From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 28 11:02:25 2005
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F0E516A4CE for ; Mon, 28 Feb 2005 11:02:25 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 855FA43D5C for ; Mon, 28 Feb 2005 11:02:25 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id j1SB2PZQ007157 for ; Mon, 28 Feb 2005 11:02:25 GMT (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.13.1/8.13.1/Submit) id j1SB2O2V007151 for ipfw@freebsd.org; Mon, 28 Feb 2005 11:02:24 GMT (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 28 Feb 2005 11:02:24 GMT
Message-Id: <200502281102.j1SB2O2V007151@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 28 Feb 2005 11:02:25 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker      Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274   ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341   ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154   ipfw   ipfw core (crash)
o [2004/03/03] kern/63724   ipfw   IPFW2 Queues dont t work
f [2004/03/25] kern/64694   ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910   ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104   ipfw   ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483   ipfw   ipfw count does not count

8 problems total.

Non-critical problems

S Submitted    Tracker      Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534   ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159   ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172   ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086   ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749    ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984   ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719   ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963   ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366   ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 28 13:42:52 2005
Date: Mon, 28 Feb 2005 22:40:56 +0900
From: Hongying Liu
To: freebsd-ipfw@freebsd.org
Message-Id: <20050228222930.3702.HONGYING.LIU@s8.dion.ne.jp>
Subject: Can anybody help me with understanding how IPFW works

Hi,

I think the packets are checked by using rules in the kernel. I am reading
the code of IPFW, but I still can't understand how the rules are passed from
userland to the kernel. I found sysctl is used to pass some info, but I
don't think rules are also passed by using sysctl because there may be too
much data. I also found a raw socket is used in the userland source code. Is
the raw socket used to pass rules from userland to the kernel?
Thanks
Liu

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 1 01:44:57 2005
Date: Mon, 28 Feb 2005 17:44:56 -0800 (PST)
From: Chico
To: freebsd-ipfw@freebsd.org
Message-ID: <20050301014456.75392.qmail@web51908.mail.yahoo.com>
Subject: IPFW and NATD

I am using IPFW and NATD. I am trying to allow users to terminal service
into a computer on my LAN. This works using the "PASS" in my
/etc/firewall.rules instead of allow. However, when I do this I cannot
connect to remote servers via terminal services. Can someone provide some
insight on how this should be set up?
/etc/firewall.rules:

add 200 pass all from any to any via lo0
add 300 divert natd all from any to any via fxp0
add 400 allow all from any to any 3389 keep-state

/etc/natd.conf:

interface fxp0
use_sockets yes
same_ports yes
dynamic yes
redirect_port tcp 10.0.0.2:3389 3389

From owner-freebsd-ipfw@FreeBSD.ORG Wed Mar 2 19:30:32 2005
Date: Wed, 2 Mar 2005 20:28:06 +0100
From: "Urban Engemyr"
Message-ID: <03A9E4B63BABC943BEC0C8A8EE428947016780@ecrex01.ecr-consulting.se>
Subject: time policies

Hi,

Is it possible to have ipfw rules that are enabled during certain times only?
Regards
Urban

From owner-freebsd-ipfw@FreeBSD.ORG Wed Mar 2 19:32:00 2005
Date: Wed, 2 Mar 2005 21:32:12 +0200
From: "Chris Knipe"
Message-ID: <000c01c51f5e$890db150$0a01a8c0@ops.cenergynetworks.com>
References: <03A9E4B63BABC943BEC0C8A8EE428947016780@ecrex01.ecr-consulting.se>
Subject: Re: time policies

Crontab?

----- Original Message -----
From: "Urban Engemyr"
Sent: Wednesday, March 02, 2005 9:28 PM
Subject: time policies

Hi,

Is it possible to have ipfw rules that are enabled during certain times only?

Regards
Urban

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Wed Mar 2 21:05:01 2005
Date: Wed, 2 Mar 2005 18:04:36 -0300
From: Suporte Matik
To: freebsd-ipfw@freebsd.org
Message-Id: <200503021804.41942.asstec@matik.com.br>
Subject: ipfw and download accelerator plus

Hi

FreeBSD's ipfw pipes on 5.2.1 are not able to limit DAP traffic. Do you have
some similar experience or an idea/solution?

My pipes are OK for any kind of traffic but not for DAP downloads. As an
example, I configure 256/128 Kbit/s but DAP gets 300KB/s or more depending
on what it gets from the remote site.

Hans

_______________________________________________________
Messages without GPG signature are not from us.
_______________________________________________________

From owner-freebsd-ipfw@FreeBSD.ORG Thu Mar 3 00:04:17 2005
Date: Thu, 03 Mar 2005 00:04:09 +0000
From: Robert Downes
To: Chico, freebsd-ipfw@freebsd.org
Message-ID: <42265479.4080707@lineone.net>
In-Reply-To: <20050301014456.75392.qmail@web51908.mail.yahoo.com>
Subject: Re: IPFW and NATD

Chico wrote:

> /etc/firewall.rules:
> add 200 pass all from any to any via lo0
> add 300 divert natd all from any to any via fxp0
> add 400 allow all from any to any 3389 keep-state

Well, I stopped using IPFW last month (month before?) and changed to PF
because it is quite feature-filled and fairly nicely documented (apart from
the gritty details of HFSC queuing). And I never ran any publicly accessible
services from my machine. But having said that...

I think the problem may be that you are using NAT but you are not reflecting
this in your ruleset.

You see, NAT works by changing the source port addresses of packets from
your local network on the way out, and it changes the destination port
addresses of packets on the way back into your local network. This happens
at the point of the divert rule.

So when you say "any to any 3389", packets coming into your machine, you
have already activated NAT diversion, and the packets have been changed.
Which means that packets from the Internet destined for your port 3389 will
have their destination port changed by NAT so that the public IP address can
be matched to a local IP address. So your rule to match port 3389 may never
be matched, even by packets that the rule was created to allow in.

I recommend you read up on how NAT works, so you bear it in mind in future,
and then look for the IPFW skipto 800 trick that I used to use to get around
NAT.

The trick is shown in the very last example on this page in The Handbook,
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

Basically, the "divert natd" rule is split into two: an inbound and an
outbound rule. The inbound NAT occurs early in the ruleset, so that you can
refer to local IP addresses correctly. For each rule that you want to allow
an outbound packet, you use "skipto 800" instead of "allow", and at rule 800
you have the outbound NAT rule, so that outbound packets are correctly
re-addressed for the Internet. After that outbound NAT rule, you allow all.
This means you need a deny all rule just before rule 800, so that anything
that doesn't match is denied rather than NATd and allowed.

Pretty nifty, but also pretty inelegant compared to the ruleset you'd end up
with if you were using PF. Having said that, IPFW served me well for over a
year before my itchy feet made me try out the alternative.

--
Bob

From owner-freebsd-ipfw@FreeBSD.ORG Thu Mar 3 22:27:14 2005
Date: Thu, 03 Mar 2005 16:26:52 -0600
From: Ryan Winograd
To: freebsd-ipfw@freebsd.org
Message-ID: <42278F2C.1050604@houston.rr.com>
In-Reply-To: <20050303120033.5E23C16A4E6@hub.freebsd.org>
Subject: Re: time policies

Urban Engemyr,

Chris is right. Crontab is your answer. _BSD HACKS_ (published by O'Reilly)
explains how to automatically change firewall rules at certain times in hack
#64 "Script IP Firewall Rulesets."

Let's assume a very simple situation: you either allow traffic or block it.

step 1: create two rulesets
 - /etc/ipf.rules.allow
 - /etc/ipf.rules.block

step 2: the first script (block access)

#!/bin/sh
# replace the ipf.rules file with the "block" ruleset
cp /etc/ipf.rules.block /etc/ipf.rules
# now flush the active rules and have ipf re-read the rules file
ipf -Fa -f /etc/ipf.rules

For the other script, replace ipf.rules with ipf.rules.allow.

This is, of course, a simple example, but feel free to make it as
complicated as you wish.

Hope this is helpful!

Ryan

> Message: 1
> Date: Wed, 2 Mar 2005 20:28:06 +0100
> From: "Urban Engemyr"
> Subject: time policies
> Message-ID: <03A9E4B63BABC943BEC0C8A8EE428947016780@ecrex01.ecr-consulting.se>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> Is it possible to have ipfw rules that are enabled during certain times
> only?
>
> Regards
> Urban
>
> ------------------------------
>
> Message: 2
> Date: Wed, 2 Mar 2005 21:32:12 +0200
> From: "Chris Knipe"
> Subject: Re: time policies
> Message-ID: <000c01c51f5e$890db150$0a01a8c0@ops.cenergynetworks.com>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original
>
> Crontab?
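The skipto 800 layout Bob describes in his reply to Chico, together with the cron-driven switching Ryan describes, as one added example script that is not from the thread, the FreeBSD Handbook or BSD Hacks. It takes fxp0 and the 10.0.0.2:3389 redirect from Chico's configuration and assumes fxp1 as the inside interface, 10.0.0.0/24 as the LAN and ipfw rule set 1 for the time-restricted rule; FWCMD defaults to echo, so running it only prints the rules.

```shell
#!/bin/sh
# Added example (not from the thread, the FreeBSD Handbook or BSD Hacks).
# It combines two ideas from the thread: Bob's "skipto 800" layout, where
# inbound NAT happens first and outbound NAT only for traffic an explicit
# rule has accepted, and Ryan's cron approach to time-limited rules, done
# here with an ipfw rule set that cron enables and disables instead of
# swapping rules files.
#
# Assumed: outside interface fxp0 and terminal-services host 10.0.0.2 come
# from Chico's config; fxp1, 10.0.0.0/24 and rule set 1 are my own choices.
# FWCMD defaults to echo, so running the script only prints the commands;
# FWCMD=/sbin/ipfw loads them on the gateway.

oif="fxp0"            # outside interface (Chico's)
iif="fxp1"            # inside interface (assumed)
lan="10.0.0.0/24"     # LAN behind the gateway (assumed)
rdp_host="10.0.0.2"   # natd redirect_port target (Chico's natd.conf)
rdp_port="3389"
hours_set="1"         # ipfw set holding the office-hours-only rule (assumed)

# Emit the whole ruleset through $1: "echo" for a dry run, "/sbin/ipfw -q"
# to load it for real.
build_ruleset() {
    fw="$1"
    $fw add 100 allow all from any to any via lo0
    $fw add 110 allow all from any to any via "$iif"
    # Inbound NAT first: from here on the packet carries the LAN address,
    # which is why rule 400 can match on $rdp_host rather than the public IP.
    $fw add 200 divert natd all from any to any in via "$oif"
    $fw add 210 check-state
    # Outbound LAN traffic: accept with skipto 800 so it is NATd on the way
    # out; replies come back through 200 and match the dynamic rule at 210.
    $fw add 300 skipto 800 tcp from "$lan" to any out via "$oif" setup keep-state
    $fw add 310 skipto 800 udp from "$lan" to any 53 out via "$oif" keep-state
    $fw add 320 skipto 800 icmp from "$lan" to any out via "$oif" keep-state
    # Inbound terminal services, only while set $hours_set is enabled.
    # Deliberately stateless: a keep-state rule whose action is allow would
    # let the server's replies out at 210 without ever reaching rule 800.
    $fw add 400 set "$hours_set" allow tcp from any to "$rdp_host" "$rdp_port" in via "$oif"
    $fw add 410 skipto 800 tcp from "$rdp_host" "$rdp_port" to any out via "$oif"
    # Anything not accepted above stops here, before it can be NATd.
    $fw add 700 deny log all from any to any
    # skipto target: outbound NAT, then allow.
    $fw add 800 divert natd all from any to any out via "$oif"
    $fw add 810 allow all from any to any
}

# Enable or disable the office-hours set; cron calls this, for example
#   0 8  * * 1-5 /usr/local/sbin/fw.sh enable
#   0 18 * * 1-5 /usr/local/sbin/fw.sh disable
toggle_set() {
    $1 set "$2" "$hours_set"
}

# Rule number of the first emitted rule matching $1 (used for checks).
rule_number() {
    build_ruleset echo | grep -- "$1" | head -n 1 | awk '{ print $2 }'
}

main() {
    fw="${FWCMD:-echo}"
    case "${1:-load}" in
        load)
            [ "$fw" = "echo" ] || $fw -f flush
            build_ruleset "$fw"
            toggle_set "$fw" disable    # closed until cron opens it
            ;;
        enable|disable)
            toggle_set "$fw" "$1"
            ;;
        *)
            echo "usage: $0 [load|enable|disable]" >&2
            return 1
            ;;
    esac
}

main "$@"
```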
From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 21:01:50 2005
Date: Fri, 04 Mar 2005 15:01:48 -0600
From: Jason Hunt
Subject: Quick Firewall Question

Greetings,

I have a machine that I need to quickly block outside access to (just
internal access from 2nd NIC). Is there any quick examples of how I can add
a rule to specifically block a port on specific IP? I don't need to do NAT
or for this machine to act as a gateway, just need a few rules to block
incoming connections from the outside interface.

Thanks guys.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 21:09:27 2005
Date: Fri, 4 Mar 2005 16:09:17 -0500
From: Charles Swiger
To: Jason Hunt
Cc: freebsd-ipfw@freebsd.org
Message-Id: <4e2234d5eae49964babe6b525612473a@mac.com>
Subject: Re: Quick Firewall Question

On Mar 4, 2005, at 4:01 PM, Jason Hunt wrote:
> Greetings,
>
> I have a machine that I need to quickly block outside access to (just
> internal access from 2nd NIC). Is there any quick examples of how I
> can add
> a rule to specifically block a port on specific IP?

ipfw add 100 deny tcp from 1.2.3.4 any to 192.168.1.2 11

This will block connections from IP 1.2.3.4 to your host's port 11,
assuming your local IP was 192.168.1.2

--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 21:13:23 2005
Date: Fri, 04 Mar 2005 15:13:18 -0600
From: Jason Hunt
To: Charles Swiger
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <4e2234d5eae49964babe6b525612473a@mac.com>
Subject: Re: Quick Firewall Question

Chuck,

Thanks for your quick response. What I really need to do is to block
specific ports on my outside interface NIC. In fact, I need to keep the 2nd
NIC, which is internal, open to those ports.

> From: Charles Swiger
> Date: Fri, 4 Mar 2005 16:09:17 -0500
> To: Jason Hunt
> Subject: Re: Quick Firewall Question
>
> On Mar 4, 2005, at 4:01 PM, Jason Hunt wrote:
>> Greetings,
>>
>> I have a machine that I need to quickly block outside access to (just
>> internal access from 2nd NIC). Is there any quick examples of how I
>> can add
>> a rule to specifically block a port on specific IP?
>
> ipfw add 100 deny tcp from 1.2.3.4 any to 192.168.1.2 11
>
> This will block connections from IP 1.2.3.4 to your host's port 11,
> assuming your local IP was 192.168.1.2
>
> --
> -Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 21:17:20 2005
Date: Fri, 4 Mar 2005 16:17:07 -0500
From: sn1tch
To: Jason Hunt
Cc: freebsd-ipfw@freebsd.org
References: <4e2234d5eae49964babe6b525612473a@mac.com>
Subject: Re: Quick Firewall Question

you could try:

$oip = outside IP
$oif = outside interface

ipfw add deny all from any to $oip 80 in via $oif

or whatever port

On Fri, 04 Mar 2005 15:13:18 -0600, Jason Hunt wrote:
> Chuck,
>
> Thanks for your quick response. What I really need to do is to block
> specific ports on my outside interface NIC. In fact, I need to keep the 2nd
> NIC which is internal open to those ports.
>
> > From: Charles Swiger
> > Date: Fri, 4 Mar 2005 16:09:17 -0500
> > To: Jason Hunt
> > Subject: Re: Quick Firewall Question
> >
> > On Mar 4, 2005, at 4:01 PM, Jason Hunt wrote:
> >> Greetings,
> >>
> >> I have a machine that I need to quickly block outside access to (just
> >> internal access from 2nd NIC). Is there any quick examples of how I
> >> can add
> >> a rule to specifically block a port on specific IP?
> >
> > ipfw add 100 deny tcp from 1.2.3.4 any to 192.168.1.2 11
> >
> > This will block connections from IP 1.2.3.4 to your host's port 11,
> > assuming your local IP was 192.168.1.2
> >
> > --
> > -Chuck

--
You've officially been Gmailed

From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 21:20:00 2005
Date: Fri, 04 Mar 2005 15:19:57 -0600
From: Jason Hunt
To: sn1tch
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Quick Firewall Question

Thanks, I will give it a shot..

> From: sn1tch
> Reply-To: sn1tch
> Date: Fri, 4 Mar 2005 16:17:07 -0500
> To: Jason Hunt
> Subject: Re: Quick Firewall Question
>
> you could try:
>
> $oip = outside IP
> $oif = outside interface
>
> ipfw add deny all from any to $oip 80 in via $oif
>
> or whatever port
>
> On Fri, 04 Mar 2005 15:13:18 -0600, Jason Hunt wrote:
>> Chuck,
>>
>> Thanks for your quick response. What I really need to do is to block
>> specific ports on my outside interface NIC. In fact, I need to keep the 2nd
>> NIC which is internal open to those ports.
>>
>>> From: Charles Swiger
>>> Date: Fri, 4 Mar 2005 16:09:17 -0500
>>> To: Jason Hunt
>>> Subject: Re: Quick Firewall Question
>>>
>>> On Mar 4, 2005, at 4:01 PM, Jason Hunt wrote:
>>>> Greetings,
>>>>
>>>> I have a machine that I need to quickly block outside access to (just
>>>> internal access from 2nd NIC). Is there any quick examples of how I
>>>> can add
>>>> a rule to specifically block a port on specific IP?
>>> >>> ipfw add 100 deny tcp from 1.2.3.4 any to 192.168.1.2 11 >>> >>> This will block connections from IP 1.2.3.4 to your host's port 11, >>> assuming your local IP was 192.168.1.2 >>> >>> -- >>> -Chuck >>> >>> >> >> _______________________________________________ >> freebsd-ipfw@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >> > > > -- > You've officially been Gmailed > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 21:22:05 2005 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DED2016A4CE for ; Fri, 4 Mar 2005 21:22:05 +0000 (GMT) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 98CEC43D31 for ; Fri, 4 Mar 2005 21:22:05 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin01-en2 [10.13.10.146])j24LM43T017651; Fri, 4 Mar 2005 13:22:04 -0800 (PST) Received: from [10.1.1.245] (nfw2.codefab.com [199.103.21.225] (may be forged)) (authenticated bits=0)j24LM2PD027783; Fri, 4 Mar 2005 13:22:03 -0800 (PST) In-Reply-To: References: Mime-Version: 1.0 (Apple Message framework v619.2) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <01fe51abafd48905144391271f4f9e31@mac.com> Content-Transfer-Encoding: 7bit From: Charles Swiger Date: Fri, 4 Mar 2005 16:22:02 -0500 To: Jason Hunt X-Mailer: Apple Mail (2.619.2) cc: freebsd-ipfw@freebsd.org Subject: Re: Quick Firewall Question X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: 
List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Mar 2005 21:22:06 -0000 On Mar 4, 2005, at 4:13 PM, Jason Hunt wrote: > Thanks for your quick response. What I really need to do is to block > specific ports on my outside interface NIC. In fact, I need to keep > the 2nd > NIC which is internal open to those ports. OK. You'd get better examples if you gave a little more information, such as the name or IP addr of this outside interface, by the way, but: ipfw add 110 deny tcp from any to me 11 in via fxp0 This would block any remote connection to port 11 coming in via the fxp0 interface. Replace "fxp0" with your external NIC, and consider replacing "me" with the IP addr of your outside interface... -- -Chuck From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 21:35:31 2005 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 955A916A4CE for ; Fri, 4 Mar 2005 21:35:31 +0000 (GMT) Received: from mx2.duracom.net (mx2.duracom.net [65.66.8.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5CCD343D1F for ; Fri, 4 Mar 2005 21:35:31 +0000 (GMT) (envelope-from kmcelroy@duracom.net) Received: from duracom.net (mail.duracom.net [65.66.8.3]) by mx2.duracom.net (Postfix) with ESMTP id A5003D5507 for ; Fri, 4 Mar 2005 15:39:10 -0600 (CST) (envelope-from kmcelroy@duracom.net) Received: from KrisLaptop [65.66.11.103] by duracom.net with ESMTP (SMTPD32-8.05) id A49CC047010A; Fri, 04 Mar 2005 15:35:24 -0600 From: "Kris McElroy" To: Date: Fri, 4 Mar 2005 15:34:21 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 Thread-Index: AcUhAe1L44t8XrtqTPyFLKyYBoNswg== X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 Message-Id: <20050304153503.SM01228@KrisLaptop> X-Declude-Sender: kmcelroy@duracom.net [65.66.11.103] X-Declude-Spoolname: Dd49cc047010a794a.SMD Subject: 
ipfw+dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Mar 2005 21:35:31 -0000 We are wanting to do Bandwidth Shaping for our wireless users, I have read that FreeBSD with ipfw+Dummynet is one way to do this. Is anyone on this list using IPFW + Dummynet in a WISP environment that has advice that they would like to share, should we go this route or is there something that you would recommend over doing this? Thanks, Kris From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 21:43:22 2005 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0D8AE16A4CF for ; Fri, 4 Mar 2005 21:43:22 +0000 (GMT) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.203]) by mx1.FreeBSD.org (Postfix) with ESMTP id 67C7E43D49 for ; Fri, 4 Mar 2005 21:43:21 +0000 (GMT) (envelope-from jsimola@gmail.com) Received: by wproxy.gmail.com with SMTP id 69so813671wri for ; Fri, 04 Mar 2005 13:43:20 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=PN/V3lNyDsZJBefq/hlXh4l1AkK2ULdJ6GK+mo392NSPC6yOI2HE1BKwzfmFTxkKZw5yxmTBL0nxaVyiFuwSnamMgrRNAWhQgnO2AJrgO18Auwvnaurqu7p4Vfz36/ISGjJxKIW3vSXnz5udF4MG7t4lrQHZbsB5sZOphD9VI30= Received: by 10.54.8.67 with SMTP id 67mr36312wrh; Fri, 04 Mar 2005 13:43:04 -0800 (PST) Received: by 10.54.39.34 with HTTP; Fri, 4 Mar 2005 13:43:04 -0800 (PST) Message-ID: <8eea040805030413431f2c1b03@mail.gmail.com> Date: Fri, 4 Mar 2005 13:43:04 -0800 From: Jon Simola To: Kris McElroy In-Reply-To: <20050304153503.SM01228@KrisLaptop> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: 
<20050304153503.SM01228@KrisLaptop> cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw+dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: jon@abccomm.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Mar 2005 21:43:22 -0000 On Fri, 4 Mar 2005 15:34:21 -0600, Kris McElroy wrote: > We are wanting to do Bandwidth Shaping for our wireless users, I have read > that FreeBSD with ipfw+Dummynet is one way to do this. Is anyone on this > list using IPFW + Dummynet in a WISP environment that has advice that they > would like to share, should we go this route or is there something that you > would recommend over doing this? I've done similar, and it works great. Just remember that you can't control the rate that the wireless customer sends, only how fast you send data to them. So if/when they get infected with a virus that blasts traffic out, it will render any traffic shaping at the head end worthless. 
If you've been doing wireless for a while, you probably already know that, though :) -- Jon Simola Systems Administrator ABC Communications From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 22:53:04 2005 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 13AEA16A4CE for ; Fri, 4 Mar 2005 22:53:04 +0000 (GMT) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.197]) by mx1.FreeBSD.org (Postfix) with ESMTP id A854143D31 for ; Fri, 4 Mar 2005 22:53:03 +0000 (GMT) (envelope-from jsimola@gmail.com) Received: by wproxy.gmail.com with SMTP id 69so826301wri for ; Fri, 04 Mar 2005 14:53:03 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=loRP4qsjMKjD3ilC+mRvH9IsYdx8ND2s9CfabsotXENNTWAMHNKdsRgyuvXrEzUlzpJFM3jpylsKMch3kb7hMXmFa5WbAIq4XStWSzM3ZTE395TPmulYUF9H03nYQZAW+ckhnlXotYrQUHi4U0+63p/ni5RZ4bqsCc8EfcVn3Ao= Received: by 10.54.63.8 with SMTP id l8mr10992wra; Fri, 04 Mar 2005 14:53:03 -0800 (PST) Received: by 10.54.39.34 with HTTP; Fri, 4 Mar 2005 14:53:02 -0800 (PST) Message-ID: <8eea0408050304145319ffcecd@mail.gmail.com> Date: Fri, 4 Mar 2005 14:53:02 -0800 From: Jon Simola To: Kris McElroy In-Reply-To: <200503041547125.SM01228@KrisLaptop> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: <8eea040805030413431f2c1b03@mail.gmail.com> <200503041547125.SM01228@KrisLaptop> cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw+dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: jon@abccomm.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Mar 2005 22:53:04 -0000 On Fri, 4 Mar 2005 15:46:34 -0600, Kris McElroy wrote: 
> So I can not throttle there upload speed, only download? Do you recommend > something else to use besides the above combo? You can throttle their upload speed as it passes through your traffic shaper, but not as they send traffic onto your wireless network. Cust <-> CustRadio <-> BaseRadio <-> Shaper <-> Internet If the customer saturates the wireless link between the radios with traffic, you can't do anything about that at the shaper. But you can control how fast traffic to or from the customer leaves the shaper in either direction. If you're trying to prevent saturation of the wireless link, you need a traffic shaper at each end of it to control traffic across the wireless shot. If you're just trying to keep track of customers bandwidth and not worried about your wireless shot (maybe you've got a full-duplex 100Mbps OFDM shot) then a single shaper would work. Depends a lot on your wireless network. Full mesh, one to many, one to one, etc... -- Jon Simola Systems Administrator ABC Communications
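The two rule patterns discussed in this thread, Chuck's "deny ... in via <outside NIC>" for blocking a port on the external interface only, and the per-customer dummynet pipes behind Jon's answer about shaping both directions at the shaper host, as one added script. This is editor-added example code, not from any message above and not FreeBSD's own code. The interface names fxp0/fxp1, the rule and pipe numbers, the 10.10.5.x customer addresses and the rates are constructed placeholders. The functions only print the ipfw commands so the generated ruleset can be reviewed before it is run on the firewall:

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeBSD): generate ipfw
# rules for the two situations discussed above. Interface names, rule
# numbers, addresses and rates are constructed placeholders.
# The functions only print "ipfw ..." commands; review them, then feed
# them to sh on the firewall (e.g. block_outside_port 11 | sh).

OIF=fxp0   # outside NIC (assumption, as in Chuck's example)
IIF=fxp1   # inside NIC / wireless side (assumption)

# Block TCP port $1 arriving on the outside NIC while keeping it reachable
# from the inside NIC. "in via $OIF" is what limits the deny to the
# external interface; without it the rule would also hit the internal side.
block_outside_port() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "block_outside_port: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "block_outside_port: port out of range: $port" >&2
        return 1
    fi
    # Explicit allow on the internal NIC first, then the deny on the outside
    # NIC. "log" only records hits when net.inet.ip.fw.verbose is enabled.
    echo "ipfw add 100 allow tcp from any to me $port in via $IIF"
    echo "ipfw add 110 deny log tcp from any to me $port in via $OIF"
}

# Per-customer dummynet pipes, one per direction, at the shaper host.
# $1 customer IP, $2 download kbit/s, $3 upload kbit/s, $4 first pipe number.
# Download is limited where it leaves the shaper toward the wireless side
# ("out via $IIF"); upload is limited where it arrives from the wireless
# side ("in via $IIF"). As Jon notes, the upload limit can only act once
# the packets have already crossed the radio link.
shape_customer() {
    cust="$1"; down="$2"; up="$3"; n="$4"
    case "$cust" in
        *.*.*.*) ;;
        *) echo "shape_customer: bad address '$cust'" >&2; return 1 ;;
    esac
    echo "ipfw pipe $n config bw ${down}Kbit/s"
    echo "ipfw pipe $((n + 1)) config bw ${up}Kbit/s"
    # With net.inet.ip.fw.one_pass=1 (the default) a packet that matches a
    # pipe rule leaves the ruleset after dummynet, so these rules belong
    # after your deny rules, not before them.
    echo "ipfw add $((1000 + n)) pipe $n ip from any to $cust out via $IIF"
    echo "ipfw add $((1001 + n)) pipe $((n + 1)) ip from $cust to any in via $IIF"
}

# Constructed sample customer table: address, download kbit/s, upload kbit/s.
CUSTOMERS='10.10.5.20 1024 256
10.10.5.21 2048 512'

# Emit pipes and rules for every customer, two pipe numbers per customer.
shape_all() {
    n=10
    while read -r ip down up; do
        [ -n "$ip" ] || continue
        shape_customer "$ip" "$down" "$up" "$n" || return 1
        n=$((n + 2))
    done <<EOF
$CUSTOMERS
EOF
}

# Run with --demo to print the generated ruleset.
if [ "${1:-}" = "--demo" ]; then
    block_outside_port 11
    shape_all
fi
```

The two pipes per customer are the practical form of Jon's point: both directions are rate-limited where they cross the shaper, which is all a single head-end box can do; if the radio link itself is what needs protecting, the same shape_customer rules have to run on a shaper at the far end of the link as well.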