From owner-freebsd-ipfw@FreeBSD.ORG Sun Sep 7 01:20:34 2003
Date: Sun, 7 Sep 2003 01:20:32 -0700
From: Luigi Rizzo
To: Ivo Vachkov
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Burst
Message-ID: <20030907012032.B77367@xorpc.icir.org>
In-Reply-To: <20030906200659.10411.qmail@bsdmail.com>; from ivo@bsdmail.org on Sat, Sep 06, 2003 at 10:06:58PM +0200

the problem with your approach is that the user can easily overcome
the limitation by splitting the connection into many small ones,
each one below the allowed burst size.

If you implement burst properly (which you may have done already),
the max amount of traffic that gets out in T seconds is

    T * bandwidth + burst_size

so you really have an advantage only if your traffic has a required
throughput lower than the allowed bandwidth (that basically leaves
out web browsing), and it has large bursts (so the additional delay
on each transmission, block_size/bandwidth, becomes noticeable).

cheers
luigi

> Obviously I've understood terms wrong.
>
> When I said "burst" I was thinking of limiting the speed of an active
> connection when some conditions apply.
>
> Example: ISP has 10Mbps connection to internet and every user/client
> has 1Mbps pipe to Internet. So every user has fast browsing, mail,
> news, ICQ/AIM/etc. But when a user tries to download a big file
> (.ISO/.AVI/.MPG) the connection, even active, is limited to 64kbps
> without limiting other connections. So his download keeps running at
> low speed, while browsing/mail/etc is still fast. The software applies
> limits when some number of bytes has passed through the connection.
>
> NB!!! Other connections are NOT shaped until they reach the predefined
> condition.
> They become shaped only after that.
>
> My "workaround" is as follows:
>
>     ipfw add divert 8670 ip from any to $CLIENT_IP
>
> + a daemon called *burstd* which binds to divert port 8670, counts the
> bytes for every connection to that IP and applies the limits when the
> predefined byte count is exceeded. It's far from perfect, although
> quite accurate, so I was asking for another way to implement a solution
> to this situation.
>
> Ivo Vachkov

From owner-freebsd-ipfw@FreeBSD.ORG Sun Sep 7 02:31:14 2003
From: "dsa dsa"
To: freebsd-ipfw@freebsd.org
Date: Sun, 07 Sep 2003 09:31:13 +0000
Subject: Crippled transparent firewall

I have FreeBSD 4.8 on a P4 2.4, 1 GB DDR RAM and two Intel EtherPro100
(fxp0, fxp1). I have set up a transparent firewall/bridge on it. The purpose
of doing that is only to relieve CPU load on the Cisco router (7200), which
is getting hit pretty often by DDoS attacks. The line carries 100 Mbps.
Basically it looks like this:

Cisco>--------------------100mbps-------
From: "Kang Liu"
To: "'dsa dsa'"
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 7 Sep 2003 17:57:16 +0800
Message-ID: <000401c37526$6e8a72c0$0501a8c0@ssc>
Subject: RE: Crippled transparent firewall

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of dsa dsa
> Sent: Sunday, September 07, 2003 5:31 PM
> To: freebsd-ipfw@freebsd.org
> Subject: Crippled transparent firewall
>
> Also is there any nice FreeBSD tool to precisely count
> how many packets the box is handling per second.

Try "netstat 1" ?

From owner-freebsd-ipfw@FreeBSD.ORG Sun Sep 7 04:13:45 2003
Message-ID: <20030907111432.26267.qmail@bsdmail.com>
From: "Ivo Vachkov"
To: freebsd-ipfw@freebsd.org
Date: Sun, 07 Sep 2003 13:14:32 +0200
Subject: Re: Burst

> the problem with your approach is that the user can easily overcome
> the limitation by splitting the connection into many small ones,
> each one below the allowed burst size.

Indeed this is not a problem since I track src_ip and dst_ip ... and not
tcp/udp ports. So even if someone starts many connections to a single host,
for my code they're all the same, i.e. counting the traffic through all of
them as one.
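The design Ivo describes (a per-host byte counter that hands a (src, dst) pair to a rate limiter once the count passes a threshold) together with Luigi's bound on what such a limiter lets out, as an added simulation that is not part of this thread and not burstd's or dummynet's code. The traffic, threshold, rate and burst values are constructed, and `TokenBucket`, `Burstd`, `download` and `run` are this example's own names. It keys on addresses only, so the same transfer split over twenty connections is shaped exactly like a single one, and it checks the bytes passed while limited against T * bandwidth + burst_size.

```python
# Added example (not burstd's or dummynet's code): a per-host byte counter that
# hands a (src, dst) pair to a token bucket once the count passes a threshold.
# Fractions keep the simulated clock exact, so results do not depend on float rounding.
from collections import defaultdict
from fractions import Fraction


class TokenBucket:
    """Policer: tokens accrue at `rate` bytes/s up to `burst` bytes; a packet
    passes only if enough tokens are available, otherwise it is dropped."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.burst = burst
        self.tokens = Fraction(burst)
        self.last = now

    def allow(self, nbytes, now):
        self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class Burstd:
    """Counts bytes per (src, dst); ports are deliberately ignored, so splitting a
    transfer over many connections does not reset or dilute the count."""

    def __init__(self, threshold, rate, burst):
        self.threshold, self.rate, self.burst = threshold, rate, burst
        self.counted = defaultdict(int)   # bytes seen per (src, dst)
        self.buckets = {}                 # pairs that have crossed the threshold

    def handle(self, pkt):
        """Return (passed, limited): whether the packet passes, and whether the
        pair is already under the limit when it arrives."""
        t, src, dst, _sport, _dport, nbytes = pkt
        key = (src, dst)
        self.counted[key] += nbytes
        bucket = self.buckets.get(key)
        if bucket is None:
            if self.counted[key] <= self.threshold:
                return True, False
            bucket = self.buckets[key] = TokenBucket(self.rate, self.burst, now=t)
        return bucket.allow(nbytes, t), True


def download(nconns, total_bytes, pkt_size=1000, send_rate=125_000):
    """Constructed traffic: total_bytes from one server to one client arriving at
    send_rate bytes/s (1 Mbps), spread round-robin over nconns TCP connections.
    Packets are (time, src, dst, sport, dport, length)."""
    pkts, sent, i = [], 0, 0
    while sent < total_bytes:
        n = min(pkt_size, total_bytes - sent)
        pkts.append((Fraction(sent, send_rate), "10.0.0.5", "192.168.1.10",
                     80, 40000 + i % nconns, n))
        sent += n
        i += 1
    return pkts


def run(pkts, threshold=100_000, rate=8_000, burst=16_000):
    """Feed packets through Burstd (64 kbps = 8000 B/s once 100 kB have passed).
    Returns (bytes passed, bytes passed while limited, T * bandwidth + burst_size
    for the limited window); the last two show Luigi's bound holding."""
    daemon = Burstd(threshold, rate, burst)
    passed = limited = 0
    first = last = None
    for pkt in pkts:
        ok, under_limit = daemon.handle(pkt)
        if ok:
            passed += pkt[5]
        if under_limit:
            if ok:
                limited += pkt[5]
            first = pkt[0] if first is None else first
            last = pkt[0]
    bound = rate * (last - first) + burst if first is not None else 0
    return passed, limited, bound


if __name__ == "__main__":
    for conns in (1, 20):
        passed, limited, bound = run(download(conns, 1_000_000))
        print(f"{conns:2d} connection(s): passed {passed} B, "
              f"{limited} B while limited (bound {bound})")
```

The bucket is a policer (it drops what it cannot pass) rather than a delaying shaper such as a dummynet pipe, which is why the per-window bound is easy to check; with a queue the same bytes would arrive late instead, which is the block_size/bandwidth delay Luigi mentions.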
From owner-freebsd-ipfw@FreeBSD.ORG Sun Sep 7 08:27:22 2003
From: Don Bowman
To: 'dsa dsa', freebsd-ipfw@freebsd.org
Date: Sun, 7 Sep 2003 11:27:20 -0400
Subject: RE: Crippled transparent firewall
> From: dsa dsa [mailto:cravietz@hotmail.com]
>
> I have FreeBSD 4.8 on P4 2.4, 1 GB DDR RAM and two
> Intel EtherPro100 (fxp0,fxp1). I have set up a
> transparent firewall/bridge on it. The purpose of
> doing that is only to relieve cpu load of cisco router
> (7200) which is getting hit pretty often by DDoS
> attacks. Line carries 100 mbps. Basically it looks
> like this:
>
> Cisco>--------------------100mbps-------
> ok, now, let's put it this way..cisco is pushing about
> 50mbps during off-peak hours but when i put this
> BSD-based transparent firewall in front of the cisco
> router it goes down to 15 mbps while the 'top' output
> shows 90% idle. No firewall rules have been set so
> far.

I would check netstat -m. If you are seeing denied mbufs, then i would
increase NMBCLUSTERS/NMBUFS.

I would check that your cisco and bsd & internet connection agree on
duplex. e.g. if 1 is auto and the other is forced 100 full, the auto
one will go to 100 half, which is useless :). Check for excessive
collisions to see this.

From owner-freebsd-ipfw@FreeBSD.ORG Sun Sep 7 16:50:10 2003
Date: Sun, 7 Sep 2003 16:50:07 -0700 (PDT)
From: Kelly Yancey
To: Clemens Fischer
Cc: freebsd-ipfw@FreeBSD.org, luigi@FreeBSD.org
Message-ID: <20030907164709.K35080-100000@gateway.posi.net>
Subject: Re: hostnames resolving problem

On 2 Sep 2003, Clemens Fischer wrote:

> * Kelly Yancey:
>
> > On 30 Aug 2003, Clemens Fischer wrote:
> >
> >> that would not be my cup of tea, because by this ipfw(8) becomes
> >> "unscriptable", i.e. i'd have to grep(1) for messages and start from
> >> scratch again. i guess this problem should be detected and handled
> >> ahead of running ipfw(8). note that you can always use `-p
> >> preprocessor' for this.
> >
> > No you don't, it just warns, not exits. You'll get warnings
> > telling you that what you are doing is a Bad Idea, but you can send
> > them to /dev/null if you don't care.
>
> i know, but this doesn't put me at ease. since hosts can choose to
> implement DNS round-robin any time, this might not only be a bad idea,
> it might well be plain wrong, and i wouldn't even know. the patch
> should error-exit IMO, or people who need this feature should dream up
> their own m4 macros to handle this "feature".
>
> clemens

And they can add new IPs to the existing name after you run your macros,
how is it different? Hence the warning. I don't really care one way or
the other, I don't abuse the DNS resolution misfeature of ipfw; adding
the warnings would at least alert people to potential foot-shooting,
since preventing it would mean removing the "feature". Arguably, the
warning should be expanded to any use of names in rules.
  Kelly

--
Kelly Yancey -- kbyanc@{posi.net,FreeBSD.org}
Visit the BSD driver database: http://www.posi.net/freebsd/drivers/
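A preprocessor of the kind Clemens alludes to with `-p preprocessor`, as an added example that is neither ipfw's own code nor the patch under discussion: it expands every host name after `from`/`to` into one rule per address, warns when a name has several addresses (the round-robin case both sides describe), and exits with an error when a name does not resolve at all. The `FAKE_DNS` table is constructed so the example runs offline; `expand_rule` and `resolve_all` are this example's names, and passing `resolver=None` makes it use real DNS through `getaddrinfo`.

```python
# Added example (not ipfw's own code): a small preprocessor that expands host
# names in ipfw rules before they are loaded. The resolver table is constructed
# so the example runs offline; pass resolver=None to use real DNS instead.
import itertools
import re
import socket

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
KEYWORDS = {"any", "me", "not"}   # tokens that can follow from/to without being a host

FAKE_DNS = {                      # constructed zone data for offline use
    "mirror.example.org": ["198.51.100.7"],
    "www.example.org": ["203.0.113.12", "203.0.113.10", "203.0.113.11"],
}


def resolve_all(name, resolver=None):
    """Every IPv4 address for name, sorted; a dict resolver replaces real DNS."""
    if resolver is not None:
        return sorted(set(resolver.get(name, [])))
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def expand_rule(rule, resolver=None):
    """Expand each host name after 'from'/'to' into one rule per address.
    Returns (rules, warnings). Raises ValueError for a name with no address:
    a rule built from a name that never resolved cannot be what was meant."""
    tokens = rule.split()
    slots = []                    # (token index, host name) for every name in the rule
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("from", "to"):
            j = i + 1 + (tokens[i + 1] == "not")
            if j < len(tokens) and tokens[j] not in KEYWORDS and not IPV4.match(tokens[j]):
                slots.append((j, tokens[j]))
    warnings, choices = [], []
    for _j, name in slots:
        addrs = resolve_all(name, resolver)
        if not addrs:
            raise ValueError(f"{name}: no address; refusing to load a rule that cannot match")
        if len(addrs) > 1:
            warnings.append(f"{name} currently resolves to {len(addrs)} addresses {addrs}; "
                            "that set can change at any time, so these rules will go stale")
        choices.append(addrs)
    rules = []
    for combo in itertools.product(*choices):   # one rule per address combination
        out = list(tokens)
        for (j, _name), addr in zip(slots, combo):
            out[j] = addr
        rules.append(" ".join(out))
    return rules, warnings


if __name__ == "__main__":
    rules, warns = expand_rule("add 100 allow tcp from www.example.org to me 80",
                               resolver=FAKE_DNS)
    print("\n".join(rules))
    print("\n".join("warning: " + w for w in warns))
```

Expanding names at load time does not make the rule set track later DNS changes, which is Kelly's point; what the expansion buys is that the rule list itself shows the addresses that were loaded, so a stale rule can be spotted by comparing it with a fresh lookup.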
From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 8 03:35:57 2003
Date: Mon, 8 Sep 2003 20:34:44 +1000 (EST)
From: Glen Gibb
To: Peter Pentchev
Cc: ipfw@freebsd.org, bug-followup@freebsd.org
In-Reply-To: <20030905161915.GG556@straylight.oblivion.bg>
Message-ID: <20030908203401.Q90999-100000@genesis.ridley.unimelb.edu.au>
Subject: Re: docs/56021: Documentation incorrect for mac in ipfw2

The patch looks ok to me.

Don't be surprised if I'm slow to reply for the next week or two - I'm
currently travelling.

Glen

On Fri, 5 Sep 2003, Peter Pentchev wrote:

> On Wed, Aug 27, 2003 at 11:07:21AM +1000, Glen Gibb wrote:
> >
> > >Number:         56021
> > >Category:       docs
> > >Synopsis:       Documentation incorrect for mac in ipfw2
> > >Originator:     Glen Gibb
> > >Release:        FreeBSD 5.1-CURRENT i386
> [snip]
> > >Description:
> >
> > The man page for ipfw (IPFW2) is incomplete/misleading in regards to
> > the "mac" option in the RULE OPTIONS section.
> >
> > The man page states that the address can be "optionally followed by a
> > mask indicating how many bits are significant, as in MAC
> > 10:20:30:40:50:60/33 any". This IS correct but it does not mention the
> > second method of specifying a bit mask, that is by following the
> > address with an ampersand (&) followed by the bitmask which is
> > specified using the same format as the address. For example, if we
> > wanted to match any mac address that ended with 60, we could use the
> > following mask:
> >
> > MAC 00:00:00:00:50:60&00:00:00:00:00:ff
>
> What do you think about the following patch?
>
> G'luck,
> Peter
>
> --
> Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
> PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
> Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
> This sentence was in the past tense.
>
> Index: src/sbin/ipfw/ipfw.8
> ===================================================================
> RCS file: /home/ncvs/src/sbin/ipfw/ipfw.8,v
> retrieving revision 1.131
> diff -u -r1.131 ipfw.8
> --- src/sbin/ipfw/ipfw.8 22 Jul 2003 07:41:24 -0000 1.131
> +++ src/sbin/ipfw/ipfw.8 5 Sep 2003 16:12:41 -0000
> @@ -1046,11 +1046,31 @@
> .Cm any
> keyword (matching any MAC address), or six groups of hex digits
> separated by colons,
> -and optionally followed by a mask indicating how many bits are
> -significant, as in
> +and optionally followed by a mask indicating the significant bits.
> +The mask may be specified using either of the following methods:
> +.Bl -enum -width indent
> +.It
> +A slash
> +.Pq /
> +followed by the number of significant bits.
> +For example, an address with 33 significant bits could be specified as:
> .Pp
> .Dl "MAC 10:20:30:40:50:60/33 any"
> .Pp
> +.It
> +An ampersand
> +.Pq &
> +followed by a bitmask specified as six groups of hex digits separated
> +by colons.
> +For example, an address in which the last 16 bits are significant could
> +be specified as:
> +.Pp
> +.Dl "MAC 10:20:30:40:50:60&00:00:00:00:00:ff any"
> +.Pp
> +Note that the ampersand character has a special meaning in many shells
> +and should generally be escaped.
> +.Pp
> +.El
> Note that the order of MAC addresses (destination first,
> source second) is
> the same as on the wire, but the opposite of the one used for
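Review bot: the prose and the example in the second list item of this hunk disagree: `+For example, an address in which the last 16 bits are significant could` is followed by `+.Dl "MAC 10:20:30:40:50:60&00:00:00:00:00:ff any"`, but a mask of 00:00:00:00:00:ff leaves only the last 8 bits significant (the PR's own example, 00:00:00:00:50:60&00:00:00:00:00:ff, is described as matching addresses that end in 60). Either write "last 8 bits" or change the mask to 00:00:00:00:ff:ff so that text and example agree. Minor: the `+.Pp` immediately before `+.El` adds nothing, since the list macro closes the block itself, and mdoc lint tools flag a paragraph macro in that position.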
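Both mask spellings from the patch above, as an added example that is not ipfw's parser (that lives in the kernel and sbin/ipfw): `parse_mac_spec`, `mac_matches` and `mask_bits` are this example's own names. It turns `addr/bits` into a prefix mask and `addr&mask` into an explicit mask, handles the `any` keyword, and matches candidate addresses the way the rule would; `mask_bits` makes the 8-versus-16-bit question in the hunk a one-line check.

```python
# Added example (not ipfw's own parser): the two MAC-mask spellings from the
# ipfw(8) text above, addr/bits and addr&mask, plus the 'any' keyword.
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5}$")
ALL_BITS = (1 << 48) - 1


def mac_to_int(text):
    """'10:20:30:40:50:60' -> 0x102030405060 as a 48-bit int."""
    if not MAC_RE.match(text):
        raise ValueError(f"bad MAC address: {text!r}")
    value = 0
    for group in text.split(":"):
        value = (value << 8) | int(group, 16)
    return value


def parse_mac_spec(spec):
    """Return (address, mask) as 48-bit ints, with the address already masked.
    'any' matches everything; a bare address is compared in full."""
    if spec == "any":
        return 0, 0
    if "/" in spec:                       # addr/bits: the top `bits` bits count
        addr, bits = spec.split("/", 1)
        bits = int(bits)
        if not 0 <= bits <= 48:
            raise ValueError("prefix length must be between 0 and 48")
        mask = (ALL_BITS << (48 - bits)) & ALL_BITS
    elif "&" in spec:                     # addr&mask: the mask says which bits count
        addr, mask_text = spec.split("&", 1)
        mask = mac_to_int(mask_text)
    else:
        addr, mask = spec, ALL_BITS
    return mac_to_int(addr) & mask, mask


def mac_matches(spec, candidate):
    """Does candidate satisfy the rule's MAC spec (the per-packet comparison)?"""
    addr, mask = parse_mac_spec(spec)
    return (mac_to_int(candidate) & mask) == addr


def mask_bits(spec):
    """How many address bits the spec actually tests: 00:00:00:00:00:ff is 8, not 16."""
    return bin(parse_mac_spec(spec)[1]).count("1")


if __name__ == "__main__":
    for spec in ("10:20:30:40:50:60/33", "10:20:30:40:50:60&00:00:00:00:00:ff",
                 "10:20:30:40:50:60&00:00:00:00:ff:ff", "any"):
        print(f"{spec:40s} tests {mask_bits(spec):2d} bits")
```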
From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 8 11:01:51 2003
Date: Mon, 8 Sep 2003 11:01:50 -0700 (PDT)
Message-Id: <200309081801.h88I1oiH097215@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/03/23] kern/50216  ipfw  kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw  [patch] time based firewalling support fo

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 9 13:23:20 2003
Message-ID: <000a01c37711$872b0a00$020010ac@protechnologies>
From: "Thomas Dwyer"
To: freebsd-ipfw@freebsd.org
Date: Tue, 9 Sep 2003 16:32:45 -0400
Subject: ipfw - natd - Port Forwarding

Hello;

I'm having a problem getting port forwarding working with FreeBSD 4.8.

I have the following options compiled in the kernel:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=15
    options IPDIVERT
    options IPFIREWALL_DEFAULT_TO_ACCEPT

My ipfw config is:

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00500 divert 8668 ip from any to any via fxp0
    65535 allow ip from any to any

The applicable options I have specified in rc.conf are:

    firewall_enable="YES"
    gateway_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="fxp0"
    natd_flags="-f /etc/natd.conf"

And in the natd.conf file I have:

    log yes
    interface fxp0
    use_sockets yes
    same_ports yes
    redirect_port tcp 192.168.0.1:27015 27015

The workstation 192.168.0.1 is a Windows 2000 machine. The default gateway
is the internal IP address of the firewall which is 192.168.0.254

All internet browsing, tracert, ping etc works from the Windows 2000
machine out to the internet.

I have telnet server running on the windows 2000 machine listening on
port 27015. I can telnet to it from another workstation on the LAN as
well as from the firewall directly through the LAN interface.
When I try it from an outside source it looks like traffic is arriving
at the Windows 2000 machine (the little computer screens for the LAN
connection flash on the tray icon) but the connection doesn't complete
and it times out.

Help!

Tom

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 9 14:50:55 2003
From: "Dennis B. Hopp"
To: "'Thomas Dwyer'"
Date: Tue, 9 Sep 2003 17:50:56 -0400
Message-ID: <000601c3771c$75a62c00$0201a8c0@dennis>
In-Reply-To: <000a01c37711$872b0a00$020010ac@protechnologies>
Subject: RE: ipfw - natd - Port Forwarding

Your firewall rules need to let it through too.... I think something like
this should work (it needs to go after the ipdivert statement)

    00501 allow tcp from any to 192.168.0.1 27015 in recv fxp0 keep-state

--Dennis

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Thomas Dwyer
Sent: Tuesday, September 09, 2003 4:33 PM
To: freebsd-ipfw@freebsd.org
Subject: ipfw - natd - Port Forwarding

Hello;

I'm having a problem getting port forwarding working with FreeBSD 4.8.

I have the following options compiled in the kernel:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=15
    options IPDIVERT
    options IPFIREWALL_DEFAULT_TO_ACCEPT

My ipfw config is:

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00500 divert 8668 ip from any to any via fxp0
    65535 allow ip from any to any

The applicable options I have specified in rc.conf are:

    firewall_enable="YES"
    gateway_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="fxp0"
    natd_flags="-f /etc/natd.conf"

And in the natd.conf file I have:

    log yes
    interface fxp0
    use_sockets yes
    same_ports yes
    redirect_port tcp 192.168.0.1:27015 27015

The workstation 192.168.0.1 is a Windows 2000 machine. The default
gateway is the internal IP address of the firewall which is 192.168.0.254

All internet browsing, tracert, ping etc works from the Windows 2000
machine out to the internet.

I have telnet server running on the windows 2000 machine listening on
port 27015. I can telnet to it from another workstation on the LAN as
well as from the firewall directly through the LAN interface.

When I try it from an outside source it looks like traffic is arriving
at the Windows 2000 machine (the little computer screens for the LAN
connection flash on the tray icon) but the connection doesn't complete
and it times out.

Help!
Tom

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 9 16:10:03 2003
Message-ID: <3F5E5DC3.1030005@tenebras.com>
Date: Tue, 09 Sep 2003 16:09:55 -0700
From: Michael Sierchio
To: freebsd-ipfw@freebsd.org
In-Reply-To: <000601c3771c$75a62c00$0201a8c0@dennis>
Subject: Re: ipfw - natd - Port Forwarding

A. Laziness, incapacity, neglect, MS Outlook, etc.
Q. Then why do people do it?
A. No, it's not.
Q. Is top-posting a good idea?

Dennis B. Hopp wrote:
> Your firewall rules need to let it through too....I think something like
> this should work (it needs to go after the ipdivert statement)
>
> 00501 allow tcp from any to 192.168.0.1 27015 in recv fxp0 keep-state

Unnecessary, the default rule 65535 (in this case) passes all traffic.

> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00500 divert 8668 ip from any to any via fxp0
> 65535 allow ip from any to any

> When I try it from an outside source it looks like traffic is arriving
> at the Windows 2000 machine (the little computer screens for the LAN
> connection flash on the tray icon) but the connection doesn't complete
> and it times out.

What does a tcpdump on the natd box say? Do tcpdump -ln -i fxp0 host
and then telnet 27015

--
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent man requires only two thousand five hundred."
- The Mahabharata

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 9 19:43:22 2003
From: Don Bowman
To: "'freebsd-ipfw@freebsd.org'"
Date: Tue, 9 Sep 2003 22:43:16 -0400
Subject: regex match in ipfw rule?

has anyone ever considered adding a regular expression match type to
ipfw? it seems like this might be very useful. To be efficient, and
anchored, I guess it would need to be available for both IP and TCP
and perhaps other protocols (e.g. ip payload, tcp payload). This could
be used to match e.g. code-red style worms.

one barrier is that there is not currently regex support in kernel,
but pcre could probably be compiled for it.
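Where such a match would have to hook in, as an added example that is not ipfw code and not a proposal for its implementation: the TCP payload is located from the IP header length and the TCP data offset, and only that slice is handed to an anchored regex, so header bytes are never scanned and a pattern cannot fire on a fragment sitting in the middle of a stream segment. The packet builder, the addresses and the `.ida` probe signature (a pattern of the kind the post mentions) are all constructed for this example; `tcp_payload`, `match_payload` and `build_packet` are its own names.

```python
# Added example (not ipfw code): locate the TCP payload of an IPv4 packet and run
# anchored regexes over that slice only. Packet bytes and signatures are constructed.
import re
import struct

# Constructed detection signatures, anchored at the start of the TCP payload.
SIGNATURES = {
    "ida-probe": re.compile(rb"^GET /default\.ida\?[NX]{20,}"),
}


def tcp_payload(pkt):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP packet, or None
    when the packet is not IPv4/TCP or its headers do not fit in the bytes given."""
    if len(pkt) < 20:
        return None
    ver_ihl, proto = pkt[0], pkt[9]
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total > len(pkt) or total < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    doff = (pkt[ihl + 12] >> 4) * 4      # TCP data offset, in bytes
    if doff < 20 or ihl + doff > total:
        return None
    return src, dst, sport, dport, pkt[ihl + doff:total]


def match_payload(pkt):
    """Names of the signatures whose anchored regex matches the TCP payload."""
    parsed = tcp_payload(pkt)
    if parsed is None:
        return []
    payload = parsed[4]
    return [name for name, rx in SIGNATURES.items() if rx.match(payload)]


def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4+TCP packet with minimal headers and zero checksums,
    enough for offline testing of the parser above."""
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


if __name__ == "__main__":
    probe = build_packet("203.0.113.5", "198.51.100.80", 4321, 80,
                         b"GET /default.ida?" + b"N" * 200 + b" HTTP/1.0\r\n")
    print(match_payload(probe))   # ['ida-probe']
```

An in-kernel version would have to cope with what this one sidesteps: a request split across segments, IP fragments, and the cost of running a backtracking matcher on every packet, which is where the anchoring Don mentions earns its keep.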
Date: Wed, 10 Sep 2003 06:14:23 +0200
From: Gunnar Flygt
To: freebsd-ipfw@freebsd.org
Message-ID: <20030910041423.GA80152@sr.se>
Subject: HowTo for ipfw

Is there somewhere a good HowTo for setting up ipfw2? I've only found
at least 2 years old tips, not using the extended syntax and features
in ipfw2. Please cc me!

--
Gunnar Flygt
OPC Data
Sveriges Radio

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 10 06:57:02 2003
Message-ID: <001501c377a3$694aa4e0$5e01a8c0@1wispadmin>
From: "Thomas S. Crum - 1WISP, Inc."
Date: Wed, 10 Sep 2003 09:57:02 -0400
Subject: dummynet help

Hi List,

I thank anyone, in advance, who might offer some light to my question
below.

At our office, we have a T1 circuit that I am trying to divvy up
bandwidth as you see below. I would like to give a greater amount of
pipe to "web" associated ports and allow the rest of the traffic to
fall into a default queue, both up and down. When I run this config it
seems that the "web" associated ports are simply falling into the
default queue, which of course slows everything to a crawl since the
default queues are so small. Can anyone give me some insight as to why
this is happening and offer a solution that will accomplish what I am
attempting? I am running dummynet as a bridge behind my router and in
front of everything else on FreeBSD. My config is below.

###################
# TOM'S PLAYGROUND

# DO THIS CAUSE THEY SAY ITS GOOD
add check-state

# BLOCK BAD IP'S
#add deny ip from 192.168.1.27 to any
#add deny ip from any to 192.168.1.27

# Keep those nasty viruses, worms and critters away.
add deny udp from any to any 8998
add deny tcp from any to any 135
add deny udp from any to any 69
add deny tcp from any to any 4444
add deny tcp from any to any 707
add deny tcp from any to any 137
add deny udp from any to any 137
add deny tcp from any to any 138
add deny udp from any to any 138
add deny tcp from any to any 139
add deny udp from any to any 139
add deny tcp from any to any 593
add deny udp from any to any 593

# GIVE ME FULL PIPE WHEN SSH FROM OUTSIDE
add allow tcp from 66.255.6.221 to any 22
add allow tcp from any to 66.255.6.221 22

# ALLOW LOCAL IP'S TO PASS W/ EACH OTHER
add allow ip from 192.168.1.0/24 to 192.168.1.0/24
add allow ip from 192.168.1.0/24 to 66.255.6.0/24
add allow ip from 66.255.6.0/24 to 66.255.6.0/24
add allow ip from 66.255.6.0/24 to 192.168.1.0/24

# MAILSERVER "DUPLEX"
add queue 10 ip from any to 66.255.6.131
add queue 11 ip from 66.255.6.131 to any
queue 10 config weight 1 pipe 10 mask src-ip 0xffffffff
queue 11 config weight 1 pipe 10 mask dst-ip 0xffffffff
pipe 10 config bw 50Kbit/s

# EVERYBODY "DOWN 80, 443 AND 53 PORT" 80/20
add queue 30 tcp from any to 192.168.1.0/24 80
add queue 30 tcp from any to 66.255.6.0/24 80
add queue 30 tcp from any to 192.168.1.0/24 53
add queue 30 tcp from any to 66.255.6.0/24 53
add queue 30 udp from any to 192.168.1.0/24 53
add queue 30 udp from any to 66.255.6.0/24 53
add queue 30 tcp from any to 192.168.1.0/24 443
add queue 30 tcp from any to 66.255.6.0/24 443
add queue 30 udp from any to 192.168.1.0/24 443
add queue 30 udp from any to 66.255.6.0/24 443
queue 30 config weight 1 pipe 30 mask dst-ip 0xffffffff
pipe 30 config bw 960Kbit/s

# EVERYBODY "DOWN ALL PORTS"
add queue 31 ip from any to 192.168.1.0/24
add queue 31 ip from any to 66.255.6.0/24
queue 31 config weight 1 pipe 31 mask dst-ip 0xffffffff
pipe 31 config bw 240Kbit/s

# EVERYBODY "UP 80, 443 AND 53 PORT" 60/40
add queue 32 tcp from 192.168.1.0/24 80 to any
add queue 32 tcp from 66.255.6.0/24 80 to any
add queue 32 tcp from 192.168.1.0/24 53 to any
add queue 32 tcp from 66.255.6.0/24 53 to any
add queue 32 udp from 192.168.1.0/24 53 to any
add queue 32 udp from 66.255.6.0/24 53 to any
add queue 32 tcp from 192.168.1.0/24 443 to any
add queue 32 tcp from 66.255.6.0/24 443 to any
add queue 32 udp from 192.168.1.0/24 443 to any
add queue 32 udp from 66.255.6.0/24 443 to any
queue 32 config weight 1 pipe 32 mask src-ip 0xffffffff
pipe 32 config bw 150Kbit/s

# EVERYBODY "UP ALL PORTS"
add queue 33 ip from 192.168.1.0/24 to any
add queue 33 ip from 66.255.6.0/24 to any
queue 33 config weight 1 pipe 33 mask src-ip 0xffffffff
pipe 33 config bw 100Kbit/s

# THIS SHOULD MAKE DHCP WORK? PS. IT DID.
add queue 250 ip from any to any
queue 250 config weight 1 pipe 250 mask src-ip 0xffffffff
pipe 250 config bw 10Kbit/s
From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 10 07:50:27 2003
From: "Dennis B. Hopp"
To: "'Michael Sierchio'" ,
Date: Wed, 10 Sep 2003 10:50:17 -0400
Message-ID: <000201c377aa$dccf61b0$0201a8c0@dennis>
In-Reply-To: <3F5E5DC3.1030005@tenebras.com>
Subject: RE: ipfw - natd - Port Forwarding

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-
> ipfw@freebsd.org] On Behalf Of Michael Sierchio
> Sent: Tuesday, September 09, 2003 7:10 PM
> To: freebsd-ipfw@freebsd.org
> Subject: Re: ipfw - natd - Port Forwarding
>
> A. Laziness, incapacity, neglect, MS Outlook, etc.

Yup I was lazy...aren't we all?

> Q. Then why do people do it?
> A. No, it's not.

Since I didn't have to nit pick at a bunch of different details I don't
think it really mattered in this case.

> Q. Is top-posting a good idea?
>
> Dennis B. Hopp wrote:
> > Your firewall rules need to let it through too....I think something like
> > this should work (it needs to go after the ipdivert statement)
> >
> > 00501 allow tcp from any to 192.168.0.1 27015 in recv fxp0 keep-state
>
> Unnecessary, the default rule 65535 (in this case) passes all traffic.

You are correct...I didn't read that the last rule was an allow all (I
always change it to deny all)...damn laziness

> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00500 divert 8668 ip from any to any via fxp0
> > 65535 allow ip from any to any
>
> > When I try it from an outside source it looks like traffic is arriving
> > at the Windows 2000 machine (the little computer screens for the LAN
> > connection flash on the tray icon) but the connection doesn't complete
> > and it times out.
>
> What does a tcpdump on the natd box say? Do
>
> tcpdump -ln -i fxp0 host
>
> and then telnet 27015
>
>
> --
>
> "Well," Brahma said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent man requires only two thousand five hundred."
> - The Mahabharata
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 10 07:54:18 2003
Message-ID: <3F5F3B19.7040108@tenebras.com>
Date: Wed, 10 Sep 2003 07:54:17 -0700
From: Michael Sierchio
Cc: freebsd-ipfw@freebsd.org
References: <000201c377aa$dccf61b0$0201a8c0@dennis>
In-Reply-To: <000201c377aa$dccf61b0$0201a8c0@dennis>
Subject: Re: ipfw - natd - Port Forwarding

Dennis B. Hopp wrote:

> Yup I was lazy...aren't we all?

It explains our interest in computers. We can automate repetitive
tasks, and are willing to stay up all night just to do so.

I'm wondering if the OP solved his problem?

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 10 12:39:29 2003
Date: Wed, 10 Sep 2003 12:39:29 -0700
From: Bill Fumerola
To: Don Bowman
Cc: "'freebsd-ipfw@freebsd.org'"
Message-ID: <20030910193928.GL57940@elvis.mu.org>
Subject: Re: regex match in ipfw rule?

On Tue, Sep 09, 2003 at 10:43:16PM -0400, Don Bowman wrote:
> has anyone ever considered adding a regular
> expression match type to ipfw? it seems like
> this might be very useful. To be efficient,
> and anchored, I guess it would need to
> be available for both IP and TCP and perhaps
> other protocols (e.g. ip payload, tcp payload).
>
> This could be used to match e.g. code-red style
> worms.

there are several problems with doing this..

1) you have to dig deep into the packet, which we already sorta do for
   l4 rules, but we don't get into the actual payload.
2) you have to reassemble frags(!), otherwise someone can just frag a
   packet to slip it through
3) regexp is going to be slow

> one barrier is that there is not currently regex
> support in kernel, but pcre could probably be
> compiled for it.

bpf rules would be easier, but for things like code red it would still
suffer from the reassembly problem.
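The reassembly problem in point 2 above, as an added example that is not from this thread or from ipfw's code: a matcher that inspects each fragment on its own beside one that reassembles the datagram first. The signature "SIG-A", the two fragments and the small reassembler are all constructed for the illustration; a datagram that cannot be reassembled is reported separately so a rule can treat it as a policy decision rather than as clean.

```c
/* Added example, not from the thread: why a payload matcher must see the
 * reassembled datagram. "SIG-A" and the fragments are constructed data;
 * the first fragment's length is a multiple of 8 as IP requires. */
#include <stdio.h>
#include <string.h>

#define MAX_DGRAM 1500

/* Simplified IP fragment: byte offset, payload length, MF flag, payload. */
struct frag {
    size_t off;
    size_t len;
    int more;
    const unsigned char *data;
};

/* Substring search (memmem is not in ISO C). */
static int payload_has(const unsigned char *buf, size_t n, const char *pat)
{
    size_t plen = strlen(pat);
    if (plen == 0 || n < plen)
        return 0;
    for (size_t i = 0; i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return 1;
    return 0;
}

/* Naive inspection: each fragment on its own, as a rule that runs before
 * reassembly would see it. Returns 1 if any single fragment matches. */
int match_per_fragment(const struct frag *f, int nf, const char *pat)
{
    for (int i = 0; i < nf; i++)
        if (payload_has(f[i].data, f[i].len, pat))
            return 1;
    return 0;
}

/* Reassemble into out. Returns the datagram length, or -1 when it is
 * incomplete (gap, no final fragment), overlapping, or too large.
 * Overlaps are rejected rather than resolved: their content is ambiguous. */
long reassemble(const struct frag *f, int nf, unsigned char out[MAX_DGRAM])
{
    unsigned char have[MAX_DGRAM] = {0};   /* per-byte coverage map */
    size_t total = 0;
    int saw_last = 0;

    for (int i = 0; i < nf; i++) {
        if (f[i].len > MAX_DGRAM || f[i].off > MAX_DGRAM - f[i].len)
            return -1;
        for (size_t j = 0; j < f[i].len; j++) {
            if (have[f[i].off + j])
                return -1;
            have[f[i].off + j] = 1;
        }
        memcpy(out + f[i].off, f[i].data, f[i].len);
        if (!f[i].more) {
            if (saw_last)
                return -1;
            saw_last = 1;
            total = f[i].off + f[i].len;
        }
    }
    if (!saw_last)
        return -1;
    for (size_t j = 0; j < MAX_DGRAM; j++)
        if (have[j] != (j < total))
            return -1;   /* gap inside, or data past the final fragment */
    return (long)total;
}

/* Inspection after reassembly: 1 = pattern found, 0 = not found,
 * -1 = datagram could not be reassembled (decide policy, do not pass). */
int match_reassembled(const struct frag *f, int nf, const char *pat)
{
    unsigned char buf[MAX_DGRAM];
    long n = reassemble(f, nf, buf);
    if (n < 0)
        return -1;
    return payload_has(buf, (size_t)n, pat);
}

/* Constructed sample: the signature straddles the fragment boundary. */
const struct frag split_frags[2] = {
    { 0, 16, 1, (const unsigned char *)"GET /cgi-bin/a?S" },
    { 16, 15, 0, (const unsigned char *)"IG-A HTTP/1.0\r\n" },
};

int main(void)
{
    printf("per-fragment %d, reassembled %d\n",
           match_per_fragment(split_frags, 2, "SIG-A"),
           match_reassembled(split_frags, 2, "SIG-A"));
    return 0;
}
```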
--
- bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 10 14:51:33 2003
From: Darcy Buskermolen
Organization: Wavefire Technologies Corp.
To: Don Bowman, "'freebsd-ipfw@freebsd.org'"
Date: Wed, 10 Sep 2003 14:51:28 -0700
Message-Id: <200309101451.28807.darcy@wavefire.com>
Subject: Re: regex match in ipfw rule?

On Tuesday 09 September 2003 19:43, Don Bowman wrote:
> has anyone ever considered adding a regular
> expression match type to ipfw? it seems like
> this might be very useful. To be efficient,
> and anchored, I guess it would need to
> be available for both IP and TCP and perhaps
> other protocols (e.g. ip payload, tcp payload).
>
> This could be used to match e.g. code-red style
> worms.
>
> one barrier is that there is not currently regex
> support in kernel, but pcre could probably be
> compiled for it.

You may want to look at hogwash, it uses the same packet analysis engine
as used by snort, this may do what you are after. I believe that it will
also let you handle things like frag reassembly etc.

--
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx: 250.763.1759
http://www.wavefire.com

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 10 16:14:00 2003
Message-Id: <200309102313.h8ANDurw066796@mailserver2.hushmail.com>
Date: Wed, 10 Sep 2003 16:13:55 -0700
To: freebsd-ipfw@freebsd.org
Subject: ipfw2 shaper bottleneck

I'm wondering if anybody has had any experience with traffic shaping a
gigabit link. I'm currently having lots of different problems with the
shaping. I'm trying to shape about 500 hosts via MAC address to various
speeds (5, 10, 15 Mb/s etc.) and having varying results. I see a large
difference in system performance after about 100/100 pipes/rules. The
system will shape part of the network fine for many hours, then it
stops passing traffic properly; all traffic becomes very slow or
completely stops.

Is there a limit on the amount of pipes ipfw can handle? Or do I have
some sort of other bottleneck?

I did have a problem with one of the nics constantly resetting; the only
solution I found that worked was to change:

    if_bgereg.h:#define ETHER_ALIGN 2

to 0. This stopped the card from resetting constantly every few seconds.

The system is currently running fbsd 4.9-pre cvs from sunday night on a
dual xeon 2.2ghz, 1gb ram and dual 3com 3c996-SX (broadcom bcm5701tkhb
chipset):

    bge0: mem 0xfc200000-0xfc20ffff irq 11 at device 2.0 on pci2
    bge0: Ethernet address: 00:0a:5e:01:00:00
    bge1: mem 0xfc300000-0xfc30ffff irq 12 at device 1.0 on pci3
    bge1: Ethernet address: 00:0a:5e:00:00:00

These are the rules I am currently using:

    ipfw pipe 1 config bw 5Mbit/s
    ipfw add 1 pipe 1 MAC any 00:11:22:33:44:55:66

The max bandwidth is currently 500MB/s and both nics are in 64bit PCI-X
slots.
And mbuf clusters were raised:

    648/14624/262144 mbufs in use (current/peak/max):
            642 mbufs allocated to data
            6 mbufs allocated to packet headers
    640/14270/65536 mbuf clusters in use (current/peak/max)
    32196 Kbytes allocated to network (16% of mb_map in use)
    0 requests for memory denied
    0 requests for memory delayed
    0 calls to protocol drain routines

(taken w/o traffic flowing thru it, but has peaks from real traffic)

I am currently only trying to limit in one direction.

Any advice or help would be greatly appreciated. Thanks.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 10 19:10:15 2003
Date: Wed, 10 Sep 2003 19:10:14 -0700 (PDT)
Message-Id: <200309110210.h8B2AEvc088277@freefall.freebsd.org>
To: ipfw@FreeBSD.org
From: Don Bowman
Subject: Re: kern/55984: [patch] time based firewalling support for ipfw2

The following reply was made to PR kern/55984; it has been noted by GNATS.

From: Don Bowman
To: 'gnats'
Subject: Re: kern/55984: [patch] time based firewalling support for ipfw2
Date: Wed, 10 Sep 2003 22:03:59 -0400

suggest using 'time_second' instead of microtime() in ipfw_chk().

    case O_TIME: {
            u_long from, to, sum;
            long tzoff;

            tzoff = ((ipfw_insn_time *)cmd)->tzoff;
            from = ((ipfw_insn_time *)cmd)->from;
            to = ((ipfw_insn_time *)cmd)->to;
            sum = ipfw_calc_time_sum(time_second + tzoff);
            match = (sum >= from && sum <= to);
    }
    break;

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 10 19:17:41 2003
Message-Id: <200309110217.h8B2HdJ7061822@whizzo.transsys.com>
To: Don Bowman
From: "Louis A. Mamakos"
References: <200309110210.h8B2AEvc088277@freefall.freebsd.org>
In-reply-to: Your message of "Wed, 10 Sep 2003 19:10:14 PDT." <200309110210.h8B2AEvc088277@freefall.freebsd.org>
Date: Wed, 10 Sep 2003 22:17:39 -0400
Cc: ipfw@freebsd.org
Subject: Re: kern/55984: [patch] time based firewalling support for ipfw2

If there are not very many different time interval ranges, why not put
rules for each range into a set, and just turn the whole set on and off
with a cron job?

louie
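A userland model of the O_TIME check in Don's snippet above, added here and not part of the kern/55984 patch. ipfw_calc_time_sum() is not shown on the page, so the stand-in here assumes it reduces the tzoff-adjusted time to seconds since local midnight; the second matcher goes one step beyond the snippet and handles a window such as 22:00-06:00 that crosses midnight, which the single `from <= sum <= to` comparison can never match.

```c
/* Added example, not the PR's code: a userland model of the O_TIME check.
 * calc_time_sum() is an ASSUMED stand-in for ipfw_calc_time_sum(); the
 * kernel's time_second is passed in so the logic can be checked against
 * fixed timestamps. */
#include <stdio.h>
#include <time.h>

#define SECS_PER_DAY 86400L

/* Mirrors the fields the snippet reads from ipfw_insn_time. */
struct time_insn {
    unsigned long from;   /* window start, seconds since local midnight */
    unsigned long to;     /* window end, inclusive */
    long tzoff;           /* local offset from UTC, seconds */
};

unsigned long hms(unsigned h, unsigned m, unsigned s)
{
    return h * 3600UL + m * 60UL + s;
}

/* Assumed stand-in for ipfw_calc_time_sum(): seconds since midnight of the
 * already offset-adjusted time, kept in [0, 86400) even for negative input. */
unsigned long calc_time_sum(long local)
{
    long sum = local % SECS_PER_DAY;
    if (sum < 0)
        sum += SECS_PER_DAY;
    return (unsigned long)sum;
}

/* Literal transcription of the snippet's test. A 1-second clock such as
 * time_second is enough; microtime()'s precision buys nothing here. */
int time_match_simple(const struct time_insn *c, unsigned long time_second)
{
    unsigned long sum = calc_time_sum((long)time_second + c->tzoff);
    return sum >= c->from && sum <= c->to;
}

/* Same match, but a window with from > to (e.g. 22:00-06:00) is taken to
 * wrap past midnight; the simple form silently never matches such a rule. */
int time_match(const struct time_insn *c, unsigned long time_second)
{
    unsigned long sum = calc_time_sum((long)time_second + c->tzoff);
    if (c->from <= c->to)
        return sum >= c->from && sum <= c->to;
    return sum >= c->from || sum <= c->to;
}

/* Constructed sample: 2003-09-11 02:03:59 UTC, which is 22:03:59 at UTC-4
 * (the timestamp on Don's reply). */
const unsigned long SAMPLE_TIME_SECOND = 1063245839UL;
const struct time_insn business_hours = { 9 * 3600UL, 17 * 3600UL, -4 * 3600L };
const struct time_insn night_window   = { 22 * 3600UL, 6 * 3600UL, -4 * 3600L };

int main(void)
{
    unsigned long now = (unsigned long)time(NULL);
    printf("sample: 09-17 %d, 22-06 simple %d, 22-06 wrapped %d\n",
           time_match_simple(&business_hours, SAMPLE_TIME_SECOND),
           time_match_simple(&night_window, SAMPLE_TIME_SECOND),
           time_match(&night_window, SAMPLE_TIME_SECOND));
    printf("now (UTC-4): 09-17 %d, 22-06 %d\n",
           time_match(&business_hours, now), time_match(&night_window, now));
    return 0;
}
```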