From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 5 21:16:13 2005
From: "Adolfo B. Ferreira"
To: freebsd-ipfw@freebsd.org
Date: Sun, 05 Jun 2005 18:09:59 -0300
Message-Id: <1118005800.18685.1.camel@notebook>
Subject: Hi

I searched Google and tried @freenode but got no result asking this:

How do I set up uPnP with IpFW? I already have uPnP up and running, but I think I have some mistake with ipFW.

Thanks,
Adolfo Bravo Ferreira
Network Administrator / Security Analyst / Developer
Grupo Ferreira Limitada
Telephone: 11 50628877

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 6 11:01:49 2005
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 6 Jun 2005 11:01:48 GMT
Message-Id: <200506061101.j56B1m7n065579@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276  ipfw  ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971  ipfw  ipfw antispoof incorrectly blocks broadca

2 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 6 11:02:22 2005
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 6 Jun 2005 11:02:21 GMT
Message-Id: <200506061102.j56B2LXN066087@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw  ipfw core (crash)
o [2004/03/03] kern/63724  ipfw  IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw  [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483  ipfw  ipfw count does not count

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 6 16:50:25 2005
From: Tilman Linneweh
To: arved@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Mon, 6 Jun 2005 16:50:25 GMT
Message-Id: <200506061650.j56GoPOl015264@freefall.freebsd.org>
Subject: Re: kern/77570: [PATCH] ipfw: Multiple rules may have the same number.

Synopsis: [PATCH] ipfw: Multiple rules may have the same number.

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: arved
Responsible-Changed-When: Mon Jun 6 16:50:01 GMT 2005
Responsible-Changed-Why:
Maxim suggested discussion on the -ipfw mailing list.

http://www.freebsd.org/cgi/query-pr.cgi?pr=77570

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 6 17:38:24 2005
From: "Nickolay Kritsky"
To: "John-Mark Gurney"
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Date: Mon, 6 Jun 2005 21:38:38 +0400
Subject: RE: FREEBSD between two trunks

There was an old funny thing about bridging vlans: if you bridge vlanXX interfaces without bridging the parents, do not forget to put the parent in up and promiscuous mode. For the 4.6 kernel it also required some patching. What version are you running?

Nick

-----Original Message-----
From: John-Mark Gurney [mailto:gurney_j@resnet.uoregon.edu]
Sent: Saturday, June 04, 2005 10:15 PM
To: sferreira@comcast.net
Cc: freebsd-ipfw@freebsd.org; freebsd-net@freebsd.org
Subject: Re: FREEBSD between two trunks

sferreira@comcast.net wrote this message on Fri, Jun 03, 2005 at 20:44 +0000:
> I'm trying to set up DUMMYNET to emulate long delays, such as those
> encountered in satellite links. The problem is that I have to place my
> freebsd host between two trunks passing vlans (2,3,4,5,6).
>
> So the setup is:
>
> cisco switch trunks vlan 2,3,4,5,6 <-> freebsd <--> cisco switch trunks vlan 2,3,4,5,6
>
> All the documents I could find related to this subject matter have the
> freebsd as an endpoint and not connecting two trunks. Also the freebsd
> has to be an invisible hop on the network, so it can not route this
> traffic. I had set up my freebsd in bridge mode but I could not get this
> setup to work.

You may need to increase your mtu to allow the full sized packets to pass
through... or you could set up a vlan w/ an id that isn't used and let that
adjust the mtu for you..

--
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 6 18:23:54 2005
From: John-Mark Gurney
To: Nickolay Kritsky
Cc: sferreira@comcast.net, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Date: Mon, 6 Jun 2005 11:23:39 -0700
Message-ID: <20050606182338.GE655@funkthat.com>
Subject: Re: FREEBSD between two trunks

Nickolay Kritsky wrote this message on Mon, Jun 06, 2005 at 21:38 +0400:
> There was an old funny thing about bridging vlans: if you bridge vlanXX
> interfaces without bridging parents - do not forget to put parent in up
> and promiscuous mode. For 4.6 kernel it also required some patching.
> What version are you running?

What I was thinking he was going to do was not bridge the vlans themselves, but the two interfaces, and let dummynet handle the vlan packets just as any other normal packet.. He didn't say he needed each vlan to have a separate delay or bandwidth limit..

I've never done any bridging of vlans, so I don't know the specifics.. I am using vlans so my firewall only has to have one interface.. :)

It seems just set up the two interfaces to bridge, increase the mtu so that they accept the larger vlan packets, configure dummynet properly, and then route all packets through dummynet.. just my thoughts..

[...]

--
John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 7 17:14:22 2005
From: Tilman Linneweh
To: arved@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Tue, 7 Jun 2005 17:14:21 GMT
Message-Id: <200506071714.j57HELJi030252@freefall.freebsd.org>
Subject: Re: bin/80913: /sbin/ipfw2 silently discards MAC addr arg with improper

Synopsis: /sbin/ipfw2 silently discards MAC addr arg with improper
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: arved
Responsible-Changed-When: Tue Jun 7 17:14:03 GMT 2005
Responsible-Changed-Why:
Assign to ipfw mailing list

http://www.freebsd.org/cgi/query-pr.cgi?pr=80913

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 8 02:12:01 2005
From: Mark Beaver
To: ipfw@freebsd.org
Date: Tue, 07 Jun 2005 22:11:20 -0400
Message-ID: <42A653C8.2050104@corp.earthlink.net>
Subject: natd/ipfw question

I'm looking to have a specific setup that I need to be dynamic without restarting natd.

The FreeBSD machine would have 1 external interface with multiple external IP addresses. I want an external IP/port to map to differing machines, in that I may have AddressA:80 going to machineA behind the NAT, and 81 going to another. I already have this part set up.

Here is the key... I want to know if it's possible to do this more dynamically without shutting natd down and restarting it (thus disconnecting everyone) each time I want to change where the IP addresses go on the internal network.

Does anyone know how I can do this?

Mark

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 8 03:28:45 2005
From: Vini
To: ipfw@freebsd.org
Date: Wed, 08 Jun 2005 13:28:47 +1000
Message-ID: <42A665EF.3050501@fugspbr.org>
Subject: Natd grows, takes too much memory and stops working.

Hi guys,

I am just writing to describe an interesting issue that I have had with natd.

I have a FreeBSD 4.9-Stable doing firewalling and NAT for my network (about 250 clients, 1.5Mbps). It has run fine for a long time, but since a while ago natd has behaved strangely. For example, if I start up the natd process now it will work fine for about 5 to 7 days. However, it seems not to be freeing the memory that it takes, consequently growing indefinitely until it takes the whole memory and stops working.

It is really interesting when it stops working, because there seems not to be any activity on any of the network interfaces, which makes the possibility of the problem being caused by an attack dramatically reduced.

In the meantime, while I don't have a definitive solution for the problem, I have been restarting the natd process once or twice a week. It is far from being the solution, but at least it prevents my network from stopping working.

Has any of you had any similar issue with natd before?

Regards,
Vini

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 8 20:30:43 2005
From: Gilberto Villani Brito
To: freebsd-ipfw@freebsd.org
Date: Wed, 8 Jun 2005 17:30:38 -0300
Message-ID: <20050608173038.2327b73f@giboia>
In-Reply-To: <429DC31C.4020000@centtech.com>
Subject: natd

Hi,

How can I make a NAT for many different networks using different real IPs using natd?
Thanks,
Gilberto

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 8 20:35:46 2005
From: Charles Swiger
To: Gilberto Villani Brito
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 8 Jun 2005 16:35:39 -0400
Message-Id: <365B62E6-8D2E-47E1-9F86-A9CC315F88ED@mac.com>
In-Reply-To: <20050608173038.2327b73f@giboia>
Subject: Re: natd

On Jun 8, 2005, at 4:30 PM, Gilberto Villani Brito wrote:
> How can I make a nat for many different networks using different
> real IPs using natd?

People with many different networks using real IPs generally don't need natd; they simply use a router and/or firewall.

This being said, you can use natd with real IPs exactly the same way as you would for RFC-1918 unroutable ones. You can run natd multiple times by incrementing the divert socket # for each and have each natd talk to a different divert socket.

--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 8 20:46:40 2005
From: Suporte Matik
To: freebsd-ipfw@freebsd.org
Date: Wed, 8 Jun 2005 17:46:15 -0300
Message-Id: <200506081746.16756.asstec@matik.com.br>
In-Reply-To: <365B62E6-8D2E-47E1-9F86-A9CC315F88ED@mac.com>
Subject: Re: natd

On Wednesday 08 June 2005 17:35, Charles Swiger wrote:
> On Jun 8, 2005, at 4:30 PM, Gilberto Villani Brito wrote:
> > How can I make a nat for many different networks using different
> > real IPs using natd?
>
> People with many different networks using real IPs generally don't
> need natd, they simply use a router and/or firewall.
>
> This being said, you can use natd with real IPs exactly the same
> way as you would for RFC-1918 unroutable ones. You can run natd
> multiple times by incrementing the divert socket # for each and
> have each natd talk to a different divert socket.

Probably he wanted to say to use a different real [outside] IP for each inside network, so you can add

    -a OUTSIDE_IP -p PORT

to each natd command and run each on another port instead of using natd_interface with -n.

Hans

--
Infomatik
http://info.matik.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 9 12:53:30 2005
From: Gilberto Villani Brito
To: freebsd-ipfw@freebsd.org
Date: Thu, 9 Jun 2005 09:53:22 -0300
Message-ID: <20050609095322.4fdeb73c@giboia>
In-Reply-To: <200506081746.16756.asstec@matik.com.br>
Subject: Re: natd

Thanks for the help.

I would like to make NAT from my networks like this example:

    10.1.0.0/255.255.255.0 => 200.200.200.1
    10.2.0.0/255.255.255.0 => 200.200.200.2
    10.3.0.0/255.255.255.0 => 200.200.200.3
    10.4.0.0/255.255.255.0 => 200.200.200.4

I think I will need to run many natd, one for each network. Is this right??

Gilberto

On Wed, 8 Jun 2005 17:46:15 -0300 Suporte Matik wrote:
> probably he wanted to say to use a different real[outside] ip for each
> inside-network
>
> so you can add
> -a OUTSIDE_IP -p PORT
>
> to each natd command and running each on another port instead of using
> natd_interface with -n
>
> Hans

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 9 14:08:48 2005
From: Gilberto Villani Brito
To: freebsd-ipfw@freebsd.org
Date: Thu, 9 Jun 2005 11:08:43 -0300
Message-ID: <20050609110843.18bdaa66@giboia>
In-Reply-To: <20050609095322.4fdeb73c@giboia>
Subject: Re: natd

Why do these rules work:

    /sbin/ipfw -f flush
    /sbin/ipfw add 00100 allow ip from any to any via lo0
    /sbin/ipfw add 500 divert 8668 ip from any to any via sis0
    /sbin/natd -a 200.200.200.2
    /sbin/ipfw add 64002 pass all from any to any
    /sbin/ipfw add 65000 allow all from any to any

and these rules don't work:

    /sbin/ipfw -f flush
    /sbin/ipfw add 00100 allow ip from any to any via lo0
    /sbin/ipfw add 500 divert 8668 ip from 10.0.0.2 to any via sis0
    /sbin/natd -a 200.200.200.2
    /sbin/ipfw add 64002 pass all from any to any
    /sbin/ipfw add 65000 allow all from any to any

????????????????????

My internal IP is 10.0.0.2.

Gilberto
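The per-network natd layout that Chuck and Hans describe (one natd per outside address, each on its own divert port), written out as an added example; this is not code from the thread. It also shows why the second ruleset in the message above does not work: "divert 8668 ip from 10.0.0.2 to any via sis0" matches only packets whose source is 10.0.0.2, i.e. the outbound half of each connection, so the replies, which arrive addressed to 200.200.200.2, are never handed to natd and are never translated back. Each network therefore gets two divert rules, one keyed on the inside source network for outbound traffic and one keyed on the outside destination address for inbound traffic. Assumptions: the outside interface is sis0 (taken from Gilberto's rules), the four-network mapping is constructed from his example with /24 masks, the divert ports start at 8668, and the script name multi-natd.sh is made up.

```shell
#!/bin/sh
# multi-natd.sh: added example, not code from the thread. One natd instance per
# inside network, each bound to its own outside address and divert port, as in
# Hans's "-a OUTSIDE_IP -p PORT" suggestion. The mapping, the interface name
# (sis0) and the port numbers are assumptions.
#
# Run as-is to print the commands. To install them, run as root on FreeBSD:
#   FWCMD=/sbin/ipfw NATDCMD=/sbin/natd sh multi-natd.sh

EXT_IF="${EXT_IF:-sis0}"                  # assumed outside interface
BASE_PORT="${BASE_PORT:-8668}"            # first divert port; each network gets the next one
FWCMD="${FWCMD:-echo /sbin/ipfw}"         # dry run by default
NATDCMD="${NATDCMD:-echo /sbin/natd}"

# Constructed mapping "inside-network outside-address", one pair per line.
MAPPINGS="10.1.0.0/24 200.200.200.1
10.2.0.0/24 200.200.200.2
10.3.0.0/24 200.200.200.3
10.4.0.0/24 200.200.200.4"

# divert_port N: the divert port used for the Nth mapping (1-based).
divert_port() {
    echo $((BASE_PORT + $1 - 1))
}

# nat_rules: emit the natd invocations and the ipfw rules for every mapping.
# Each network needs two divert rules on the outside interface: the outbound
# rule matches by inside source network, the inbound rule matches replies by
# outside destination address. A single rule such as
# "divert 8668 ip from 10.0.0.2 to any via sis0" covers only the outbound half,
# so replies addressed to 200.200.200.2 never reach natd.
nat_rules() {
    $FWCMD -f flush
    $FWCMD add 100 allow ip from any to any via lo0
    n=0
    rule=500
    echo "$MAPPINGS" | while read -r inside outside; do
        [ -n "$inside" ] || continue
        n=$((n + 1))
        port=$(divert_port "$n")
        # Start natd before installing the rules that divert to it: a packet
        # that hits a divert rule with no listener on that port is dropped.
        $NATDCMD -a "$outside" -p "$port"
        $FWCMD add "$rule" divert "$port" ip from "$inside" to any out via "$EXT_IF"
        rule=$((rule + 1))
        $FWCMD add "$rule" divert "$port" ip from any to "$outside" in via "$EXT_IF"
        rule=$((rule + 1))
    done
    $FWCMD add 65000 allow ip from any to any
}

nat_rules
```

With the defaults the script only prints the commands; setting FWCMD and NATDCMD to the real binaries installs them. Keying the divert rules on the inside networks and the outside addresses, rather than "from any to any", hands natd only the traffic that actually needs translation and keeps each instance's translation table confined to its own outside address, so a misconfiguration in one mapping cannot silently rewrite traffic belonging to another.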