeBSD firewall setup on a 1Gb network survive huge DDoS attacks? We are being DoSed with a SYN flood of about 1,500,000 packets/sec, with traffic of more than 500Mb/s.
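The reply that follows suggests feeding new-connection (setup) packets through a rate-limiting pipe and filtering fixed-address sources ahead of it. As an added example (not from the thread and not ipfw's code), the Python below shows how one would read the firewall's own log to decide whether a flood comes from a few fixed addresses, which can be filtered before the pipe, or is genuinely distributed, where per-source filters do not help. It assumes the setup rule was created with the `log` keyword (`ipfw add 2800 pipe 2 log tcp from any to me setup in`), so each logged hit of rule 2800 is one connection attempt; the log lines, addresses, rule numbers and thresholds are all constructed.

```python
"""SYN-flood triage from ipfw log lines (added example, not code from the thread).

Assumes the rate-limiting setup rule from the reply was created with the
``log`` keyword, e.g. ``ipfw add 2800 pipe 2 log tcp from any to me setup in``,
so every logged hit of rule 2800 is one inbound connection attempt (a SYN).
The log lines, addresses, rule numbers and thresholds below are constructed.
"""
import re
from collections import Counter

# Constructed syslog lines in the ipfw2 log format (rule number, action text,
# protocol, src:port dst:port, direction, interface).  Rule 100 is unrelated.
SAMPLE_LOG = """\
Aug 22 13:45:01 fw /kernel: ipfw: 2800 Pipe 2 TCP 203.0.113.7:40211 198.51.100.10:25 in via fxp0
Aug 22 13:45:01 fw /kernel: ipfw: 2800 Pipe 2 TCP 203.0.113.7:40212 198.51.100.10:25 in via fxp0
Aug 22 13:45:01 fw /kernel: ipfw: 2800 Pipe 2 TCP 203.0.113.7:40213 198.51.100.10:80 in via fxp0
Aug 22 13:45:01 fw /kernel: ipfw: 2800 Pipe 2 TCP 192.0.2.44:51000 198.51.100.10:80 in via fxp0
Aug 22 13:45:01 fw /kernel: ipfw: 100 Accept TCP 192.0.2.9:5555 198.51.100.10:22 in via fxp0
Aug 22 13:45:02 fw /kernel: ipfw: 2800 Pipe 2 TCP 203.0.113.7:40214 198.51.100.10:80 in via fxp0
Aug 22 13:45:02 fw /kernel: ipfw: 2800 Pipe 2 TCP 203.0.113.7:40215 198.51.100.10:80 in via fxp0
Aug 22 13:45:02 fw /kernel: ipfw: 2800 Pipe 2 TCP 203.0.113.8:1025 198.51.100.10:80 in via fxp0
Aug 22 13:45:03 fw /kernel: ipfw: 2800 Pipe 2 TCP 192.0.2.45:51001 198.51.100.10:80 in via fxp0
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ \S+ ipfw: "
    r"(?P<rule>\d+) (?P<action>[A-Za-z]+(?: \d+)?) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_line(line):
    """Fields of one ipfw log line as a dict, or None if the line is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def setup_hits(log_text, rule="2800"):
    """(HH:MM:SS, source address) for every logged TCP hit of the setup rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["rule"] == rule and rec["proto"] == "TCP":
            hits.append((rec["time"], rec["src"]))
    return hits


def syn_rate(log_text, rule="2800"):
    """Connection attempts per second, keyed by timestamp."""
    return dict(Counter(ts for ts, _ in setup_hits(log_text, rule)))


def peak_syn_rate(log_text, rule="2800"):
    rates = syn_rate(log_text, rule)
    return max(rates.values()) if rates else 0


def fixed_sources(log_text, rule="2800", share=0.5, max_sources=8):
    """Smallest set of top talkers carrying at least `share` of all SYNs.

    Returns [] when more than `max_sources` addresses are needed: that is a
    spread-out flood, where per-source filters buy nothing and only the pipe
    from the reply (or upstream help) limits the damage."""
    counts = Counter(src for _, src in setup_hits(log_text, rule))
    total = sum(counts.values())
    chosen, covered = [], 0
    for src, n in counts.most_common():
        if covered >= share * total:
            break
        chosen.append(src)
        covered += n
    return chosen if 0 < len(chosen) <= max_sources else []


def suggest_rules(sources, before_rule=2800, gap=10):
    """Deny rules for fixed sources, numbered to run ahead of the pipe rule."""
    number = before_rule - gap
    return [f"ipfw add {number} deny tcp from {src} to me setup in" for src in sources]


if __name__ == "__main__":
    print("SYN/s:", syn_rate(SAMPLE_LOG), "peak:", peak_syn_rate(SAMPLE_LOG))
    srcs = fixed_sources(SAMPLE_LOG)
    print("fixed sources:", srcs or "none (distributed)")
    for rule in suggest_rules(srcs):
        print(rule)
```

At the packet rates in the question, logging every hit is not viable on the firewall itself; cap it with `logamount` on the rule or `net.inet.ip.fw.verbose_limit` and treat what is logged as a sample, which is enough for the fixed-versus-distributed decision the script makes.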
From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 22 10:48:17 2003
Date: Fri, 22 Aug 2003 11:45:12 -0600
From: "Aaron Wohl"
To: "Andrew", freebsd-ipfw@freebsd.org
Message-Id: <20030822174512.4DA9838266@www.fastmail.fm>
In-Reply-To: <200308221345.h7MDjLUQ076142@www3.hotbox.ru>
Subject: Re: Surviving HUGE DDoS

One thing that's of some help with a SYN flood is to allocate a fixed amount of bandwidth for new connections. From rc.firewall:

${fwcmd} pipe 2 config bw 32Kbit/s queue 25KBytes
${fwcmd} add 2800 pipe 2 tcp from any to me setup in

That at least makes it so the rest of your existing and outgoing connections aren't
disrupted. If the DoS attacks are from fixed IP addresses you can add filters for those before the above bandwidth limit.

Sounds like the attacker's machine has a great network connection... do they do colocation?

On Fri, 22 Aug 2003 17:45:21 +0400 (MSD), "Andrew" said:
> Hi,
>
> Is it possible to have FreeBSD firewall setup on 1Gb network
> to survive huge DDoS attacks.
> We are being dosed with syn flood about 1,500,000 packets/sec
> with traffic more than 500Mb/s?

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 22 12:21:52 2003
Date: Fri, 22 Aug 2003 21:21:31 +0200
From: Marcin Gryszkalis
To: freebsd-ipfw@freebsd.org
Message-ID: <3F466D3B.9090406@fork.pl>
In-Reply-To: <6.0.0.14.0.20030821203538.025c0440@mail.newspace.net.br>
Subject: Re: hostnames resolving problem
On 2003-08-22 01:38, Antonio Torres wrote:
>> (I'm using ipfw2 on 4-STABLE). The ipfw resolves name to
>> *first* ip assigned to the name - but I expect to have *all*
>> ip addresses in the rule. eg.
> the "name to IP" feature only aplies at rule load !
> i.e. when, and only when, the ipfw rule is loaded the name is translated
> to IP...
>
> look on `man ipfw` for "me" clause (me= my IP address)...

Yes, I know that - but - isn't my question/description clear? Maybe I'll extend the example.

I issue the following command:

# ipfw add 10000 allow tcp from any to smtp.o2.pl smtp setup

The current result is that the following rule is loaded:

10000 allow tcp from any to 212.126.20.58 dst-port 25 setup

The expected result is the following:

10000 allow tcp from any to 212.126.20.58, 212.126.20.60, 212.126.20.61 dst-port 25 setup

(the name smtp.o2.pl has 3 IP addresses assigned)

regards
-- 
Marcin Gryszkalis http://fork.pl <><

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 22 20:11:49 2003
Date: Fri, 22 Aug 2003 20:11:04 -0700 (PDT)
From: Kelly Yancey
To: Marcin Gryszkalis
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20030822200153.V84903-100000@gateway.posi.net>
In-Reply-To: <3F466D3B.9090406@fork.pl>
Subject: Re: hostnames resolving problem

On Fri, 22 Aug 2003, Marcin Gryszkalis wrote:
> On 2003-08-22 01:38, Antonio Torres wrote:
> >> (I'm using ipfw2 on 4-STABLE). The ipfw resolves name to
> >> *first* ip assigned to the name - but I expect to have *all*
> >> ip addresses in the rule. eg.
> > the "name to IP" feature only aplies at rule load !
> > i.e. when, and only when, the ipfw rule is loaded the name is translated
> > to IP...
> >
> > look on `man ipfw` for "me" clause (me= my IP address)...
>
> yes, I know that - but - isn't my question/description clear?
> Maybe I'll extend the example.
>
> I issue follownig command:
>
> # ipfw add 10000 allow tcp from any to smtp.o2.pl smtp setup
>
> Current result is that following rule is loaded:
>
> 10000 allow tcp from any to 212.126.20.58 dst-port 25 setup
>
> Expected result is following:
>
> 10000 allow tcp from any to 212.126.20.58, 212.126.20.60, 212.126.20.61 dst-port 25 setup
>
> (the name smtp.o2.pl has 3 IP addresses assigned)

The name resolution feature is already questionable: if the DNS mapping changes, should the firewall rule somehow be magically updated? I mean, you *did* ask for packets to be allowed to smtp.o2.pl, didn't you?

The feature you are requesting would reinforce the notion that a name is being used as the identifier for the host(s), when in fact it is not.
For example, what if Akamai's servers are authoritative for the domain: you might get a different set of hosts depending on where the box was sitting. IPs are the unique identifiers for hosts; use those. If you change your DNS, you'll have to change your firewall either way; this way you won't be lulled into thinking you don't have to.

Kelly

-- 
Kelly Yancey -- kbyanc@{posi.net,FreeBSD.org}
Visit the BSD driver database: http://www.posi.net/freebsd/drivers/

From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 23 06:45:51 2003
Date: 23 Aug 2003 15:45:47 +0200
From: "Clemens Fischer"
To: "Kelly Yancey"
Cc: freebsd-ipfw@freebsd.org, Marcin Gryszkalis
In-Reply-To: <20030822200153.V84903-100000@gateway.posi.net>
Subject: Re: hostnames resolving problem
* Kelly Yancey:
> The name resolution feature is already questionable: if the DNS
> mapping changes, should the firewall rule somehow be magically
> updated? I mean, you *did* ask for packets to be allowed to
> smtp.o2.pl didn't you?

Also, he could use the preprocessing feature to have "dynamic literals" in his rules.

clemens

From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 23 12:57:49 2003
Date: Sat, 23 Aug 2003 21:39:56 +0200
From: Marcin Gryszkalis
To: Kelly Yancey
Cc: freebsd-ipfw@freebsd.org
Message-ID: <3F47C30C.8070102@fork.pl>
In-Reply-To: <20030822200153.V84903-100000@gateway.posi.net>
Subject: Re: hostnames resolving problem
On 2003-08-23 05:11, Kelly Yancey wrote:
> The name resolution feature is already questionable: if the DNS mapping
> changes, should the firewall rule somehow be magically updated? I mean, you
> *did* ask for packets to be allowed to smtp.o2.pl didn't you?

I understand the point of view that it's questionable, but - as it *is* implemented - it's just inconsistent. The relation between hosts and IPs is treated as 1-to-1 where it's 1-to-many. I know I can just write

# collect every address of the name, comma-separated, and build the rule from it
ip=`host smtp.o2.pl | cut -f4 -d' ' | paste -s -d, -`
${ipfw} add allow tcp from any to ${ip} setup

or something similar instead of changing the ipfw code. But that's just my opinion - that the command interface is inconsistent.

> The feature you are requesting would reinforce the notion that a name is
> being used as the identifer for the host(s), when in fact it is not. For
> example, what if the Akamai's servers are authoritative for the domain: you
> might get a different set of hosts depending on where the box was sitting.

That's right - but again - it's not the point.
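The two sides of this thread, expanding a name to all of its addresses at load time and then knowing when the DNS mapping has moved out from under the loaded rule, can both be handled outside ipfw. The Python below is an added example, not code from the thread or from ipfw: `expand_rule` does what the shell pipeline above does for every hostname in a rule body, and `stale_rules` re-resolves the names later and reports rules whose loaded address set no longer matches DNS, which is the maintenance cost Kelly points at. The resolver is a parameter so the example runs offline against `FAKE_DNS`, a constructed answer mirroring the `host smtp.o2.pl` output in the thread; `resolve_all` is the real system-resolver version, and `first_only` mimics the one-address behaviour the thread reports for `lookup_host`.

```python
"""Expand hostnames in ipfw rules to every address, and detect DNS drift later.

Added example; not code from the thread or from ipfw.  All lookups go through
a resolver function so the example runs offline against FAKE_DNS (constructed
from the `host smtp.o2.pl` output in the thread).  The comma-separated address
list in the expanded rule is the form the thread's "expected result" shows.
"""
import socket

KEYWORDS = {"any", "me", "not"}  # tokens after from/to that are not hostnames


def resolve_all(name):
    """All IPv4 addresses of `name` via the system resolver, sorted for stability."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


# Constructed stand-in for DNS, matching the three addresses shown in the thread.
FAKE_DNS = {"smtp.o2.pl": ["212.126.20.58", "212.126.20.60", "212.126.20.61"]}


def fake_resolver(name):
    """Offline resolver; unknown names fail the way a real lookup does."""
    if name not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {name}")
    return sorted(FAKE_DNS[name])


def first_only(resolver):
    """Keep one address, as the thread reports ipfw's lookup_host does."""
    return lambda name: resolver(name)[:1]


def is_hostname(token):
    # Address literals, masks and address lists contain no letters.
    return token not in KEYWORDS and any(c.isalpha() for c in token)


def expand_rule(rule, resolver=resolve_all):
    """Replace each hostname in the src/dst position of an ipfw rule body with
    the comma-separated list of all its addresses.  Service names such as the
    'smtp' port after the address are left alone because only the token right
    after 'from', 'to' or 'not' is an address."""
    words = rule.split()
    out = []
    for i, word in enumerate(words):
        if i > 0 and words[i - 1] in ("from", "to", "not") and is_hostname(word):
            addrs = resolver(word)
            if not addrs:
                raise ValueError(f"{word} resolved to no addresses")
            out.append(",".join(addrs))
        else:
            out.append(word)
    return " ".join(out)


def stale_rules(generated, resolver=resolve_all):
    """`generated` maps each rule as written (with names) to the text that was
    actually loaded.  Returns the rules whose expansion today differs from what
    is loaded, i.e. the DNS mapping moved and the firewall did not follow."""
    return [spec for spec, loaded in generated.items()
            if expand_rule(spec, resolver) != loaded]


if __name__ == "__main__":
    spec = "add 10000 allow tcp from any to smtp.o2.pl smtp setup"
    print("ipfw today:", expand_rule(spec, first_only(fake_resolver)))
    print("all addrs :", expand_rule(spec, fake_resolver))
```

Run from cron, `stale_rules` turns Kelly's objection into a check rather than a surprise: the rule still carries literal addresses, and the operator is told when those addresses and the name have diverged. The expansion step is also what the preprocessing feature mentioned earlier would do at load time if the rule file is fed through `ipfw -p`.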
-- 
Marcin Gryszkalis http://fork.pl <><

From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 23 13:22:31 2003
Date: Sat, 23 Aug 2003 15:22:28 -0500
From: "Matt H."
Subject: removing latency problems with queuing

Hi, this is my first time posting so I hope I don't make an idiot of myself ;)

I have a problem where whenever I saturate my upstream via BitTorrent (or even FTP), my latency to even local routers spikes like crazy.
su-2.05b# ping 12.244.69.73
PING 12.244.69.73 (12.244.69.73): 56 data bytes
64 bytes from 12.244.69.73: icmp_seq=0 ttl=253 time=27.544 ms
64 bytes from 12.244.69.73: icmp_seq=1 ttl=253 time=8.557 ms
64 bytes from 12.244.69.73: icmp_seq=2 ttl=253 time=122.327 ms
64 bytes from 12.244.69.73: icmp_seq=3 ttl=253 time=40.008 ms
64 bytes from 12.244.69.73: icmp_seq=4 ttl=253 time=16.521 ms
64 bytes from 12.244.69.73: icmp_seq=5 ttl=253 time=99.050 ms

I'm on 1.8Mbit/256Kbit cable, so I read some manpages and developed this queue system for ipfw:

ipfw pipe 1 config bw 250Kbit/s
ipfw pipe 2 config bw 1800Kbit/s
ipfw queue 1 config weight 1 pipe 1
ipfw queue 2 config weight 99 pipe 1
ipfw queue 3 config weight 1 pipe 2
ipfw queue 4 config weight 99 pipe 2
ipfw add 600 queue 1 ip from any 6881-6889 to any out xmit rl0
ipfw add 610 queue 2 ip from any to any out
ipfw add 620 queue 3 ip from any to any 6881-6889 in recv rl0
ipfw add 640 queue 4 ip from any to any in recv rl0

Note that BitTorrent uses ports 6881-6889.

Resulting in:

su-2.05b# ipfw list
00050 divert 8668 ip from any to any via rl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00310 allow ip from 192.168.0.0/24 to me dst-port 22 via xl0
00320 allow ip from me to 192.168.0.0/24 via xl0
00600 queue 1 ip from any 6881-6889 to any out xmit rl0
00610 queue 2 ip from any to any out
00620 queue 3 ip from any to any dst-port 6881-6889 in recv rl0
00640 queue 4 ip from any to any in recv rl0
65000 allow ip from any to any
65535 deny ip from any to any

Yet it still spikes? Am I doing something wrong here? rl0 is my WAN interface and xl0 is my LAN interface. 192.168.0.0/24 is my LAN. net.inet.ip.fw.one_pass is also 1 to prevent stuff from jumping through twice.

Thanks for the help.
From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 23 13:42:20 2003
Date: Sat, 23 Aug 2003 22:51:48 +0200
From: Pawel Malachowski
To: "Matt H."
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20030823205148.GA61982@shellma.zin.lublin.pl>
Subject: Re: removing latency problems with queuing

On Sat, Aug 23, 2003 at 03:22:28PM -0500, Matt H. wrote:
> ipfw add 600 queue 1 ip from any 6881-6889 to any out xmit rl0
> note that bittorrent uses ports 6881-6889.

It would be hard to check the port for an IP datagram, because there are no ports. Try TCP or UDP.

-- 
Paweł Małachowski
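The mistake Pawel points at is easy to catch before a rule set is loaded. The Python below is an added example, not from the thread or from ipfw: a small lint that parses `ipfw add` lines (and `ipfw list` output) and flags port matches written against protocol `ip`, which only tcp and udp can satisfy. It also flags shaping rules with no interface qualifier, since a rule like `610 queue 2 ip from any to any out` from the post applies on every interface, the LAN side included. `MATT_RULES` is the rule set as posted; `FIXED_RULES` is an assumed corrected version used only to show the lint going quiet.

```python
"""Lint for ipfw rule lists (added example, not code from the thread or ipfw).

Check 1 is the point raised in the reply: ports only exist for tcp and udp, so
a port match on protocol `ip` should name the protocol it really wants.
Check 2 flags pipe/queue rules without via/xmit/recv, which shape traffic on
every interface.  MATT_RULES is the posted rule set; FIXED_RULES is assumed.
"""
import re

PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")
PORT_PROTOS = {"tcp", "udp"}
IFACE_KEYWORDS = {"via", "xmit", "recv"}

MATT_RULES = """\
ipfw add 600 queue 1 ip from any 6881-6889 to any out xmit rl0
ipfw add 610 queue 2 ip from any to any out
ipfw add 620 queue 3 ip from any to any 6881-6889 in recv rl0
ipfw add 640 queue 4 ip from any to any in recv rl0
"""

# Assumed correction: tcp where ports are matched, and 610 pinned to the WAN.
FIXED_RULES = """\
ipfw add 600 queue 1 tcp from any 6881-6889 to any out xmit rl0
ipfw add 610 queue 2 ip from any to any out xmit rl0
ipfw add 620 queue 3 tcp from any to any 6881-6889 in recv rl0
ipfw add 640 queue 4 ip from any to any in recv rl0
"""


def _split_addr(part):
    """Split 'addr [ports] rest...' into (addr, ports or None, rest)."""
    if not part:
        return None, None, []
    if len(part) > 1 and PORT_RE.match(part[1]):
        return part[0], part[1], part[2:]
    return part[0], None, part[1:]


def parse_rule(text):
    """Parse 'ipfw add N action proto from src [ports] to dst [ports] [options]'
    or an `ipfw list` line.  Returns None for pipe/queue config lines."""
    words = text.split()
    if words[:1] == ["ipfw"]:
        words = words[1:]
    if words[:1] == ["add"]:
        words = words[1:]
    number = None
    if words and words[0].isdigit():
        number, words = int(words[0]), words[1:]
    if "from" not in words or "to" not in words:
        return None
    f, t = words.index("from"), words.index("to")
    if f < 1 or t <= f:
        return None
    src, src_ports, rest = _split_addr(words[f + 1:t])
    dst, dst_ports, options = _split_addr(words[t + 1:])
    options = rest + options
    # ipfw2 also spells ports as options: src-port / dst-port <list>
    for key in ("src-port", "dst-port"):
        if key in options and options.index(key) + 1 < len(options):
            val = options[options.index(key) + 1]
            if key == "src-port":
                src_ports = src_ports or val
            else:
                dst_ports = dst_ports or val
    return {"number": number, "action": " ".join(words[:f - 1]), "proto": words[f - 1],
            "src": src, "src_ports": src_ports, "dst": dst, "dst_ports": dst_ports,
            "options": options}


def lint(text):
    """(rule number, message) for every rule that trips a check."""
    findings = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        if (r["src_ports"] or r["dst_ports"]) and r["proto"] not in PORT_PROTOS:
            findings.append((r["number"], f"ports given but protocol is '{r['proto']}'; "
                             "only tcp and udp carry ports, so match tcp or udp explicitly"))
        if r["action"].split()[:1] in (["queue"], ["pipe"]) and not (IFACE_KEYWORDS & set(r["options"])):
            findings.append((r["number"], "shaping rule has no via/xmit/recv qualifier, "
                             "so it also matches traffic on every other interface"))
    return findings


if __name__ == "__main__":
    for number, msg in lint(MATT_RULES):
        print(f"rule {number}: {msg}")
    print("fixed set:", lint(FIXED_RULES) or "clean")
```

The lint only checks how rules are written; whether the 250Kbit/s pipe and the 1/99 weights are right for a 256Kbit uplink is a separate question that only measuring the queues answers.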