From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 23 16:05:47 2005
From: "W. D." <WD@US-Webmasters.com>
Date: Sun, 23 Oct 2005 11:04:58 -0500
To: freebsd-ipfw@freebsd.org
Cc: Daemon
Subject: Re: ipfw firewall help
Message-Id: <5.1.0.14.2.20051023110150.020a7b80@209.152.117.178>
In-Reply-To: <4358FCE7.5040803@foxchat.net>
References: <4358899F.1090505@roamingsolutions.net> <435849B9.8040509@foxchat.net> <4358899F.1090505@roamingsolutions.net>

At 09:36 10/21/2005, Daemon wrote:
>Great! Thanks. One possibly stupid question. What is the "Deny
>Spoof"? Is that like;
>
># Stop spoofing of your internal network range
># ${fwcmd} add deny ip from ${iif} to any in via ${oif}
>
># Stop spoofing from inside your private ip range
># ${fwcmd} add deny ip from not ${iif} to any in via ${iif}

Hey Daemon,

Your rules snippet looks great! I really like the way you have commented the lines.
When you have debugged your firewall, would you please post the entire set here? That way, newbies can understand better how the firewall works. I haven't seen too many examples like this.

Thanks!

Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
$8.77 Domain Names -> http://domains.us-webmasters.com/

From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 23 16:46:22 2005
From: G Bryant <gbryant@roamingsolutions.net>
Date: Sun, 23 Oct 2005 18:46:56 +0200
To: Daemon
Message-ID: <435BBE80.7040009@roamingsolutions.net>
In-Reply-To: <4358FCE7.5040803@foxchat.net>
References: <435849B9.8040509@foxchat.net> <4358899F.1090505@roamingsolutions.net> <4358FCE7.5040803@foxchat.net>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw firewall help

Yup - that would work. IPFW also has a built-in command that does the same:

$cmd deny ip from any to any not antispoof in

Daemon wrote:
> Great! Thanks. One possibly stupid question. What is the "Deny Spoof"? Is that like;
>
> # Stop spoofing of your internal network range
> # ${fwcmd} add deny ip from ${iif} to any in via ${oif}
> # Stop spoofing from inside your private ip range
> # ${fwcmd} add deny ip from not ${iif} to any in via ${iif}
>
> G Bryant wrote:
>> Hi,
>>
>> I found my rules worked best in this order:
>> (You will need to correct the syntax - just typed up the order for you quickly)
>>
>> Deny spoofed
>> Allow localhost
>> Allow all from any to any via $iif
>> divert natd all from any to any in via $oif
>> #insert bandwidth shaping rules
>> skipto 5000 all from $iip to any out via $oif
>> #allow all from any to me in via $oif   # if you want to receive traffic from internet to this box. Your decision if you need it.
>> deny all from any to any out
>> allow all from any to $iip in via $oif
>> #allow all from me to any out via $oif   # traffic from this box out to the internet. Your decision if you need it.
>> deny all from any to any in
>> 5000 nat all from any to any out via $oif
>> allow all from any to any out
>>
>> This is a very "open" set of rules - your choice.
>>
>> Hope this helps.
>>
>> Regards,
>> Graham
>>
>> Daemon wrote:
>>> I'm trying to build a firewall from scratch using man ipfw and what I can find on the net. I'm doing bandwidth shaping and I'm not quite sure where it goes as far as rule numbers. From what I can see, it matters and I'd like to do it right.
>>> I'm using an OPEN firewall with NATD because I'm on cable broadband with a static IP. Here is what I have.
>>>
>>> 00010    52    2446 pipe 1 ip from 172.16.140.0/24 to any xmit re0
>>> 00020     0       0 pipe 2 ip from any to 172.16.140.0/24 recv re0
>>> 00050   274   24955 divert 8668 ip from any to any via re0
>>> 00100    50    5642 allow ip from any to any via lo0
>>> 00200     0       0 deny ip from any to 127.0.0.0/8
>>> 00300     0       0 deny ip from 127.0.0.0/8 to any
>>> 65535  4658  547779 allow ip from any to any
>>>
>>> The actual rule set for the bandwidth shaping is:
>>>
>>> # Traffic Shaping.
>>> # oif="re0"               # ${oif} Public Interface.
>>> # iif="re1"               # ${iif} Internal nic.
>>> # iip="172.16.140.0/24"   # ${iip}
>>> ${fwcmd} add 10 pipe 1 all from ${iip} to any xmit ${oif}
>>> ${fwcmd} pipe 1 config mask src-ip 0xffffff00 bw 35Kbits/s queue 40Kbytes
>>> ${fwcmd} add 20 pipe 2 all from any to ${iip} recv ${oif}
>>> ${fwcmd} pipe 2 config mask dst-ip 0xffffff00 bw 4000Kbits/s queue 40Kbytes
>>>
>>> I've found lots of stuff on "how" to set it up but I can't seem to find anything on where the rules go. Any help would be greatly appreciated.
>>>
>>> Regards,
>>> Mark

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
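The order Graham sketches above, and Daemon's question about where the pipes go, come down to how ipfw walks a ruleset. The model below is an added example written for this page, not code from the list or from FreeBSD: it replays ipfw's first-match walk over Graham's order (with Daemon's two pipes in the "#insert bandwidth shaping rules" slot) and over the listing from Daemon's first post. Two things it makes visible. A pipe placed before the NAT rule ends the walk when net.inet.ip.fw.one_pass=1 (the default), so outbound LAN packets are shaped and accepted without ever being translated, while one_pass=0 lets them go on to the divert. And an inbound pipe that matches on the private destination cannot match on the inbound pass until natd has rewritten the destination, so placed before the inbound divert, as rule 20 in that listing is, it never fires there (the model checks one pass per packet; real ipfw also evaluates a forwarded packet on its way out). Graham's rule 5000 is written here as divert natd: the nat keyword is the in-kernel NAT that appeared with FreeBSD 7.0 and is not in the 5.x/6.x ipfw of this thread. The interface names and subnet are the ones in the thread; the rule numbers, the public address 24.172.0.2, the natd state entry and the sample packets are assumptions.

```python
"""First-match walk of an ipfw ruleset, to show how the divert/skipto/pipe
layouts in this thread treat a packet.  Added example, not code from the list
or from FreeBSD.  It follows ipfw(8): the first matching rule wins; a diverted
packet is reinjected at the next rule once natd hands it back; skipto resumes
at the first rule numbered >= its target; with net.inet.ip.fw.one_pass=1 (the
default) a packet leaves the firewall right after a pipe.  natd is a stub that
only rewrites addresses.  Interfaces and subnet are Daemon's; rule numbers,
the public address and the NAT state entry are assumptions."""
from collections import namedtuple
import ipaddress

OIF, IIF = "re0", "re1"                      # public and internal NICs
LAN = ipaddress.ip_network("172.16.140.0/24")
PUBLIC = "24.172.0.2"                        # assumed (Daemon masked his)
NAT_INSIDE = "172.16.140.10"                 # assumed natd state for replies

# direction is "in" or "out"; iface is the recv iface if in, the xmit iface if out
Packet = namedtuple("Packet", "src dst direction iface")
# action: allow | deny | divert | pipe | skipto; spoofed=True models "not antispoof"
Rule = namedtuple("Rule", "num action src dst direction iface target spoofed",
                  defaults=("any", "any", None, None, None, False))

def addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def antispoof_ok(pkt):
    # An incoming packet with a LAN source must have come in on the LAN
    # interface; sources that are not directly connected cannot be checked.
    if pkt.direction == "in" and ipaddress.ip_address(pkt.src) in LAN:
        return pkt.iface == IIF
    return True

def matches(r, pkt):
    return (addr_ok(r.src, pkt.src) and addr_ok(r.dst, pkt.dst)
            and r.direction in (None, pkt.direction)
            and r.iface in (None, pkt.iface)
            and (not r.spoofed or not antispoof_ok(pkt)))

def natd(pkt):
    """Stub natd: rewrite the LAN source going out, the public destination coming in."""
    if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in LAN:
        return pkt._replace(src=PUBLIC)
    if pkt.direction == "in" and pkt.dst == PUBLIC:
        return pkt._replace(dst=NAT_INSIDE)
    return pkt

def walk(rules, pkt, one_pass=True):
    """Return (verdict, numbers of the rules that matched, packet as it leaves)."""
    rules = sorted(rules, key=lambda r: r.num)
    trace, i = [], 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        trace.append(r.num)
        if r.action in ("allow", "deny"):
            return r.action, trace, pkt
        if r.action == "divert":
            pkt = natd(pkt)                  # back from natd, on to the next rule
        elif r.action == "pipe" and one_pass:
            return "all" + "ow", trace, pkt  # one_pass=1: the walk ends here
        elif r.action == "skipto":
            i = next(j for j, x in enumerate(rules) if x.num >= r.target)
            continue
        i += 1
    return "deny", trace, pkt

L = str(LAN)
# Graham's order with Daemon's two pipes in the "#insert bandwidth shaping rules"
# slot.  5000 is divert natd here: "nat" is in-kernel NAT, not in 5.x/6.x ipfw.
GRAHAM = [
    Rule(100, "deny", direction="in", spoofed=True),        # not antispoof in
    Rule(200, "allow", iface="lo0"),
    Rule(300, "allow", iface=IIF),
    Rule(400, "divert", direction="in", iface=OIF),
    Rule(500, "pipe", src=L, direction="out", iface=OIF),   # pipe 1
    Rule(600, "pipe", dst=L, direction="in", iface=OIF),    # pipe 2
    Rule(700, "skipto", src=L, direction="out", iface=OIF, target=5000),
    Rule(800, "deny", direction="out"),
    Rule(900, "allow", dst=L, direction="in", iface=OIF),
    Rule(1000, "deny", direction="in"),
    Rule(5000, "divert", direction="out", iface=OIF),
    Rule(5100, "allow", direction="out"),
    Rule(65535, "allow"),                                    # DEFAULT_TO_ACCEPT
]
# The listing in Daemon's first post, minus the loopback rules.
LISTING = [
    Rule(10, "pipe", src=L, direction="out", iface=OIF),
    Rule(20, "pipe", dst=L, direction="in", iface=OIF),
    Rule(50, "divert", iface=OIF),                           # via re0
    Rule(65535, "allow"),
]

OUTBOUND = Packet("172.16.140.10", "198.51.100.5", "out", OIF)  # LAN host out
INBOUND = Packet("198.51.100.5", PUBLIC, "in", OIF)            # reply coming in
SPOOFED = Packet("172.16.140.99", PUBLIC, "in", OIF)           # LAN source on re0
```

walk(GRAHAM, OUTBOUND) stops at rule 500 with the private source still in place; walk(GRAHAM, OUTBOUND, one_pass=False) continues through 700, 5000 and 5100 and leaves with the public source; walk(GRAHAM, SPOOFED) is denied at 100. On the listing, walk(LISTING, OUTBOUND) ends at rule 10 and walk(LISTING, INBOUND) goes 50, 65535 without touching rule 20.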
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 24 00:01:59 2005
From: Daemon <daemon@foxchat.net>
Date: Sun, 23 Oct 2005 20:01:55 -0400
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw firewall help
Message-ID: <435C2473.3070408@foxchat.net>
In-Reply-To: <5.1.0.14.2.20051023110150.020a7b80@209.152.117.178>
References: <4358899F.1090505@roamingsolutions.net> <435849B9.8040509@foxchat.net> <4358899F.1090505@roamingsolutions.net> <5.1.0.14.2.20051023110150.020a7b80@209.152.117.178>

W. D. wrote:
> At 09:36 10/21/2005, Daemon wrote:
>
>> Great! Thanks. One possibly stupid question. What is the "Deny
>> Spoof"? Is that like;
>> # Stop spoofing of your internal network range
>> # ${fwcmd} add deny ip from ${iif} to any in via ${oif}
>> # Stop spoofing from inside your private ip range
>> # ${fwcmd} add deny ip from not ${iif} to any in via ${iif}
>
> Hey Daemon,
>
> Your rules snippet looks great! I really like the way you
> have commented the lines. When you have debugged your
> firewall, would you please post the entire set here? That way,
> newbies can understand better how the firewall works. I
> haven't seen too many examples like this.
>
> Thanks!
>
> Start Here to Find It Fast!™ -> http://www.US-Webmasters.com/best-start-page/
> $8.77 Domain Names -> http://domains.us-webmasters.com/

Sorry, I had to go out of town on Friday and just got back. This is what I have so far; however, I can't seem to figure out the correct syntax for my rule #20000 for the rule Graham posted before. His rule was;

5000 nat all from any to any out via $oif

Once I figure out the correct syntax, I'll be able to incorporate the rule set that Graham provided with some modifications. Right now it doesn't work correctly. Other than rule #20000, if there are any other rules that aren't correct or can be more streamlined, I'd welcome and appreciate any input/advice. By the way, thanks again Graham for the help.

############
nip="24.172.X.XX/30"    # ${nip}
oip="24.172.X.XX"       # ${oip} Static IP
oif="re0"               # ${oif} Public interface name of nic
                        # card facing the public Internet
iif="re1"               # ${iif} Internal nic.
iip="172.16.140.0/24"   # ${iip} Internal Subnet.
############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
        fwcmd="/sbin/ipfw -q"
        ;;
*)
        fwcmd="/sbin/ipfw"
        ;;
esac
############
# Flush out the list before we begin.
#
${fwcmd} -f flush

# Setup Loopback (not sure if these are in the
# correct place).
${fwcmd} add 10 pass all from any to any via lo0
${fwcmd} add 20 deny all from any to 127.0.0.0/8
${fwcmd} add 30 deny all from 127.0.0.0/8 to any
#-------------------------------------------------------------
# Stop spoofing of your internal network range and
# spoofing from inside your private ip range.
${fwcmd} add 40 deny ip from any to any not antispoof in
#-------------------------------------------------------------
# Natd rules. See Rule 300
${fwcmd} add 50 allow all from any to any via ${iif}
${fwcmd} add 60 divert natd all from any to any in via ${oif}
#-------------------------------------------------------------
# Traffic Shaping for the internal network.
${fwcmd} add 70 pipe 1 all from ${iip} to any xmit ${oif}
${fwcmd} pipe 1 config mask src-ip 0xffffff00 bw 35Kbits/s queue 40Kbytes
${fwcmd} add 80 pipe 2 all from any to ${iip} recv ${oif}
${fwcmd} pipe 2 config mask dst-ip 0xffffff00 bw 4000Kbits/s queue 40Kbytes
${fwcmd} add 90 allow all from any to me in via ${oif}
#-------------------------------------------------------------
# Allow internal network in/out via the outside nic.
${fwcmd} add 100 allow all from any to ${iip} in via ${oif}
${fwcmd} add 200 allow all from me to any out via ${oif}
#-------------------------------------------------------------
# See Rule 20000
${fwcmd} add 300 skipto 20000 all from ${iip} to any out via ${oif}
#-------------------------------------------------------------
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
${fwcmd} add 400 deny { tcp or udp } from any to any 137,138,139,445,1080
${fwcmd} add 500 deny { tcp or udp } from any to any 1243,6776,8998,12345,31337
${fwcmd} add 600 deny icmp from any to me in icmptype 5,9,13,14,15,16,17
${fwcmd} add 700 deny icmp from any to any iplen 92
#-------------------------------------------------------------
# Block malicious connects to ssh, ftp, mail(pop/smtp/imap), and identd.
${fwcmd} add 800 deny all from "table(2,0)" to me 20-25,110,113,143
${fwcmd} add 900 deny all from "table(3,0)" to me 20-25,110,113,143
# Block malicious connects to web server ports.
${fwcmd} add 1000 deny all from "table(4,0)" to me 80,443
#-------------------------------------------------------------
# Deny any late arriving packets
${fwcmd} add 2000 deny all from any to any frag in via ${oif}
#-------------------------------------------------------------
# 5000 nat all from any to any out via $oif
# ^^^ Rule provided by Graham.
${fwcmd} add 20000 divert natd ip from any to any out via ${oif}
${fwcmd} add 65000 allow all from any to any out

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 24 04:38:40 2005
From: GNU GNATS <gnats@FreeBSD.org>
Date: Mon, 24 Oct 2005 04:38:40 GMT
To: gnats@FreeBSD.org, ipfw@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/48172: [ipfw] [patch] ipfw does not log size and flags
Message-Id: <200510240438.j9O4ce4g098743@freefall.freebsd.org>

Old Synopsis: ipfw does not log size and flags
New Synopsis: [ipfw] [patch] ipfw does not log size and flags

Responsible-Changed-From-To: ipfw->freebsd-ipfw
Responsible-Changed-By: gnats
Responsible-Changed-When: Mon Oct 24 04:38:05 GMT 2005
Responsible-Changed-Why:

http://www.freebsd.org/cgi/query-pr.cgi?pr=48172
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 24 05:11:00 2005
From: Mark Linimon <linimon@FreeBSD.org>
Date: Mon, 24 Oct 2005 05:10:59 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should execute $firewall_script not read it
Message-Id: <200510240510.j9O5Ax5t005339@freefall.freebsd.org>

Old Synopsis: [patch] /etc/rc.d/ipfw should execute $firewall_script not read it
New Synopsis: [ipfw] [patch] /etc/rc.d/ipfw should execute $firewall_script not read it

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Oct 24 05:10:01 GMT 2005
Responsible-Changed-Why:
Over to mailing list for review.
http://www.freebsd.org/cgi/query-pr.cgi?pr=78762

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 24 05:11:38 2005
From: Mark Linimon <linimon@FreeBSD.org>
Date: Mon, 24 Oct 2005 05:11:35 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: bin/78785: [ipfw] [patch] ipfw verbosity locks machine if /etc/rc.firewall is run remotely
Message-Id: <200510240511.j9O5BZ88005442@freefall.freebsd.org>

Synopsis: [ipfw] [patch] ipfw verbosity locks machine if /etc/rc.firewall is run remotely

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Oct 24 05:11:22 GMT 2005
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=78785

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 24 05:12:35 2005
From: Mark Linimon <linimon@FreeBSD.org>
Date: Mon, 24 Oct 2005 05:12:34 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/86957: [ipfw] [patch] ipfw mac logging
Message-Id: <200510240512.j9O5CYt7005582@freefall.freebsd.org>

Synopsis: [ipfw] [patch] ipfw mac logging

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Oct 24 05:12:25 GMT 2005
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=86957

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 24 11:02:08 2005
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
Date: Mon, 24 Oct 2005 11:02:07 GMT
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
Message-Id: <200510241102.j9OB27Ch061971@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker      Resp.      Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274   ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341   ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154   ipfw   ipfw core (crash)
o [2004/03/03] kern/63724   ipfw   IPFW2 Queues dont t work
o [2004/11/13] kern/73910   ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104   ipfw   ipfw2/1 conflict not detected or reported
f [2004/12/25] kern/75483   ipfw   ipfw count does not count
o [2005/03/13] conf/78762   ipfw   [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11] bin/80913    ipfw   /sbin/ipfw2 silently discards MAC addr ar

9 problems total.

Non-critical problems

S Submitted     Tracker      Resp.      Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10] kern/46159   ipfw   [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11] kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and
o [2003/03/10] kern/49086   ipfw   [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09] bin/50749    ipfw   [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26] kern/55984   ipfw   [ipfw] [patch] time based firewalling sup
o [2003/12/30] kern/60719   ipfw   [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963   ipfw   [ipfw] install_state warning about alread
o [2004/09/04] kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/29] kern/73276   ipfw   ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971   ipfw   ipfw antispoof incorrectly blocks broadca
o [2005/03/13] bin/78785    ipfw   [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05] kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28] kern/82724   ipfw   [ipfw] [patch] Add setnexthop and default
o [2005/10/05] kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o [2005/10/07] kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface imple
16 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 24 20:45:21 2005
From: Tyrone@telecity.se
Date: Mon, 24 Oct 2005 21:40:19 +0100
To: freebsd-ipfw@freebsd.org
Subject: shaping

Hi,

I'm having trouble shaping; not sure if my commands are correct, so I want to run it here just in case I'm missing something.

I have a FreeBSD 5.4-RELEASE router with two network cards, one connected to my upstream provider and one connected to my vLAN-enabled switch. Traffic between my vLANs and the internet is up and running without any problems.

I need to shape traffic for each vLAN connecting to the internet. I will NOT be firewalling at all, just shaping the vLANs at this stage, nothing more.
Here is what I have configured:

#traffic pipes setup
ipfw pipe 1 config bw 2mbit/s
ipfw pipe 2 config bw 10mbit/s
ipfw pipe 3 config bw 20mbit/s

#limit incoming/outgoing traffic
ipfw add 100 pipe 1 ip from any to any in recv vlan0
ipfw add 100 pipe 1 ip from any to any out xmit vlan0
ipfw add 200 pipe 2 ip from any to any in recv vlan1
ipfw add 200 pipe 2 ip from any to any out xmit vlan1
ipfw add 300 pipe 3 ip from any to any in recv vlan2
ipfw add 300 pipe 3 ip from any to any out xmit vlan2

#My kernel configuration
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=100
options IPV6FIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT        #divert sockets
options DUMMYNET
options BRIDGE

Regards
Tyrone

DISCLAIMER
This e-mail is intended only for the use of the addressees named above and may be confidential. If you are not an addressee you must not use any information contained in nor copy it nor inform any person other than TeleCity or the addressees of its existence or contents. If you have received this e-mail in error, please contact the TeleCity IT department on +44 (0) 161 232 3220 or by email at techsupport@telecity.com. Internet communications cannot be guaranteed 100% secure; you should therefore take this potential lack of security into consideration when emailing us, as we do not accept legal responsibility for the security of the contents of this or other emails. Whilst TeleCity take measures to prevent any virus contamination of our computer systems, recipients of emails should always ensure that they take their own precautions to avoid virus contamination.
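Two of the pipe layouts in this thread hand out less than they appear to. Tyrone's rules steer a VLAN's inbound and outbound packets into the same pipe, so the 2 Mbit/s is the total for both directions together; and Daemon's "pipe 1 config mask src-ip 0xffffff00" (earlier in the thread) groups flows by /24, which on a single /24 LAN is one dynamic pipe shared by every host rather than one per host (0xffffffff would give one per host). The model below is an added example written for this page, not FreeBSD's dummynet code: a pipe is one link of the configured bandwidth draining a FIFO, and a masked pipe is one such link per key, which is how ipfw(8) describes them. Packet size, slot length, the sample addresses and the offered loads are assumptions, and the queue is unbounded where dummynet tail-drops at the configured queue size (at 35 Kbit/s, Daemon's queue 40Kbytes is roughly nine seconds of backlog). Tyrone's duplicated rule numbers are fine, incidentally: rules sharing a number are evaluated in the order they were added.

```python
"""Discrete-time model of dummynet pipes, to show what the pipe layouts in this
thread hand out: Tyrone's one pipe per VLAN fed from both directions, and
Daemon's "pipe 1 config mask src-ip 0xffffff00".  Added example, not FreeBSD's
dummynet.  A pipe is modelled as ipfw(8) describes it: one link of the
configured bandwidth with a single FIFO, shared by every packet steered into
it; a pipe with a mask becomes one such link per flow key (address AND mask).
The queue here is unbounded (dummynet tail-drops at its "queue" size); slots
are 1 ms, packets 1000 bits, and the offered loads are assumptions."""
from collections import deque
import ipaddress

PKT_BITS = 1000                  # every packet in the model is this big

class Link:
    """One emulated link: 'bw' bit/s served from a FIFO, 1 ms at a time."""
    def __init__(self, bw):
        self.per_slot = bw // 1000   # bits of credit earned per 1 ms slot
        self.q = deque()
        self.credit = 0
        self.sent = {}               # flow name -> bits delivered

    def tick(self):
        if not self.q:
            self.credit = 0          # an idle link earns no burst credit
            return
        self.credit += self.per_slot
        while self.q and self.credit >= PKT_BITS:
            flow = self.q.popleft()
            self.credit -= PKT_BITS
            self.sent[flow] = self.sent.get(flow, 0) + PKT_BITS

class Pipe:
    """'ipfw pipe N config bw BW [mask src-ip MASK]': one Link, or one per key."""
    def __init__(self, bw, src_mask=None):
        self.bw, self.src_mask, self.links = bw, src_mask, {}

    def link_for(self, src):
        key = 0 if self.src_mask is None else int(ipaddress.ip_address(src)) & self.src_mask
        return self.links.setdefault(key, Link(self.bw))

def run(flows, slots):
    """flows: (name, source address, Pipe, packets offered per slot).
    Returns bit/s delivered per flow over the run."""
    pipes = []
    for _, _, pipe, _ in flows:
        if pipe not in pipes:
            pipes.append(pipe)
    for _ in range(slots):
        for n in range(max(rate for *_, rate in flows)):
            for name, src, pipe, rate in flows:       # fair interleaving
                if n < rate:
                    pipe.link_for(src).q.append(name)
        for pipe in pipes:
            for link in pipe.links.values():
                link.tick()
    total = {}
    for pipe in pipes:
        for link in pipe.links.values():
            for name, bits in link.sent.items():
                total[name] = total.get(name, 0) + bits
    return {name: bits / (slots / 1000) for name, bits in total.items()}

def vlan_shared():
    """Tyrone's rules 100: 'in recv vlan0' and 'out xmit vlan0' both into pipe 1
    (2 Mbit/s), each direction offering 2 Mbit/s for one second."""
    pipe1 = Pipe(2_000_000)
    return run([("vlan0 in", "10.0.0.1", pipe1, 2),
                ("vlan0 out", "203.0.113.1", pipe1, 2)], 1000)

def vlan_split():
    """Same demand, but one 2 Mbit/s pipe per direction."""
    return run([("vlan0 in", "10.0.0.1", Pipe(2_000_000), 2),
                ("vlan0 out", "203.0.113.1", Pipe(2_000_000), 2)], 1000)

def lan_masked(src_mask):
    """Daemon's 'pipe 1 config mask src-ip MASK bw 35Kbit/s' with two LAN hosts
    each offering far more than the limit, over ten seconds."""
    pipe1 = Pipe(35_000, src_mask)
    return run([("172.16.140.10", "172.16.140.10", pipe1, 1),
                ("172.16.140.20", "172.16.140.20", pipe1, 1)], 10_000)
```

vlan_shared() delivers 1 Mbit/s per direction where vlan_split() delivers 2 Mbit/s; lan_masked(0xffffff00) gives each host 17.5 kbit/s where lan_masked(0xffffffff) gives each the full 35 kbit/s.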
From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 25 02:13:14 2005
From: Mark Linimon <linimon@FreeBSD.org>
Date: Tue, 25 Oct 2005 02:13:14 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/72987: [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (red|gred) [FLOAT]/[BYTES]/[BYTES]/[FLOAT]' parameter problem
Message-Id: <200510250213.j9P2DEKT096648@freefall.freebsd.org>

Old Synopsis: ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (red|gred) [FLOAT]/[BYTES]/[BYTES]/[FLOAT]' parameter problem
New Synopsis: [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (red|gred) [FLOAT]/[BYTES]/[BYTES]/[FLOAT]' parameter problem

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Oct 25 02:12:37 GMT 2005
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=72987

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 28 06:49:25 2005
From: Mark Linimon
Date: Fri, 28 Oct 2005 06:49:24 GMT
To: asstec@matik.com.br, linimon@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Message-Id: <200510280649.j9S6nOej072292@freefall.freebsd.org>
Subject: Re: kern/75483: [ipfw] ipfw count does not count

Synopsis: [ipfw] ipfw count does not count

State-Changed-From-To: feedback->closed
State-Changed-By: linimon
State-Changed-When: Fri Oct 28 06:49:08 GMT 2005
State-Changed-Why:
Feedback timeout (4 months).
http://www.freebsd.org/cgi/query-pr.cgi?pr=75483

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 28 15:21:16 2005
From: G Bryant
Date: Fri, 28 Oct 2005 17:19:29 +0200
To: daniel@dgnetwork.com.br
Cc: freebsd-net@freebsd.org, FreeBSD , freebsd-pf@freebsd.org
Message-ID: <43624181.5010305@roamingsolutions.net>
In-Reply-To: <4361FE7E.50607@dgnetwork.com.br>
References: <4361FE7E.50607@dgnetwork.com.br>
Subject: Re: Load Balancing Outgoing, its possible ?

Daniel Dias Gonçalves wrote:
>
> Complicated? Is it possible?
>
>                                TELECOM
>                         LOAD SHARING PER PACKET
> ------------------------------------------------------------------------
>           |   |                                   |   |
>           |   |                                   |   |
> -------------------------------       -------------------------------
>   CISCO 2600 (6mbps)                    HUAWEI (6mbps)
>   LOAD SHARING PER PACKET               LOAD SHARING PER PACKET
> -------------------------------       -------------------------------
>   Ethernet (64.XX.XX.1/30)              Ethernet (65.XX.XX.1/30)
>           |                                       |
>           |                                       |
>   XL0 (64.XX.XX.2/30)                   XL1 (65.XX.XX.2/30)
> ------------------------------------------------------------------------
>                           FREEBSD 5.4 + PF
> ------------------------------------------------------------------------
>   XL2 (192.168.0.254/24, 64.XX.XX.5/30, 65.XX.XX.5/30)
>           |
>           |
>      ------------------
>           SWITCH       ------------------  IP: 65.XX.XX.6/30
>      ------------------                    GW: 65.XX.XX.5
>          /    \
>         /      \
>   IP: 192.168.0.10/24     IP: 64.XX.XX.6/30
>   GW: 192.168.0.254       GW: 64.XX.XX.5
>   and more clients ...
>
> I need load balancing outgoing traffic from:
> 192.168.0.0/24 ( NAT )
> and 64.XX.XX.0/24, 65.XX.XX.0/24
>
> Is it possible to do this balancing with PF? Is there some
> software that does this? Can Zebra help me?
> Does this type of balancing cause problems for NAT users or for
> users with valid (public) IPs?
> If it is possible, I would like to see examples with rules.
>
> Thanks,
>
If you do not manage to come right with PF, I have a working example of
a similar setup using IPFW & natd.
Let me know if you would like the config files.
Regards
Graham

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 28 15:44:42 2005
From: Corey Smith
Date: Fri, 28 Oct 2005 11:44:27 -0400
To: G Bryant
Cc: daniel@dgnetwork.com.br, freebsd-net@freebsd.org, freebsd-pf@freebsd.org, FreeBSD
Message-Id: <1130514267.81705.101.camel@localhost>
In-Reply-To: <43624181.5010305@roamingsolutions.net>
References: <4361FE7E.50607@dgnetwork.com.br> <43624181.5010305@roamingsolutions.net>
Subject: Re: Load Balancing Outgoing, its possible ?

On Fri, 2005-10-28 at 17:19 +0200, G Bryant wrote:
> Daniel Dias Gonçalves wrote:
>
> >
> > Is it possible to do this balancing with PF?
> > Is there some software that does this? Can Zebra help me?
> > Does this type of balancing cause problems for NAT users or for
> > users with valid (public) IPs?
> > If it is possible, I would like to see examples with rules.
> >

It would be much better to do per flow load balancing than per packet.
With per packet your TCP flows will arrive out of order, which is a bad
situation since it will lead to a large number of retransmissions and
zero-window acknowledgments.

The only tunable to help correct that is to allow selective
acknowledgments.

You are going to get much higher utilization on your load balanced lines
by using per flow with multiple TCP connections.

Anybody know how to implement per flow load balancing in FreeBSD? Are
multiple default routes supported?

It would be beautiful if you could put multiple routes with the same
metric into the kernel and then the kernel would enable per flow load
balancing of the routes...

-Corey Smith

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 28 16:03:34 2005
Message-ID: <43624BCE.6010907@dgnetwork.com.br>
Date: Fri, 28 Oct 2005 14:03:26 -0200
From: Daniel Dias Gonçalves
Organization: DGNET Network Solutions
To: Corey Smith , freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org
Reply-To: daniel@dgnetwork.com.br
In-Reply-To: <1130514267.81705.101.camel@localhost>
References: <4361FE7E.50607@dgnetwork.com.br> <43624181.5010305@roamingsolutions.net> <1130514267.81705.101.camel@localhost>
Subject: Re: Load Balancing Outgoing, its possible ?

Corey Smith wrote:
>On Fri, 2005-10-28 at 17:19 +0200, G Bryant wrote:
>
>>Daniel Dias Gonçalves wrote:
>>
>>>Is it possible to do this balancing with PF? Is there some
>>>software that does this? Can Zebra help me?
>>>Does this type of balancing cause problems for NAT users or for
>>>users with valid (public) IPs?
>>>If it is possible, I would like to see examples with rules.
>>>
>
>It would be much better to do per flow load balancing than per packet.
>With per packet your TCP flows will arrive out of order, which is a bad
>situation since it will lead to a large number of retransmissions and
>zero-window acknowledgments.
>
>The only tunable to help correct that is to allow selective
>acknowledgments.
>
>You are going to get much higher utilization on your load balanced lines
>by using per flow with multiple TCP connections.
>
>Anybody know how to implement per flow load balancing in FreeBSD?
>Are multiple default routes supported?
>
>It would be beautiful if you could put multiple routes with the same
>metric into the kernel and then the kernel would enable per flow load
>balancing of the routes...
>
It would be very good if it could do this.

>-Corey Smith
>
What is the solution?

--
Daniel Dias Gonçalves
DGNET Network Solutions
daniel@dgnetwork.com.br
(37) 99824809

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 28 16:23:47 2005
From: Corey Smith
Date: Fri, 28 Oct 2005 12:23:44 -0400
To: daniel@dgnetwork.com.br
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org, freebsd-ipfw@freebsd.org
Message-Id: <1130516624.81705.107.camel@localhost>
In-Reply-To: <43624BCE.6010907@dgnetwork.com.br>
References: <4361FE7E.50607@dgnetwork.com.br> <43624181.5010305@roamingsolutions.net> <1130514267.81705.101.camel@localhost> <43624BCE.6010907@dgnetwork.com.br>
Subject:
Re: Load Balancing Outgoing, its possible ?

On Fri, 2005-10-28 at 14:03 -0200, Daniel Dias Gonçalves wrote:
> It would be very good if it could do this.
>
> What is the solution?

Linux supports this feature if you build advanced routing options into
the kernel.

The only FreeBSD code I've seen to do something like this is at:
http://www.dsm.fordham.edu/~tanzer/multipath/

Unfortunately it hasn't been updated past FreeBSD 4.8.

Maybe a FreeBSD winter-of-code project? :) Any takers?

-Corey Smith

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 28 17:02:03 2005
From: G Bryant
Date: Fri, 28 Oct 2005 19:02:25 +0200
To: daniel@dgnetwork.com.br, FreeBSD , FreeBSD
Message-ID: <436259A1.3090704@roamingsolutions.net>
References: <4361FE7E.50607@dgnetwork.com.br> <43624181.5010305@roamingsolutions.net> <43624A5E.7010002@dgnetwork.com.br>
In-Reply-To:
<43624A5E.7010002@dgnetwork.com.br>
Subject: Re: Load Balancing Outgoing, its possible ?
Content-Type: multipart/mixed; boundary="------------090402040307030304090109"

This is a multi-part message in MIME format.
--------------090402040307030304090109
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Daniel Dias Gonçalves wrote:
> G Bryant wrote:
>
>> Daniel Dias Gonçalves wrote:
>>
>>>
>>> Complicated? Is it possible?
>>>
>>>                                TELECOM
>>>                         LOAD SHARING PER PACKET
>>> ------------------------------------------------------------------------
>>>           |   |                                   |   |
>>>           |   |                                   |   |
>>> -------------------------------       -------------------------------
>>>   CISCO 2600 (6mbps)                    HUAWEI (6mbps)
>>>   LOAD SHARING PER PACKET               LOAD SHARING PER PACKET
>>> -------------------------------       -------------------------------
>>>   Ethernet (64.XX.XX.1/30)              Ethernet (65.XX.XX.1/30)
>>>           |                                       |
>>>           |                                       |
>>>   XL0 (64.XX.XX.2/30)                   XL1 (65.XX.XX.2/30)
>>> ------------------------------------------------------------------------
>>>                           FREEBSD 5.4 + PF
>>> ------------------------------------------------------------------------
>>>   XL2 (192.168.0.254/24, 64.XX.XX.5/30, 65.XX.XX.5/30)
>>>           |
>>>           |
>>>      ------------------
>>>           SWITCH       ------------------  IP: 65.XX.XX.6/30
>>>      ------------------                    GW: 65.XX.XX.5
>>>          /    \
>>>         /      \
>>>   IP: 192.168.0.10/24     IP: 64.XX.XX.6/30
>>>   GW: 192.168.0.254       GW: 64.XX.XX.5
>>>   and more clients ...
>>> I need load balancing outgoing traffic from:
>>> 192.168.0.0/24 ( NAT )
>>> and 64.XX.XX.0/24, 65.XX.XX.0/24
>>>
>>> Is it possible to do this balancing with PF? Is there some
>>> software that does this? Can Zebra help me?
>>> Does this type of balancing cause problems for NAT users or for
>>> users with valid (public) IPs?
>>> If it is possible, I would like to see examples with rules.
>>>
>>> Thanks,
>>>
>> If you do not manage to come right with PF, I have a working example
>> of a similar setup using IPFW & natd.
>> Let me know if you would like the config files.
>> Regards
>> Graham
>>
>>
>>
> Send me your config and net scheme.
> Thanks ;-)
>
A system I recently installed is up and running. Here are the config
files. netmon2.sh runs from crontab to monitor the links and switches
the traffic to the good link if one link fails. Also uses squid proxy
and bandwidth management for internal users.

Regards
Graham

--------------090402040307030304090109
Content-Disposition: inline; filename="rc.conf"

hostname="xx.yy.zz"

# Configure the internal network
ifconfig_vr0="inet 192.168.1.1 netmask 255.255.255.0"

# Configure the external networks (connected to the internet)
# Both WAN addresses sit on rl0; netmon1.sh bonds rl1 underneath it.
#ifconfig_rl0="DHCP"
ifconfig_rl0="inet 192.168.8.70 netmask 255.255.255.0"
ifconfig_rl0_alias0="inet 192.168.0.99 netmask 255.255.255.0"
defaultrouter="192.168.8.1"
#ifconfig_rl1="inet 192.168.0.99 netmask 255.255.255.0"
#ifconfig_rl1="DHCP"

# - Enabling the FreeBSD Firewall, IPFirewall (IPFW)-
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"

# - Enabling the specific NAT server for IPFW
# One natd per WAN link.  The stock /etc/rc.d/natd only reads natd_*,
# so natd2_* needs its own copy of that rc.d script.
natd_enable="YES"
natd_flags="-f /etc/natd1.conf"
natd2_enable="YES"
natd2_flags="-f /etc/natd2.conf"

sshd_enable="YES"
usbd_enable="NO"
rwhod_enable="NO"
dhcpd_enable="YES"
dhcpd_flags="-cf /usr/local/etc/dhcpd.conf -q"

#Enable the proxy server
squid_enable="YES"
ntpd_enable="YES"
ntpd_flags="-c /etc/ntp.conf"

# Bandwidth monitoring with html graphs
bandwidthd_enable="YES"

# jftpgw ftp proxy for anonymous ftp proxy-cache
jftpgw_enable="YES"

# Dynamic DNS Client
ddclient_enable="YES"

# Load the script to hook the two external nic's together
netmon1_enable="YES"

--------------090402040307030304090109
Content-Disposition: inline; filename="netmon1.sh"

#!/bin/sh
# Bond rl0 and rl1 into one logical external interface with ng_one2many:
# the protocol ("upper") side of rl0 is re-plumbed through a one2many node
# whose "many" links are the wire ("lower") sides of rl0 and rl1, so the
# stack sees both WAN links as rl0.

# Load the kernel modules
kldload ng_ether
kldload ng_one2many

ifconfig rl0 down
ifconfig rl1 down

# Plumb nodes together
ngctl mkpeer rl0: one2many upper one
ngctl connect rl0: rl0:upper lower many0
ngctl connect rl1: rl0:upper lower many1

# Allow rl1 to xmit / recv frames carrying rl0's MAC address:
# promiscuous so it accepts them, setautosrc 0 so ng_ether does not
# overwrite the source MAC with rl1's own on the way out
ifconfig rl1 promisc
ngctl msg rl1: setautosrc 0

# Configure to transmit
# xmitAlg=2 sends every frame out of all enabled links (NG_ONE2MANY_XMIT_ALL);
# failAlg=1 is manual failure handling (NG_ONE2MANY_FAIL_MANUAL)
ngctl msg rl0:upper setconfig "{xmitAlg=2 failAlg=1 enabledLinks =[ 1 1 ] }"

echo "Now up the interfaces again"
ifconfig rl0 up
ifconfig rl1 up
ifconfig rl0 inet 192.168.8.70 netmask 255.255.255.0
ifconfig rl0 inet 192.168.0.99 netmask 255.255.255.0 alias
route delete default
route add default 192.168.8.1
echo "Done"

--------------090402040307030304090109
Content-Disposition: inline; filename="netmon2.sh"

#!/bin/sh
# Run from crontab.  Probe one host through each WAN gateway in turn and
# enable the ipfw rule sets for the link(s) that answer:
#   set 1  = link 1 (natd1 via ext_gw1)
#   set 2  = link 2 (natd2 via ext_gw2)
#   set 12 = the 50/50 split between them (only when both are up)
target="196.7.0.138"
ext_gw1="192.168.8.1"
ext_gw2="192.168.0.1"

# link_up GATEWAY: point a host route for $target at GATEWAY, ping it and
# remove the route again.  ping -o exits 0 as soon as one reply arrives
# and non-zero if none does, so the function's status is the link state
# (ping -f is the flood option and needs root, which cron provides here).
link_up() {
	route -q add -host "$target" "$1"
	ping -q -c 3 -f -s 8 -o -t 2 "$target" > /dev/null 2>&1
	status=$?
	route -q delete -host "$target"
	return $status
}

# Test link one through ext_gw1, then link two through ext_gw2
if link_up "$ext_gw1"; then up1=1; else up1=0; fi
if link_up "$ext_gw2"; then up2=1; else up2=0; fi

# Configure the ipfw sets as per network route availability
if [ "$up1" = 1 ]; then
	if [ "$up2" = 1 ]; then
		ipfw set enable 1 2 12
	else
		ipfw set enable 1
		ipfw set disable 2 12
	fi
else
	if [ "$up2" = 1 ]; then
		ipfw set disable 1 12
		ipfw set enable 2
	else
		# echo "enabling everything to wait for network recovery"
		ipfw set enable 1 2 12
	fi
fi

--------------090402040307030304090109
Content-Disposition: inline; filename="natd1.conf"

# natd for WAN link 1.  "port natd1" is a service name: both natd and the
# "divert natd1" rules in ipfw.rules look it up in /etc/services, so the
# natd1 and natd2 entries must exist there.
alias_address 192.168.8.70
pid_file /var/run/natd1.pid
port natd1

--------------090402040307030304090109
Content-Disposition: inline; filename="natd2.conf"

# natd for WAN link 2
alias_address 192.168.0.99
pid_file /var/run/natd2.pid
port natd2

--------------090402040307030304090109
Content-Disposition: inline; filename="ipfw.rules"

#!/bin/sh
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
bwm="ipfw -q pipe"
skip="skipto 8000"
ext_if1="rl0"                 # public interface name of NIC
ext_if2="rl0"                 # same NIC: netmon1.sh bonds rl1 under rl0
int_if="vr0"                  # private interface name of NIC
ext_ip1="192.168.8.70"
ext_ip2="192.168.0.99"
ext_gw1="192.168.8.1"
ext_gw2="192.168.0.1"

# Setup the different Sets to be used for different connection options
ipfw -q set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
# Initially only enable set 1 (and 2 and 12 when we have 2 WAN links);
# set 5 is the squid redirect, netmon2.sh toggles 1, 2 and 12 later
ipfw -q set enable 1 2 5 12

# Specify which ip addresses get what bandwidth
# Can also tell this dhcp server to give certain addresses to selected mac
# addresses in file /usr/local/etc/dhcpd.conf
u512k="192.168.10.2"            # Users given 512kb/s link
u256k="192.168.1.0/24{2-254}"   # Users given 256kb/s link
u128k="192.168.10.2"            # Users given 128kb/s link
u64k="192.168.10.2"             # Users given 64kb/s link (default from dhcp)

# Temporary allow-all so we are not locked out of the box while the rest
# of the list loads; deleted again at the end of this file.
$cmd 10 allow ip from any to any

#################################################################
# Check and drop packets that are appearing to come from
# the destination LAN i.e. a spoofed source ip address
$cmd 100 deny ip from any to any not antispoof in

#################################################################
# No restrictions on Loopback Interface
# Protect spoofing to localhost
$cmd allow ip from any to any via lo0
$cmd deny ip from any to 127.0.0.0/8
$cmd deny ip from 127.0.0.0/8 to any

#################################################################
# check if packet is inbound and nat address if it is
$cmd 1000 divert natd1 ip from any to $ext_ip1 in
$cmd 1000 divert natd2 ip from any to $ext_ip2 in
#$cmd skipto 5000 ip from any to any in via $ext_if1
#$cmd skipto 5000 ip from any to any in via $ext_if2

################################################################
# Divert incoming http and ftp traffic to the proxy (squid and jftpgw)
$cmd set 5 fwd 192.168.1.1,3128 tcp from 192.168.1.0/24 to any 80 in via $int_if
#$cmd fwd 192.168.1.1,2370 tcp from 192.168.1.0/24 to any 21 via $int_if

#################################################################
# Allow the rest of the LAN traffic in and out
$cmd allow ip from any to any via $int_if

################################################################
############## Bandwidth Management ############################
################################################################
# Setup up pipes for each of the user groups.
# "mask dst-ip 0x000000ff" / "mask src-ip 0x000000ff" makes dummynet
# create one queue per host (last octet), so each user gets the rate
# individually instead of the whole group sharing it.
################################################################
# Users with 512Kb / 256Kb access (in / out)
################################################################
$cmd pipe 10 ip from any to $u512k in via $ext_if1
$cmd pipe 11 ip from $u512k to any out via $ext_if1
$bwm 10 config mask dst-ip 0x000000ff bw 512Kbit/s queue 4KBytes
$bwm 11 config mask src-ip 0x000000ff bw 256Kbit/s queue 3KBytes

################################################################
# Users with 256Kb / 128Kb access
################################################################
$cmd pipe 20 ip from any to $u256k in via $ext_if1
$cmd pipe 21 ip from $u256k to any out via $ext_if1
$bwm 20 config mask dst-ip 0x000000ff bw 256Kbit/s queue 4KBytes
$bwm 21 config mask src-ip 0x000000ff bw 128Kbit/s queue 3KBytes

################################################################
# Users with 128Kb / 64Kb access
################################################################
$cmd pipe 30 ip from any to $u128k in via $ext_if1
$cmd pipe 31 ip from $u128k to any out via $ext_if1
$bwm 30 config mask dst-ip 0x000000ff bw 128Kbit/s queue 4KBytes
$bwm 31 config mask src-ip 0x000000ff bw 64Kbit/s queue 3KBytes

################################################################
# Users with 64Kb / 56Kb access
################################################################
$cmd pipe 40 ip from any to $u64k in via $ext_if1
$cmd pipe 41 ip from $u64k to any out via $ext_if1
$bwm 40 config mask dst-ip 0x000000ff bw 64Kbit/s queue 14KBytes
$bwm 41 config mask src-ip 0x000000ff bw 56Kbit/s queue 12KBytes
# 40 was set to 7KB
# 41 was set to 6KB

#################################################################
# Interface facing Public Internet (Outbound Section)
#################################################################
# Allow out access to my ISP's Domain name server.
# Get the IP addresses from /etc/resolv.conf file
#$cmd $skip UDP from any to { 196.7.0.138 or 196.28.86.2 or 196.28.86.3 or 196.25.1.1 } 53 out
#$cmd allow udp from me to any 53 out
# rather use working adsl line out
$cmd $skip udp from any to any 53 out

# Allow this box out access to my ISP's DHCP server (or adsl router)
# to get its network configuration settings (IP, DNS, etc).
$cmd $skip udp from me to any 67 out

# Allow skype connections out
# Allow ntp time server out
$cmd $skip UDP from any to any 80,443,123,1024-65535 out
$cmd $skip UDP from any 80,443,1024-65535 to any out
$cmd $skip tcp from any 1024-65535 to any 1024-65535 out

# Allow me to reach local routers from this box (tunneled via ssh)
$cmd allow tcp from me to 192.168.0.0/16 80 out

# Allow out www, ftp from me or from proxy out
$cmd $skip tcp from me to any 20,21,80 out

# Natting because of the 2 outgoing lines
# Allow out secure www function https over TLS SSL
# Allow out send & get email function (GMail uses ports 587, 995)
# Allow out MSN messenger
# Allow out Time, nntp news (i.e. news groups),
# SSH (secure FTP, Telnet, and SCP), whois
$cmd $skip tcp from any to any 443,25,110,587,995,1863,37,119,22,43 out

# Allow out regular ftp access (not via proxy)
$cmd $skip tcp from any to any 20,21,80 out

# Allow out ping
$cmd $skip icmp from 192.168.1.0/24 to any out icmptypes 3,8
$cmd allow icmp from me to any out icmptypes 3,8
$cmd allow icmp from me to 192.168.0.0/16 out

# Allow external ssh connection back out
$cmd $skip tcp from me 22 to any out

# Allow external web traffic from internal servers back out
$cmd $skip tcp from 192.168.1.8 80,443 to any out
# Allow external mail traffic from internal servers back out
$cmd $skip tcp from 192.168.1.3 25,110 to any out
# Allow external ftp, vpn connection traffic from internal servers back out
$cmd $skip tcp from 192.168.1.9 20,21,1723 to any out

# Allow out FreeBSD (make install & CVSUP) functions
# Give user root "GOD" privileges.
# (straight out, no NAT: follows the kernel default route, i.e. link 1)
$cmd allow ip from me to any out uid root

# Deny the rest out
$cmd deny log ip from any to any out

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
# (192.168.0.0/16 is deliberately not in the list: both WAN links are
# themselves on 192.168.x.x behind the ADSL routers)
#$cmd 300 deny all from 192.168.0.0/16 to any in via $ext_if1  #RFC 1918 private IP
$cmd deny all from 172.16.0.0/12,10.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3 to any in
#   172.16.0.0/12    RFC 1918 private IP
#   10.0.0.0/8       RFC 1918 private IP
#   169.254.0.0/16   DHCP auto-config
#   192.0.2.0/24     reserved for docs
#   204.152.64.0/23  Sun cluster
#   224.0.0.0/3      Class D & E multicast

# Deny ident
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
# (ports only exist for tcp and udp, so the protocols are named explicitly)
$cmd deny tcp from any to any 113,137,138,139,81 in
$cmd deny udp from any to any 113,137,138,139,81 in

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
$cmd allow udp from 192.168.8.1,192.168.0.1 to any 68,1900,5678 in

# Allow dns lookups back in
$cmd allow udp from any 53,67 to 192.168.1.0/24 in
$cmd allow udp from any 53,67 to me in

# Allow skype connections in
$cmd allow udp from any 80,123,443,1024-65535 to 192.168.1.0/24 in
$cmd allow udp from any to 192.168.1.0/24 80,443,1024-65535 in

# Deny the rest of udp
$cmd deny log udp from any to any in

$cmd allow tcp from any 1024-65535 to 192.168.1.0/24 1024-65535 in

# Allow in standard www function because I have Apache server - or is there an internal webserver?
# Allow Webmin connections from close-by
$cmd allow tcp from { 192.168.8.0/24 or 192.168.0.0/24 } to me 10000,80 in
$cmd allow tcp from any to 192.168.1.8,192.168.1.9 80,443 in

# Allow outgoing ftp, web traffic (via proxy) back in
$cmd allow tcp from any 80 to me in

# Allow in regular ftp, http access if proxy is off
$cmd allow tcp from any 20,21,80 to 192.168.1.0/24 in

# Allow in secure www function https over TLS SSL
# Allow in send & get email function (GMail uses ports 587, 995)
# Allow in MSN messenger
# Allow in Time, nntp news (i.e. news groups),
# SSH (secure FTP, Telnet, and SCP), whois
$cmd allow tcp from any 443,25,110,587,995,1863,37,119,22,43 to any in

# Allow external web traffic in to internal servers
$cmd allow tcp from any to 192.168.1.8 80,443 in keep-state
# Allow external mail traffic in to internal servers
$cmd allow tcp from any to 192.168.1.3 25,110 in keep-state
# Allow external ftp, vpn connection traffic in to internal servers
# (PPTP also needs GRE, IP protocol 47, which no rule in this file passes)
$cmd allow tcp from any to 192.168.1.9 20,21,1723 in keep-state

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd allow tcp from { 192.168.0.0/24 or 192.168.1.0/24 or 192.168.8.0/24 } to me 22 in  #setup limit src-addr 3
$cmd allow tcp from any to me 22 in setup limit src-addr 3
# Deny the rest to me
$cmd deny log tcp from any to me in

#Allow in ICMP (ping) from public networks close by only.
$cmd allow icmp from 196.7.0.138,196.25.1.1,196.4.160.7 to me in icmptypes 0,3,11
$cmd allow icmp from any to 192.168.1.0/24 in icmptypes 0,3,11
$cmd allow icmp from any to me in icmptypes 0,3,11
$cmd allow icmp from 192.168.0.0/16 to me in
#Deny the rest icmp
$cmd deny icmp from any to any in

# Reject & Log all unauthorized incoming connections from the public Internet (/var/log/security)
$cmd deny log all from any to any in

### *********************************************************
# This is skipto location for outbound stateful rules
# New flows (tcp setup, udp, icmp) go on to 9000 to pick a link; packets
# of existing flows are matched against the dynamic rules by check-state
$cmd 8000 skipto 9000 tcp from any to any out setup
$cmd 8010 skipto 9000 udp from any to any out
$cmd 8020 skipto 9000 icmp from any to any out
$cmd 8100 tee natd1 ip from any to any out
$cmd 8150 check-state
$cmd 8160 allow tcp from me 20,21,22,25,80,110,443,1723 to any out
$cmd 8200 divert natd2 ip from any to any out
$cmd 8250 check-state
$cmd 8260 allow tcp from me 20,21,22,25,80,110,443,1723 to any out
$cmd 8400 deny ip from any to any out

# Link selection: set 12 sends half of the new flows to link 2; the fwd
# rules remember the choice per flow with keep-state.  netmon2.sh disables
# set 12 and the dead link's set when a link fails, so everything then
# falls through to the surviving natd/fwd pair.
$cmd 9000 set 12 prob 0.5 skipto 9500 ip from any to any out
$cmd 9100 set 1 divert natd1 ip from any to any out
$cmd 9200 set 1 fwd 192.168.8.1 ip from any to any out keep-state
$cmd 9500 set 2 divert natd2 ip from any to any out
$cmd 9600 set 2 fwd 192.168.0.1 ip from any to any out keep-state

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 9999 deny log all from any to any

# Remove the temporary allow-all from the top now that the full list is loaded
ipfw -q delete 10
################ End of IPFW rules file ###############################

--------------090402040307030304090109--
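Corey's point earlier in the thread (per-flow beats per-packet) and the `prob 0.5 skipto ... keep-state` pair at rules 9000 to 9600 in Graham's ipfw.rules, as an added simulation that is not code from the thread: it sends constructed TCP flows over two links with assumed one-way latencies of 30 ms and 10 ms and counts how many segments the far end sees out of order. Per-packet round-robin reorders roughly half of every flow; hashing the 5-tuple, or deciding once on the SYN and remembering it the way the keep-state rule does, reorders none. The addresses, latencies and segment spacing are assumptions.

```python
import hashlib
import heapq
import random
from dataclasses import dataclass

# Assumed one-way latency of each WAN link in milliseconds (made-up values);
# the asymmetry is what reorders a flow that is sprayed over both links.
LINK_LATENCY_MS = {1: 30.0, 2: 10.0}


@dataclass(frozen=True)
class Packet:
    flow: tuple      # (src_ip, src_port, dst_ip, dst_port, proto)
    seq: int         # segment number within the flow, sent in order
    send_ms: float   # time the gateway forwards it


def make_flow(src_ip, src_port, dst_ip, n, interval_ms=5.0):
    """Constructed sample traffic: n in-order TCP segments of one flow."""
    flow = (src_ip, src_port, dst_ip, 80, "tcp")
    return [Packet(flow, i, i * interval_ms) for i in range(n)]


def per_packet_chooser():
    """Round-robin every packet over both links ('load sharing per packet')."""
    count = [0]

    def choose(pkt):
        link = 1 + count[0] % 2
        count[0] += 1
        return link
    return choose


def per_flow_chooser():
    """Hash the 5-tuple, so every packet of a flow takes the same link."""
    def choose(pkt):
        digest = hashlib.sha256(repr(pkt.flow).encode()).digest()
        return 1 + digest[0] % 2
    return choose


def sticky_chooser(seed=1):
    """Pick a link at random for the first packet of a flow and remember it.
    This is what 'prob 0.5 skipto ... keep-state' on TCP setup packets does
    in the ruleset above; the dict plays the role of the dynamic rule table."""
    rng = random.Random(seed)
    table = {}

    def choose(pkt):
        if pkt.flow not in table:
            table[pkt.flow] = rng.choice((1, 2))
        return table[pkt.flow]
    return choose


def deliver(packets, choose):
    """Send each packet over the link 'choose' picks; return (arrival_ms, pkt, link)
    tuples in the order the far end receives them."""
    heap = []
    for i, pkt in enumerate(packets):
        link = choose(pkt)
        heapq.heappush(heap, (pkt.send_ms + LINK_LATENCY_MS[link], i, pkt, link))
    arrivals = []
    while heap:
        arrival_ms, _, pkt, link = heapq.heappop(heap)
        arrivals.append((arrival_ms, pkt, link))
    return arrivals


def count_reorders(arrivals):
    """Segments arriving after a higher sequence number of the same flow,
    i.e. what the receiver sees as out-of-order (dup ACKs, SACK blocks)."""
    highest = {}
    reorders = 0
    for _, pkt, _ in arrivals:
        if pkt.seq < highest.get(pkt.flow, -1):
            reorders += 1
        highest[pkt.flow] = max(highest.get(pkt.flow, -1), pkt.seq)
    return reorders


def links_used(arrivals):
    """Which links each flow's packets travelled over."""
    used = {}
    for _, pkt, link in arrivals:
        used.setdefault(pkt.flow, set()).add(link)
    return used


def compare(n_flows=3, n_segments=10):
    """Run the three strategies over the same interleaved flows; return reorder counts."""
    packets = []
    for f in range(n_flows):
        packets += make_flow("192.168.1.%d" % (10 + f), 40000 + f, "198.51.100.1", n_segments)
    packets.sort(key=lambda p: p.send_ms)   # stable sort: flows interleave in order
    return {
        "per_packet": count_reorders(deliver(packets, per_packet_chooser())),
        "per_flow": count_reorders(deliver(packets, per_flow_chooser())),
        "sticky": count_reorders(deliver(packets, sticky_chooser())),
    }


if __name__ == "__main__":
    for name, reorders in compare().items():
        print("%-10s out-of-order segments: %d" % (name, reorders))
```

The sticky strategy only balances per new connection, so with one long-lived transfer one link sits idle; that is the trade Corey describes, and it is why per-flow balancing pays off with many concurrent connections rather than one.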
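A ruleset written as `$cmd ...` lines has a failure mode worth guarding against: `ipfw -q add` suppresses the parse error, so a rule with an unset variable (`$skipto` where `$skip` was meant) or a port typo (`655353`) is simply not installed and the list silently loads without it. As an added check, not part of Graham's files, this small static linter expands the script's own shell variables and flags unset variables, ports outside 0-65535, and port lists on `ip`/`all` rules (ports only apply to tcp/udp). The ruleset embedded below is constructed for the demo and only mirrors the shape of the posted one; on the real file, `ipfw -n` (syntax check without loading) is the companion test.

```python
import re

# Keywords that start the option part of a rule; a token after the address
# is only a port list if it is not one of these and looks like numbers.
OPTION_WORDS = {
    "in", "out", "via", "recv", "xmit", "setup", "keep-state", "limit",
    "icmptypes", "uid", "gid", "established", "frag", "antispoof", "not",
}
ASSIGN_RE = re.compile(r'^(\w+)=(?:"([^"]*)"|(\S*))$')
VAR_RE = re.compile(r"\$(\w+)")
PORTLIST_RE = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")


def expand(line, env):
    """Substitute $name from env; unknown names stay as-is so they can be reported."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), line)


def split_ports(portlist):
    """'80,1024-65535' -> [80, 1024, 65535]"""
    nums = []
    for part in portlist.split(","):
        nums += [int(x) for x in part.split("-")]
    return nums


def port_token(tokens, i):
    """Return the port-list token following the address at tokens[i], if any."""
    if i < len(tokens) and tokens[i] == "not":
        i += 1
    if i < len(tokens) and tokens[i] == "{":          # or-block: { a or b }
        while i < len(tokens) and tokens[i] != "}":
            i += 1
    i += 1                                            # step past the address (or "}")
    if i < len(tokens) and tokens[i] not in OPTION_WORDS and PORTLIST_RE.match(tokens[i]):
        return tokens[i]
    return None


def check_rule(cmdline):
    """Problems in one expanded 'ipfw ... add ...' command line."""
    problems = ["unset variable $%s" % name for name in VAR_RE.findall(cmdline)]
    tokens = cmdline.split()
    try:
        f = tokens.index("from")
        t = tokens.index("to", f)
    except ValueError:               # check-state and friends have no body
        return problems
    proto = tokens[f - 1]
    ports = [p for p in (port_token(tokens, f + 1), port_token(tokens, t + 1)) if p]
    for p in ports:
        for n in split_ports(p):
            if n > 65535:
                problems.append("port %d out of range in %r" % (n, p))
    if ports and proto in ("ip", "all"):
        problems.append("ports %s with proto %r (only tcp/udp carry ports)" % (ports, proto))
    return problems


def lint(script):
    """Walk a ruleset shell script; return [(line_number, problem), ...]."""
    env = {}
    findings = []
    for number, raw in enumerate(script.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line:
            continue
        m = ASSIGN_RE.match(line)
        if m:                                          # name="value" or name=value
            env[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
            continue
        tokens = expand(line, env).split()
        if tokens[0] != "ipfw" or "add" not in tokens:
            continue                                   # flush, set enable, pipe config ...
        for problem in check_rule(" ".join(tokens)):
            findings.append((number, problem))
    return findings


# Constructed sample in the shape of the posted ipfw.rules (not the real file).
SAMPLE_RULES = r'''
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 8000"
int_if="vr0"
$cmd 100 deny ip from any to any not antispoof in
$cmd allow ip from any to any via $int_if
$cmd $skip udp from any to any 53 out
$cmd $skipto tcp from me 22 to any out
$cmd allow udp from any 80,123,443,1024-655353 to 192.168.1.0/24 in
$cmd deny all from any to any 113,137,138,139,81 in
$cmd allow tcp from { 192.168.8.0/24 or 192.168.0.0/24 } to me 10000,80 in
$cmd 8150 check-state
$cmd 9999 deny log all from any to any
'''

if __name__ == "__main__":
    for number, problem in lint(SAMPLE_RULES):
        print("line %d: %s" % (number, problem))
```

The checker deliberately knows only the handful of ipfw keywords that occur in this thread's rules; it is a pre-commit sanity pass, not a grammar, and anything it cannot parse it leaves alone rather than guessing.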