From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 9 00:24:58 2005
From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org
cc: "heath, Chia Hui Chen"
Date: Sun, 9 Jan 2005 01:24:38 +0100
Message-Id: <200501090124.55534.4711@chello.at>
In-Reply-To: <200501082236.24796.4711@chello.at>
Subject: Re: ipfw + MAC nothing happens?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 08 January 2005 22:36, Christian Hiris wrote:
> On Saturday 08 January 2005 17:46, heath, Chia Hui Chen wrote:
> > It's strange.
> > I use two computers to test.
> > One called A (00:e0:18:62:xx:xx)
> > another called B.
> >
> > And the ruleset is the same as you said.
> > I try reboot and use A to connect port 443 of one site.
> > IPFW output are below:
> > ============================================================
>
> The diverted packets are not layer-2 packets, so they must be able to
> bypass the layer-2 rules. In our case all diverted packets match rule 30,
> because none of the two layer-2 rules (10 and 20) applies.
> So please add the rule below to your ruleset. If this doesn't work, I will
> try to reproduce this on one of my boxes.

Sorry, I'm kinda braindead today ...

00030 3 144 deny tcp from any to any dst-port 443

The above rule will not work, because at ip_input the layer-2 headers are
already stripped off and the packet is treated as a layer-3 packet.

Good news: I tested another solution on one of my boxen. The result is that
all filtering on MAC _and_ port must be done on layer 2. I also forgot to add
the necessary rules to allow layer-2 packets in the last example (shame on
me).

So here are the rules I tested, but I did not test them with natd enabled
and the divert rule.

# Bypass all packets w/o layer-2 headers
ipfw add 10 skipto 30 all from any to any not layer2

# Branch to MAC filter, if we find layer-2 and dst-port 443
ipfw add 11 skipto 20 all from any to any 443 layer2

# For all other layer-2 packets jump to rule 30
ipfw add 12 skipto 30 MAC any any

# MAC filter for layer-2 packets we got from rule 11
ipfw add 20 deny MAC any 00:e0:18:62:xx:xx

# Allow rest of layer-2 packets
ipfw add 30 pass MAC any any

# Process packets as usual
00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
============================================================

PS: I would also think about users that try to circumvent the rules by using
proxies and/or users that are smart enough to spoof their MAC addresses.
- --
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFB4HnX09WjGjvKU74RAnQwAJ9RtKX62xok8yIxSJDN1a8sJmaBLQCeOmJq
87O4RZ1U19Hh4vznXIgYksg=
=Z5yx
-----END PGP SIGNATURE-----

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 9 04:11:00 2005
From: "heath, Chia Hui Chen"
To: "Christian Hiris" <4711@chello.at>
Date: Sun, 9 Jan 2005 12:11:07 +0800
Message-ID: <018201c4f601$407b9e60$f8813b3d@linuxlmx20ji5l>
In-Reply-To: <200501090124.55534.4711@chello.at>
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw + MAC nothing happens?

It works, thank you very much. :)

----- Original Message -----
From: "Christian Hiris" <4711@chello.at>
Cc: "heath, Chia Hui Chen"
Sent: Sunday, January 09, 2005 8:24 AM
Subject: Re: ipfw + MAC nothing happens?

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Saturday 08 January 2005 22:36, Christian Hiris wrote:
> > The diverted packets are not layer-2 packets, so they must be able to
> > bypass the layer-2 rules. In our case all diverted packets match rule 30,
> > because none of the two layer-2 rules (10 and 20) applies.
> > So please add the rule below to your ruleset. If this doesn't work, I will
> > try to reproduce this on one of my boxes.
>
> Sorry, I'm kinda braindead today ...
>
> 00030 3 144 deny tcp from any to any dst-port 443
>
> The above rule will not work, because at ip_input, the layer-2 headers already
> stripped off and the packet will be treated as layer-3 packet.
>
> Good news are: I tested another solution on one of my boxen. The result is
> that all filtering on MAC _and_ port must be done on layer-2. I also forgot
> to add the necessary rules to allow layer-2 packets in the last example
> (shame on me).
>
> So here are the rules I tested, but I did not test them with natd enabled and
> the divert rule.
>
> # Bypass all packets w/o layer-2 headers
> ipfw add 10 skipto 30 all from any to any not layer2
>
> # Branch to MAC filter, if we find layer-2 and dst-port 443
> ipfw add 11 skipto 20 all from any to any 443 layer2
>
> # For all other layer-2 packets jump to rule 30
> ipfw add 12 skipto 30 MAC any any
>
> # MAC filter for layer-2 packets we got from rule 11
> ipfw add 20 deny MAC any 00:e0:18:62:xx:xx
>
> # Allow rest of layer-2 packets
> ipfw add 30 pass MAC any any
>
> # Process packets as usual
>
> 00050 divert 8668 ip from any to any via fxp0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> ============================================================
>
> PS: I would also think about users that try to circumvent the rules by using
> proxies and/or users that are smart enough to spoof their MAC addresses.
>
> - --
> Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
> OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (FreeBSD)
>
> iD8DBQFB4HnX09WjGjvKU74RAnQwAJ9RtKX62xok8yIxSJDN1a8sJmaBLQCeOmJq
> 87O4RZ1U19Hh4vznXIgYksg=
> =Z5yx
> -----END PGP SIGNATURE-----

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 9 07:48:57 2005
From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org
cc: "heath, Chia Hui Chen"
Date: Sun, 9 Jan 2005 08:48:35 +0100
Message-Id: <200501090848.54123.4711@chello.at>
In-Reply-To: <018201c4f601$407b9e60$f8813b3d@linuxlmx20ji5l>
Subject: Re: ipfw + MAC nothing happens?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 09 January 2005 05:11, heath, Chia Hui Chen wrote:
> It works, thank you very much.
>
> :)

Great! I just did some more testing. On 5.3-STABLE things work as easily as:

ipfw add 10 skipto 50 all from any to any not layer2
ipfw add 20 deny tcp from any to any 443 MAC any 00:e0:18:62:xx:xx
ipfw add 30 pass MAC any any

00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
============================================================

I think the rules should also work for 5.2.1.

The solution I posted in the previous message has the advantage that you can
build blocks of ports and MACs, which are easy to maintain. However, it has
the disadvantage that it consists of more rules (esp. slow skipto rules) than
the above solution (which I derived from your question).

I read the ipfw manpage about 20 times in the last two years, and I always
thought it explained that it's not possible to mix layer-2 and layer-3
filtering ...
Cheers,
ch

> ----- Original Message -----
> From: "Christian Hiris" <4711@chello.at>
> Cc: "heath, Chia Hui Chen"
> Sent: Sunday, January 09, 2005 8:24 AM
> Subject: Re: ipfw + MAC nothing happens?
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Saturday 08 January 2005 22:36, Christian Hiris wrote:
> > > The diverted packets are not layer-2 packets, so they must be able to
> > > bypass the layer-2 rules. In our case all diverted packets match rule 30,
> > > because none of the two layer-2 rules (10 and 20) applies.
> > > So please add the rule below to your ruleset. If this doesn't work, I will
> > > try to reproduce this on one of my boxes.
> >
> > Sorry, I'm kinda braindead today ...
> >
> > 00030 3 144 deny tcp from any to any dst-port 443
> >
> > The above rule will not work, because at ip_input, the layer-2 headers
> > already stripped off and the packet will be treated as layer-3 packet.
> >
> > Good news are: I tested another solution on one of my boxen. The result
> > is that all filtering on MAC _and_ port must be done on layer-2. I also
> > forgot to add the necessary rules to allow layer-2 packets in the last
> > example (shame on me).
> >
> > So here are the rules I tested, but I did not test them with natd enabled
> > and the divert rule.
> >
> > # Bypass all packets w/o layer-2 headers
> > ipfw add 10 skipto 30 all from any to any not layer2
> >
> > # Branch to MAC filter, if we find layer-2 and dst-port 443
> > ipfw add 11 skipto 20 all from any to any 443 layer2
> >
> > # For all other layer-2 packets jump to rule 30
> > ipfw add 12 skipto 30 MAC any any
> >
> > # MAC filter for layer-2 packets we got from rule 11
> > ipfw add 20 deny MAC any 00:e0:18:62:xx:xx
> >
> > # Allow rest of layer-2 packets
> > ipfw add 30 pass MAC any any
> >
> > # Process packets as usual
> >
> > 00050 divert 8668 ip from any to any via fxp0
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 65000 allow ip from any to any
> > 65535 deny ip from any to any
> > ============================================================
> >
> > PS: I would also think about users that try to circumvent the rules by
> > using proxies and/or users that are smart enough to spoof their MAC
> > addresses.
> >
> > - --
> > Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
> > OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (FreeBSD)
> >
> > iD8DBQFB4HnX09WjGjvKU74RAnQwAJ9RtKX62xok8yIxSJDN1a8sJmaBLQCeOmJq
> > 87O4RZ1U19Hh4vznXIgYksg=
> > =Z5yx
> > -----END PGP SIGNATURE-----

- --
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFB4OHm09WjGjvKU74RApwqAJ9TSgOGztX2Ss9jLGYKsIDO3V+SZgCdH5vT
g4HWzPCWkqOUWsavDN3exkI=
=zlv4
-----END PGP SIGNATURE-----

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 10 05:41:31 2005
From: Ian FREISLICH
To: martes.wigglesworth@earthlink.net
cc: Christian Hiris <4711@chello.at>
cc: "heath, Chia Hui Chen"
cc: ipfw-mailings
Date: Mon, 10 Jan 2005 07:41:14 +0200
In-Reply-To: Message from Martes Wigglesworth <1105221596.683.387.camel@Mobile1.276NET>
Subject: Re: Viable FreeBSD Network Access Server projects...?
Martes Wigglesworth wrote:
> Also, to supply 56K service, would I be able to use the multi-modem
> approach, or do I need to have the DSL with digital "modems" and all
> that jazz? I am reading about the digital "RAS" setups, and all the

You need digital modems to provide a 56K service. You might (or might not)
have noticed that the 56K connection is asymmetric: 33.6K max from the
dial-in to the network access server (NAS) and 56K max from the NAS to the
dial-in. The reason for this is that there is a low-pass filter cut-off at
4000Hz on the input to the ADC at the end of the local loop, to prevent
aliasing in the analog-to-digital conversion. A voice connection over the
PSTN is usually provisioned over a 64kbit/s PCM channel internally in the
exchange and between exchanges. This means that the highest frequency that
can be accurately transmitted is 4KHz, half the sampling frequency of 8KHz.
This roughly translates to 33.6Kbit/s of modulated data, hence the upper
bound of an analog connection.

The 56K server modem has a digital connection to the exchange, normally over
channelised E1/T1 providing ISDN or R2-MFC signalling. The server modem can
then transmit 64Kbit/s to the exchange, which, when output to the local loop
via the DAC, gives a frequency of up to 8KHz because there is no low-pass
filter on the analog output path. You could, I guess, theoretically get a
64K connection, but due to losses on the local loop the upper bound is 56K
when conditions are good.

When I ran the dialup service for a large ISP (something I'm pleased to be
rid of) we used a combination of equipment from 3Com (Total Control
chassis), Ascend and Cisco AS5300. These systems provided the total dial-in
service.
You might find an ISDN modem capable of terminating an analog connection,
but as far as I can recall there was some licensing fee and special software
required for the 56K server modem, although that might have changed - it's
been years since I've done dialup.

Depending on how many users you have, you might want to consider an external
RADIUS or TACACS server. I personally would put that threshold somewhere
between 5 and 20.

Ian

--
Ian Freislich

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 10 09:03:24 2005
From: Martes Wigglesworth
To: Ian FREISLICH, freebsd-isp list
cc: ipfw-mailings
Organization: Wiggtekmicro Corporation
Date: Mon, 10 Jan 2005 12:03:39 +0300
Message-Id: <1105347792.3320.130.camel@Mobile1.276NET>
Subject: Re: Viable FreeBSD Network Access Server projects...?
Good lord. Thanks for all the information. I was thinking of using dedicated
hardware, and it almost seems that it would be much simpler to just purchase
a Total Control, AS5400, or other PRI appliance, and see how it works, then
attempt my project as a side experiment. I am good with the theories;
however, I have yet to actually see how to gateway the digital channelized
lines to the dialup analog lines. Or would the channelized T1 simply be used
as call-in lines to my data center, and then I just have the RAS/NAS connect
to the rest of my backbone, via the RADIUS server (FreeRADIUS on
FreeBSD/OpenBSD), then to my other network resources? I still don't quite
have a good picture of why you would need an analog phone line, when you
already have channelized service, to supply the 56K 64kbit/s pipe. Or am I
just misunderstanding what has been said?

Has anyone considered using Asterisk for some sort of telephony gateway
solution to this type of topology? I know you can do VOIP, however that is
much more advanced than what I am currently attempting to grasp.

Also, are there any PRI/Analog/Channelized modem pool resources that anyone
can point me to? I have been able to locate a bit of information; however,
no one ever actually discloses how the line provisioning can actually be set
up.

Thanks a bunch for the information, Ian.

--
Respectfully,
M.G.W.
System: PCChips K7SOM MB AMD K7 Pro 1800 256MB RAM 40GB HD 10/100 NIC
FreeBSD-5.2.1-RELEASE

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 10 11:04:08 2005
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 10 Jan 2005 11:04:06 GMT
Message-Id: <200501101104.j0AB46u3095970@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw  ipfw core (crash)
o [2004/03/03] kern/63724  ipfw  IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw  [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483  ipfw  ipfw count does not count

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 10 21:22:08 2005
From: "Carl Mark"
To: freebsd-ipfw@freebsd.org
Date: Mon, 10 Jan 2005 21:21:55 +0000
Subject: limiting connections

Hello folks,

I'm trying to set up a ruleset that limits every user to X tcp connections,
since I have 300 active users on each server. I've been trying to work it out
with the ipfw limit but I really don't know how effective it is.

For example:

ipfw -q add 15 allow tcp from me to any 80 limit dst-port X keep-state out setup

Will this limit the whole machine to X connections that match the rule? I
wanted to build something that would limit every user to X conns without
having one rule for each user using the "uid" directive.

Thanks for your precious help.
Regards,
Carl

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 10 22:35:47 2005
From: "Don Bowman"
To: "Carl Mark"
Date: Mon, 10 Jan 2005 17:35:46 -0500
Message-ID: <2BCEB9A37A4D354AA276774EE13FB8C219AFB7@mailserver.sandvine.com>
Subject: RE: limiting connections

From: Carl Mark
> Hello folks,
>
> I'm trying to set up a ruleset that limits every user to X
> tcp connections, since I have 300 active users on each
> server. I've been trying to work it out with the ipfw limit
> but I really don't know how effective it is.
>
> For example:
>
> ipfw -q add 15 allow tcp from me to any 80 limit dst-port X
> keep-state out setup
>

ipfw add 50 allow tcp from any to any setup limit src-addr 2

would limit any user to 2 concurrent TCP connections.
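The difference between Carl's draft (`limit dst-port X`) and Don's answer (`limit src-addr 2`) is which packet field ipfw groups the dynamic state by: the rule admits a new connection only while fewer than N tracked connections share the same value of the chosen field. The following is an added illustration, not ipfw's own code and not from either poster: a Python model of that bookkeeping, run over a constructed sequence of SYN/FIN events from two client addresses. The names `LimitRule`, `simulate` and `run_demo`, the sample addresses and the event list are all made up for this example; connection expiry on timeout, which ipfw also does, is not modelled.

```python
from collections import defaultdict

# Constructed model of the ipfw "limit {src-addr|dst-addr|src-port|dst-port} N"
# option: a new connection (a SYN, "setup") is admitted only while fewer than N
# tracked connections share the same value of the chosen field. This is an
# illustration written for this thread, not ipfw's own implementation.

LIMIT_KEYS = ("src-addr", "dst-addr", "src-port", "dst-port")

# Constructed sample: server S receives SYNs from two client addresses.
S = "10.0.0.1"
EVENTS = [
    ("syn", ("192.0.2.10", 1000, S, 80)),   # client A, 1st connection
    ("syn", ("192.0.2.10", 1001, S, 80)),   # client A, 2nd
    ("syn", ("192.0.2.10", 1002, S, 80)),   # client A, 3rd
    ("syn", ("192.0.2.20", 2000, S, 80)),   # client B, 1st
    ("fin", ("192.0.2.10", 1000, S, 80)),   # client A closes its 1st
    ("syn", ("192.0.2.10", 1002, S, 80)),   # client A retries its 3rd
]


class LimitRule:
    """Dynamic-rule bookkeeping for one 'limit <key> N' rule."""

    def __init__(self, key, n):
        if key not in LIMIT_KEYS:
            raise ValueError(f"unknown limit key {key!r}")
        self.key = key
        self.n = n
        # value of the chosen field -> set of (src, sport, dst, dport) flows
        self.active = defaultdict(set)

    def _bucket(self, conn):
        src, sport, dst, dport = conn
        value = {"src-addr": src, "src-port": sport,
                 "dst-addr": dst, "dst-port": dport}[self.key]
        return self.active[value]

    def setup(self, conn):
        """Decide on a SYN: True = allow and track, False = deny."""
        bucket = self._bucket(conn)
        if conn in bucket:
            return True                # retransmitted SYN of a tracked flow
        if len(bucket) >= self.n:
            return False               # bucket already holds N flows: deny
        bucket.add(conn)
        return True

    def teardown(self, conn):
        """Forget a flow once it closes."""
        self._bucket(conn).discard(conn)


def simulate(rule, events):
    """Run SYN/FIN events through the rule; return one verdict per event."""
    verdicts = []
    for kind, conn in events:
        if kind == "syn":
            verdicts.append("allow" if rule.setup(conn) else "deny")
        else:
            rule.teardown(conn)
            verdicts.append("closed")
    return verdicts


def run_demo(key, n, events=EVENTS):
    return simulate(LimitRule(key, n), events)


if __name__ == "__main__":
    # Don's rule keys on the client address: each client gets its own bucket.
    print("src-addr 2:", run_demo("src-addr", 2))
    # Keyed on dst-port, every flow to port 80 shares one bucket.
    print("dst-port 2:", run_demo("dst-port", 2))
```

With `src-addr 2`, client A's third SYN is denied while client B's first is still admitted, and A gets a slot back once one of its flows closes; with `dst-port 2` the same events deny B as well, because all flows to port 80 count against one bucket. Which field to key on therefore depends on which field actually differs between the users you want to separate.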
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 11 15:53:04 2005
From: "Carl Mark"
To: freebsd-ipfw@freebsd.org
Date: Tue, 11 Jan 2005 15:52:16 +0000
Subject: sysctl: unknown oid 'net.inet.ip.fw.dyn_keepalive'

Hello folks,

I have a machine running 4.10-STABLE with IPFW and I've been reading its
manpage, but I'm missing something here.

The sysctl oid net.inet.ip.fw.dyn_keepalive does not exist in my system:

sysctl: unknown oid 'net.inet.ip.fw.dyn_keepalive'

Does anyone have an idea why this is happening?
Thanks

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 11 17:02:19 2005
From: "Simon L. Nielsen"
To: Carl Mark
cc: freebsd-ipfw@freebsd.org
Date: Tue, 11 Jan 2005 18:02:17 +0100
Message-ID: <20050111170216.GB773@zaphod.nitro.dk>
Subject: Re: sysctl: unknown oid 'net.inet.ip.fw.dyn_keepalive'

On 2005.01.11 15:52:16 +0000, Carl Mark wrote:
> Hello folks,
>
> I have a machine running 4.10-STABLE with IPFW and I've been reading its
> manpage but I'm missing something here.
>
> The sysctl oid net.inet.ip.fw.dyn_keepalive does not exist in my system:
>
> sysctl: unknown oid 'net.inet.ip.fw.dyn_keepalive'
>
> Does anyone have an idea why this is happening?

I think the dyn keepalive feature is only for IPFW2.
The ipfw manual page describes how to use IPFW2 on 4-STABLE.

--
Simon L. Nielsen

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQFB5AaYh9pcDSc1mlERAhCRAJ9GrixyfnAcvEgpg1uKuzJyF8oH5QCglsxI
750CuKRhIfGLzeFxIZ9bX2w=
=vQ+e
-----END PGP SIGNATURE-----

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 11 19:05:39 2005
From: Kelly Yancey
To: Łukasz Bromirski
cc: freebsd-ipfw@freebsd.org
Date: Tue, 11 Jan 2005 12:07:55 -0800 (PST)
Message-ID: <20050111115411.V40364@gateway.posi.net>
In-Reply-To: <41E04D6B.3020801@mr0vka.eu.org>
Subject: Re: ipfw/verrevpath and source MAC logging - reloaded

On Sat, 8 Jan 2005, Łukasz Bromirski wrote:
> Hi,
>
> I asked a few days ago (two weeks actually) about implementing
> something like
> `log-input' keyword just like on Cisco IOS routers,
> when the ACE with this argument is hit it also logs the source MAC
> address, which is very valuable on multiaccess networks, like
> Ethernet. As nobody responded, I've dug through the sources for a moment,
> and with my limited knowledge about mbufs I'm stuck at the following
> comment:
>
> ip_fw2.c:
>
> * args->eh The MAC header. It is non-null for a layer2
> * packet, it is NULL for a layer-3 packet.
>
> ...so, is there some good soul on the list who will point me
> to where to look for the MAC source address when we're dealing with
> a `layer 3 packet' in ipfw nomenclature?
>

args->eh->ether_shost iff args->eh != NULL.

What is confusing is that when the comments in ipfw say "layer 3 packet" they mean a packet being filtered from a layer 3 hook. When net.inet.ip.fw.enable=1, that doesn't *really* mean enable ipfw, but it actually means enable ipfw hooks from the IP layer (layer 3). In this case, args->eh is always NULL.

When net.link.ether.ipfw=1 and net.inet.ip.fw.enable=0, that says enable ipfw hooks from the ethernet layer (layer 2). In this case args->eh is always non-NULL, so you can get the source MAC address. However, the packet itself may still be an IP packet, in which case any of the normal "layer 3" rules may still match the packet.

Finally, when net.link.ether.ipfw=1 and net.inet.ip.fw.enable=1, that says enable ipfw hooks from both layer 2 and layer 3. I can't think of a good reason to ever do this offhand. Enabling hooks from both layers causes all of your firewall rules to be evaluated once at layer 2, then if the packet is an IP packet, all of the rules are checked again at layer 3. Repeat for the output path in the opposite order (layer 3 then layer 2).

In any event, since you can't know which sysctls the user may enable, you just need to check whether args->eh is NULL first.
If it is NULL, you don't have access to the MAC information, so your new ipfw instruction won't match (it will be a no-op).

For your testing, you will want to set net.link.ether.ipfw=1 and net.inet.ip.fw.enable=0. Similarly, any users who would want to use your new instruction would also have to have net.link.ether.ipfw=1.

Good luck,

Kelly

-- 
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com
Join distributed.net Team FreeBSD: http://www.posi.net/freebsd/Team-FreeBSD/

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 16 00:00:22 2005
From: Juliao Braga - PegasusR
Date: Sat, 15 Jan 2005 21:53:16 -0200
Message-ID: <007a01c4fb5d$631c8400$c4f5fea9@ursa>
References: <41E04D6B.3020801@mr0vka.eu.org> <20050111115411.V40364@gateway.posi.net>
cc: jatyr@funec.br
Subject: ipfw: opcode 51 size 1 wrong

Hi,

FreeBSD Release 5.3 doesn't recognize NAT. I searched the list and found nothing about it. The response is:

    "ipfw: getsockopt(IP_FW_ADD): Invalid argument"

over the following divert rules:

    ...
    inti="rl0"
    ...
    # Nat
    ${cmd} 00300 divert natd all from 192.168.1.0/24 to any out via ${inti}
    ${cmd} 00310 divert natd all from any to 192.168.100.7 in via ${inti}
    ...

These are the other box's parameters:

1. Kernel:

    ...
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT
    options IPSTEALTH
    options DUMMYNET
    options HZ=1000
    ...

2. Nat (/usr/local/etc/rc.d):

    #!/bin/sh
    natd -interface rl0

3. # dmesg | egrep divert:

    ipfw2 initialized, divert enabled, rule-based forwarding disabled, default to accept, logging limited to 100 packets/entry by default

4. Last 2 lines of # dmesg:

    ipfw: opcode 51 size 1 wrong
    ipfw: opcode 51 size 1 wrong

5. # uname -a:

    FreeBSD gustavo.funec.br 5.3-STABLE FreeBSD 5.3-STABLE #0: Thu Dec 16 19:10:55 BRST 2004 root@gustavo.funec.br:/usr/obj/usr/src/sys/GUSTAVO i386

6. rc.conf:

    defaultrouter="192.168.100.1"
    gateway_enable="YES"
    hostname="gustavo.funec.br"
    #ifconfig_rl0="inet 192.168.100.7 netmask 255.255.255.0"
    ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
    linux_enable="NO"
    sshd_enable="YES"
    sendmail_enable="NONE"
    natd_enable="YES"          # Enable NATD function
    natd_interface="rl0"       # interface name of public Internet NIC
    natd_flags="-dynamic -m"   # -m = preserve port numbers if possible

Thank you for any help!

Juliao

---
Rede PegasusR
http://www.redepegasus.com.br
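The two "ipfw: opcode 51 size 1 wrong" lines in Juliao's dmesg come from the consistency check the ipfw2 kernel code runs on every rule submitted with IP_FW_ADD: a rule is a stream of microinstructions, each carrying an opcode and a length in 32-bit words, and the kernel rejects the whole rule with EINVAL (which ipfw(8) reports as "getsockopt(IP_FW_ADD): Invalid argument") when an opcode's length is not the one the kernel expects. The check fires whenever the userland encoder and the kernel disagree about an opcode's layout. The following is an added example, not code from ip_fw2.c or from anyone in the thread, that models that check in userland; the opcode numbers, their expected sizes and the emit helpers are assumed placeholders, not the real enum from ip_fw.h.

```c
/*
 * Added example modelling ipfw2's rule-size check. Not kernel code.
 * Opcode numbers and expected sizes are placeholders (assumption).
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

/* Same shape as the kernel's ipfw_insn: 4 bytes, len counts 32-bit words. */
typedef struct {
    uint8_t  opcode;
    uint8_t  len;      /* low 6 bits = length in words; top bits are flags */
    uint16_t arg1;     /* e.g. the divert port */
} ipfw_insn;

/* Extension used by opcodes that carry one extra 32-bit word. */
typedef struct {
    ipfw_insn o;
    uint32_t  d[1];
} ipfw_insn_u32;

#define F_LEN_MASK     0x3f
#define F_LEN(cmd)     ((cmd)->len & F_LEN_MASK)
#define F_INSN_SIZE(t) ((int)(sizeof(t) / sizeof(uint32_t)))

/* Placeholder opcodes (assumption): numbering is not the kernel's. */
enum {
    X_NOP    = 0,   /* 1 word */
    X_LAYER2 = 1,   /* 1 word */
    X_UID    = 2,   /* 2 words: insn + one u32 */
    X_DIVERT = 3,   /* 1 word, port in arg1 */
};

/*
 * Walk the instruction stream the way the kernel does. Returns 0 when
 * every opcode has the size this kernel expects, EINVAL otherwise, with
 * the kernel-style diagnostic written to errbuf.
 */
int check_ipfw_rule(const uint32_t *words, int nwords, char *errbuf, size_t errlen)
{
    int off = 0;

    errbuf[0] = '\0';
    while (off < nwords) {
        ipfw_insn cmd;
        int cmdlen, want;

        memcpy(&cmd, &words[off], sizeof cmd);   /* avoid aliasing games */
        cmdlen = F_LEN(&cmd);

        switch (cmd.opcode) {
        case X_NOP:
        case X_LAYER2:
        case X_DIVERT:
            want = F_INSN_SIZE(ipfw_insn);
            break;
        case X_UID:
            want = F_INSN_SIZE(ipfw_insn_u32);
            break;
        default:
            snprintf(errbuf, errlen, "ipfw: opcode %d unknown", cmd.opcode);
            return EINVAL;
        }
        /* A zero or oversized length would also derail the walk, so it is "wrong". */
        if (cmdlen != want || off + cmdlen > nwords) {
            snprintf(errbuf, errlen, "ipfw: opcode %d size %d wrong", cmd.opcode, cmdlen);
            return EINVAL;
        }
        off += cmdlen;
    }
    return 0;
}

/* Userland-side encoders (assumption). Each returns the new stream length. */
int emit1(uint32_t *words, int off, uint8_t opcode, uint16_t arg1)
{
    ipfw_insn in = { opcode, (uint8_t)F_INSN_SIZE(ipfw_insn), arg1 };
    memcpy(&words[off], &in, sizeof in);
    return off + 1;
}

int emit_u32(uint32_t *words, int off, uint8_t opcode, uint32_t d)
{
    ipfw_insn_u32 in = { { opcode, (uint8_t)F_INSN_SIZE(ipfw_insn_u32), 0 }, { d } };
    memcpy(&words[off], &in, sizeof in);
    return off + 2;
}

int main(void)
{
    uint32_t words[8];
    char err[80];
    int n;

    /* A consistent encoding: "layer2" + "divert 8668". */
    n = emit1(words, 0, X_LAYER2, 0);
    n = emit1(words, n, X_DIVERT, 8668);
    printf("good rule: %d\n", check_ipfw_rule(words, n, err, sizeof err));

    /* An ipfw(8) that encodes X_UID as one word against a kernel expecting two. */
    n = emit1(words, 0, X_UID, 0);
    printf("bad rule: %d (%s)\n", check_ipfw_rule(words, n, err, sizeof err), err);
    return 0;
}
```

The rule number and the opcode names never reach the diagnostic, only the opcode number and the word count, which is why the dmesg line alone does not say which clause of the rule was rejected; comparing the kernel's ip_fw.h with the sources /sbin/ipfw was built from is the way to resolve the disagreement.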
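Kelly Yancey's reply earlier in this thread makes one point that a log-input style instruction must get right: args->eh is filled in only on the layer-2 hook (net.link.ether.ipfw=1) and is NULL on the layer-3 hook (net.inet.ip.fw.enable=1), so the source MAC must be read through a NULL check and the instruction must simply not match when there is no MAC header. The following is an added example, not code from ip_fw2.c or from anyone in the thread, that models that check in a userland program; the struct definitions are simplified stand-ins for the kernel's ether_header and ip_fw_args (assumption), and the frame header is constructed, not captured.

```c
/*
 * Added example of the args->eh NULL check Kelly describes. Not kernel code:
 * the structs are simplified stand-ins (assumption) so this builds in userland.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define ETHER_ADDR_LEN 6

/* Stand-in for the kernel's struct ether_header. */
struct ether_hdr {
    uint8_t  ether_dhost[ETHER_ADDR_LEN];
    uint8_t  ether_shost[ETHER_ADDR_LEN];
    uint16_t ether_type;
};

/* Stand-in for struct ip_fw_args, reduced to the one field that matters here. */
struct ip_fw_args {
    struct ether_hdr *eh;   /* non-NULL on the layer-2 hook, NULL on the layer-3 hook */
};

/*
 * Build the source-MAC part of a log line. Returns 1 when a MAC header was
 * present (layer-2 hook) and 0 when it was not (layer-3 hook); buf always
 * holds a printable string so the caller can log either way.
 */
int log_input_src_mac(const struct ip_fw_args *args, char *buf, size_t buflen)
{
    if (args->eh == NULL) {
        /* ip_input path: the MAC header was stripped before ipfw was called. */
        snprintf(buf, buflen, "MAC n/a");
        return 0;
    }
    const uint8_t *m = args->eh->ether_shost;
    snprintf(buf, buflen, "MAC %02x:%02x:%02x:%02x:%02x:%02x",
             m[0], m[1], m[2], m[3], m[4], m[5]);
    return 1;
}

/*
 * A hypothetical "match source MAC" opcode. On the layer-3 hook it must be a
 * no-op (no match), which is exactly what Kelly says the instruction should do.
 */
int match_src_mac(const struct ip_fw_args *args, const uint8_t want[ETHER_ADDR_LEN])
{
    if (args->eh == NULL)
        return 0;
    return memcmp(args->eh->ether_shost, want, ETHER_ADDR_LEN) == 0;
}

int main(void)
{
    /* Constructed sample frame header, not captured traffic. */
    struct ether_hdr eh = {
        { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 },
        { 0x00, 0xe0, 0x18, 0x62, 0xaa, 0xbb },
        0x0800
    };
    struct ip_fw_args l2 = { &eh };    /* net.link.ether.ipfw=1 path */
    struct ip_fw_args l3 = { NULL };   /* net.inet.ip.fw.enable=1 path */
    char buf[64];

    log_input_src_mac(&l2, buf, sizeof buf);
    printf("layer-2 hook: %s\n", buf);
    log_input_src_mac(&l3, buf, sizeof buf);
    printf("layer-3 hook: %s\n", buf);
    return 0;
}
```

Because the same rule list runs on both hooks when both sysctls are set, the MAC-matching opcode sees the packet twice and only the layer-2 pass can ever match; that is the reason Kelly tells users of such an instruction to rely on net.link.ether.ipfw=1.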