From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 23 03:08:15 2004
From: Dongxiang Liao
To: freebsd-ipfw@freebsd.org
Date: Sun, 22 Aug 2004 22:08:05 -0500
Subject: natd -redirect_port

Hey there,

I have been playing with ipfw and natd to set up a firewall and port remap, but am having a problem with a seemingly trivial situation.

I want to redirect the incoming traffic to port 995 to port 22 on the same machine. The man page of natd suggests natd -redirect_port should do it. But "natd -redirect_port tcp 22 995" indicates I am missing the target address and alias address. I don't quite understand the situation since I have only one machine itself here.

I would appreciate any suggestions.

Dong

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 23 06:14:06 2004
From: patrick
To: Dongxiang Liao
cc: freebsd-ipfw@freebsd.org
Date: Sun, 22 Aug 2004 23:17:38 -0700
Message-ID: <41298C02.1020008@esoltani.com>
Subject: Re: natd -redirect_port

Dongxiang Liao wrote:
> Hey there,
>
> I have been playing with ipfw and natd to setup firewall and port remap,
> but having problem with a seemingly trivial situation.
>
> I want to redirect the incoming traffic to port 995 to port 22 on the
> same machine. The man page of natd suggest natd -redirect_port should
> do it. But "natd -redirect_port tcp 22 995" indicate I am missing the
> target address and alias address. I don't quite understand the
> situation since I have only one machine itself here.
>
> I would appreciate any suggestions.
>
> Dong
>

Assuming you already set up "natd" and it's working, then the following should work, provided your internal network/interface is numbered 192.168.1.1 and your external network/interface 1.2.3.4.

redirect_port tcp 192.168.1.1:995 1.2.3.4:22

I have a feeling you are attempting to make the pop3 access secure; if yes, take a look at:
http://www.cs.duke.edu/csl/security/secure-email.php

Regards,
Patrick Soltani.
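As an added illustration (not code from natd, FreeBSD or anyone in this thread), the Python below reads redirect_port lines with the grammar given in natd(8), target address and port first, alias port second, in both the natd.conf form and the -redirect_port argument form, and shows where an inbound packet ends up; the address 203.0.113.10 and the single-host rule for the 995-to-22 case are constructed.

```python
"""Parse natd(8) redirect_port directives and apply one to an inbound packet.

Grammar from natd(8), which is what the thread above is about:
    redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT]
The first pair is where natd delivers the connection (the target); the
second is the port on the alias (external) address that clients connect to.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

_PORTS = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def _parse_ports(text: str) -> range:
    """'995' -> range(995, 996); '8000-8010' -> range(8000, 8011)."""
    m = _PORTS.match(text)
    if m is None:
        raise ValueError(f"bad port or port range: {text!r}")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"port out of range: {text!r}")
    return range(lo, hi + 1)


def _parse_endpoint(text: str, addr_required: bool):
    """Split 'ip:port(s)'; a bare port is only legal for the alias side."""
    if ":" in text:
        addr, ports = text.rsplit(":", 1)
        return ipaddress.ip_address(addr), _parse_ports(ports)
    if addr_required:
        # This is what natd complains about for "-redirect_port tcp 22 995":
        # the target must be written as address:port, even on a single host.
        raise ValueError(f"target must be IP:port, got {text!r}")
    return None, _parse_ports(text)


@dataclass(frozen=True)
class Redirect:
    proto: str
    target_ip: ipaddress.IPv4Address
    target_ports: range
    alias_ip: Optional[ipaddress.IPv4Address]   # None: address of the natd interface
    alias_ports: range


def parse_redirect_port(line: str) -> Redirect:
    """Parse one redirect_port line (natd.conf form or -redirect_port argument form)."""
    words = line.split()
    if words and words[0] in ("redirect_port", "-redirect_port"):
        words = words[1:]
    if len(words) < 3:
        raise ValueError("redirect_port needs: proto targetIP:port [aliasIP:]port")
    proto = words[0].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    target_ip, target_ports = _parse_endpoint(words[1], addr_required=True)
    alias_ip, alias_ports = _parse_endpoint(words[2], addr_required=False)
    if len(target_ports) != len(alias_ports):
        raise ValueError("target and alias port ranges must have the same length")
    return Redirect(proto, target_ip, target_ports, alias_ip, alias_ports)


def translate_inbound(rule: Redirect, interface_ip: str, proto: str,
                      dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Destination after natd rewrites an inbound packet, or None if the rule
    does not apply. interface_ip stands in for the natd interface address."""
    alias_ip = rule.alias_ip if rule.alias_ip is not None else ipaddress.ip_address(interface_ip)
    if proto.lower() != rule.proto or ipaddress.ip_address(dst_ip) != alias_ip:
        return None
    if dst_port not in rule.alias_ports:
        return None
    return str(rule.target_ip), rule.target_ports.start + (dst_port - rule.alias_ports.start)


if __name__ == "__main__":
    # Constructed single-host case for the original question: the box's own
    # address is 203.0.113.10, sshd listens on 22, clients connect to 995.
    single = parse_redirect_port("redirect_port tcp 203.0.113.10:22 995")
    print(translate_inbound(single, "203.0.113.10", "tcp", "203.0.113.10", 995))
    # The line from the reply above, read with the same grammar.
    reply = parse_redirect_port("redirect_port tcp 192.168.1.1:995 1.2.3.4:22")
    print(translate_inbound(reply, "1.2.3.4", "tcp", "1.2.3.4", 22))
    try:
        parse_redirect_port("-redirect_port tcp 22 995")   # the form that failed
    except ValueError as exc:
        print("rejected:", exc)
```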
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 23 07:49:41 2004
From: Igor Popov
To: freebsd-ipfw@freebsd.org
Date: Mon, 23 Aug 2004 10:46:57 +0200
Message-Id: <200408231046.57543.igor@garant.koenig.ru>
Subject: Too many droped packets

hi,

I have FreeBSD-5.2.1-p9 on my network as inet gateway: fxp0 is my internal iface, fxp0:0 is an alias for the jail where squid lives, and tun0 is my external iface. And here is my ruleset:

#!/bin/sh
#
############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

###########
# Limit incoming traffic rate
${fwcmd} disable one_pass
${fwcmd} add 300 pipe 1 ip from any to any in recv fxp0
${fwcmd} pipe 1 config bw 8MByte/s queue 50 gred 0.005/35/45/0.2

###########
# Antispoofing rule
${fwcmd} add deny log all from any to any not verrevpath in

###########
# Bad packets
${fwcmd} add deny log all from any to any iplen 0-20 in
${fwcmd} add deny log all from any to any ipoptions ssrr,lsrr in

############
# Setup loopback
# Only in rare cases do you want to change these rules
${fwcmd} add pass all from any to any via lo0
${fwcmd} add deny all from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any

###########
# Divert all packets through the tunnel interface.
#${fwcmd} add divert natd ip from any to any via tun0

###########
# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
${fwcmd} add check-state
${fwcmd} add deny log tcp from any to any established

###########
# Allow all connections from my network card that I initiate
${fwcmd} add allow tcp from me to 192.168.0.0/24 out xmit fxp0 setup keep-state
${fwcmd} add deny tcp from me to 192.168.0.0/24 out xmit fxp0
${fwcmd} add allow ip from me to 192.168.0.0/24 out xmit fxp0 keep-state

###########
# Allow all connections from my inet ppp interface that I initiate
${fwcmd} add allow tcp from me to any out xmit tun0 setup keep-state
${fwcmd} add allow ip from me to any out xmit tun0 keep-state

############
# Everyone on the localnet is allowed to connect to the following
# services on the machine. This string specifically allows connections
# to sshd, smtp, dns, pop3, imap, squid.
${fwcmd} add allow tcp from 192.168.0.0/24 to me dst-port ssh,smtp,domain,pop3,imap,3128 in recv fxp0 setup keep-state
${fwcmd} add allow udp from 192.168.0.0/24 to me dst-port domain in recv fxp0 keep-state

############
# Enable ICMP
# Deny and log all pings from inet and localnet
${fwcmd} add deny log icmp from any to any icmptypes 8,13 in recv any
${fwcmd} add allow icmp from me to any keep-state
${fwcmd} add allow icmp from 192.168.0.0/24 to me in recv fxp0 keep-state

###########
# Allow IPSec (AH and ESP protocols with isakmp)
${fwcmd} add allow ah from me to 192.168.0.0/24 out via fxp0 keep-state
${fwcmd} add allow esp from me to 192.168.0.0/24 out via fxp0 keep-state
${fwcmd} add allow ah from 192.168.0.0/24 to me in via fxp0 keep-state
${fwcmd} add allow esp from 192.168.0.0/24 to me in via fxp0 keep-state
${fwcmd} add allow log udp from 192.168.0.0/24 to me src-port isakmp dst-port isakmp in recv fxp0 keep-state

############
# This sends a RESET to all ident packets.
${fwcmd} add reset log tcp from any to me 113 in recv fxp0

############
# Deny all the rest.
${fwcmd} add deny log ip from any to any

And the problem that I see is too many dropped connections via the rule (${fwcmd} add deny log tcp from any to any established) from my squid via the ext iface (tun0).

--
Tonight's the night: Sleep in a eucalyptus tree.
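Added illustration (not code from the poster or from FreeBSD): a Python triage that parses ipfw "log" lines from syslog and counts hits by rule, by interface and direction, and by flow with the ephemeral port folded away, which is the quickest way to see which traffic a rule like the "deny log tcp from any to any established" above is catching; the log lines, rule numbers and addresses are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Shape of a logged ipfw(8) hit on FreeBSD 5.x (the syslog prefix varies):
#   ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))? (?P<dst>[0-9.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample: a squid-like client on the gateway talking to web servers
# through tun0. Rule numbers and addresses are made up for this example; map
# real ones back to rules with "ipfw show".
SAMPLE_LOG = """\
Aug 23 10:46:01 gw kernel: ipfw: 1100 Deny TCP 192.168.0.2:49152 198.51.100.7:80 out via tun0
Aug 23 10:46:01 gw kernel: ipfw: 1100 Deny TCP 198.51.100.7:80 192.168.0.2:49152 in via tun0
Aug 23 10:46:02 gw kernel: ipfw: 1100 Deny TCP 192.168.0.2:49153 198.51.100.7:80 out via tun0
Aug 23 10:46:02 gw kernel: ipfw: 1100 Deny TCP 198.51.100.7:80 192.168.0.2:49153 in via tun0
Aug 23 10:46:05 gw kernel: ipfw: 1100 Deny TCP 192.168.0.2:49154 203.0.113.9:443 out via tun0
Aug 23 10:46:07 gw kernel: ipfw: 400 Deny TCP 10.0.0.5:1025 192.168.0.1:22 in via tun0
Aug 23 10:46:09 gw kernel: ipfw: 1700 Deny ICMP:8.0 203.0.113.40 192.168.0.1 in via tun0
Aug 23 10:46:10 gw sshd[1234]: Accepted publickey for igor from 192.168.0.10 port 50123
"""

FlowKey = Tuple[str, str, str, Optional[int]]   # (proto, client, server, server_port)


def parse_ipfw_line(line: str) -> Optional[dict]:
    """Return the fields of one ipfw log line, or None for unrelated syslog lines."""
    m = IPFW_LINE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["rule"] = int(ev["rule"])
    ev["sport"] = int(ev["sport"]) if ev["sport"] else None
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def flow_key(ev: dict) -> FlowKey:
    """Collapse both directions of a connection onto (client, server, service port).

    Heuristic: the lower port number is taken to be the service side, so the
    ephemeral port is dropped and every connection from one client to one
    service counts as a single flow, whichever direction was logged."""
    if ev["sport"] is None or ev["dport"] is None:       # e.g. ICMP, no ports
        return (ev["proto"], ev["src"], ev["dst"], None)
    if ev["sport"] < ev["dport"]:                          # reply packet: server is src
        return (ev["proto"], ev["dst"], ev["src"], ev["sport"])
    return (ev["proto"], ev["src"], ev["dst"], ev["dport"])


def summarize(lines: Iterable[str], action: str = "Deny") -> Dict[str, Counter]:
    """Count hits of one action by rule, by (rule, iface, direction) and by flow."""
    by_rule, by_place, by_flow = Counter(), Counter(), Counter()
    for line in lines:
        ev = parse_ipfw_line(line)
        if ev is None or ev["action"] != action:
            continue
        by_rule[ev["rule"]] += 1
        by_place[(ev["rule"], ev["iface"], ev["dir"])] += 1
        by_flow[flow_key(ev)] += 1
    return {"by_rule": by_rule, "by_place": by_place, "by_flow": by_flow}


def report(summary: Dict[str, Counter], top: int = 5) -> str:
    """Render the summary as text, busiest rule and flows first."""
    out = ["hits per rule:"]
    for rule, n in summary["by_rule"].most_common():
        out.append(f"  rule {rule:>5}: {n}")
    out.append("hits per rule/interface/direction:")
    for (rule, iface, direction), n in summary["by_place"].most_common():
        out.append(f"  rule {rule:>5} {iface} {direction:>3}: {n}")
    out.append(f"top {top} flows (client -> server:port):")
    for (proto, client, server, port), n in summary["by_flow"].most_common(top):
        svc = f"{server}:{port}" if port is not None else server
        out.append(f"  {proto:<9} {client} -> {svc}: {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines())))
```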
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 23 11:02:29 2004
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 23 Aug 2004 11:02:29 GMT
Message-Id: <200408231102.i7NB2Tgj030241@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] i386/60154  ipfw  ipfw core (crash)
o [2004/03/03] kern/63724  ipfw  IPFW2 Queues dont t work
o [2004/03/14] kern/64240  ipfw  IPFW tee terminates rule processing

6 problems total.

Non-critical problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/01/12] kern/61259  ipfw  [patch] make "ipfw tee" work as intended
o [2004/03/09] kern/63961  ipfw  ipfw2 uid matching doesn't work correctly

12 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 23 11:57:19 2004
From: Nikolay Pavlov
To: Igor Popov
cc: freebsd-ipfw@freebsd.org
Date: Mon, 23 Aug 2004 14:57:17 +0300
Message-ID: <20040823115717.GA1311@roks.biz>
In-Reply-To: <200408231046.57543.igor@garant.koenig.ru>
Subject: Re: Too many droped packets

Hi, Igor.

On Monday, 23 August 2004 at 10:46:57 +0200, Igor Popov wrote:
>
> And problem that I see too many dropped conections via rule (${fwcmd} add
> deny log tcp from any to any established) from my squid via ext iface (tun0)
>
> --
> Tonight's the night: Sleep in a eucalyptus tree.

I think that this thread will explain the reasons for your problem:
http://docs.FreeBSD.org/cgi/mid.cgi?40D3106A.9030403

Best regards,
Nikolay Pavlov.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 23 16:57:21 2004
Date: Mon, 23 Aug 2004 18:57:18 +0200
From: Pawel Jakub Dawidek
To: Pawel Malachowski
cc: freebsd-ipfw@freebsd.org
cc: FreeBSD-gnats-submit@FreeBSD.org
Message-ID: <20040823165718.GQ30151@darkness.comp.waw.pl>
In-Reply-To: <20040811163426.E06283474C2@shellma.zin.lublin.pl>
Subject: Re: bin/70311: ipfw(8) pipe/queue show N displays data not only for N

On Wed, Aug 11, 2004 at 06:34:26PM +0200, Pawel Malachowski wrote:
+> 2. After patching:
+> `ipfw pipe show N' displays data for pipe N and queues with parentpipe=N.
+> `ipfw queue show N' displays data for queue N and no pipes.
+>
+> *** /usr/src/sbin/ipfw/ipfw2.c.orig	Wed Aug 11 18:08:27 2004
+> --- /usr/src/sbin/ipfw/ipfw2.c	Wed Aug 11 18:27:21 2004
+> ***************
+> *** 1498,1504 ****
+>   	next = (char *)p + l;
+>   	nbytes -= l;
+>
+> ! 	if (rulenum != 0 && rulenum != p->pipe_nr)
+>   		continue;
+>
+>   	/*
+> --- 1498,1504 ----
+>   	next = (char *)p + l;
+>   	nbytes -= l;
+>
+> ! 	if ( (rulenum != 0 && rulenum != p->pipe_nr) || (do_pipe==2) )
+>   		continue;
+>
+>   	/*
+> ***************
+> *** 1532,1537 ****
+> --- 1532,1542 ----
+>   	l = sizeof(*fs) + fs->rq_elements * sizeof(*q);
+>   	next = (char *)fs + l;
+>   	nbytes -= l;
+> +
+> + 	if (rulenum != 0 && ((rulenum != fs->fs_nr && do_pipe==2)
+> + 		|| (rulenum != fs->parent_nr && do_pipe==1)))
+> + 		continue;
+> +
+>   	q = (struct dn_flow_queue *)(fs+1);
+>   	sprintf(prefix, "q%05d: weight %d pipe %d ",
+>   	    fs->fs_nr, fs->weight, fs->parent_nr);

This patch doesn't work for me as expected. It shows all pipes and queues
with parentpipe=N.
Could you check this patch (it is against -CURRENT, but it should be easy
to apply it to 4.x):

Index: ipfw2.c
===================================================================
RCS file: /private/FreeBSD/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.54
diff -u -p -r1.54 ipfw2.c
--- ipfw2.c	12 Aug 2004 22:06:55 -0000	1.54
+++ ipfw2.c	23 Aug 2004 16:51:26 -0000
@@ -1564,6 +1564,12 @@ list_pipes(void *data, uint nbytes, int
 	l = sizeof(*fs) + fs->rq_elements * sizeof(*q);
 	next = (char *)fs + l;
 	nbytes -= l;
+
+	if (rulenum != 0 && ((rulenum != fs->fs_nr && do_pipe == 2) ||
+	    (rulenum != fs->parent_nr && do_pipe == 1))) {
+		continue;
+	}
+
 	q = (struct dn_flow_queue *)(fs+1);
 	sprintf(prefix, "q%05d: weight %d pipe %d ",
 	    fs->fs_nr, fs->weight, fs->parent_nr);

Basically, it looks like the first addition of 'do_pipe==2' is bogus.

PS. Could you use unified diff format for patch generation?

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
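Review bot: this hunk filters only the queue listing, while the pipe check earlier in list_pipes (`if (rulenum != 0 && rulenum != p->pipe_nr) continue;` in the quoted context diff, untouched here) still prints pipe N whenever a pipe with that number exists, so `ipfw queue show N` lists pipe N next to queue N; the quoted patch's first hunk adds `|| (do_pipe==2)` to that check for exactly this case, so the two patches are not equivalent. Whichever version is committed, the commit message should say what plain `ipfw queue show` (rulenum == 0) prints, since the quoted version stops listing pipes entirely and this one keeps listing them. Minor: the braces around the lone `continue;` are out of step with the neighbouring `continue;` after the pipe check, which has none.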
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 23 18:42:54 2004
From: Pawel Malachowski
To: Pawel Jakub Dawidek
cc: freebsd-ipfw@freebsd.org
cc: FreeBSD-gnats-submit@freebsd.org
Date: Mon, 23 Aug 2004 20:40:51 +0200
Message-ID: <20040823184051.GC42452@shellma.zin.lublin.pl>
In-Reply-To: <20040823165718.GQ30151@darkness.comp.waw.pl>
Subject: Re: bin/70311: ipfw(8) pipe/queue show N displays data not only for N

On Mon, Aug 23, 2004 at 06:57:18PM +0200, Pawel Jakub Dawidek wrote:

> This patch doesn't work for me as expected. It shows all pipes and queues
> with parentpipe=N.
> Could you check this patch (it is against -CURRENT, but it should be easy
> to apply it to 4.x):

Weird.
For me, your patch gives on my working RELENG_4 shaper setup:

% ipfw pipe show 1
00001: unlimited    0 ms  12 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00110: weight 1 pipe 1   8 KB 0 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
q00120: weight 99 pipe 1   8 KB 0 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
// expected, show pipe 1 and every queue with parent=1

% ipfw queue show 1
00001: unlimited    0 ms  12 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
// not expected, there is no queue 1, but it shows pipe 1 here.
// if I want pipe 1, I would type ipfw pipe show 1

% ipfw pipe show 110
// expected, there is no pipe 110

% ipfw queue show 110
q00110: weight 1 pipe 1   8 KB 0 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
// expected, there is queue 110.

> Index: ipfw2.c
> ===================================================================
> RCS file: /private/FreeBSD/src/sbin/ipfw/ipfw2.c,v
> retrieving revision 1.54
> diff -u -p -r1.54 ipfw2.c
> --- ipfw2.c	12 Aug 2004 22:06:55 -0000	1.54
> +++ ipfw2.c	23 Aug 2004 16:51:26 -0000
> @@ -1564,6 +1564,12 @@ list_pipes(void *data, uint nbytes, int
>  	l = sizeof(*fs) + fs->rq_elements * sizeof(*q);
>  	next = (char *)fs + l;
>  	nbytes -= l;
> +
> +	if (rulenum != 0 && ((rulenum != fs->fs_nr && do_pipe == 2) ||
> +	    (rulenum != fs->parent_nr && do_pipe == 1))) {
> +		continue;
> +	}
> +
>  	q = (struct dn_flow_queue *)(fs+1);
>  	sprintf(prefix, "q%05d: weight %d pipe %d ",
>  	    fs->fs_nr, fs->weight, fs->parent_nr);
>
> Basically, it looks that first addition of 'do_pipe==2' is bogus.

Well, with this first 'do_pipe==2' check it works here like this:

% ipfw pipe show 1
00001: unlimited    0 ms  12 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00110: weight 1 pipe 1   8 KB 0 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
q00120: weight 99 pipe 1   8 KB 0 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
// expected, shows pipe 1 and every queue with parent=1

% ipfw queue show 1
// expected, there is no queue 1

% ipfw pipe show 110
// expected, there is no pipe 110

% ipfw queue show 110
q00110: weight 1 pipe 1   8 KB 0 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
// expected, there is queue 110

So, for me it is not bogus. :)

cheers,
-- 
Paweł Małachowski

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 23 19:23:42 2004
Date: Mon, 23 Aug 2004 21:23:41 +0200
From: Pawel Jakub Dawidek
To: Pawel Malachowski
cc: freebsd-ipfw@freebsd.org
cc: FreeBSD-gnats-submit@freebsd.org
Message-ID: <20040823192341.GT30151@darkness.comp.waw.pl>
In-Reply-To: <20040823184051.GC42452@shellma.zin.lublin.pl>
Subject: Re: bin/70311: ipfw(8) pipe/queue show N displays data not only for N

On Mon, Aug 23, 2004 at 08:40:51PM +0200, Pawel Malachowski wrote:
+> On Mon, Aug 23, 2004 at 06:57:18PM +0200, Pawel Jakub Dawidek wrote:
+>
+> > This patch doesn't work for me as expected. It shows all pipes and queues
+> > with parentpipe=N.
+> > Could you check this patch (it is against -CURRENT, but it should be easy
+> > to apply it to 4.x):
+>
+> Weird.
+> For me, Your patch gives on my working RELENG_4 shaper setup:

Ok, it looks like I fucked up something when I patched my ipfw2.c by hand
the first time. Everything works just fine. Sorry for the noise.

Patch committed to -CURRENT (MFC after 3 days). Thanks!

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 23 21:53:24 2004
Date: Mon, 23 Aug 2004 21:53:24 GMT
From: Pawel Jakub Dawidek
Message-Id: <200408232153.i7NLrOxx052016@freefall.freebsd.org>
To: eugen@grosbein.pp.ru, pjd@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/46557: ipfw pipe show fails with lots of queues

Synopsis: ipfw pipe show fails with lots of queues

State-Changed-From-To: open->feedback
State-Changed-By: pjd
State-Changed-When: Mon Aug 23 21:50:27 GMT 2004
State-Changed-Why:

http://www.freebsd.org/cgi/query-pr.cgi?pr=46557

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 23 21:55:05 2004
Date: Mon, 23 Aug 2004 21:55:04 GMT
From: Pawel Jakub Dawidek
Message-Id: <200408232155.i7NLt4gF052086@freefall.freebsd.org>
To: pjd@FreeBSD.org, ipfw@FreeBSD.org, pjd@FreeBSD.org
Subject: Re: kern/46557: ipfw pipe show fails with lots of queues

Synopsis: ipfw pipe show fails with lots of queues

Responsible-Changed-From-To: ipfw->pjd
Responsible-Changed-By: pjd
Responsible-Changed-When: Mon Aug 23 21:53:44 GMT 2004
Responsible-Changed-Why:
I'll take this one. Here is a proposed patch against HEAD:

Index: ip_dummynet.c
===================================================================
RCS file: /private/FreeBSD/src/sys/netinet/ip_dummynet.c,v
retrieving revision 1.82
diff -u -p -r1.82 ip_dummynet.c
--- ip_dummynet.c	15 Jul 2004 08:26:07 -0000	1.82
+++ ip_dummynet.c	23 Aug 2004 21:41:06 -0000
@@ -1895,17 +1895,14 @@ dn_copy_set(struct dn_flow_set *set, cha
     return (char *)qp ;
 }
 
-static int
-dummynet_get(struct sockopt *sopt)
+static size_t
+dn_calc_size(void)
 {
-    char *buf, *bp ; /* bp is the "copy-pointer" */
-    size_t size ;
     struct dn_flow_set *set ;
     struct dn_pipe *p ;
-    int error=0 ;
+    size_t size ;
 
-    /* XXX lock held too long */
-    DUMMYNET_LOCK();
+    DUMMYNET_LOCK_ASSERT();
     /*
      * compute size of data structures: list of pipes and flow_sets.
      */
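Review bot: dn_calc_size(), introduced in this hunk, is meant to be called with the dummynet mutex held (the `DUMMYNET_LOCK_ASSERT();` line), but nothing in the hunk documents that contract for callers; a one-line comment above `static size_t` / `dn_calc_size(void)` saying the caller must hold DUMMYNET_LOCK would make the unlock/relock sequence in the caller easier to audit. Also confirm that DUMMYNET_LOCK_ASSERT is already defined in this revision of ip_dummynet.c, since this hunk is its only use in the diff and the build fails if the macro is absent.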
@@ -1915,8 +1912,35 @@ dummynet_get(struct sockopt *sopt)
     for (set = all_flow_sets ; set ; set = set->next )
 	size += sizeof ( *set ) +
 	    set->rq_elements * sizeof(struct dn_flow_queue);
-    buf = malloc(size, M_TEMP, M_NOWAIT);
-    if (buf == 0) {
+    return size ;
+}
+
+static int
+dummynet_get(struct sockopt *sopt)
+{
+    char *buf, *bp ; /* bp is the "copy-pointer" */
+    size_t size ;
+    struct dn_flow_set *set ;
+    struct dn_pipe *p ;
+    int error=0, i ;
+
+    /* XXX lock held too long */
+    DUMMYNET_LOCK();
+    /*
+     * XXX: Ugly, but we need to allocate memory with M_WAITOK flag and we
+     * cannot use this flag while holding a mutex.
+     */
+    for (i = 0; i < 10; i++) {
+	size = dn_calc_size();
+	DUMMYNET_UNLOCK();
+	buf = malloc(size, M_TEMP, M_WAITOK);
+	DUMMYNET_LOCK();
+	if (size == dn_calc_size())
+	    break;
+	free(buf, M_TEMP);
+	buf = NULL;
+    }
+    if (buf == NULL) {
 	DUMMYNET_UNLOCK();
 	return ENOBUFS ;
     }

http://www.freebsd.org/cgi/query-pr.cgi?pr=46557
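Review bot: the retry loop in this hunk compares only the byte count returned by dn_calc_size() before and after the unlocked malloc(), which is the right condition for the copy that follows (the buffer has to be large enough, not identical in membership), but that reasoning belongs in a comment next to `if (size == dn_calc_size())`, since a reader may take it for a staleness check. Two smaller points: the retry count `10` is a magic number and would read better as a named constant, and after ten failed retries the function returns ENOBUFS, which callers will read as memory exhaustion even though memory was available and the lists simply kept changing; EBUSY, or a short comment justifying ENOBUFS, would avoid that confusion. The carried-over `/* XXX lock held too long */` comment should also be reworded, because the allocation is now done with the lock dropped and only the size calculation and copy remain under it.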
From: fbsd-ipfw@0x10.com To: freebsd-ipfw@freebsd.org Date: Tue, 24 Aug 2004 10:32:27 +0100 Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: Subject: natd and ipfw problems...hope this is the right place=) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 09:32:30 -0000

Diagram:

                .oO( Internet )Oo.
                        ||
                        ||
                [----DSL------]
                [ adsl router ] <- No Nat
                [-------------]
                  |         |
                  |         |
                  |         |
                  B         A
       [--------WL-------] [---BSD---]
NAT -> [ wireless router ] [ bsd box ]
       [-----------------] [---------]
                X
                |   |           |
                |   |           |
                |   |___________|
                Y
       [---------WEB--------]
       [ web server + media ]
       [--------------------]

IP Addresses:
A: External IP 82.*.*.A
B: External IP 82.*.*.B
X: Internal IP 192.168.1.101
Y: Internal IP 192.168.1.100

### External Connectivity ###
WEB -> WL -> (DSL) -> Internet [IP B]
BSD -> (DSL) -> Internet [IP A]

Require: Connection to A:80 forwarded to Y:80

### Theoretical Solution ###
Packet - [sourceip:port, destip:port]

Packets IN
[any:any, A:80] fwd/nat [A:80, X:80]
[A:80, X:80] fwd/nat [X:80, Y:80]

Packets OUT
[Y:80, X:80] fwd/nat [X:80, A:80]
[X:80, A:80] fwd/nat [A:80, any:any]

### Description ###
Hiya,

As you can hopefully see, I'm trying to port forward a connection to an external IP on my BSD box to the internal IP address of a machine that sits behind a wireless router. Please advise as to whether my "Theoretical Solution" is indeed correct for this purpose.

I've been playing around with natd and ipfw for a while now, and just cannot get it to respond. Assuming my logic is correct, my problem seems to be translating it into the required configs/rules for natd and ipfw.

In an attempt to simplify the problem, I have set Apache to run on all the IPs of the BSD box. A telnet to 82.*.*.A 80 gets an index file showing "default", whereas a telnet to 192.168.1.101 80 gets an index file showing "192.168.1.101", the obvious trick being to get a telnet to 82.*.*.A to display "192.168.1.101". As this is failing badly too, I assume I am doing something really wrong.

As you will see, I have a /29 external subnet but we're only really interested in 82.*.*.A.

rl0 -> external NIC going to ADSL router
xl0 -> internal NIC going to wireless router

IP connectivity between all "hosts" is fine.

Details are as follows:

FreeBSD 4.10 stable

----- rc.conf -----
defaultrouter="82.*.*.*"
hostname="XXX"
ifconfig_rl0="inet 82.*.*.* netmask 255.255.255.248"
ifconfig_rl0_alias0="inet 82.*.*.A netmask 255.255.255.255"
ifconfig_rl0_alias1="inet 82.*.*.* netmask 255.255.255.255"
ifconfig_rl0_alias2="inet alias 82.*.*.* netmask 255.255.255.255"
ifconfig_xl0="inet 192.168.1.101 netmask 255.255.255.0"
ifconfig_xl0_alias0="inet 192.168.1.111 netmask 255.255.255.255"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
portmap_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules/default"
firewall_quiet="NO"

----- natd.conf -----
interface rl0
same_ports yes
redirect_port tcp 192.168.1.101:80 80

----- KERNEL -----
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFILTER
options IPFILTER_LOG
options IPDIVERT

Cheers for the help!!!
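An added illustration (not part of Fraser's post, and not natd's code): a small Python model of what a natd `redirect_port` to the web server does to the inbound request and to its reply in this topology, and what happens when the WEB box's reply leaves through the wireless router (IP B) instead of coming back through the BSD box. The public addresses are constructed stand-ins for 82.*.*.A and 82.*.*.B; the client address and ports are made up.

```python
"""Model of the natd redirect_port translation for the topology in this post.

Added example; not code from the thread and not natd itself. It reproduces
what `redirect_port tcp 192.168.1.100:80 A:80` does to an inbound connection
and its reply, and shows the failure mode built into the poster's diagram:
if the web server's reply leaves through the wireless router (IP B) rather
than through the BSD box, the translation is never reversed and the client
receives a reply from an address and port it never talked to. The public
addresses are constructed stand-ins for the poster's 82.*.*.A and 82.*.*.B.
"""
from dataclasses import dataclass, replace

A = "203.0.113.10"       # stand-in for 82.*.*.A (alias on the BSD box's rl0)
B = "203.0.113.11"       # stand-in for 82.*.*.B (wireless router's WAN side)
Y = "192.168.1.100"      # the web server
CLIENT = "198.51.100.7"  # some host on the Internet (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class RedirectNat:
    """natd-style redirect_port: traffic to public:port is sent to internal:port.

    Only packets that pass through this box are touched, which is why the
    redirected host has to route its replies back through it.
    """

    def __init__(self, internal, public):
        self.internal = internal   # (ip, port) of the real server
        self.public = public       # (ip, port) the clients connect to
        self.sessions = set()      # (client ip, client port) seen inbound

    def inbound(self, pkt):
        """Packet arriving on the external interface (rl0 in the post)."""
        if (pkt.dst, pkt.dport) == self.public:
            self.sessions.add((pkt.src, pkt.sport))
            return replace(pkt, dst=self.internal[0], dport=self.internal[1])
        return pkt

    def outbound(self, pkt):
        """Packet leaving through the external interface."""
        if (pkt.src, pkt.sport) == self.internal and (pkt.dst, pkt.dport) in self.sessions:
            return replace(pkt, src=self.public[0], sport=self.public[1])
        return pkt


def client_accepts(sent, received):
    """A TCP client only matches a reply whose 4-tuple mirrors what it sent."""
    return (received.src, received.sport, received.dst, received.dport) == \
           (sent.dst, sent.dport, sent.src, sent.sport)


def simulate(reply_via_bsd_box):
    """Run one request/reply through the model.

    Returns (packet as the web server sees it, packet as the client gets it).
    """
    nat = RedirectNat(internal=(Y, 80), public=(A, 80))
    request = Packet(CLIENT, 40000, A, 80)
    at_server = nat.inbound(request)            # now addressed to Y:80
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    if reply_via_bsd_box:
        # WEB's default gateway is the BSD box: natd reverses the translation.
        at_client = nat.outbound(reply)
    else:
        # WEB's default gateway is the wireless router: its own NAT rewrites
        # the source to B with a fresh port; the BSD box never sees the reply.
        at_client = replace(reply, src=B, sport=1025)
    return at_server, at_client


if __name__ == "__main__":
    sent = Packet(CLIENT, 40000, A, 80)
    for via_bsd in (True, False):
        seen_by_y, seen_by_client = simulate(via_bsd)
        print(f"reply via BSD box={via_bsd}: server saw {seen_by_y}, "
              f"client got {seen_by_client}, accepted={client_accepts(sent, seen_by_client)}")
```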
From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 16:17:44 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C086B16A4CE for ; Tue, 24 Aug 2004 16:17:44 +0000 (GMT) Received: from makeworld.com (makeworld.com [198.92.228.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6F98643D1D for ; Tue, 24 Aug 2004 16:17:44 +0000 (GMT) (envelope-from racerx@makeworld.com) Received: from localhost (localhost.com [127.0.0.1]) by makeworld.com (Postfix) with ESMTP id 7813C62E1; Tue, 24 Aug 2004 11:17:43 -0500 (CDT) Received: from makeworld.com ([127.0.0.1]) by localhost (makeworld.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 49624-04; Tue, 24 Aug 2004 11:17:41 -0500 (CDT) Received: from [198.92.228.34] (racerx.makeworld.com [198.92.228.34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by makeworld.com (Postfix) with ESMTP id E95A36299; Tue, 24 Aug 2004 11:17:40 -0500 (CDT) Message-ID: <412B6A23.1000708@makeworld.com> Date: Tue, 24 Aug 2004 11:17:39 -0500 
From: Chris User-Agent: Mozilla Thunderbird 0.7.3 (X11/20040809) X-Accept-Language: en-us, en MIME-Version: 1.0 To: FreeBSD - ipfw Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new at makeworld.com - Isn't it ironic Subject: Denying multiple IP's X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 16:17:44 -0000

I'm working with a friend of mine w/ipfw. Below are IPs that are trying to hack in via ssh. I suggested to use something in the form of:

# Allow in SFTP, SSH, and SCP from public Internet
${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup limit src-addr 4

But he mentions that he needs access to his box from potential client sites where the IP is unknown.

There has to be a better way to block the below - suggestions?

#
# IPs that seem to want to get in REALLY bad... deny all tcp/udp from IPs.
#
${fwcmd} add 300 deny tcp from 24.79.68.179 to any
${fwcmd} add 301 deny udp from 24.79.68.179 to any
${fwcmd} add 302 deny tcp from 64.246.20.123 to any
${fwcmd} add 303 deny udp from 64.246.20.123 to any
${fwcmd} add 304 deny tcp from 81.223.99.90 to any
${fwcmd} add 305 deny udp from 81.223.99.90 to any
${fwcmd} add 306 deny tcp from 140.112.124.123 to any
${fwcmd} add 307 deny udp from 140.112.124.123 to any
${fwcmd} add 308 deny tcp from 193.145.87.3 to any
${fwcmd} add 309 deny udp from 193.145.87.3 to any
${fwcmd} add 310 deny tcp from 203.186.157.37 to any
${fwcmd} add 311 deny udp from 203.186.157.37 to any
${fwcmd} add 312 deny tcp from 210.204.129.11 to any
${fwcmd} add 313 deny udp from 210.204.129.11 to any
${fwcmd} add 314 deny tcp from 211.60.219.250 to any
${fwcmd} add 315 deny udp from 211.60.219.250 to any
${fwcmd} add 316 deny tcp from 211.252.9.126 to any
${fwcmd} add 317 deny udp from 211.252.9.126 to any
${fwcmd} add 318 deny tcp from 218.21.129.105 to any
${fwcmd} add 319 deny udp from 218.21.129.105 to any
${fwcmd} add 320 deny tcp from 218.49.183.17 to any
${fwcmd} add 321 deny udp from 218.49.183.17 to any
${fwcmd} add 322 deny tcp from 218.102.19.78 to any
${fwcmd} add 323 deny udp from 218.102.19.78 to any
${fwcmd} add 324 deny tcp from 218.237.66.152 to any
${fwcmd} add 325 deny udp from 218.237.66.152 to any
${fwcmd} add 326 deny tcp from 221.3.131.80 to any
${fwcmd} add 327 deny udp from 221.3.131.80 to any

# Everything else is denied by default

-- 
Best regards,
Chris

The one time in the day that you lean back and relax is the one time the boss walks through the office.
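An added example, not code posted by Chris or anyone else in this thread: a Python script that derives a block list from sshd's own log instead of maintaining the rule pairs by hand, counting failed logins per source inside a sliding window and emitting one `deny ip` rule per offender (tcp and udp in one rule), plus the equivalent using an ipfw2 lookup table. The log lines are constructed for the demo (some reuse addresses from Chris's list), and the threshold, window and rule numbers are assumptions.

```python
"""Turn repeated sshd login failures into a compact ipfw block list.

Added example for this thread, not code from the list. It reads sshd
syslog lines (constructed sample below, not a real log), counts failed
logins per source inside a sliding window, and emits one `deny ip` rule
per offender. Threshold, window and rule numbering are demo assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd via syslog on FreeBSD 4.x/5.x: month day time, host, sshd[pid], message.
# Older OpenSSH logs "illegal user", newer "invalid user"; accept both.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log: two sources hammer the box within seconds,
# 81.223.99.90 fails five times but 15 minutes apart, and 192.0.2.10 is a
# legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Aug 24 10:01:02 gw sshd[812]: Failed password for root from 24.79.68.179 port 44612 ssh2
Aug 24 10:01:04 gw sshd[814]: Failed password for root from 24.79.68.179 port 44613 ssh2
Aug 24 10:01:06 gw sshd[816]: Failed password for illegal user test from 24.79.68.179 port 44614 ssh2
Aug 24 10:01:08 gw sshd[818]: Failed password for root from 24.79.68.179 port 44615 ssh2
Aug 24 10:01:10 gw sshd[820]: Failed password for admin from 24.79.68.179 port 44616 ssh2
Aug 24 10:05:00 gw sshd[901]: Accepted publickey for chris from 192.0.2.10 port 51022 ssh2
Aug 24 10:07:31 gw sshd[933]: Failed password for chris from 192.0.2.10 port 51030 ssh2
Aug 24 11:00:00 gw sshd[977]: Failed password for root from 64.246.20.123 port 3344 ssh2
Aug 24 11:00:01 gw sshd[978]: Failed password for root from 64.246.20.123 port 3345 ssh2
Aug 24 11:00:02 gw sshd[979]: Failed password for root from 64.246.20.123 port 3346 ssh2
Aug 24 11:00:03 gw sshd[980]: Failed password for root from 64.246.20.123 port 3347 ssh2
Aug 24 11:00:04 gw sshd[981]: Failed password for root from 64.246.20.123 port 3348 ssh2
Aug 24 11:30:00 gw sshd[1001]: Failed password for root from 81.223.99.90 port 2001 ssh2
Aug 24 11:45:00 gw sshd[1002]: Failed password for root from 81.223.99.90 port 2002 ssh2
Aug 24 12:00:00 gw sshd[1003]: Failed password for root from 81.223.99.90 port 2003 ssh2
Aug 24 12:15:00 gw sshd[1004]: Failed password for root from 81.223.99.90 port 2004 ssh2
Aug 24 12:30:00 gw sshd[1005]: Failed password for root from 81.223.99.90 port 2005 ssh2
"""


def parse_failures(lines, year=2004):
    """Yield (timestamp, source ip) for each failed-password line; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # syslog omits the year, so it has to be supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def offenders(events, threshold=5, window=timedelta(minutes=10)):
    """Addresses with at least `threshold` failures inside any `window`.

    A slow trickle spread over hours does not qualify; the window matters
    as much as the count.
    """
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:  # drop failures older than the window
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged, key=lambda s: tuple(int(o) for o in s.split(".")))


def ipfw_rules(ips, first_rule=300, fwcmd="${fwcmd}"):
    """One `deny ip` rule per offender; `ip` covers tcp and udp in one rule."""
    return [f"{fwcmd} add {first_rule + i} deny ip from {ip} to any"
            for i, ip in enumerate(ips)]


def ipfw_table_rules(ips, table=1, rule=300, fwcmd="${fwcmd}"):
    """Same block list as an ipfw2 lookup table: N entries, a single rule."""
    cmds = [f"{fwcmd} table {table} add {ip}" for ip in ips]
    cmds.append(f"{fwcmd} add {rule} deny ip from table({table}) to any")
    return cmds


if __name__ == "__main__":
    bad = offenders(parse_failures(SAMPLE_LOG.splitlines()))
    print("\n".join(ipfw_rules(bad)))
    print("\n".join(ipfw_table_rules(bad)))
```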
From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 18:01:42 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A84A316A4CE; Tue, 24 Aug 2004 18:01:42 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B2FC43D45; Tue, 24 Aug 2004 18:01:42 +0000 (GMT) (envelope-from andre@FreeBSD.org) Received: from freefall.freebsd.org (andre@localhost [127.0.0.1]) i7OI1g89037056; Tue, 24 Aug 2004 18:01:42 GMT (envelope-from andre@freefall.freebsd.org) Received: (from andre@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7OI1gVd037052; Tue, 24 Aug 2004 18:01:42 GMT (envelope-from andre) Date: Tue, 24 Aug 2004 18:01:42 GMT 
From: Andre Oppermann Message-Id: <200408241801.i7OI1gVd037052@freefall.freebsd.org> To: andre@FreeBSD.org, ipfw@FreeBSD.org, andre@FreeBSD.org Subject: Re: kern/46564: IPFilter and IPFW processing order is not sensible> X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 18:01:42 -0000 Synopsis: IPFilter and IPFW processing order is not sensible> Responsible-Changed-From-To: ipfw->andre Responsible-Changed-By: andre Responsible-Changed-When: Tue Aug 24 18:01:21 GMT 2004 Responsible-Changed-Why: Take over. http://www.freebsd.org/cgi/query-pr.cgi?pr=46564 From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 18:11:39 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B88C516A4CE; Tue, 24 Aug 2004 18:11:39 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B3AD43D55; Tue, 24 Aug 2004 18:11:39 +0000 (GMT) (envelope-from andre@FreeBSD.org) Received: from freefall.freebsd.org (andre@localhost [127.0.0.1]) i7OIBdXM041349; Tue, 24 Aug 2004 18:11:39 GMT (envelope-from andre@freefall.freebsd.org) Received: (from andre@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7OIBd1q041345; Tue, 24 Aug 2004 18:11:39 GMT (envelope-from andre) Date: Tue, 24 Aug 2004 18:11:39 GMT 
From: Andre Oppermann Message-Id: <200408241811.i7OIBd1q041345@freefall.freebsd.org> To: andre@FreeBSD.org, ipfw@FreeBSD.org, andre@FreeBSD.org Subject: Re: kern/61259: [patch] make "ipfw tee" work as intended under freebsd-5 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 18:11:39 -0000 Synopsis: [patch] make "ipfw tee" work as intended under freebsd-5 Responsible-Changed-From-To: ipfw->andre Responsible-Changed-By: andre Responsible-Changed-When: Tue Aug 24 18:11:24 GMT 2004 Responsible-Changed-Why: Take over. http://www.freebsd.org/cgi/query-pr.cgi?pr=61259 From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 18:31:00 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D529D16A4CE; Tue, 24 Aug 2004 18:31:00 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id ACC0743D41; Tue, 24 Aug 2004 18:31:00 +0000 (GMT) (envelope-from andre@FreeBSD.org) Received: from freefall.freebsd.org (andre@localhost [127.0.0.1]) i7OIV0E3043341; Tue, 24 Aug 2004 18:31:00 GMT (envelope-from andre@freefall.freebsd.org) Received: (from andre@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7OIV0fH043337; Tue, 24 Aug 2004 18:31:00 GMT (envelope-from andre) Date: Tue, 24 Aug 2004 18:31:00 GMT 
From: Andre Oppermann Message-Id: <200408241831.i7OIV0fH043337@freefall.freebsd.org> To: andre@FreeBSD.org, ipfw@FreeBSD.org, andre@FreeBSD.org Subject: Re: kern/64240: IPFW tee terminates rule processing X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 18:31:01 -0000 Synopsis: IPFW tee terminates rule processing Responsible-Changed-From-To: ipfw->andre Responsible-Changed-By: andre Responsible-Changed-When: Tue Aug 24 18:30:41 GMT 2004 Responsible-Changed-Why: Take over. http://www.freebsd.org/cgi/query-pr.cgi?pr=64240 From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 19:03:09 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE09316A4CE; Tue, 24 Aug 2004 19:03:09 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC0D443D2D; Tue, 24 Aug 2004 19:03:09 +0000 (GMT) (envelope-from andre@FreeBSD.org) Received: from freefall.freebsd.org (andre@localhost [127.0.0.1]) i7OJ39BS045040; Tue, 24 Aug 2004 19:03:09 GMT (envelope-from andre@freefall.freebsd.org) Received: (from andre@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7OJ39i7045036; Tue, 24 Aug 2004 19:03:09 GMT (envelope-from andre) Date: Tue, 24 Aug 2004 19:03:09 GMT 
From: Andre Oppermann Message-Id: <200408241903.i7OJ39i7045036@freefall.freebsd.org> To: andre@FreeBSD.org, ipfw@FreeBSD.org, andre@FreeBSD.org Subject: Re: bin/49959: ipfw tee port rule skips parsing next rules X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 19:03:10 -0000 Synopsis: ipfw tee port rule skips parsing next rules Responsible-Changed-From-To: ipfw->andre Responsible-Changed-By: andre Responsible-Changed-When: Tue Aug 24 19:02:55 GMT 2004 Responsible-Changed-Why: Take over. http://www.freebsd.org/cgi/query-pr.cgi?pr=49959 From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 20:19:59 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D02F16A4CE; Tue, 24 Aug 2004 20:19:59 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8F63D43D53; Tue, 24 Aug 2004 20:19:59 +0000 (GMT) (envelope-from csjp@freebsd.org) Received: from freefall.freebsd.org (csjp@localhost [127.0.0.1]) i7OKJxjR062439; Tue, 24 Aug 2004 20:19:59 GMT (envelope-from csjp@freebsd.org) Received: (from csjp@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7OKJxcw062438; Tue, 24 Aug 2004 20:19:59 GMT (envelope-from csjp@freebsd.org) X-Authentication-Warning: freefall.freebsd.org: csjp set sender to csjp@freebsd.org using -f Date: Tue, 24 Aug 2004 20:19:59 +0000 
From: "Christian S.J. Peron" To: Andre Oppermann Message-ID: <20040824201958.GA61912@freefall.freebsd.org> References: <412B8799.4020808@freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <412B8799.4020808@freebsd.org> User-Agent: Mutt/1.4.1i cc: myself@rojer.pp.ru cc: ipfw@freebsd.org Subject: Re: Could you have a look at kern/63961 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 20:19:59 -0000

Hey Andre,

I took a quick look at the PR and I don't think this is a bug. If you want to match setup packets for TCP connections it does work, but only if the connection has a PCB associated with it. For instance, outgoing setup would have a PCB associated with it, so ipfw could match on that:

dev0# ipfw show
00400 1 64 count tcp from any to any dst-port 4296 setup uid csjp

It should be noted that all the "setup" keyword does is set the O_TCPFLAGS opcode and set the operand to TH_SYN for SYN packets. I don't think incoming TCP connection requests would have a PCB associated with them, so there is no way that ipfw can look up the credential associated with it.

However the UID negation problem looks like it could be a bug either in how ipfw(8) reports the rule or how the kernel is processing it. In either case I will look into it.

-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 20:38:21 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0D59116A4D0 for ; Tue, 24 Aug 2004 20:38:21 +0000 (GMT) Received: from mail.esoltani.com (fwnat.esoltani.com [67.120.127.181]) by mx1.FreeBSD.org (Postfix) with ESMTP id B4BC543D55 for ; Tue, 24 Aug 2004 20:38:20 +0000 (GMT) (envelope-from patrick@esoltani.com) Received: from localhost (localhost [127.0.0.1]) by mail.esoltani.com (Postfix) with ESMTP id 403C28FC3C; Tue, 24 Aug 2004 13:38:20 -0700 (PDT) Received: from mail.esoltani.com ([127.0.0.1]) by localhost (baba.esoltani.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 77560-02; Tue, 24 Aug 2004 13:38:17 -0700 (PDT) Received: from [192.168.1.105] (khanoom.esoltani.com [192.168.1.105]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.esoltani.com (Postfix) with ESMTP id 402F88FC1F; Tue, 24 Aug 2004 13:38:17 -0700 (PDT) Message-ID: <412BA814.9060406@esoltani.com> Date: Tue, 24 Aug 2004 13:41:56 -0700
From: patrick User-Agent: Mozilla Thunderbird 0.7.3 (Windows/20040803) X-Accept-Language: en-us, en MIME-Version: 1.0 To: fbsd-ipfw@0x10.com References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new at esoltani.com cc: freebsd-ipfw@freebsd.org Subject: Re: natd and ipfw problems...hope this is the right place=) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 20:38:21 -0000

fbsd-ipfw@0x10.com wrote:
> Diagram:
>
>                 .oO( Internet )Oo.
>                         ||
>                         ||
>                 [----DSL------]
>                 [ adsl router ] <- No Nat
>                 [-------------]
>                   |         |
>                   |         |
>                   |         |
>                   B         A
>        [--------WL-------] [---BSD---]
> NAT -> [ wireless router ] [ bsd box ]
>        [-----------------] [---------]
>                 X
>                 |   |           |
>                 |   |           |
>                 |   |___________|
>                 Y
>        [---------WEB--------]
>        [ web server + media ]
>        [--------------------]
>
> IP Addresses:
> A: External IP 82.*.*.A
> B: External IP 82.*.*.B
> X: Internal IP 192.168.1.101
> Y: Internal IP 192.168.1.100

Hi,

How is the wireless configured? i.e., does it accept incoming requests from the Internet for the web server?

If the wireless IS NOT accepting any incoming requests for the web server from the Internet then something like the following should do the trick:

*BSD* box: build it as NATD and IPFW machine.
- Assign your public web IP as an alias to the external NIC, so the outside world will hit your BSD box for the web pages.

In /etc/rc.conf add; assuming your public web server is at 82.82.82.82. Note the netmask, which is what ALL the aliased IPs should have. Also assuming you have fxp0 as your external interface on the BSD box.

ifconfig_fxp0_alias0="inet 82.82.82.82 netmask 255.255.255.255"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

- In your /etc/natd.conf add
redirect_port tcp 192.168.1.100:80 82.82.82.82:80

- Adjust your ipfw rules to allow port 80 for the public IP and private IP to your liking.

*WEB* box: make its default gateway the BSD box, i.e., the internal interface on the BSD box will be the default route for the WEB box.

Since the wireless and the BSD box are on the same LAN/network, your wireless clients should have no problem reaching the web server.

I am sure there are other ways of doing this, but this is a good start.

Regards,
Patrick Soltani.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 20:52:09 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1916116A4DB for ; Tue, 24 Aug 2004 20:52:09 +0000 (GMT) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 420AE43D55 for ; Tue, 24 Aug 2004 20:52:08 +0000 (GMT) (envelope-from andre@freebsd.org) Received: (qmail 35660 invoked from network); 24 Aug 2004 20:51:16 -0000 Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 24 Aug 2004 20:51:16 -0000 Message-ID: <412BAA78.68218D09@freebsd.org> Date: Tue, 24 Aug 2004 22:52:08 +0200
From: Andre Oppermann X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: "Christian S.J. Peron" References: <412B8799.4020808@freebsd.org> <20040824201958.GA61912@freefall.freebsd.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: myself@rojer.pp.ru cc: ipfw@freebsd.org Subject: Re: Could you have a look at kern/63961 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 20:52:09 -0000

Christian,

thanks for your quick response. Could you please take over the PR and get directly in touch with the Originator.

-- 
Andre

"Christian S.J. Peron" wrote:
>
> Hey Andre,
>
> I took a quick look at the PR and I don't think this is a bug.
> If you want to match setup packets for TCP connections it
> does work, but only if the connection has a PCB associated with it.
> For instance, outgoing setup would have a PCB associated with it,
> so ipfw could match on that:
>
> dev0# ipfw show
> 00400 1 64 count tcp from any to any dst-port 4296 setup uid csjp
>
> It should be noted that all the "setup" keyword does is set the
> O_TCPFLAGS opcode and set the operand to TH_SYN for SYN packets.
> I don't think incoming TCP connection requests would have a
> PCB associated with them, so there is no way that ipfw can look
> up the credential associated with it.
>
> However the UID negation problem looks like it could be a bug
> either in how ipfw(8) reports the rule or how the kernel is
> processing it. In either case I will look into it.
>
> --
> Christian S.J. Peron
> csjp@FreeBSD.ORG
> FreeBSD Committer

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 20:55:15 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7907816A4E0 for ; Tue, 24 Aug 2004 20:55:15 +0000 (GMT) Received: from zaphod.nitro.dk (port324.ds1-khk.adsl.cybercity.dk [212.242.113.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id C39B043D4C for ; Tue, 24 Aug 2004 20:55:14 +0000 (GMT) (envelope-from simon@zaphod.nitro.dk) Received: by zaphod.nitro.dk (Postfix, from userid 3000) id D8DEA11AB1; Tue, 24 Aug 2004 22:55:13 +0200 (CEST) Date: Tue, 24 Aug 2004 22:55:13 +0200
From: "Simon L. Nielsen" To: Chris Message-ID: <20040824205513.GJ760@zaphod.nitro.dk> References: <412B6A23.1000708@makeworld.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="SBT+cnFS/G3NVgv4" Content-Disposition: inline In-Reply-To: <412B6A23.1000708@makeworld.com> User-Agent: Mutt/1.5.6i cc: FreeBSD - ipfw Subject: Re: Denying multiple IP's X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 20:55:15 -0000

On 2004.08.24 11:17:39 -0500, Chris wrote:
> I'm working with a friend of mine w/ipfw. Below are IP's that are trying
> to hack in via ssh. I suggested to use something in the form of:
>
> # Allow in SFTP, SSH, and SCP from public Internet
> ${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup
> limit src-addr 4
>
> But he mentions that he needs access to his box from potential client
> sites where the IP is unknown.
>
> There has to be a better way to block the below - suggestions?

If you use FreeBSD -CURRENT or -STABLE (newer than 4.10 and 5.2) you could use the new table feature. Otherwise if you use ipfw2 you could use "or-blocks" e.g.

ipfw deny ip from { 1.2.4.5 or 1.2.4.7 or 1.2.5.7 } to any

or something like that. In any case there is probably no need to have separate tcp/udp rules, you could just use "ip" and block all traffic from the IP's.

> #
> # IPs that seem to want to get in REALLY bad... deny all tcp/udp from IPs.
> #
> ${fwcmd} add 300 deny tcp from 24.79.68.179 to any
> ${fwcmd} add 301 deny udp from 24.79.68.179 to any
> ${fwcmd} add 302 deny tcp from 64.246.20.123 to any
> ${fwcmd} add 303 deny udp from 64.246.20.123 to any
> ${fwcmd} add 304 deny tcp from 81.223.99.90 to any
> ${fwcmd} add 305 deny udp from 81.223.99.90 to any
> ${fwcmd} add 306 deny tcp from 140.112.124.123 to any
> ${fwcmd} add 307 deny udp from 140.112.124.123 to any
> ${fwcmd} add 308 deny tcp from 193.145.87.3 to any
> ${fwcmd} add 309 deny udp from 193.145.87.3 to any
> ${fwcmd} add 310 deny tcp from 203.186.157.37 to any
> ${fwcmd} add 311 deny udp from 203.186.157.37 to any
> ${fwcmd} add 312 deny tcp from 210.204.129.11 to any
> ${fwcmd} add 313 deny udp from 210.204.129.11 to any
> ${fwcmd} add 314 deny tcp from 211.60.219.250 to any
> ${fwcmd} add 315 deny udp from 211.60.219.250 to any
> ${fwcmd} add 316 deny tcp from 211.252.9.126 to any
> ${fwcmd} add 317 deny udp from 211.252.9.126 to any
> ${fwcmd} add 318 deny tcp from 218.21.129.105 to any
> ${fwcmd} add 319 deny udp from 218.21.129.105 to any
> ${fwcmd} add 320 deny tcp from 218.49.183.17 to any
> ${fwcmd} add 321 deny udp from 218.49.183.17 to any
> ${fwcmd} add 322 deny tcp from 218.102.19.78 to any
> ${fwcmd} add 323 deny udp from 218.102.19.78 to any
> ${fwcmd} add 324 deny tcp from 218.237.66.152 to any
> ${fwcmd} add 325 deny udp from 218.237.66.152 to any
> ${fwcmd} add 326 deny tcp from 221.3.131.80 to any
> ${fwcmd} add 327 deny udp from 221.3.131.80 to any
>
> # Everything else is denied by default

-- 
Simon L. Nielsen
FreeBSD Documentation Team

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 20:58:49 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 94E4316A4D1; Tue, 24 Aug 2004 20:58:49 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8257043D54; Tue, 24 Aug 2004 20:58:49 +0000 (GMT) (envelope-from csjp@FreeBSD.org) Received: from freefall.freebsd.org (csjp@localhost [127.0.0.1]) i7OKwnWk068929; Tue, 24 Aug 2004 20:58:49 GMT (envelope-from csjp@freefall.freebsd.org) Received: (from csjp@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7OKwnuE068925; Tue, 24 Aug 2004 20:58:49 GMT (envelope-from csjp) Date: Tue, 24 Aug 2004 20:58:49 GMT
From: "Christian S.J. Peron" Message-Id: <200408242058.i7OKwnuE068925@freefall.freebsd.org> To: csjp@FreeBSD.org, ipfw@FreeBSD.org, csjp@FreeBSD.org Subject: Re: kern/63961: ipfw2 uid matching doesn't work correctly X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 20:58:49 -0000 Synopsis: ipfw2 uid matching doesn't work correctly Responsible-Changed-From-To: ipfw->csjp Responsible-Changed-By: csjp Responsible-Changed-When: Tue Aug 24 20:57:29 GMT 2004 Responsible-Changed-Why:

I think this might not be a bug. If you want to match setup packets for TCP connections it does work, but only if the connection has a PCB associated with it. For instance, outgoing setup would have a PCB associated with it, so ipfw could match on that:

dev0# ipfw show
00400 1 64 count tcp from any to any dst-port 4296 setup uid csjp

It should be noted that all the "setup" keyword does is set the O_TCPFLAGS opcode and set the operand to TH_SYN for SYN packets. I don't think incoming TCP connection requests would have a PCB associated with them, so there is no way that ipfw can look up the credential associated with it.

However the UID negation problem looks like it could be a bug either in how ipfw(8) reports the rule or how the kernel is processing it. In either case I will look into it.
http://www.freebsd.org/cgi/query-pr.cgi?pr=63961 From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 24 21:14:27 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 43A5616A4CE for ; Tue, 24 Aug 2004 21:14:27 +0000 (GMT) Received: from btsoftware.com (www.btsoftware.nl [213.84.82.9]) by mx1.FreeBSD.org (Postfix) with SMTP id 9FE7943D39 for ; Tue, 24 Aug 2004 21:14:25 +0000 (GMT) (envelope-from bts@iae.nl) Received: from viper.office (viper.office [192.168.0.1] ) by btsoftware.com (Hethmon Brothers Smtpd) ; Tue, 24 Aug 2004 23:13:53 +0200 Message-Id: <200408242313.5343345.6@btsoftware.com> 
From: "Martin" To: "fbsd-ipfw@0x10.com" , "patrick" Date: Tue, 24 Aug 2004 23:13:51 +0200 (CEST) Priority: Normal X-Mailer: PMMail 2.20.2382 for OS/2 Warp 4.5 In-Reply-To: <412BA814.9060406@esoltani.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit cc: "freebsd-ipfw@freebsd.org" Subject: Re: natd and ipfw problems...hope this is the right place=) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Martin List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Aug 2004 21:14:27 -0000

On Tue, 24 Aug 2004 13:41:56 -0700, patrick wrote:
>- In your /etc/natd.conf add
>redirect_port tcp 192.168.1.100:80 82.82.82.82:80

Basic idea is pretty good, but you have to be aware the static NAT does seem to have a memory leak. Transferring a couple of Gigabytes through static NAT gives a memory footprint for NAT in "top" of something like 50 Mb. Not sure if this is TCP or UDP related, but it does happen with eMule/Overnet on 4462/4663.

Martin.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 25 08:07:16 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5297516A4CE for ; Wed, 25 Aug 2004 08:07:16 +0000 (GMT) Received: from mk-smarthost-2.mail.uk.tiscali.com (mk-smarthost-2.mail.uk.tiscali.com [212.74.114.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id C540D43D5C for ; Wed, 25 Aug 2004 08:07:15 +0000 (GMT) (envelope-from fbsd-ipfw@0x10.com) Received: from mk-webmail-2.b2b.uk.tiscali.com ([212.74.112.92]:4933) by mk-smarthost-2.mail.uk.tiscali.com with esmtp (Exim 4.30) id 1BzsoM-000HvO-Ao; Wed, 25 Aug 2004 09:07:14 +0100 Received: from exim by mk-webmail-2.b2b.uk.tiscali.com with local (Exim 4.24) id 1BzsoM-00085W-98; Wed, 25 Aug 2004 09:07:14 +0100 References: <412BA814.9060406@esoltani.com> In-Reply-To: <412BA814.9060406@esoltani.com> 
From: fbsd-ipfw@0x10.com To: patrick Date: Wed, 25 Aug 2004 09:07:14 +0100 Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: cc: freebsd-ipfw@freebsd.org Subject: Re: natd and ipfw problems...hope this is the rightplace=) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2004 08:07:16 -0000 patrick writes: > fbsd-ipfw@0x10.com wrote: >> Diagram: >> .oO( Internet )Oo. >> || >> || >> [----DSL------] >> [ adsl router ] <- No Nat >> [-------------] >> | | >> | | >> | | >> B A >> [--------WL-------] [---BSD---] >> NAT -> [ wireless router ] [ bsd box ] >> [-----------------] [---------] >> X >> | | | >> | | | >> | |___________| >> Y >> [---------WEB--------] >> [ web server + media ] >> [--------------------] >> IP Addresses: >> A: External IP 82.*.*.A >> B: External IP 82.*.*.B >> X: Internal IP 192.168.1.101 >> Y: Internal IP 192.168.1.100 > Hi, > > How the wireless is configured? i.e., does it accept incoming requests > from Internet for the webserver? > > If the wireless IS NOT accepting any incoming requests for the web server > from the Internet then something like the following should do the trick: > > *BSD* box: build it as NATD and IPFW machine. > - Assign your public web IP as an alias to the external NIC, so the > outside world will hit your BSD box for the web pages. > > In /etc/rc.conf add; assuming your public web server is at 82.82.82.82. > Note the netmask which is what ALL the aliased ips should have. Also > assuming you have fxp0 as your External Interface on the BSD box. 
>
> ifconfig_fxp0_alias0="inet 82.82.82.82 netmask 255.255.255.255"
> natd_enable="YES"
> natd_interface="fxp0"
> natd_flags="-f /etc/natd.conf"
>
> - In your /etc/natd.conf add
> redirect_port tcp 192.168.1.100:80 82.82.82.82:80
>
> - Adjust your ipfw rules to allow port 80 for the public ip and private ip
> to your liking.
>
> *WEB* box: make its default gateway the BSD box, i.e., the internal
> interface on the BSD box will be the default route for the WEB box.
>
> Since the Wireless and the BSD box are on the same LAN/network, your
> wireless clients should have no problem reaching the web server.
>
> I am sure there are other ways of doing this, but this is a good start.
>
> Regards,
> Patrick Soltani.
>

Thanks for the advice, aren't any fwd/divert rules required in ipfw?

-Fraser

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 25 08:10:55 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3910C16A4CE for ; Wed, 25 Aug 2004 08:10:55 +0000 (GMT) Received: from mk-smarthost-1.mail.uk.tiscali.com (mk-smarthost-1.mail.uk.tiscali.com [212.74.114.37]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0537743D60 for ; Wed, 25 Aug 2004 08:10:55 +0000 (GMT) (envelope-from fbsd-ipfw@0x10.com) Received: from mk-webmail-2.b2b.uk.tiscali.com ([212.74.112.92]:4968) by mk-smarthost-1.mail.uk.tiscali.com with esmtp (Exim 4.30) id 1Bzsre-000GKa-3Q; Wed, 25 Aug 2004 09:10:38 +0100 Received: from exim by mk-webmail-2.b2b.uk.tiscali.com with local (Exim 4.24) id 1Bzsre-0008Mt-2Q; Wed, 25 Aug 2004 09:10:38 +0100 References: <200408242313.5343345.6@btsoftware.com> In-Reply-To: <200408242313.5343345.6@btsoftware.com>
From: fbsd-ipfw@0x10.com To: Martin Date: Wed, 25 Aug 2004 09:10:37 +0100 Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: cc: "freebsd-ipfw@freebsd.org" Subject: Re: natd and ipfw problems...hope this is the rightplace=) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2004 08:10:55 -0000

Martin writes:
> On Tue, 24 Aug 2004 13:41:56 -0700, patrick wrote:
>>- In your /etc/natd.conf add
>>redirect_port tcp 192.168.1.100:80 82.82.82.82:80
>
> Basic idea is pretty good, but you have to be aware the static NAT
> does seem to have a memory leak. Transferring a couple
> of Gigabytes through static NAT gives a memory footprint for NAT in "top"
> of something like 50 Mb. Not sure if this is TCP or UDP related,
> but it does happen with eMule/Overnet on 4462/4663.
>
> Martin.
>

Thanks for the heads-up. Let's just hope I can get far enough to start worrying about it ;-)

-Fraser

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 25 10:45:04 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B4CE716A4CE; Wed, 25 Aug 2004 10:45:04 +0000 (GMT) Received: from shellma.zin.lublin.pl (shellma.zin.lublin.pl [212.182.126.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3DEBD43D2D; Wed, 25 Aug 2004 10:45:04 +0000 (GMT) (envelope-from pawmal-posting@freebsd.lublin.pl) Received: by shellma.zin.lublin.pl (Postfix, from userid 1018) id 091493474C2; Wed, 25 Aug 2004 12:43:11 +0200 (CEST) Date: Wed, 25 Aug 2004 12:43:10 +0200
From: Pawel Malachowski To: Pawel Jakub Dawidek Message-ID: <20040825104310.GA57463@shellma.zin.lublin.pl> References: <200408232155.i7NLt4gF052086@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <200408232155.i7NLt4gF052086@freefall.freebsd.org> User-Agent: Mutt/1.4.2i cc: ipfw@freebsd.org Subject: Re: kern/46557: ipfw pipe show fails with lots of queues X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2004 10:45:04 -0000 On Mon, Aug 23, 2004 at 09:55:04PM +0000, Pawel Jakub Dawidek wrote: > Here is prosposed patch against HEAD: [...] > +static int > +dummynet_get(struct sockopt *sopt) > +{ > + char *buf, *bp ; /* bp is the "copy-pointer" */ > + size_t size ; > + struct dn_flow_set *set ; > + struct dn_pipe *p ; > + int error=0, i ; > + > + /* XXX lock held too long */ > + DUMMYNET_LOCK(); > + /* > + * XXX: Ugly, but we need to allocate memory with M_WAITOK flag and we > + * cannot use this flag while holding a mutex. > + */ > + for (i = 0; i < 10; i++) { > + size = dn_calc_size(); > + DUMMYNET_UNLOCK(); > + buf = malloc(size, M_TEMP, M_WAITOK); Wouldn't it be better to allocate size+something or size*i*something? Theoretically with dynamic pipes we can be so unlucky that even after 10 tries and with plenty of free memory we still can't hit this size because it floats all the time. (If so, next condition should be >=.) Right now, we will report ENOBUFS not only when there is no memory (BTW, shouldn't it be ENOMEM?) but also when we have ENOLUCK. 
;) > + DUMMYNET_LOCK(); > + if (size == dn_calc_size()) > + break; > + free(buf, M_TEMP); > + buf = NULL; > + } > + if (buf == NULL) { > DUMMYNET_UNLOCK(); > return ENOBUFS ; > } -- Paweł Małachowski From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 25 11:06:47 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 69A5616A4CE for ; Wed, 25 Aug 2004 11:06:47 +0000 (GMT) Received: from shellma.zin.lublin.pl (shellma.zin.lublin.pl [212.182.126.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2D66443D31 for ; Wed, 25 Aug 2004 11:06:47 +0000 (GMT) (envelope-from pawmal-posting@freebsd.lublin.pl) Received: by shellma.zin.lublin.pl (Postfix, from userid 1018) id 151903474C2; Wed, 25 Aug 2004 13:04:55 +0200 (CEST) Date: Wed, 25 Aug 2004 13:04:55 +0200 
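Review bot: the retry loop only succeeds when dn_calc_size() comes back with exactly the value it had before the lock was dropped (`if (size == dn_calc_size())` / `break;`), so while pipes or queues are being created and destroyed all ten attempts can miss and the caller gets ENOBUFS with plenty of memory free; allocating `size` plus some headroom and accepting `dn_calc_size() <= size` would turn that into a real bound, provided the copy that follows uses the recomputed length, not the allocated one, when it reports the result through sopt. Two smaller points: the literal 10 deserves a named constant, and since a malloc with M_WAITOK cannot return NULL, `buf == NULL` after the loop only ever means "size never settled", which the ENOBUFS kept from the old error path does not describe well.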
From: Pawel Malachowski To: ipfw@freebsd.org Message-ID: <20040825110455.GB57463@shellma.zin.lublin.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.4.2i Subject: (not) Protecting of case IP_FW_GET. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2004 11:06:47 -0000 Hello, Let's look at netinet/ip_fw2.c, at ipfw_ctl(), case IP_FW_GET. We are computing size of rules. Size can float because rules can be dynamic. In RELENG_4, it is protected with splimp(). In HEAD, it is not protected at all. Is this correct? (Similar case in ip_dummynet, when computing size of pipes, is protected with mutexes). Another thing, in HEAD, there are three mallocs with M_WAITOK flag, only one of them checks if malloc succeed (lookup tables code) and returns ENOMEM, if not. Another two are assuming malloc will always succeed. In RELENG_4, result is checked and ENOBUFS (why not ENOMEM?) is returned if malloc failed. -- Paweł Małachowski From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 25 11:19:11 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3806F16A4CE for ; Wed, 25 Aug 2004 11:19:11 +0000 (GMT) Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2FD1E43D49 for ; Wed, 25 Aug 2004 11:19:11 +0000 (GMT) (envelope-from mux@freebsd.org) Received: by elvis.mu.org (Postfix, from userid 1920) id 23DF75C8D8; Wed, 25 Aug 2004 04:19:11 -0700 (PDT) Date: Wed, 25 Aug 2004 13:19:11 +0200 
From: Maxime Henrion To: Pawel Malachowski Message-ID: <20040825111911.GE92931@elvis.mu.org> References: <20040825110455.GB57463@shellma.zin.lublin.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040825110455.GB57463@shellma.zin.lublin.pl> User-Agent: Mutt/1.4.2.1i cc: ipfw@freebsd.org Subject: Re: (not) Protecting of case IP_FW_GET. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2004 11:19:11 -0000 Pawel Malachowski wrote: > Another thing, in HEAD, there are three mallocs with M_WAITOK flag, only > one of them checks if malloc succeed (lookup tables code) and returns > ENOMEM, if not. Another two are assuming malloc will always succeed. > In RELENG_4, result is checked and ENOBUFS (why not ENOMEM?) is returned > if malloc failed. The case where it checks the return value of malloc() is wrong. When called with the M_WAITOK flag, malloc() is not supposed to return NULL. Cheers, Maxime From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 25 11:40:14 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C83B16A4CE; Wed, 25 Aug 2004 11:40:14 +0000 (GMT) Received: from shellma.zin.lublin.pl (shellma.zin.lublin.pl [212.182.126.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 53C6343D2D; Wed, 25 Aug 2004 11:40:14 +0000 (GMT) (envelope-from pawmal-posting@freebsd.lublin.pl) Received: by shellma.zin.lublin.pl (Postfix, from userid 1018) id 5CE293474C2; Wed, 25 Aug 2004 13:38:22 +0200 (CEST) Date: Wed, 25 Aug 2004 13:38:22 +0200 
From: Pawel Malachowski To: Maxime Henrion Message-ID: <20040825113822.GC57463@shellma.zin.lublin.pl> References: <20040825110455.GB57463@shellma.zin.lublin.pl> <20040825111911.GE92931@elvis.mu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20040825111911.GE92931@elvis.mu.org> User-Agent: Mutt/1.4.2i cc: ipfw@freebsd.org Subject: Re: (not) Protecting of case IP_FW_GET. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2004 11:40:14 -0000 On Wed, Aug 25, 2004 at 01:19:11PM +0200, Maxime Henrion wrote: > > Another thing, in HEAD, there are three mallocs with M_WAITOK flag, only > > one of them checks if malloc succeed (lookup tables code) and returns > > ENOMEM, if not. Another two are assuming malloc will always succeed. > > In RELENG_4, result is checked and ENOBUFS (why not ENOMEM?) is returned > > if malloc failed. > > The case where it checks the return value of malloc() is wrong. When > called with the M_WAITOK flag, malloc() is not supposed to return NULL. malloc(9) states that. What would happen, if one tries to malloc more memory than we physically have, with M_WAITOK flag -- will it eat all available memory and wait forever for more? 
-- Paweł Małachowski From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 25 17:42:08 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 720DD16A4D0 for ; Wed, 25 Aug 2004 17:42:08 +0000 (GMT) Received: from mail.esoltani.com (fwnat.esoltani.com [67.120.127.181]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2F56443D1F for ; Wed, 25 Aug 2004 17:42:08 +0000 (GMT) (envelope-from patrick@esoltani.com) Received: from localhost (localhost [127.0.0.1]) by mail.esoltani.com (Postfix) with ESMTP id A52E98FC3C; Wed, 25 Aug 2004 10:42:07 -0700 (PDT) Received: from mail.esoltani.com ([127.0.0.1]) by localhost (baba.esoltani.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 81954-08; Wed, 25 Aug 2004 10:41:57 -0700 (PDT) Received: from [192.168.1.105] (khanoom.esoltani.com [192.168.1.105]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.esoltani.com (Postfix) with ESMTP id F1A938FC1F; Wed, 25 Aug 2004 10:41:56 -0700 (PDT) Message-ID: <412CD042.8010800@esoltani.com> Date: Wed, 25 Aug 2004 10:45:38 -0700 
From: patrick User-Agent: Mozilla Thunderbird 0.7.3 (Windows/20040803) X-Accept-Language: en-us, en MIME-Version: 1.0 To: fbsd-ipfw@0x10.com References: <412BA814.9060406@esoltani.com> In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new at esoltani.com cc: freebsd-ipfw@freebsd.org Subject: Re: natd and ipfw problems...hope this is the right place=) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Aug 2004 17:42:08 -0000 fbsd-ipfw@0x10.com wrote: > > Thanks for the advise, aren't any fwd/divert rules required in ipfw? > -Fraser yes, and that is part of the initial natd setup. I have something like this: ${fwcmd} add divert natd all from any to any via ${oif} Once your nat is working, that's the only divert you need. Regards, Patrick Soltani. From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 26 07:58:19 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EB57D16A4CE for ; Thu, 26 Aug 2004 07:58:19 +0000 (GMT) Received: from mk-smarthost-8.mail.uk.tiscali.com (mk-smarthost-8.mail.uk.tiscali.com [212.74.114.47]) by mx1.FreeBSD.org (Postfix) with ESMTP id 479A643D54 for ; Thu, 26 Aug 2004 07:58:19 +0000 (GMT) (envelope-from fbsd-ipfw@0x10.com) Received: from mk-webmail-1.b2b.uk.tiscali.com ([212.74.112.91]:3543) by mk-smarthost-8.mail.uk.tiscali.com with esmtp (Exim 4.30) id 1C0F7z-0006J4-Uq; Thu, 26 Aug 2004 08:56:59 +0100 Received: from exim by mk-webmail-1.b2b.uk.tiscali.com with local (Exim 4.24) id 1C0F9F-000MNW-Sj; Thu, 26 Aug 2004 08:58:17 +0100 References: <412BA814.9060406@esoltani.com> <412CD042.8010800@esoltani.com> In-Reply-To: <412CD042.8010800@esoltani.com> 
From: fbsd-ipfw@0x10.com To: patrick Date: Thu, 26 Aug 2004 08:58:17 +0100 Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="utf-8" Content-Transfer-Encoding: 7bit Message-Id: cc: freebsd-ipfw@freebsd.org Subject: Re: natd and ipfw problems...hope this is the rightplace=) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Aug 2004 07:58:20 -0000 Okay cheers! patrick writes: > fbsd-ipfw@0x10.com wrote: > >> >> Thanks for the advise, aren't any fwd/divert rules required in ipfw? >> -Fraser > > yes, and that is part of the initial natd setup. > > I have something like this: > ${fwcmd} add divert natd all from any to any via ${oif} > > Once your nat is working, that's the only divert you need. > > Regards, > Patrick Soltani. > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 27 10:23:06 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1F6D916A4CF for ; Fri, 27 Aug 2004 10:23:06 +0000 (GMT) Received: from mail-charenton.netaktiv.com (netaktiv.net1.nerim.net [62.212.103.139]) by mx1.FreeBSD.org (Postfix) with ESMTP id E020F43D66 for ; Fri, 27 Aug 2004 10:23:04 +0000 (GMT) (envelope-from pierre-gilles@staff.netaktiv.com) Received: from localhost (localhost [127.0.0.1]) by mail-charenton.netaktiv.com (Postfix) with ESMTP id 174C042AC8 for ; Fri, 27 Aug 2004 12:23:03 +0200 (CEST) Received: from mail-charenton.netaktiv.com ([127.0.0.1]) by localhost (aragon [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22127-09 for ; Fri, 27 Aug 2004 12:23:03 +0200 (CEST) 
Received: by mail-charenton.netaktiv.com (Postfix, from userid 1007) id E414E42A84; Fri, 27 Aug 2004 12:23:02 +0200 (CEST) Date: Fri, 27 Aug 2004 12:23:02 +0200 
From: Pierre-Gilles Mialon To: freebsd-ipfw@freebsd.org Message-ID: <20040827102302.GE20492@staff.netaktiv.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.6i X-Virus-Scanned: by amavisd-new-20030616-p5 (Debian) at netaktiv.com Subject: Limit the number of connection per host ? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Aug 2004 10:23:06 -0000

Is it possible to limit the number of connections per host on a FreeBSD router using natd to share a connection?

I want to limit the use of p2p programs, so I want to limit the number of tcp connections opened per host to 120. Is it possible using ipfw?

Thanks

-- Pierre-Gilles Mialon mialon@netaktiv.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 27 12:59:02 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A23916A4CE for ; Fri, 27 Aug 2004 12:59:02 +0000 (GMT) Received: from mail-charenton.netaktiv.com (netaktiv.net1.nerim.net [62.212.103.139]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7EDF143D5F for ; Fri, 27 Aug 2004 12:59:01 +0000 (GMT) (envelope-from pierre-gilles@staff.netaktiv.com) Received: from localhost (localhost [127.0.0.1]) by mail-charenton.netaktiv.com (Postfix) with ESMTP id 0740C42AC8 for ; Fri, 27 Aug 2004 14:59:00 +0200 (CEST) Received: from mail-charenton.netaktiv.com ([127.0.0.1]) by localhost (aragon [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23563-10 for ; Fri, 27 Aug 2004 14:58:59 +0200 (CEST) Received: by mail-charenton.netaktiv.com (Postfix, from userid 1007) id CE08642A84; Fri, 27 Aug 2004 14:58:59 +0200 (CEST) Date: Fri, 27 Aug 2004 14:58:59 +0200
From: Pierre-Gilles Mialon To: freebsd-ipfw@freebsd.org Message-ID: <20040827125859.GI20492@staff.netaktiv.com> References: <20040827102302.GE20492@staff.netaktiv.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20040827102302.GE20492@staff.netaktiv.com> User-Agent: Mutt/1.5.6i X-Virus-Scanned: by amavisd-new-20030616-p5 (Debian) at netaktiv.com Subject: Re: Limit the number of connection per host ? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Aug 2004 12:59:02 -0000

On Fri, Aug 27, 2004 at 12:23:02PM +0200, Pierre-Gilles Mialon wrote:
> Is it possible to limit the number of connections per host on a FreeBSD
> router using natd to share a connection?
>
> I want to limit the use of p2p programs, so I want to limit the number of
> tcp connections opened per host to 120. Is it possible using ipfw?

Sorry, I found it in "man ipfw":

    limit {src-addr | src-port | dst-addr | dst-port} N
        The firewall will only allow N connections with the same set of
        parameters as specified in the rule. One or more of source and
        destination addresses and ports can be specified.

Too easy to believe! Thanks for your work, and for the quality of the documentation!
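The two configuration points in this thread, Patrick Soltani's `divert natd` plus `redirect_port` setup for the web server and the `limit src-addr N` keyword Pierre-Gilles found in ipfw(8), can be watched working together in the following toy model. This is an added example, not code from FreeBSD, ipfw, natd or anyone on the list: it walks an ordered rule list the way ipfw does, hands packets that hit the `divert` rule to a stand-in for natd's static `redirect_port`, and keeps the per-source dynamic state that `limit` creates. The rule numbers, the `setup` boolean standing in for ipfw's SYN-without-ACK match, and all packets are constructed; 82.82.82.82 and 192.168.1.0/24 come from Patrick's post, while 203.0.113.7 and 198.51.100.9 are documentation addresses chosen for the sample traffic.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Mirrors the /etc/natd.conf line from the thread:
#   redirect_port tcp 192.168.1.100:80 82.82.82.82:80
REDIRECTS = {("tcp", "82.82.82.82", 80): ("192.168.1.100", 80)}


def natd_redirect(pkt):
    """Stand-in for natd's static redirect_port on an inbound packet.

    Only the inbound rewrite is modelled; natd's outbound source aliasing
    passes through unchanged here.
    """
    key = (pkt["proto"], pkt["dst"], pkt["dport"])
    if key not in REDIRECTS:
        return pkt
    translated = dict(pkt)
    translated["dst"], translated["dport"] = REDIRECTS[key]
    return translated


def in_net(addr, cidr):
    return ip_address(addr) in ip_network(cidr)


class ToyIpfw:
    """Ordered rules as (number, action, match_fn, argument) tuples."""

    def __init__(self, rules):
        self.rules = rules
        # Dynamic state created by `limit src-addr N`: open connections per
        # (rule number, source address), like ipfw's dynamic rule table.
        self.dyn = defaultdict(int)

    def process(self, pkt):
        """Return (verdict, packet as seen by the rule that decided)."""
        for number, action, match, arg in self.rules:
            if not match(pkt):
                continue
            if action == "divert":
                # `divert natd` hands the packet to natd; the translated packet
                # re-enters the ruleset at the next rule, which is why the divert
                # rule has to precede the allow rule written for the private IP.
                pkt = natd_redirect(pkt)
                continue
            if action == "limit":
                key = (number, pkt["src"])
                if self.dyn[key] >= arg:
                    return "deny", pkt  # N connections already open from this host
                self.dyn[key] += 1
                return "allow", pkt
            return action, pkt
        return "deny", pkt  # fell off the end: a default-deny kernel drops it

    def close(self, number, src):
        """Release one dynamic slot, as ipfw does when the connection expires."""
        if self.dyn[(number, src)] > 0:
            self.dyn[(number, src)] -= 1


def build_rules(oif="fxp0", lan="192.168.1.0/24", per_host_limit=120, divert_first=True):
    """Rough equivalent of:
         add 100 divert natd all from any to any via fxp0
         add 200 allow tcp from any to 192.168.1.100 80
         add 300 allow tcp from 192.168.1.0/24 to any setup limit src-addr 120
    With divert_first=False the divert rule is appended last (the mistake).
    """
    divert = ("divert", lambda p: p["iface"] == oif, "natd")
    rules = [
        (200, "allow", lambda p: p["proto"] == "tcp"
         and p["dst"] == "192.168.1.100" and p["dport"] == 80, None),
        (300, "limit", lambda p: p["proto"] == "tcp"
         and in_net(p["src"], lan) and p["setup"], per_host_limit),
    ]
    if divert_first:
        return [(100,) + divert] + rules
    return rules + [(400,) + divert]


def tcp_syn(src, dst, dport, sport=40000, iface="fxp0"):
    """Constructed SYN; `setup` stands in for ipfw's SYN-without-ACK match."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "iface": iface, "setup": True}


def demo(divert_first=True, per_host_limit=120):
    """Inbound web hit, then one LAN host opening per_host_limit + 1 connections."""
    fw = ToyIpfw(build_rules(per_host_limit=per_host_limit, divert_first=divert_first))
    verdict, seen = fw.process(tcp_syn("203.0.113.7", "82.82.82.82", 80))
    results = [fw.process(tcp_syn("192.168.1.101", "198.51.100.9", 4663, 40000 + i))[0]
               for i in range(per_host_limit + 1)]
    return verdict, seen["dst"], results.count("allow"), results[-1]


if __name__ == "__main__":
    print("divert first:", demo())
    print("divert last: ", demo(divert_first=False))
```

With the divert rule first, the inbound request to the public alias is rewritten to 192.168.1.100:80 and accepted by the rule written for the private address, and the 121st SYN from the LAN host is dropped while the first 120 pass; with the divert rule moved last the untranslated packet matches nothing and falls through to the default deny, which is the answer to Fraser's question about whether a divert rule is needed. Only inbound redirection is modelled, and a real ruleset also needs rules for return traffic, so treat this as an illustration of rule order and `limit` state, not as a drop-in configuration.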
-- Pierre-Gilles Mialon mialon@netaktiv.com From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 28 18:30:36 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 048C216A4CE; Sat, 28 Aug 2004 18:30:36 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id DAF2043D46; Sat, 28 Aug 2004 18:30:35 +0000 (GMT) (envelope-from arved@FreeBSD.org) Received: from freefall.freebsd.org (arved@localhost [127.0.0.1]) i7SIUZsO011189; Sat, 28 Aug 2004 18:30:35 GMT (envelope-from arved@freefall.freebsd.org) Received: (from arved@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7SIUZbU011185; Sat, 28 Aug 2004 18:30:35 GMT (envelope-from arved) Date: Sat, 28 Aug 2004 18:30:35 GMT 
From: Tilman Linneweh Message-Id: <200408281830.i7SIUZbU011185@freefall.freebsd.org> To: arved@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/62193: firewall klm fails to parse divert keyword properly X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Aug 2004 18:30:36 -0000 Synopsis: firewall klm fails to parse divert keyword properly Responsible-Changed-From-To: freebsd-bugs->ipfw Responsible-Changed-By: arved Responsible-Changed-When: Sat Aug 28 18:29:54 GMT 2004 Responsible-Changed-Why: Over to ipfw Mailinglist for review http://www.freebsd.org/cgi/query-pr.cgi?pr=62193 From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 28 19:00:07 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A69D16A4CE; Sat, 28 Aug 2004 19:00:07 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2887C43D54; Sat, 28 Aug 2004 19:00:07 +0000 (GMT) (envelope-from maxim@FreeBSD.org) Received: from freefall.freebsd.org (maxim@localhost [127.0.0.1]) i7SJ079F013373; Sat, 28 Aug 2004 19:00:07 GMT (envelope-from maxim@freefall.freebsd.org) Received: (from maxim@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7SJ06W4013369; Sat, 28 Aug 2004 19:00:06 GMT (envelope-from maxim) Date: Sat, 28 Aug 2004 19:00:06 GMT 
From: Maxim Konovalov Message-Id: <200408281900.i7SJ06W4013369@freefall.freebsd.org> To: abowhill@blarg.net, maxim@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/62193: firewall klm fails to parse divert keyword properly X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Aug 2004 19:00:07 -0000

Synopsis: firewall klm fails to parse divert keyword properly
State-Changed-From-To: open->closed
State-Changed-By: maxim
State-Changed-When: Sat Aug 28 18:56:40 GMT 2004
State-Changed-Why:
From divert(4) man page:
:DETAILS
:     To enable divert sockets, your kernel must be compiled with the option
:     IPDIVERT.

http://www.freebsd.org/cgi/query-pr.cgi?pr=62193