From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 5 11:42:09 2003
From: Eitarou Kamo
To: freebsd-ipfw@freebsd.org
Date: Mon, 06 Oct 2003 03:42:08 +0900
Subject: ipfw2 + natd

Hi, all,

I have a few questions about ipfw2+natd. Any suggestion would be
appreciated.

I would like to add a line like "ipfw add divert natd ....." in my ipfw
script. But I'm wondering where I should add the line in the script.
I don't know the critical timing when I divert the IP address. Does
anyone know it, or is there any reference about it?

Thanks in advance.

Eitarou

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 6 10:25:12 2003
From: Sean Hafeez
To: freebsd-ipfw@freebsd.org
Date: Mon, 6 Oct 2003 10:25:09 -0700
Subject: Not using NATD?

OK so normally I use NATD for the users behind the BSD box.

ipfw -f flush
/sbin/natd -interface rl0
ipfw add 999 divert natd all from any to any via rl0
ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

rl1 is the inside 192.168.x.x network.

So strange question - I do not want to NAT anymore. I am going to be
building a site that I want to use real IP's on the internal network.
So if I configure the box as a gateway (and make sure my upstream router
has a route to the external interface of the BSD for the network behind)
will it work? Do I need to do anything else or will the

-bash-2.05b$ cat /etc/rc.conf
gateway_enable="YES"

just work?

Thanks!

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 6 10:58:01 2003
From: "Thomas S. Crum" (1WISP, Inc.)
To: 'Sean Hafeez', freebsd-ipfw@freebsd.org
Date: Mon, 6 Oct 2003 13:57:54 -0400
Subject: RE: Not using NATD?

Yes that will work. Here is a snippet from bsd hb.

Best,
Tom

19.2.4 Building a Router

A network router is simply a system that forwards packets from one
interface to another. Internet standards and good engineering practice
prevent the FreeBSD Project from enabling this by default in FreeBSD.
You can enable this feature by changing the following variable to YES
in rc.conf(5):

gateway_enable=YES # Set to YES if this host will be a gateway

This option will set the sysctl(8) variable net.inet.ip.forwarding to
1. If you should need to stop routing temporarily, you can reset this
to 0 temporarily.

Your new router will need routes to know where to send the traffic. If
your network is simple enough you can use static routes. FreeBSD also
comes with the standard BSD routing daemon routed(8), which speaks RIP
(both version 1 and version 2) and IRDP. Support for BGP v4, OSPF v2,
and other sophisticated routing protocols is available with the
net/zebra package. Commercial products such as gated are also available
for more complex network routing solutions.

Even when FreeBSD is configured in this way, it does not completely
comply with the Internet standard requirements for routers. It comes
close enough for ordinary use, however.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org On Behalf Of Sean Hafeez
Sent: Monday, October 06, 2003 1:25 PM
To: freebsd-ipfw@freebsd.org
Subject: Not using NATD?

[Sean's message, quoted in full; see above]

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 6 11:01:46 2003
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 6 Oct 2003 11:01:44 -0700 (PDT)
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2003/03/23] kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o  [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f  [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o  [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o  [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o  [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o  [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o  [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o  [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o  [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o  [2003/08/25] kern/55984  ipfw   [patch] time based firewalling support fo

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 6 14:23:34 2003
From: "Peter Brezny" (purplecat.net)
To: freebsd-ipfw@freebsd.org
Date: Mon, 6 Oct 2003 17:23:32 -0400 (EDT)
Subject: dummynet bw limit problem

Greetings,

I'm having difficulties with dummynet limiting connections when I set the
bw limit to anything greater than around 900 Kbit/sec.
Using pipes 1-8 below, even mixed and matched for asymmetric control, works
fine, except when I bring in a pipe numbered 9 or greater.

I've tried changing the queue size from between 20Kbytes to 50Kbytes.
I've tried increasing the buckets to 256.

But no luck.

Interestingly, with the configuration below, if I ping a host on the
internet, tcpdump shows the request and the reply, but I get nothing on
the console.

If I mix and match the in and outbound pipes, I'll either get nothing on
the console, or:
ping: sendto: No buffer space available

On the system I'm testing from I've got:
sysctl net.inet.ip.fw.one_pass=0

Any suggestions are greatly appreciated.

# traffic shaping test
$fwcmd add pipe 9 all from any to any out via $oif
$fwcmd add pipe 10 all from any to any in via $oif
#
# pipe configuration.
# odd pipes are for outbound connections
# even pipes are for inbound connections
$fwcmd pipe 1 config bw .064Mbit/s
$fwcmd pipe 2 config bw .064Mbit/s
$fwcmd pipe 3 config bw .128Mbit/s
$fwcmd pipe 4 config bw .128Mbit/s
$fwcmd pipe 5 config bw .256Mbit/s
$fwcmd pipe 6 config bw .256Mbit/s
$fwcmd pipe 7 config bw 512Kbit/s
$fwcmd pipe 8 config bw 512Kbit/s
$fwcmd pipe 9 config bw 990Kbit/s
$fwcmd pipe 10 config bw 990Kbit/s
$fwcmd pipe 11 config bw 2048kbit/s
$fwcmd pipe 12 config bw 2048kbit/s

Peter Brezny
purplecat.net

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 6 16:18:35 2003
From: Kelly Yancey
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Date: Mon, 6 Oct 2003 16:18:30 -0700 (PDT)
Subject: Re: [PATCH FOR REVIEW] layer2 ipfw 'fwd' support

On Mon, 22 Sep 2003, Luigi Rizzo wrote:

> hi,
> for those interested in using ipfw 'fwd' instructions in a bridge
> (e.g. to create a transparent proxy with a bridge) here is a patch
> to try for ip_fw2.c (and a trivial one-line change in ip_input.c)
>
> The change to ip_input.c matches more closely what the comment says:
> if the packet is tagged by the firewall as 'PACKET_TAG_IPFORWARD'
> then you skip the pass through the firewall, but still check to see
> where the packet goes.
>
> The ip_fw2.c change does the following: when the bridge detects a
> layer2 packet, it passes it to ip_input() [!!!layering violation!!!]
> with a proper tag so that the packet is subject to the same processing
> it would have in a router.
>
> [BTW i believe the same approach could be used to implement 'divert'
> within a bridge if we only care for IP packets -- i.e. we tag the
> packet and pass it to the upper layer]
>

When I implemented this functionality in our company's local tree, I used
a check like:

	if (args->eh && oif != NULL) {	/* ignore outbound layer2 pkts */
		goto next_rule;
	}

in the O_FORWARD_IP case to prevent loops when the 'fwd' target was on the
same machine. In that case, reply packets from the application forwarded
to would get forwarded to itself unless you explicitly added an 'in'
qualifier to the 'fwd' rule.

The other issue I ran into when I implemented 'fwd' and 'divert' from
layer-2 were spl issues since the layer-2 firewall runs at splimp() while
everything at layer-3 is splnet(), so if the target application was on the
same machine, it could corrupt the socket buffers reading/writing while
packets were added/removed at splimp(). With -current this might not be
much of an issue since mutexes are used for protection, but in our
codebase built on -stable I had to do some mild hackery to get the packet
into the NETISR_IP queue.

Kelly

--
Kelly Yancey -- kbyanc@{posi.net,FreeBSD.org} -- kelly@nttmcl.com

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 6 17:27:57 2003
From: Luigi Rizzo
To: pbrezny@purplecat.net
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 6 Oct 2003 17:27:55 -0700
Subject: Re: dummynet bw limit problem

ok, in random order:

First, the bandwidth must be an integer.
	$fwcmd pipe 4 config bw .128Mbit/s

+ you should show us the entire config, because 'one_pass=0' means the
  'pipe' rule will not terminate the processing of the packet, and you
  might hit some other pipe or rule;

+ the 'bandwidth' in dummynet pipes must be an integer (admittedly, the
  manpage does not specify it, and the parser does not complain as it
  should...); so a command like this
	$fwcmd pipe 5 config bw .256Mbit/s
  will effectively set an 'unlimited' bandwidth; even worse, something like
	$fwcmd pipe 5 config bw 2.56Mbit/s
  will parse the '2', then look for a unit specifier, and since the '.' is
  unrecognised it will silently assume bits/s which is not what you want...;

+ finally, i wonder if "via $oif" is really what you want.
  "in via $oif" means "in recv $oif"; "out via $oif" means
  "out { recv $oif or xmit $oif }" but perhaps you just want one of the two ?

+ tcpdump works at layer 2 so it will show packets on the device, before
  (on the input path) they are processed by dummynet;

cheers
luigi

On Mon, Oct 06, 2003 at 05:23:32PM -0400, Peter Brezny wrote:
> [Peter's message, quoted in full; see above]
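An added example, not from the thread: a small linter for dummynet pipe lines that models the 'bw' parsing Luigi describes (integer prefix, optional K/M multiplier, anything unrecognised silently taken as bits/s) and reports where the installed rate differs from the one the author meant. The parsing model is an assumption drawn from his description, not the ipfw source, and the sample lines are constructed from Peter's configuration.

```python
import re
from decimal import Decimal

# Constructed sample: three pipe lines from Peter's configuration plus the
# "2.56Mbit/s" case from Luigi's reply.
SAMPLE_CONFIG = """\
$fwcmd pipe 3 config bw .128Mbit/s
$fwcmd pipe 5 config bw 2.56Mbit/s
$fwcmd pipe 7 config bw 512Kbit/s
$fwcmd pipe 11 config bw 2048kbit/s
"""

_MULT = {"k": 1_000, "m": 1_000_000}
_DECIMAL_PREFIX = re.compile(r"^(\d*\.\d+|\d+\.?)")   # what the author meant
_INTEGER_PREFIX = re.compile(r"^\d+")                 # what strtoul() consumes
_PIPE_LINE = re.compile(r"\bpipe\s+(\d+)\s+config\b.*?\bbw\s+(\S+)")


def _scale(rest):
    """Multiplier for the unit suffix: K/M prefix, times 8 for bytes.

    Anything unrecognised (such as a leading '.') is ignored and the value
    is taken as plain bits/s. Assumption: this follows the behaviour Luigi
    describes in the thread, not the exact ipfw source.
    """
    r = rest.lower()
    mult = 1
    if r[:1] in _MULT:
        mult = _MULT[r[:1]]
        r = r[1:]
    if r.startswith("byte"):
        mult *= 8
    return mult


def effective_bps(spec):
    """Rate the kernel would actually install for a 'bw' argument."""
    m = _INTEGER_PREFIX.match(spec)
    if not m:
        return 0          # strtoul() on ".128..." yields 0, and 0 means unlimited
    return int(m.group()) * _scale(spec[m.end():])


def intended_bps(spec):
    """Rate the author meant, honouring a fractional prefix such as .128 or 2.56."""
    m = _DECIMAL_PREFIX.match(spec)
    if not m:
        raise ValueError(f"no numeric prefix in {spec!r}")
    return int(Decimal(m.group(1)) * _scale(spec[m.end():]))


def integer_spec(bps):
    """Render a rate with the largest unit that keeps the number an integer."""
    if bps % 1_000_000 == 0:
        return f"{bps // 1_000_000}Mbit/s"
    if bps % 1_000 == 0:
        return f"{bps // 1_000}Kbit/s"
    return f"{bps}bit/s"


def lint_config(text):
    """One finding per pipe whose installed rate differs from the intended one."""
    findings = []
    for line in text.splitlines():
        m = _PIPE_LINE.search(line)
        if not m:
            continue
        pipe, spec = int(m.group(1)), m.group(2)
        got, want = effective_bps(spec), intended_bps(spec)
        if got != want:
            findings.append({
                "pipe": pipe,
                "spec": spec,
                "installed": "unlimited" if got == 0 else f"{got} bit/s",
                "fix": integer_spec(want),
            })
    return findings


if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONFIG):
        print(f"pipe {f['pipe']}: bw {f['spec']} installs {f['installed']}; "
              f"use {f['fix']}")
```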
From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 7 07:55:04 2003
From: "Devon H. O'Dell"
To: pbrezny@purplecat.net
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 07 Oct 2003 16:53:16 +0200
Subject: Re: dummynet bw limit problem

Well hey there, Peter ;)

Peter Brezny wrote:
> Greetings,
>
> I'm having difficulties with dummynet limiting connections when I set the
> bw limit to anything greater than around 900 Kbit/sec.
> Using pipes 1-8 below, even mixed and matched for asymmetric control work
> fine, except when i bring in a pipe numbered 9 or greater.
>
> I've tried changing the queue size from between 20Kbytes to 50Kbytes
> I've tried increasing the buckets to 256
>
> But no luck.
>
> Interestingly, with the configuration below, if I ping a host on the
> internet, tcpdump shows the request and the reply, but I get nothing on
> the console.
>
> If I mix and match the in and outbound pipes, I'll either get nothing on
> the console, or:
> ping: sendto: No buffer space available

Apart from fixing the problems that Luigi pointed out, you might want to
consider changing the amount of memory allocated to mbufs on your system.
If you've set your net.inet.tcp.recvspace and/or net.inet.tcp.sendspace
too high, you may not have enough memory allocated for network operations
and packet operations will fail with the error message above.

Good luck :)

Devon H. O'Dell
http://bsdportal.org

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 7 14:46:35 2003
From: Michael Sierchio
To: freebsd-ipfw@FreeBSD.ORG
Date: Tue, 07 Oct 2003 14:46:28 -0700
Subject: Strange leakage of private source addresses w/ipfw and natd

This doesn't have a (user-) noticeable impact on traffic, but installing
a silent network recorder outside my firewall shows that some RFC 1918
addrs are getting through. My suspicion is that this has to do with my
use of both static and dynamic nat, but I can't be sure. I also need to
instrument my ruleset so I see which rule is allowing the traffic -- I'm
a bit puzzled.

I'll post details when I've got them, but I'm wondering if anyone else
has seen this?

Cheers,
Michael

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 8 14:20:15 2003
From: Valentine Zaretsky
To: ipfw@freebsd.org
Date: Thu, 09 Oct 2003 00:20:10 +0300
Subject: Limiting data size in tee rules

Hi!

In some applications there is no need to send the whole packet to
divert-socket (e.g. traffic accounting, where information contained in
headers is enough) and it might be useful to have a setting for the
length of data buffer that will be diverted from each matching packet.
For example:

ipfw add 1000 tee 4321 snaplen 68 ip from any to any via fxp0
# 68 bytes from each packet will be diverted to port 4321.

It seems that such a trick will reduce overhead of data copying to
userland, won't it?

--
Regards,
Valentine

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 9 08:54:42 2003
From: OpenMac
To: freebsd-ipfw@freebsd.org
Date: Thu, 09 Oct 2003 08:54:39 -0700
Subject: Help Requested re: traffic "INs and OUTs" of Firewall vs. MailServer

hi all,

in tweaking my ipfw rules i've turned on logging for just about all
traffic ... and have noticed a mail transaction that has me confused a
bit. The log entries of interest are as follows:

(1) Oct 8 17:38:50 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 in via en1
(2) Oct 8 17:54:26 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 out via en2

where:
aa.bb.cc.dd is some machine out on the internet
10.0.0.6 is my internal (nat'd) mail server
en1 is my external facing ethernet interface on my gateway
en2 is my internal facing ethernet interface on my gateway

The first log entry (1) is clear to me: External server aa.bb.cc.dd is
attempting to send me email.

My question is in regards to (2): Why are packets being sent *FROM* an
EXTERNAL machine sending packets OUT *TO* an INTERNAL machine? IN from
External, or OUT from Internal, as in (1) I can understand, but (2) has
me suspicious/confused ....

At first, I thought that the communication in (1) triggers/initiates the
communication in (2). To test, I thought that if I DENY ALL access
to/from aa.bb.cc.dd via en1 -- I'd expect that (1) would DENY, and since
traffic would never get to 10.0.0.6, there would be no (2)
triggered/logged. However, after DENY ALL as above, I get in my log:

(1) Oct 8 17:38:50 gateway mach_kernel: ipfw: 3799 Deny TCP aa.bb.cc.dd:21895 10.0.0.6:25 in via en1
(2) Oct 8 17:54:26 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 out via en2

So, it seems to me that (2) is being externally triggered?! Hence my
confusion & my question ...

Any suggestions as to what's going on here, and what I'm misunderstanding?

Thanks!
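An added example, not part of the thread: a parser for the ipfw log format quoted above that groups entries by 5-tuple and labels each flow in terms of the two passes a forwarding host makes over one packet (ipfw sees it 'in via' the interface it arrived on and again 'out via' the interface it leaves by, so a single accepted, forwarded packet yields two lines). The sample lines are constructed from the message; the label names are my own.

```python
import re
from collections import defaultdict

# Constructed samples reproducing the two experiments in the message above;
# aa.bb.cc.dd is the poster's placeholder for the external host.
LOG_BEFORE = """\
Oct 8 17:38:50 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 in via en1
Oct 8 17:54:26 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 out via en2
"""
LOG_AFTER = """\
Oct 8 17:38:50 gateway mach_kernel: ipfw: 3799 Deny TCP aa.bb.cc.dd:21895 10.0.0.6:25 in via en1
Oct 8 17:54:26 gateway mach_kernel: ipfw: 3800 Accept TCP aa.bb.cc.dd:21895 10.0.0.6:25 out via en2
"""

# Fields of one ipfw log entry; ports are optional so ICMP lines parse too.
_ENTRY = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+?)(?::(?P<sport>\d+))? (?P<dst>\S+?)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_entry(line):
    """Return the fields of one log line, or None if it is not an ipfw entry."""
    m = _ENTRY.search(line)
    return m.groupdict() if m else None


def group_by_flow(text):
    """Group entries by 5-tuple so both passes over one packet sit together."""
    flows = defaultdict(list)
    for line in text.splitlines():
        e = parse_entry(line)
        if e:
            flows[(e["proto"], e["src"], e["sport"], e["dst"], e["dport"])].append(e)
    return flows


def classify(entries):
    """Label a flow's entries in terms of ipfw's ingress and egress passes.

    A packet the host forwards is evaluated once 'in via' the interface it
    arrived on and again 'out via' the interface it leaves by. A packet
    denied on ingress is dropped and never reaches the egress pass, so an
    egress entry for the same flow cannot be that packet.
    """
    ingress = [e for e in entries if e["dir"] == "in"]
    egress = [e for e in entries if e["dir"] == "out"]
    if not ingress:
        return "egress-only"      # locally generated, or ingress not logged
    if not egress:
        return "ingress-only"     # delivered locally, dropped, or egress not logged
    if ingress[0]["action"].lower() == "deny":
        return "inconsistent"     # egress entry is not the packet denied on ingress
    if ingress[0]["iface"] != egress[0]["iface"]:
        return "forwarded"        # same packet: ingress pass, then egress pass
    return "hairpin"              # in and out on the same interface


def report(text):
    """Return (flow description, label) pairs for every flow in the log text."""
    out = []
    for (proto, src, sport, dst, dport), entries in group_by_flow(text).items():
        out.append((f"{proto} {src}:{sport} -> {dst}:{dport}", classify(entries)))
    return out


if __name__ == "__main__":
    for title, text in (("before DENY", LOG_BEFORE), ("after DENY", LOG_AFTER)):
        for desc, label in report(text):
            print(f"{title}: {desc}: {label}")
```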
From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 9 10:28:08 2003
From: "Dan Vande More"
Date: Thu, 9 Oct 2003 11:28:05 -0600
Message-ID: <6633DBDE6F5ED64D9D6AF3264AEE89146A7E78@shrex.asp.firstlink.com>
Subject: Applying desired patches

Silly question, but probably not the worst;)

I found Luigi Rizzo's recent patch under google groups and a few forums for transparent bridge forwarding support.
Ref: http://groups.google.com/groups?q=ipfw%40freebsd.org+apply+patch&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=48WJVb%24Nj7%40bbs.whnet.edu.cn&rnum=5
Ref: http://www.freebsdforums.org/forums/showthread.php?threadid=14795

For one reason or another, I'm having problems figuring out how to get it in my source code.
I'm running 4.8 release, with src/ ready to build. However, I can't quite figure it out.
What do I need to do to apply the patches?

My current ip_fw2.c is 1.6.2.11.

Do I need to jump up to the latest cvs, then apply the patch using patch < bridge.patch?

Thanks
Dan

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 9 14:05:35 2003
From: Luigi Rizzo
To: Valentine Zaretsky
Date: Thu, 9 Oct 2003 14:05:23 -0700
Message-ID: <20031009140523.C19092@xorpc.icir.org>
In-Reply-To: <3F847F8A.9030300@apex.dp.ua>
cc: ipfw@freebsd.org
Subject: Re: Limiting data size in tee rules

On Thu, Oct 09, 2003 at 12:20:10AM +0300, Valentine Zaretsky wrote:
> Hi!
>
> In some applications there is no need to send the whole packet to
> divert-socket (e.g. traffic accounting, where information contained in
> headers is enough) and it might be useful to have a setting for the
> length of data buffer that will be diverted from each matching packet.

for those cases, you might want to use the patches i posted some time
ago, which send packets that match a 'log' rule to a bpf listener.
This would also enable you to set the 'snaplen' at runtime, and use
the vast amount of bpf-based tools instead of having to write your own.

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 10 02:52:09 2003
From: Aleksandar Simonovski
To: freebsd-ipfw@freebsd.org
Date: Fri, 10 Oct 2003 11:54:24 +0200
Message-Id: <20031010115424.6c5e9e79.aleksandar@unet.com.mk>
In-Reply-To: <6633DBDE6F5ED64D9D6AF3264AEE89146A7E78@shrex.asp.firstlink.com>
Organization: Unet
Subject: freebsd shaper

Hi,
This is my scenario, now it is working on Slackware 9.1 with CBQ but I
wanna do it on FreeBSD 5.1

1.---------
          |
2.---------
          | <-------> HUB <-----> ETH1 <--- SHAPER ---> ETH0 <-----> INTERNET
3.---------
          |
4.---------

1,2,3 and 4 are all different networks
1 has 192.168.0.199/24, that is 192.168.0.199 is an alias on ETH1,
so I need NAT for this one.
ETH1 has four aliases which are gateways for 1,2,3, and 4
this is working on the linux box but I have some troubles with
limiting the traffic with CBQ
so I am asking if anyone knows how to do this on FreeBSD 5.1 with IPFW
and DUMMYNET

thanks,
Aleksandar

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 10 03:20:24 2003
From: Jens Trzaska
To: Dan Vande More
Date: Fri, 10 Oct 2003 12:20:18 +0200
Message-ID: <20031010102018.GA44753@anastasia.lan.barfoos.de>
In-Reply-To: <6633DBDE6F5ED64D9D6AF3264AEE89146A7E78@shrex.asp.firstlink.com>
X-Operating-System: FreeBSD 4.8-RELEASE, i386
cc: freebsd-ipfw@freebsd.org
Subject: Re: Applying desired patches

* Dan Vande More [2003-10-09 19:28]:
> Silly question, but probably not the worst;)
>
> I found Luigi Rizzo's recent patch under google groups and a few forums for transparent bridge forwarding support.
> Ref: http://groups.google.com/groups?q=ipfw%40freebsd.org+apply+patch&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=48WJVb%24Nj7%40bbs.whnet.edu.cn&rnum=5
> Ref: http://www.freebsdforums.org/forums/showthread.php?threadid=14795
>
> For one reason or another, I'm having problems figuring out how to get it in my source code.
> I'm running 4.8 release, with src/ ready to build. However, I can't quite figure it out.
> What do I need to do to apply the patches?
>
> My current ip_fw2.c is 1.6.2.11.
>
> Do I need to jump up to the latest cvs, then apply the patch using patch < bridge.patch?

Just write the patch into bridge.patch and
'cd /usr/src/sys/netinet && patch -p0 < bridge.patch'.
That should do the trick.

jens
--
Jens Trzaska                                                        (__)
                                                                    \\\'',)
                                                                      \/  \ ^
GPG-Fingerprint 1C9B 7EF8 1A22 1740 9F1B AB7B 17D2 64E1 96FE 36DB    .\._/_)

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 10 04:11:44 2003
From: traore@afribone.net.gn
To: ipfw@freebsd.org
Date: Fri, 10 Oct 2003 10:55:06 +0000
Message-ID: <1065783306.3f86900a74581@mail.afribone.net.gn>
Subject: ipfw2 with FreeBSD 4.7-Release

Hello
I have FreeBSD 4.7-release and want to know how to get the IPFW2 running. I am running IPFW/NAT right now.

I don't mind reading the docs and experimenting

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 10 04:19:43 2003
From: Luigi Rizzo
To: traore@afribone.net.gn
Date: Fri, 10 Oct 2003 04:19:24 -0700
Message-ID: <20031010041924.B95245@xorpc.icir.org>
In-Reply-To: <1065783306.3f86900a74581@mail.afribone.net.gn>
cc: ipfw@freebsd.org
Subject: Re: ipfw2 with FreeBSD 4.7-Release

On Fri, Oct 10, 2003 at 10:55:06AM +0000, traore@afribone.net.gn wrote:
>
> Hello
> I have FreeBSD 4.7-release and want to know how to
> get the IPFW2 running. I am running IPFW/NAT right now.
>
> I don't mind reading the docs and experimenting

Then do read the ipfw manpage and you'll find the answer.
It would help to read the manpage before posting requests like this...

luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 10 04:26:37 2003
From: Renato Barreto
To: "'freebsd-ipfw@freebsd.org'"
Date: Fri, 10 Oct 2003 08:20:33 -0300
Message-ID: <794C454376DCD6118B3200104B86ECFF03A5688F@n073.banrisul>
cc: "'traore@afribone.net.gn'"
Subject: RES: ipfw2 with FreeBSD 4.7-Release

Hi,

To do this run /stand/sysinstall (as root), choose Configure -> Distributions, then src, and then lib, sbin and sys.

To compile libalias:
# cd /usr/src/lib/libalias
# make -DIPFW2
# make install

To compile ipfw:
# cd /usr/src/sbin/ipfw
# make -DIPFW2
# make install

Build a Kernel with:
options IPFW2

Renato

-----Original Message-----
From: traore@afribone.net.gn [mailto:traore@afribone.net.gn]
Sent: Friday, 10 October 2003 07:55
To: ipfw@freebsd.org
Subject: ipfw2 with FreeBSD 4.7-Release

Hello
I have FreeBSD 4.7-release and want to know how to get the IPFW2 running. I am running IPFW/NAT right now.

I don't mind reading the docs and experimenting
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 10 06:56:48 2003
From: Aleksandar Simonovski
To: freebsd-ipfw@freebsd.org
Date: Fri, 10 Oct 2003 15:59:11 +0200
Message-Id: <20031010155911.31ae5f3a.aleksandar@unet.com.mk>
In-Reply-To: <6633DBDE6F5ED64D9D6AF3264AEE89146A7E78@shrex.asp.firstlink.com>
Organization: Unet
Subject: freebsd shaper

Hi,
This is my scenario, now it is working on Slackware 9.1 with CBQ but I
wanna do it on FreeBSD 5.1

1.---------
          |
2.---------
          | <-------> HUB <-----> ETH1 <--- SHAPER ---> ETH0 <-----> INTERNET
3.---------
          |
4.---------

1,2,3 and 4 are all different networks
1 has 192.168.0.199/24, that is 192.168.0.199 is an alias on ETH1,
so I need NAT for this one.
ETH1 has four aliases which are gateways for 1,2,3, and 4
this is working on the linux box but I have some troubles with
limiting the traffic with CBQ
so I am asking if anyone knows how to do this on FreeBSD 5.1 with IPFW
and DUMMYNET

thanks,
Aleksandar

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 10 07:23:54 2003
From: "Dan Vande More"
To: "Jens Trzaska"
Date: Fri, 10 Oct 2003 08:23:53 -0600
Message-ID: <6633DBDE6F5ED64D9D6AF3264AEE89146A7E7D@shrex.asp.firstlink.com>
Subject: RE: Applying desired patches

I even tried applying this by hand, but was unsuccessful, nothing errored, it just still didn't work.
I had to fall back to plan b of just natting using this box.
However, I do intend on figuring this out.

Thanks for your help Jens!

Dan

-----Original Message-----
From: Jens Trzaska [mailto:jt@barfoos.de]
Sent: Friday, October 10, 2003 4:20 AM
To: Dan Vande More
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Applying desired patches

* Dan Vande More [2003-10-09 19:28]:
> Silly question, but probably not the worst;)
>
> I found Luigi Rizzo's recent patch under google groups and a few forums for transparent bridge forwarding support.
> Ref: http://groups.google.com/groups?q=ipfw%40freebsd.org+apply+patch&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=48WJVb%24Nj7%40bbs.whnet.edu.cn&rnum=5
> Ref: http://www.freebsdforums.org/forums/showthread.php?threadid=14795
>
> For one reason or another, I'm having problems figuring out how to get it in my source code.
> I'm running 4.8 release, with src/ ready to build. However, I can't quite figure it out.
> What do I need to do to apply the patches?
>
> My current ip_fw2.c is 1.6.2.11.
>
> Do I need to jump up to the latest cvs, then apply the patch using patch < bridge.patch?

Just write the patch into bridge.patch and
'cd /usr/src/sys/netinet && patch -p0 < bridge.patch'.
That should do the trick.

jens
--
Jens Trzaska                                                        (__)
                                                                    \\\'',)
                                                                      \/  \ ^
GPG-Fingerprint 1C9B 7EF8 1A22 1740 9F1B AB7B 17D2 64E1 96FE 36DB    .\._/_)

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 10 13:15:26 2003
From: Sean Hafeez
To: Aleksandar Simonovski
Date: Fri, 10 Oct 2003 13:15:25 -0700
Message-Id: <7BE7878D-FB5E-11D7-8CBD-003065F1EE08@edgefocus.com>
In-Reply-To: <20031010155911.31ae5f3a.aleksandar@unet.com.mk>
cc: freebsd-ipfw@freebsd.org
Subject: Re: freebsd shaper

ipfw -f flush
/sbin/natd -interface rl0
ipfw add 999 divert natd all from any to any via rl0
ipfw add pipe 1 ip from any to any in recv rl1
ipfw add pipe 2 ip from any to any out xmit rl1
ipfw pipe 1 config mask src-ip 0xffffffff bw 1024kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 1024kbits/s

this limits all users to 1mb, rl1 is internal. rl0 is external. you need to read the docs. very simple to use.

On Friday, October 10, 2003, at 06:59 AM, Aleksandar Simonovski wrote:

> Hi,
> This is my scenario, now it is working on Slackware 9.1 with CBQ
> but I wanna do it on FreeBSD 5.1
>
> 1.---------
>           |
> 2.---------
>           | <-------> HUB <-----> ETH1 <--- SHAPER ---> ETH0 <-----> INTERNET
> 3.---------
>           |
> 4.---------
>
> 1,2,3 and 4 are all different networks
> 1 has 192.168.0.199/24, that is 192.168.0.199 is an alias on ETH1,
> so I need NAT for this one.
> ETH1 has four aliases which are gateways for 1,2,3, and 4
> this is working on the linux box but I have some troubles with
> limiting the traffic with CBQ
> so I am asking if anyone knows how to do this on FreeBSD 5.1 with IPFW
> and DUMMYNET
>
> thanks,
> Aleksandar

From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 11 02:41:12 2003
From: Nikolay Pavlov
To: freebsd-ipfw@freebsd.org
Date: Sat, 11 Oct 2003 12:34:15 +0300
Message-ID: <6312716335.20031011123415@roks.biz>
Reply-To: Nikolay Pavlov
Subject: Sequence of dummynet rules with net.inet.ip.fw.one_pass: 0

Hi, folks.

When I started to configure ipfw1 dummynet rules with net.inet.ip.fw.one_pass: 0 (my rule set is rather big and detailed, so I don't want to reconfigure it), I have faced a problem with the rule that describes "any other traffic" and has the lowest priority. I cannot place this rule after all others, like with net.inet.ip.fw.one_pass: 1, but where? Maybe in front of the dummynet rule set (I think that it will cause some duplication and increase delays)? Could I use a skipto construction, something like this:

${fwcmd} add 1350 ...some queue... skipto 1400
${fwcmd} add 1355 ...some queue... skipto 1400
${fwcmd} add 1355 ...some queue... skipto 1400
..... [snip] .....
${fwcmd} add 1395 queue 100 ip from any to any via ${oif}

where 1395 is the last dummynet rule and queue 100 config weight 1 pipe1

And the last one: what will happen if I don't explicitly establish this rule, does it mean that "any other traffic" will have the lowest priority by default?

Here is my rc.firewall:
==============================================================================================
# Let's configure some pipes and queues. Full-duplex configuration.
${fwcmd} pipe 1 config bw 32Kbit/s queue 6KBytes
${fwcmd} pipe 2 config bw 32Kbit/s queue 6KBytes
${fwcmd} queue 11 config weight 50 pipe 1
${fwcmd} queue 12 config weight 50 pipe 2
${fwcmd} queue 21 config weight 30 pipe 1
${fwcmd} queue 22 config weight 30 pipe 2
${fwcmd} queue 101 config weight 1 pipe 1
${fwcmd} queue 102 config weight 1 pipe 2

# Ok. Let's start traffic shaper. NOTE: sysctl variable net.inet.ip.fw.one_pass is set to 0
# and don't forget about NATd

# Interactive traffic ICQ, IRC, FTP-Commands, SSH
${fwcmd} add 1350 queue 11 ip from 192.168.100.0/24 to any 6667,5190,21,22 out xmit ${oif}
${fwcmd} add 1355 queue 12 ip from any 6667,5190,21,22 to me in recv ${oif}
${fwcmd} add 1360 queue 11 ip from me to any 6667,5190,21,22 out xmit ${oif}

# My SSH daemon. Uncomment this and configure sshd.conf to listen on oif, when not at home :-)
#${fwcmd} add 1365 queue 11 ip from me 22 to any out xmit ${oif}
#${fwcmd} add 1370 queue 12 ip from any to me 22 in recv ${oif}

# WWW traffic, parent SQUID, ICP.
${fwcmd} add 1375 queue 21 ip from me to any 80,3128,3130 out xmit ${oif}
${fwcmd} add 1380 queue 22 ip from any 80,3128,3130 to me in recv ${oif}

# DNS requests and responses. UDP only
${fwcmd} add 1385 queue 21 udp from 192.168.100.0/24 to any 53 out xmit ${oif}
${fwcmd} add 1390 queue 22 udp from any 53 to me in recv ${oif}
${fwcmd} add 1395 queue 21 udp from me to any 53 out xmit ${oif}

# Any other traffic
#${fwcmd} add queue 101 ip from any to any out xmit ${oif}
#${fwcmd} add queue 102 ip from any to any in recv ${oif}
===============================================================================================

Note, please, that it is a working server and I cannot be near the console, therefore so many questions :)

P.S. Please CC me, because I am in digest mode.
Sorry for my English.

Thanks,
Nikolay.
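A small simulation of ipfw rule traversal, added as an illustration of the ordering problem in the message above (it is not ipfw code and not the poster's). It models the documented semantics of net.inet.ip.fw.one_pass: with one_pass=1 a queue action ends processing, with one_pass=0 the packet re-enters the firewall at the next rule, and skipto continues at the first rule numbered at or above its target. Since an ipfw rule carries one action, the "queue ... skipto" idea is modelled as a queue rule followed by a skipto rule with the same match; only the outbound LAN rules 1350 and 1385 from the rc.firewall are modelled, the catch-all at 1399 and the allow at 1400 are assumed placements, and the packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address
    dport: int   # destination port


@dataclass
class Rule:
    num: int
    action: str  # "queue", "skipto" or "allow"
    arg: int     # queue number, skipto target, or 0 for allow
    match: Callable[[Packet], bool]


def match(proto: str = "ip", src_net: str = None, dports=None) -> Callable[[Packet], bool]:
    """Tiny model of 'proto from src_net to any dports' (direction is implied: out xmit ${oif})."""
    net = ip_network(src_net) if src_net else None

    def m(p: Packet) -> bool:
        if proto != "ip" and p.proto != proto:
            return False
        if net is not None and ip_address(p.src) not in net:
            return False
        if dports is not None and p.dport not in dports:
            return False
        return True
    return m


def run(rules: List[Rule], pkt: Packet, one_pass: int) -> List[int]:
    """Return the dummynet queues the packet is placed in, in order.
    A packet that is queued twice is shaped twice, which is the duplication
    the thread is about."""
    rules = sorted(rules, key=lambda r: r.num)
    queues: List[int] = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.match(pkt):
            i += 1
            continue
        if r.action == "queue":
            queues.append(r.arg)
            if one_pass:          # one_pass=1: dummynet output is not re-examined
                break
            i += 1                # one_pass=0: reinjected at the next rule
        elif r.action == "skipto":
            i = next((j for j, x in enumerate(rules) if x.num >= r.arg), len(rules))
        elif r.action == "allow":
            break
        else:
            raise ValueError(f"unsupported action {r.action}")
    return queues


INTERACTIVE = match("ip", "192.168.100.0/24", {6667, 5190, 21, 22})   # rule 1350
DNS = match("udp", "192.168.100.0/24", {53})                          # rule 1385
ANY = match()


def build_rules(variant: str) -> List[Rule]:
    """Three placements of the 'any other traffic' queue 101 rule (assumed numbers)."""
    rules = [Rule(1350, "queue", 11, INTERACTIVE), Rule(1385, "queue", 21, DNS)]
    if variant == "trailing":       # catch-all after the specific rules
        rules.append(Rule(1399, "queue", 101, ANY))
    elif variant == "leading":      # catch-all in front of the dummynet block
        rules.append(Rule(1340, "queue", 101, ANY))
    elif variant == "skipto":       # each queue rule followed by a skipto past the block
        rules += [Rule(1351, "skipto", 1400, INTERACTIVE),
                  Rule(1386, "skipto", 1400, DNS),
                  Rule(1399, "queue", 101, ANY)]
    else:
        raise ValueError(variant)
    rules.append(Rule(1400, "allow", 0, ANY))   # assumed end of the shaper block
    return rules


if __name__ == "__main__":
    ssh = Packet("tcp", "192.168.100.5", 22)
    for variant in ("trailing", "leading", "skipto"):
        for one_pass in (1, 0):
            print(variant, "one_pass=%d" % one_pass, run(build_rules(variant), ssh, one_pass))
```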
From owner-freebsd-ipfw@FreeBSD.ORG Sat Oct 11 15:56:31 2003
From: "The Jetman"
To: "FBSD IPFW"
Date: Sat, 11 Oct 2003 18:26:04 -0400
Reply-To: The Jetman
Subject: [4.8-R]Monitoring IP Usage....

Folks:

I've been using NTOP to monitor IP usage on a relatively small (< a class-C net) network, which is serviced by a T-1. I've been using NTOP to track IP usage (per IP host), but even though it's operating on a bridge box, it (ie. NTOP) isn't seeing all of the hosts in the net. I *can* see the traffic for these hosts w/ TCPDUMP. Until (and *if*) the problem w/ NTOP is solved, I was wondering if there were any issues to using IPFW's pkt/byte count to satisfy the client's IP usage requirements.

My scheme would have a Python script do an 'ipfw -a list', parse the contents, store the byte counts in a mySQL database, and zero out the byte counters after a periodic scan of all of the IPs. BTW, the IPFW rules for each host put explicit limits on every IP that passes thru the bridge. All other IPs in this network are explicitly blocked.

How does this sound ?

Later....Jet

=============== From the desk of Jethro Wright, III ================
+ Nothing causes self-delusion quite so readily as power. =
=== jetman516@hotmail.com ========================= Liu Binyan ===
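An added sketch of the accounting step of the scheme above, not the poster's script: it parses `ipfw -a list` output (assumed column layout: rule number, packet count, byte count, rule body) and credits bytes to the host named in each per-host rule. Instead of zeroing counters after each scan, which loses whatever passes between the list and the zero, it keeps the previous sample and reports deltas, treating a counter that went backwards or a rule number whose body changed as a reset. The rule set and the two samples are constructed; storing the result in MySQL is left out.

```python
import re
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

# One line of `ipfw -a list`: "<rule> <packets> <bytes> <rule body>".
LIST_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
ADDR_RE = re.compile(r"\bfrom (\S+) to (\S+)")

RuleTable = Dict[int, Tuple[int, int, str]]  # rule -> (packets, bytes, body)

# Constructed samples: two successive scans of a per-host bridge rule set.
SAMPLE_T0 = """\
00100          0           0 allow ip from any to any via lo0
01000       1203      912345 pipe 1 ip from 203.0.113.10 to any
01001       2210     3312000 pipe 2 ip from any to 203.0.113.10
01010         17        2040 pipe 3 ip from 203.0.113.11 to any
01011         20        5100 pipe 4 ip from any to 203.0.113.11
65000          5         420 deny ip from any to any
"""
SAMPLE_T1 = """\
00100          0           0 allow ip from any to any via lo0
01000       1500     1000000 pipe 1 ip from 203.0.113.10 to any
01001       2300     3400000 pipe 2 ip from any to 203.0.113.10
01010          3         300 pipe 3 ip from 203.0.113.11 to any
01011         20        5100 pipe 4 ip from any to 203.0.113.11
65000          9         780 deny ip from any to any
"""


def parse_ipfw_list(text: str) -> RuleTable:
    """Parse `ipfw -a list` output; lines without counters are ignored."""
    rules: RuleTable = {}
    for line in text.splitlines():
        m = LIST_RE.match(line)
        if m:
            rules[int(m.group(1))] = (int(m.group(2)), int(m.group(3)), m.group(4))
    return rules


def host_of(body: str) -> Optional[Tuple[str, str]]:
    """Map a per-host rule body to (ip, 'out' | 'in'); None for rules
    such as 'from any to any' or network prefixes that name no single host."""
    m = ADDR_RE.search(body)
    if not m:
        return None
    src, dst = m.groups()
    for token, direction in ((src, "out"), (dst, "in")):
        try:
            return str(ip_address(token)), direction
        except ValueError:
            continue
    return None


def usage_delta(prev: RuleTable, curr: RuleTable) -> Dict[str, Dict[str, int]]:
    """Bytes per host and direction since the previous sample."""
    usage: Dict[str, Dict[str, int]] = {}
    for num, (_pkts, nbytes, body) in curr.items():
        host = host_of(body)
        if host is None:
            continue
        ip, direction = host
        prev_pkts, prev_bytes, prev_body = prev.get(num, (0, 0, ""))
        # A lower count or a different body means the rule was reset or
        # replaced, so the whole current value is new traffic.
        if prev_body != body or nbytes < prev_bytes:
            prev_bytes = 0
        usage.setdefault(ip, {"in": 0, "out": 0})[direction] += nbytes - prev_bytes
    return usage


if __name__ == "__main__":
    for ip, dirs in sorted(usage_delta(parse_ipfw_list(SAMPLE_T0),
                                       parse_ipfw_list(SAMPLE_T1)).items()):
        print(ip, dirs)
```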