From owner-freebsd-ipfw@FreeBSD.ORG Sun Feb 13 04:00:48 2005
From: Suporte Matik <asstec@matik.com.br>
To: freebsd-ipfw@freebsd.org
Date: Wed, 9 Feb 2005 10:27:23 -0200
Subject: Re: IPFW pipe v 4.10-stable vs 5.3-stable
Message-Id: <200502091027.31420.asstec@matik.com.br>
In-Reply-To: <537516181.20050209020403@vkt.lt>

On Tuesday 08 February 2005 22:04, Jara wrote:
> pipe 128 config mask src-ip 0xffffffff bw 128Kbit/s
> add 53098 pipe 128 ip from any to table'(10)' in
>
> pipe 127 config mask dst-ip 0xffffffff bw 64Kbit/s
> pipe 127 ip from table'(10)' to any in
>
> so ipfw -l shows:
> 53098 pipe 128 ip from any to table(10) in
> 53099 pipe 127 ip from table(10) to any in
>
> Now...
> If I use this configuration under 4.10-stable everything is ok

sure? probably you set one to "out" (pipe 127?)

Hans

> But when I try 5.3-stable, download traffic (pipe 128) is reduced twice
> - down to 64kbits
> If I remove ' in' from the ipfw command - download grows up to
> 128kbits.
> (if I remove ' in' from upload (pipe 127) it stays untouched -
> 64kbits)
>
> Where could I have made a mistake?
>
> net.link.ether.ipfw is set to 0
>
> Thanks!
>
> Cheers,
> Jarek
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

-- 
Infomatik: we put wings on your network. (18)3551.3591 (18)8112.7007
Join the security list and receive the most important news as it happens.
Go to http://info.matik.com.br and join.
Messages without a GPG signature are not from us.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 14 08:15:23 2005
From: Giulio Ferro <auryn@zirakzigil.org>
To: freebsd-ipfw@freebsd.org
Date: Mon, 14 Feb 2005 09:15:11 +0100
Subject: ftp, cvsup, etc...
Message-ID: <42105E0F.30204@zirakzigil.org>

Hasn't anybody thought yet of a way to manage those protocols which
dynamically open more passive connections once the first connection is
established, like ftp or cvsup?
Now you are forced to keep high ports open (let's say 20000-65535) to
allow for dynamic connections, but I think that is a less than optimal
solution.
It would be great if ipfw actually "understood" those protocols and
opened up ports as the need arises.

A linked question: doesn't anybody else think that protocol inspection
would be a very desirable feature in ipfw? Maybe together with a virus
scan for client-side code (ActiveX, plugins, applets, etc.)

Bye.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 14 09:05:34 2005
From: "Andrew Seguin" <asegu@borgtech.ca>
To: freebsd-ipfw@freebsd.org
Cc: 'Giulio Ferro'
Date: Mon, 14 Feb 2005 10:05:34 +0100
Subject: RE: ftp, cvsup, etc...
Message-Id: <20050214091207.1F67954AB@borgtech.ca>
In-Reply-To: <42105E0F.30204@zirakzigil.org>

> -----Original Message-----
> From: Giulio Ferro
> Subject: ftp, cvsup, etc...
>
> Hasn't anybody thought yet of a way to manage those protocols which
> dynamically open more passive connections once the first connection
> is established, like ftp or cvsup?
> Now you are forced to keep high ports open (let's say 20000-65535) to
> allow for dynamic connections, but I think that is a less than optimal
> solution.
> It would be great if ipfw actually "understood" those protocols and
> opened up ports as the need arises.

I'm far from an expert, so I don't really know about any solution to
this. I agree that it would be "nice", but at the same time, would it be
possible? IPFW works at layers 2/3, correct? And for this, it would
require something like layer 7 protocol analysis? That seems like
something that would require a greater amount of work for ipfw.

> A linked question: doesn't anybody else think that protocol inspection
> would be a very desirable feature in ipfw? Maybe together with a virus
> scan for client-side code (ActiveX, plugins, applets, etc.)

Maybe what is needed instead is a separate daemon running, and then in
IPFW one could add a divert rule to this application-layer firewall after
the initial filtering, somewhat like natd? I would be quite interested in
such a feature/program if anybody knows of one which is free.

Andrew
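What a helper that "understands" FTP, as Giulio asks for and Andrew sketches as a divert-style daemon, actually has to do, shown as an added example that is not code from this thread, from ipfw or from natd: read the control-channel lines that announce a data connection (the client's PORT command, the server's 227 reply to PASV), refuse an announcement that names a host other than the peer sending it (the classic FTP bounce trick) or a privileged port, and only then produce the narrow ipfw rule such a daemon would install. The sample lines, the rule number 5000 and the function names are made up for the example.

```python
import re
import ipaddress
from typing import Optional, Tuple

# Constructed sample control-channel lines (not captured from a real session).
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,89)\r\n"
PORT_CMD = "PORT 192,168,1,20,4,1\r\n"
BOUNCE_CMD = "PORT 10,0,0,1,0,25\r\n"   # third-party address and privileged port

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply (RFC 959).
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line: str) -> Optional[Tuple[str, int]]:
    """Extract (ip, port) from a PORT command or a 227 PASV reply.
    Returns None for any line that is not a well-formed announcement."""
    line = line.strip()
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _SIX.search(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def add_pinhole(line: str, control_peer: str) -> Optional[str]:
    """Return the ipfw rule that opens the announced data connection, or None
    when the announcement must be ignored.  control_peer is the address of
    the host that sent the line: the server for a 227 reply, the client for
    a PORT command."""
    ep = parse_endpoint(line)
    if ep is None:
        return None
    ip, port = ep
    # Bounce check: the data endpoint must be the host we are talking to.
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer):
        return None
    # Data ports are ephemeral; refuse port 0 and the privileged range.
    if port < 1024 or port > 65535:
        return None
    if line.strip().startswith("227 "):
        # Passive mode: our client will connect out to server:port.
        return f"ipfw add 5000 allow tcp from any to {ip} {port} out setup keep-state"
    # Active mode: the server connects in from port 20 to client:port.
    return f"ipfw add 5000 allow tcp from any 20 to {ip} {port} in setup keep-state"
```

A real daemon would also remove the pinhole once the data connection closes, and would have to decide what to do with a 227 reply from a server behind NAT that announces a private or 0.0.0.0 address; this version simply refuses such a reply, which is the safe default.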
From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 14 11:02:21 2005
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: ipfw@FreeBSD.org
Date: Mon, 14 Feb 2005 11:02:21 GMT
Subject: Current problem reports assigned to you
Message-Id: <200502141102.j1EB2Lvq015599@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw  ipfw core (crash)
o [2004/03/03] kern/63724  ipfw  IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw  [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483  ipfw  ipfw count does not count

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 14 20:32:56 2005
From: "vitadiazlistas" <vitadiazlistas@yahoo.com.ar>
To: freebsd-ipfw@freebsd.org
Date: Mon, 14 Feb 2005 17:34:30 +0100
Subject: To control accesses by MAC address of ethernets
Message-ID: <022f01c512b3$102c45b0$0a0a1e0a@isca1>

Thanks in advance for reading this.

I have ipfw2 compiled and working well; everything works except this:
I need to validate access from the LAN by the range of Ethernet MAC
addresses, and I have not been able to make this work.
Can somebody show me how ipfw2 works with MAC addresses? Thanks.

Could it be that I am not putting the rules in the place where they
belong, that is, in the part of the firewall where they would act as a
filter?

The same happens to me with IPA: it counts packets but it does not let
me get the bandwidth control working. That is also strange.
I am told that FreeBSD has to be patched because in some cases that type
of control does not work.
I do not want to use DHCP to validate. I must do access control for
wireless and LAN via ipfw2 (via the web if that is better), but I am
trying to do it myself.

My firewall:

  ## rl0 NAT (LAN 1)
  ## ep1 internet connection

  ipfw -f flush

  ipfw add divert natd all from any to any via ep1

  ipfw add allow all from any to 192.168.1.56 MAC any 00:0d:88:ba:b9:40 via rl0
  (no packets counted)

  ipfw add fwd 127.0.0.1,3128 tcp from 192.168.0.0/16 to not 192.168.0.0/16 80

  ipfw add pipe 78 tcp from any 80 to 192.168.0.0/16

  ipfw pipe 78 config mask src-ip 0x000000ff bw 80Kbit/s

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 14 20:52:05 2005
From: "SPC Wigglesworth, Martes G" <martes.wigglesworth@earthlink.net>
To: vitadiazlistas, freebsd-ipfw@freebsd.org
Date: Mon, 14 Feb 2005 15:51:49 -0500 (GMT-05:00)
Subject: Re: To control accesses by MAC address of ethernets
Message-ID: <25505810.1108414310082.JavaMail.root@gonzo.psp.pas.earthlink.net>
I don't think that you can mix IP and MAC addresses within level-2
rules. And you have to have the correct layer-2 sysctl set. I am not at
my BSD box, so I cannot remember what that is; however, it is listed
within the sysctl section of the ipfw man page.

I think that a working rule would be:

  ipfw add pass MAC any ${MACADDRESS} {etc...}

or switch "any" and the ${ }.

-----Original Message-----
From: vitadiazlistas
Sent: Feb 14, 2005 11:34 AM
To: freebsd-ipfw@freebsd.org
Subject: To control accesses by MAC address of ethernets

[original message quoted in full; see above]
From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 15 04:46:46 2005
From: John Nielsen <lists@jnielsen.net>
To: freebsd-ipfw@freebsd.org
Cc: vitadiazlistas
Date: Mon, 14 Feb 2005 21:47:26 -0700
Subject: Re: To control accesses by MAC address of ethernets
Message-Id: <200502142147.27072.lists@jnielsen.net>
In-Reply-To: <022f01c512b3$102c45b0$0a0a1e0a@isca1>
On Monday 14 February 2005 09:34 am, vitadiazlistas wrote:
> Can somebody show me how ipfw2 works with MAC addresses? Thanks.

If you have net.link.ether.ipfw enabled, routed/natted packets can
potentially hit the firewall up to four times, and each case ought to be
considered (see the PACKET FLOW section of the ipfw manpage). You want a
pair of "layer2" rules (which may or may not include any IP addresses)
and a pair of "not layer2" rules (which will include IP but not MAC
addresses).

I have a working setup that only allows traffic through from assigned
MAC/IP pairs on the network. Here are the basics:

Add to /etc/sysctl.conf:

  net.link.ether.ipfw=1
  net.inet.ip.fw.one_pass=0  # (note that I don't remember exactly why this
                             # was necessary for my setup, but it might be
                             # relevant)

Firewall rules:

  [flush, pipe flush, etc]
  add allow layer2 not mac-type ip   # You need this or you will break ARP,
                                     # among other things
  [pipe / queue definitions if using dummynet]
  [natd, localhost, etc]
  # user list:
  add allow layer2 src-ip 10.0.0.5 mac any 00:11:22:33:44:55
  add allow layer2 dst-ip 10.0.0.5 mac 00:11:22:33:44:55 any
  add allow all from 10.0.0.5 to any not layer2
  add allow all from any to 10.0.0.5 not layer2
  # ... repeat the above four rules for each MAC/IP pair

Note that if you are using dummynet for IP traffic shaping then you
probably want to specify "not layer2" on any rule that adds packets to a
pipe or queue, or else packets might be inserted twice.

JN
From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 15 08:37:53 2005
From: Mark Allen <mallen@albury.net.au>
To: freebsd-ipfw@freebsd.org
Date: Tue, 15 Feb 2005 19:37:39 +1100
Subject: Logging daily report problem
Message-Id: <5.1.0.14.2.20050215192926.00ae2f98@pop3.frontgate.mail>

Hi All,

I'm hoping someone here can help me with a logging problem.

I have ipfw logging the packets that get to the bottom of my rules and
are denied passage. I can see the packets being logged in /var/security.

Previously I was running FreeBSD 4.4, and the details of the denied
packets for each 24-hour period were in the daily security report.
Since upgrading to 5.3, I find that the details are no longer shown in
the daily report.

I'm still using the same ruleset that I was using with 4.4, and the
ruleset is working fine. The report does have a summary of the denied
packets, but I would like to see the details of the denied packets.
Could someone be kind enough to point me in the right direction to fix
this problem? I would be most appreciative.

Regards
Mark

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 15 12:30:51 2005
From: Yury Tarasievich <grog@grsu.by>
To: freebsd-ipfw@freebsd.org
Date: Tue, 15 Feb 2005 14:22:26 +0200
Subject: Re: To control accesses by MAC address of ethernets [freebsd-ipfw Digest, Vol 99, Issue 2]
Message-ID: <4211E982.1040102@grsu.by>
In-Reply-To: <20050215120057.C947716A4D7@hub.freebsd.org>

freebsd-ipfw-request@freebsd.org wrote:
> I have ipfw2 compiled and working well, but I need to validate access
> from the LAN by the range of Ethernet MAC addresses, and I have not
> been able to make this work.
>
> Can somebody show me how ipfw2 works with MAC addresses? Thanks.
<...>
> My firewall
> ## rl0 NAT (LAN 1)
> ## ep1 internet connection
>
> ipfw -f flush
>
> ipfw add divert natd all from any to any via ep1
>
> ipfw add allow all from any to 192.168.1.56 MAC any 00:0d:88:ba:b9:40 via rl0
> (no packets counted)
>
> ipfw add fwd 127.0.0.1,3128 tcp from 192.168.0.0/16 to not 192.168.0.0/16 80
>
> ipfw add pipe 78 tcp from any 80 to 192.168.0.0/16
>
> ipfw pipe 78 config mask src-ip 0x000000ff bw 80Kbit/s

As was already advised to you (but better structured, I hope :)

a) do ``sysctl net.link.ether.ipfw=1''
   This enables ipfw to see layer2 packets at all.

b) you may or may not want to do ``ipfw disable one_pass''
   If done, this enables a packet to travel through several "accepting"
   rules like "pipe" or "queue" etc. After going through a pipe the
   packet gets reinjected.

c) explicitly qualify everything using the ``MAC'' argument with the
   ``layer2'' argument

d) allow passing of the ARP broadcasts, selecting them either with the
   directive advised above or with ``dst-addr 0xffffffff''

I understand you aren't using bridging. Then this should suffice.

--regards
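The four-rules-per-host pattern in John Nielsen's message and the sysctl/ARP checklist in Yury Tarasievich's reply above are easy to get subtly wrong by hand (a typo in one MAC, an IP listed twice, a pipe rule that catches the layer2 pass as well as the IP pass), so here is a small generator for them. It is an added example, not code posted in the thread: it validates every pair, rejects a MAC or IP that appears twice (two stations bound to one IP could impersonate each other at layer 3), emits the ARP pass-through first, puts the optional dummynet pipe rule before the per-host allows with "not layer2" so a frame is never queued twice, and ends in a default deny. Rule numbers, the pipe number and the sample pairs are made up; each output line is what follows `ipfw` on the command line.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Sysctls the rules depend on: net.link.ether.ipfw makes ipfw see layer2
# frames at all; one_pass=0 lets a packet continue after a pipe/queue rule.
SYSCTLS = ["net.link.ether.ipfw=1", "net.inet.ip.fw.one_pass=0"]

# Six hex octets separated by ':' or '-', case-insensitive.
_MAC = re.compile(r"^" + r"[:-]".join([r"([0-9a-f]{2})"] * 6) + r"$", re.I)


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF; return lower-case colon form."""
    m = _MAC.match(mac.strip())
    if not m:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(g.lower() for g in m.groups())


def validate_pairs(pairs: List[Tuple[str, str]]) -> Optional[str]:
    """Return a description of the first problem found, or None if the list is clean."""
    seen_ips, seen_macs = set(), set()
    for ip, mac in pairs:
        try:
            addr = str(ipaddress.IPv4Address(ip))   # raises on a malformed address
            mac = normalize_mac(mac)
        except ValueError as e:
            return str(e)
        if addr in seen_ips:
            return f"{addr} is bound to more than one MAC"
        if mac in seen_macs:
            return f"{mac} is bound to more than one IP"
        seen_ips.add(addr)
        seen_macs.add(mac)
    return None


def build_ruleset(pairs: List[Tuple[str, str]], pipe: Optional[int] = None,
                  start: int = 1000, step: int = 10) -> List[str]:
    """pairs is a list of (IPv4 address, MAC).  Returns ipfw(8) rules in load
    order: ARP pass-through, optional dummynet pipe, four rules per host,
    default deny.  Raises ValueError on a malformed or duplicated entry."""
    problem = validate_pairs(pairs)
    if problem is not None:
        raise ValueError(problem)
    rules = [f"add {start} allow layer2 not mac-type ip // keep ARP working"]
    n = start + step
    if pipe is not None:
        # Shape only the IP pass (not layer2) so a frame is not queued twice;
        # with one_pass=0 the packet continues to the per-host allows below.
        rules.append(f"add {n} pipe {pipe} ip from any to any not layer2")
        n += step
    for ip, mac in pairs:
        addr = str(ipaddress.IPv4Address(ip))
        mac = normalize_mac(mac)
        rules += [
            # layer2: frame from the host must carry its MAC as source ...
            f"add {n} allow layer2 src-ip {addr} mac any {mac}",
            # ... and a frame to the host must carry its MAC as destination.
            f"add {n + 1} allow layer2 dst-ip {addr} mac {mac} any",
            # IP pass (no MAC visible here): only the bound address may talk.
            f"add {n + 2} allow ip from {addr} to any not layer2",
            f"add {n + 3} allow ip from any to {addr} not layer2",
        ]
        n += step
    rules.append(f"add {n} deny ip from any to any")
    return rules


if __name__ == "__main__":
    for s in SYSCTLS:
        print("sysctl", s)
    for line in build_ruleset([("10.0.0.5", "00:11:22:33:44:55"),
                               ("10.0.0.6", "AA-BB-CC-DD-EE-FF")], pipe=1):
        print("ipfw", line)
```

Load the generated lines before any broader allow rule, or the layer2 checks never see the frames; the default deny at the end is what makes an unlisted MAC/IP combination fail rather than fall through to whatever rule comes next.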
From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 15 15:51:56 2005
From: "Teva AVRIL" <teva.avril@esigetel.fr>
To: freebsd-ipfw@freebsd.org
Date: Tue, 15 Feb 2005 17:39:05 +0100 (CET)
Subject: forwarding between two interfaces
Message-ID: <38831.193.49.124.107.1108485545.squirrel@mercure.esigetel.fr>

hi,

I have a station under FreeBSD 5.3 with an Ethernet card and an ATM
card. Each card has an IP address. I'd like to forward all traffic
coming in on the ATM card to the Ethernet card. Is it possible with ipfw?
best regards,
Teva AVRIL

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 15 17:08:49 2005
From: Mikhail <vip3r@inbox.ru>
To: freebsd-security@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 15 Feb 2005 20:08:47 +0300
Subject: weird queue keep-state behavior

I'm just one of those weirdos who want to make a powerful queue shaper
(not QoS, but near it) with ipfw2 on their FreeBSD 4.x-stable.

My server uses the frequently used configuration of a NAT+FW ADSL router
with one external IP on the external network interface (we're using the
ADSL modem in bridge mode). I've configured a single pipe, configured
queues to use that pipe, and added queues with different weights
distinguished by destination port.
// I'm doing NAT with these rules:
03400 divert 8668 ip from { 192.168.132.0/24,192.168.10.0/24,172.16.1.0/24,10.10.10.0/24 or me } to any out via bfe0
03600 divert 8668 ip from any to me in via bfe0

// here the queues are defined
09600 queue 1 udp from me to any dst-port 53,123 out via bfe0 keep-state
09800 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay iplen 32-68 established
10000 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay established
10200 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay setup keep-state
10400 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 iplen 32-68 established
10600 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 established
10800 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 setup keep-state
11000 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 iplen 32-68 established
11200 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 established
11400 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 setup keep-state
11600 queue 5 tcp from any 1024-65535 to any out via bfe0 iplen 32-68 established
11800 queue 5 tcp from any 1024-65535 to any out via bfe0 established
12000 queue 5 tcp from any 1024-65535 to any out via bfe0 setup keep-state
12200 queue 6 udp from any 1024-65535 to any out via bfe0 keep-state
12400 allow tcp from any to 192.168.132.0/24,192.168.10.0/24,172.16.1.0/24,10.10.10.0/24 in via bfe0 established
// the last rule is for the weird packets that natd pushes back to the stack

When a client downloads a file via passive FTP from the NATed internal
network, he gets ${ADSL_INBOUND_SPEED} (55 KByte/s).

Here is the problem: when I ssh to the server and start the SAME
download with wget, I get only 14 KByte/s.
Hitting "ipfw show" many times, I've discovered that in the first case
the counters of rule 12000 increment slowly and the counters of rule
12400 increment very fast. In the second case only the counters of rule
12000 increment, and fast relative to the first case.

So here is the question: should I remove the "keep-state" statement and
use a stateless firewall, adding "established" rules, or is this a bug
(tracking the state of the data flow in a queue in both directions is
bad, because in that case we limit the speed of the inbound connection
as well as the outbound one; only the latter is desired)?

Thanks beforehand.

PS: I can post my rc.firewall here on demand, or exec whatever you want
me to exec.
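To see why the two downloads in Mikhail's message land on different rules, here is a small model of the ipfw rule walk, added as an example and not code from the thread or from the FreeBSD kernel. It assumes three behaviours documented for ipfw2 and natd: a diverted packet is reinjected after the divert rule with natd's translation applied, the first rule carrying keep-state performs the implicit check-state before its own body is evaluated, and a queue action ends the search (one_pass=1, the default). The external address 198.51.100.7, the server 203.0.113.21 and the ports are constructed; the rule subset is the part of the posted ruleset that a TCP flow touches.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

EXT = "198.51.100.7"   # the router's single external address ("me") on bfe0; made up
INTERNAL = ("192.168.132.", "192.168.10.", "172.16.1.", "10.10.10.")


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL)


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str             # "in" or "out" via bfe0
    setup: bool = False        # a bare SYN, i.e. ipfw "setup"
    established: bool = False  # anything but a bare SYN, i.e. ipfw "established"


@dataclass
class Rule:
    num: int
    action: str                # "divert", "queue N" or "allow"
    match: Callable[[Pkt], bool]
    keep_state: bool = False


class Firewall:
    """Toy model of the ipfw2 walk: natd divert reinjects after the divert rule,
    the first keep-state rule performs the implicit check-state, and a queue
    action ends the search (one_pass=1)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.dyn: Dict[Tuple[str, int, str, int], int] = {}  # flow -> parent rule number
        self.nat: Dict[Tuple[str, int], int] = {}            # (internal ip, port) -> ext port
        self.next_port = 40000

    def _natd(self, p: Pkt) -> None:
        """What natd does to a diverted packet (simplified port mapping)."""
        if p.direction == "out" and is_internal(p.src):
            key = (p.src, p.sport)
            if key not in self.nat:
                self.nat[key] = self.next_port
                self.next_port += 1
            p.src, p.sport = EXT, self.nat[key]
        elif p.direction == "in" and p.dst == EXT:
            for (ip, port), ext in self.nat.items():
                if ext == p.dport:
                    p.dst, p.dport = ip, port
                    break

    def _dyn_parent(self, p: Pkt) -> Optional[int]:
        """A dynamic rule matches its flow in both directions."""
        fwd = self.dyn.get((p.src, p.sport, p.dst, p.dport))
        return fwd if fwd is not None else self.dyn.get((p.dst, p.dport, p.src, p.sport))

    def process(self, p: Pkt) -> Tuple[int, str]:
        """Walk the rules; return (rule number whose counter increments, action)."""
        for r in self.rules:
            if r.keep_state:                       # implicit check-state
                parent = self._dyn_parent(p)
                if parent is not None:
                    pr = next(x for x in self.rules if x.num == parent)
                    return pr.num, pr.action
            if not r.match(p):
                continue
            if r.action == "divert":
                self._natd(p)                      # translated packet continues at the next rule
                continue
            if r.keep_state:
                self.dyn[(p.src, p.sport, p.dst, p.dport)] = r.num
            return r.num, r.action
        return 65535, "deny"


# The subset of the posted ruleset that the two TCP cases touch.
RULES = [
    Rule(3400, "divert", lambda p: p.direction == "out" and (is_internal(p.src) or p.src == EXT)),
    Rule(3600, "divert", lambda p: p.direction == "in" and p.dst == EXT),
    Rule(9600, "queue 1", lambda p: False, keep_state=True),  # udp 53/123: never matches tcp, but probes state
    Rule(11800, "queue 5", lambda p: p.direction == "out" and p.sport >= 1024 and p.established),
    Rule(12000, "queue 5", lambda p: p.direction == "out" and p.sport >= 1024 and p.setup, keep_state=True),
    Rule(12400, "allow", lambda p: p.direction == "in" and is_internal(p.dst) and p.established),
]


def ftp_data_transfer(client: str) -> Tuple[int, int, str]:
    """Open a passive-FTP data connection from `client` (a NATed host or the
    router itself); report the rule hit by the outbound SYN, the rule hit by
    the inbound data, and the action applied to that inbound data."""
    fw = Firewall(RULES)
    server, data_port = "203.0.113.21", 50009      # constructed sample peer
    syn_rule, _ = fw.process(Pkt(client, 1500, server, data_port, "out", setup=True))
    ext_port = fw.nat.get((client, 1500), 1500)    # the source port the server saw
    data_rule, action = fw.process(Pkt(server, data_port, EXT, ext_port, "in", established=True))
    return syn_rule, data_rule, action


if __name__ == "__main__":
    print("NATed client :", ftp_data_transfer("192.168.132.10"))  # (12000, 12400, 'allow')
    print("router itself:", ftp_data_transfer(EXT))               # (12000, 12000, 'queue 5')
```

Under this model the NATed client's inbound data is translated back to a private address at rule 3600 before rule 9600 probes the dynamic table, so it matches no dynamic rule and falls through to 12400 (allow, unshaped), while a download started on the router itself is never translated, matches the dynamic rule that 12000 created, and is therefore put in queue 5 in both directions. That is consistent with the counters Mikhail reports; whether to keep the state or move to stateless "established" rules is still his decision.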
Reply-To: teva.avril@esigetel.fr

hi,

i have a station under FreeBSD 5.3 with an ethernet card and an atm card.
each card has an IP address.
I'd like to forward all traffic coming on the atm card to the ethernet card.

Is it possible with ipfw?

best regards,
Teva AVRIL

From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 17 13:42:57 2005
From: "Mohd Rasfan"
To: freebsd-ipfw@freebsd.org
Date: Thu, 17 Feb 2005 21:49:07 +0800 (MYT)
Reply-To: rasfan@nadi-it.com
Subject: Freebsd throughput firewall

Hello all

I want to know about freebsd firewall throughput..... ?

From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 17 20:02:40 2005
From: Max Laier
To: freebsd-ipfw@freebsd.org, rasfan@nadi-it.com
Date: Thu, 17 Feb 2005 21:02:30 +0100
Subject: Re: Freebsd throughput firewall
On Thursday 17 February 2005 14:49, Mohd Rasfan wrote:
> Hello all
>
> I want to know about freebsd firewall throughput..... ?

It's fine, thanks for asking! ;)

Or, to put it another way: What kind of information are you looking for?
What kind of setup are you interested in? How many firewall rules are you
expecting to use? Do you need any "fancy" stuff, such as stateful filtering?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 18 11:05:56 2005
From: Mikhail Manuilov
To: freebsd-ipfw@freebsd.org
Date: Fri, 18 Feb 2005 14:05:54 +0300
Reply-To: Mikhail Manuilov
Subject: queue with "keep-state" statement

Hello,

I'm one of those who want to make a powerful traffic shaper (not CBQ, but of course better than nothing) with ipfw2 on their FreeBSD 4.x-stable. My server uses the frequently used NAT+FW configuration: it's an ADSL router with one external IP on the external network interface (we're using the ADSL modem in bridge mode). I've configured a single pipe, configured queues to use that pipe, and added queues with different weights, distinguished by destination port.
// I'm doing NAT with these rules:
03400 divert 8668 ip from { 192.168.132.0/24,192.168.10.0/24,172.16.1.0/24,10.10.10.0/24 or me } to any out via bfe0
03600 divert 8668 ip from any to me in via bfe0
// here the queues are defined
09600 queue 1 udp from me to any dst-port 53,123 out via bfe0 keep-state
09800 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay iplen 32-68 established
10000 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay established
10200 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay setup keep-state
10400 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 iplen 32-68 established
10600 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 established
10800 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 setup keep-state
11000 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 iplen 32-68 established
11200 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 established
11400 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 setup keep-state
11600 queue 5 tcp from any 1024-65535 to any out via bfe0 iplen 32-68 established
11800 queue 5 tcp from any 1024-65535 to any out via bfe0 established
12000 queue 5 tcp from any 1024-65535 to any out via bfe0 setup keep-state
12200 queue 6 udp from any 1024-65535 to any out via bfe0 keep-state
12400 allow tcp from any to 192.168.132.0/24,192.168.10.0/24,172.16.1.0/24,10.10.10.0/24 in via bfe0 established
// the last rule is for weird packets that natd is pushing to the stack

When a client on the nat'ed internal network downloads a file via passive FTP, he gets ${ADSL_INBOUND_SPEED} (55 KByte/s).

Here is the problem: when I ssh to the server and start the SAME download with wget, I get only 14 KByte/s.
Hitting "ipfw show" many times, I've discovered that in the first case the counters of rule 12000 increment slowly and the counters of rule 12400 increment very fast. In the second case only the counters of rule 12000 increment, fast relative to the first case.

So here is the question: should I remove the "keep-state" statement and use a stateless firewall with added "established" rules, or is this a bug/feature (that tracking the state of a data flow in a queue in both directions is bad, because in that case we limit the speed of the inbound connection as well as the outbound one (the latter is desired))?

Thanks beforehand.

PS: I can post my rc.firewall here on demand, or exec whatever you want me to exec.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 18 21:02:04 2005
From: Kelly Yancey
To: Teva AVRIL
cc: freebsd-ipfw@freebsd.org
Date: Fri, 18 Feb 2005 14:04:35 -0800 (PST)
Subject: Re: forwarding between two interfaces

On Tue, 15 Feb 2005, Teva AVRIL wrote:

> hi,
>
> i have a station under FreeBSD 5.3 with an ethernet card and an atm card.
> each card has an IP address.
> I'd like to forward all traffic coming on the atm card to the ethernet card.
>
> Is it possible with ipfw?
>

You don't need ipfw for this. Try `sysctl net.inet.ip.forwarding=1` or put gateway_enable=YES in your /etc/rc.conf and reboot.

Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com
FreeBSD, The Power To Serve: http://www.freebsd.org/
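Returning to Mikhail's "queue with keep-state" question above: the following is an added model of how ipfw2 walks the rules of his ruleset that decide the outcome. It is not ipfw code and not from anyone in this thread; it encodes the ipfw(8) semantics that a divert rule hands the packet to natd and resumes at the next rule, that a keep-state rule records the flow as the packet looked when it matched, that the dynamic table is consulted at the first keep-state (or check-state) rule, and that a dynamic hit runs the parent rule's action. The addresses, the passive-mode data port and the NAT binding table are constructed; the rule list is reduced to 03400, 03600, 12000, 12400 and the default deny.

```python
"""Reduced model of how ipfw2 walks Mikhail's ruleset (added illustration,
not ipfw code).  Semantics assumed, per ipfw(8):
  - a divert rule hands the packet to natd, which rewrites the external
    side and reinjects it at the next rule;
  - keep-state records the flow as the packet looked when the rule matched;
    the dynamic table is consulted at the first keep-state/check-state rule
    and a hit runs the parent rule's action (credited here to the parent's
    counters, which is what the counters Mikhail reports suggest);
  - dynamic entries match packets travelling in either direction.
Only the rules that decide the outcome are modelled; in the real list the
first keep-state rule is 09600, which consults the dynamic table earlier
but with the same result.
"""
from __future__ import annotations
from dataclasses import dataclass, replace

EXT_IP = "203.0.113.1"       # constructed: the address on bfe0, ipfw's "me"
FTP_SERVER = "198.51.100.7"  # constructed: remote FTP server
DATA_PORT = 50123            # constructed: passive-mode data port on the server


def is_internal(ip: str) -> bool:
    """Belongs to a nat'ed network of rule 03400 (one network suffices here)."""
    return ip.startswith("192.168.132.")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "out" or "in", as seen via bfe0
    syn_only: bool = False  # True for the SYN that opens a connection ("setup")


class Natd:
    """Port-preserving NAT: the part of natd this model needs."""

    def __init__(self) -> None:
        self.bindings: dict[int, str] = {}  # external port -> internal address

    def translate(self, p: Packet) -> Packet:
        if p.direction == "out" and is_internal(p.src):
            self.bindings[p.sport] = p.src
            return replace(p, src=EXT_IP)
        if p.direction == "in" and p.dst == EXT_IP and p.dport in self.bindings:
            return replace(p, dst=self.bindings[p.dport])
        return p


class Firewall:
    def __init__(self, nat: Natd, keep_state: bool = True) -> None:
        self.nat = nat
        self.dynamic: dict[frozenset, int] = {}  # flow key -> parent rule number
        self.counters: dict[int, int] = {}
        # (number, action, predicate, keep-state?)
        self.rules = [
            (3400, "divert", lambda p: p.direction == "out", False),
            (3600, "divert", lambda p: p.direction == "in" and p.dst == EXT_IP, False),
            (12000, "queue 5", lambda p: p.direction == "out"
             and 1024 <= p.sport <= 65535 and p.syn_only, keep_state),
            (12400, "allow", lambda p: p.direction == "in"
             and is_internal(p.dst) and not p.syn_only, False),
            (65535, "deny", lambda p: True, False),
        ]
        self.actions = {n: a for n, a, _, _ in self.rules}

    @staticmethod
    def flow_key(p: Packet) -> frozenset:
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})  # direction-agnostic

    def evaluate(self, p: Packet) -> tuple[int, str, str]:
        """Return (rule number, action, "static" | "dynamic") for one packet."""
        dynamic_checked = False
        for number, action, matches, keep in self.rules:
            if keep and not dynamic_checked:  # implicit check-state
                dynamic_checked = True
                parent = self.dynamic.get(self.flow_key(p))
                if parent is not None:
                    self.counters[parent] = self.counters.get(parent, 0) + 1
                    return parent, self.actions[parent], "dynamic"
            if not matches(p):
                continue
            self.counters[number] = self.counters.get(number, 0) + 1
            if action == "divert":
                p = self.nat.translate(p)  # natd reinjects at the next rule
                continue
            if keep:
                self.dynamic[self.flow_key(p)] = number
            return number, action, "static"
        raise AssertionError("unreachable: rule 65535 matches everything")


def inbound_data_verdict(client_ip: str, keep_state: bool = True) -> tuple[int, str, str]:
    """Open the data connection from client_ip, then report which rule handles
    the first data packet coming back in from the server."""
    fw = Firewall(Natd(), keep_state)
    fw.evaluate(Packet(client_ip, 40000, FTP_SERVER, DATA_PORT, "out", syn_only=True))
    return fw.evaluate(Packet(FTP_SERVER, DATA_PORT, EXT_IP, 40000, "in"))


if __name__ == "__main__":
    print("nat'ed LAN client     :", inbound_data_verdict("192.168.132.10"))
    print("router itself (wget)  :", inbound_data_verdict(EXT_IP))
    print("router, no keep-state :", inbound_data_verdict(EXT_IP, keep_state=False))
```

What the model shows: the LAN client's reply packets are rewritten by natd at 03600 before the dynamic table is consulted, so they no longer match the entry (keyed on the external address) and fall through to 12400, which allows them unshaped; that is the fast-moving 12400 counter. The router's own download is not rewritten, so its reply packets hit the dynamic entry and are pushed through queue 5 and the shared pipe in both directions, which is the slow second case with only 12000 moving. With keep-state removed, this reduced ruleset leaves the router's own reply traffic with no inbound rule at all, so a stateless variant needs an explicit "established" rule for the router itself as well as the one for the LAN networks.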
From owner-freebsd-ipfw@FreeBSD.ORG Sat Feb 19 04:03:51 2005
From: "Mohd Rasfan"
To: freebsd-ipfw@freebsd.org
Date: Sat, 19 Feb 2005 12:10:23 +0800 (MYT)
Reply-To: rasfan@nadi-it.com
Subject: Firewall Throughput Issue

Hello to all

I want to know freebsd firewall throughput, can anybody help me?
There are two firewalls in freebsd, one is ipfw and pf.
Can anybody help me how I want to choose between ipfw and ipf,
and what is the throughput benchmark?

From owner-freebsd-ipfw@FreeBSD.ORG Sat Feb 19 04:14:06 2005
From: "Mohd Rasfan"
To: freebsd-ipfw@freebsd.org
Date: Sat, 19 Feb 2005 12:20:39 +0800 (MYT)
Reply-To: rasfan@nadi-it.com
Subject: Firewall with VLAN Sharing

Hello Guys

I want to share with you all about placing a firewall: what is the best method ???

A) CLIENT MULTIPLE VLAN -----> SWITCH -----> FIREWALL ------> INTERNET

B) CLIENT MULTIPLE VLAN -----> FIREWALL -----> SWITCH ------> INTERNET

From the above drawing, what is the best setup that you all use.... this comment must consider attacking, virus and dll... what possibilities for hacking and so on.....

I WANT TO SHARE THIS CAKE......

From owner-freebsd-ipfw@FreeBSD.ORG Sat Feb 19 04:56:30 2005
From: Jon Simola
To: rasfan@nadi-it.com
cc: freebsd-ipfw@freebsd.org
Reply-To: jon@abccomm.com
Date: Fri, 18 Feb 2005 20:56:25 -0800
Subject: Re: Firewall Throughput Issue

On Sat, 19 Feb 2005 12:10:23 +0800 (MYT), Mohd Rasfan wrote:
> Hello to all
>
> I want to know freebsd firewall throughput, can anybody help me?
> There are two firewalls in freebsd, one is ipfw and pf.
> Can anybody help me how I want to choose between ipfw and ipf,
> and what is the throughput benchmark?

Your question is worded very vaguely.

I have 2 machines on identical hardware (2.4GHz P4, 512MB+ RAM), one running an ipfw bridge and the other pf routing. Both handle my traffic (peaks of 20Mbps and 4Kpps) with plenty of resources to spare. In testing, I've pushed more than 60Mbps of traffic through them. My only bottleneck is the FastEthernet port on the telco's Cisco router.

With a 2GHz processor and good network cards (I've been using Intel Gig cards that probe as em0/1) you should have no problems with 100Mbps of traffic sustained, provided you have a well-written ruleset for ipfw or pf.

I believe your time should be spent reading up on both and determining which matches your needs. I prefer pf for the easy to read ruleset, NAT features, and traffic shaping. I prefer ipfw for the layer2 filtering capabilities. In fact, on my pf-based router, I have ipfw filtering at layer2, and use pf for everything else.

-- 
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-ipfw@FreeBSD.ORG Sat Feb 19 05:05:34 2005
From: Jon Simola
To: rasfan@nadi-it.com
cc: freebsd-ipfw@freebsd.org
Reply-To: jon@abccomm.com
Date: Fri, 18 Feb 2005 21:05:33 -0800
Subject: Re: Firewall with VLAN Sharing

On Sat, 19 Feb 2005 12:20:39 +0800 (MYT), Mohd Rasfan wrote:
> I want to share with you all about placing a firewall: what is the best method ???

The best method is the one you understand and can support. I've done this many ways. Transparent bridges, routers, as few as one physical interface and as many as 30 virtual interfaces, with and without dedicated traffic shaping boxes, with and without vlan switches. A network for 5000 university students doesn't have much in common with a network for a handful of large business customers.

-- 
Jon Simola
Systems Administrator
ABC Communications