From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 18 22:50:19 2005
From: Reed Loefgren
To: freebsd-ipfw@freebsd.org
Date: Sun, 18 Dec 2005 15:54:54 -0700 (MST)
Message-ID: <20051218154106.M971@auden.jmla.com>
Subject: ipfw ruleset blocking game server

Hi all,

I have been using ipfw for a little while now and have recently changed to a ruleset copied off of the FreeBSD website's documentation of ipfw. I changed the pertinent stuff to match my network and ISP's nameservers and everything works fine _except_ I seem to be blocking responses from a game server in (in this case) London, where my nine year old and his friends go to play a game called "Runescape". Of course, access to this is infinitely more critical than the safety of other things, like perhaps, our financial data, so I want to get this straightened out (really). Does anyone here have any ideas about what port games such as this use to come back in?

I'll also email the server's admin to see what the IP is for the server so I can write a rule for it. I've included below the 'inbound' section of the offending ruleset. And thanks. Also, for what it's worth, I'm on a 56k dial-up connection using tun0.

r.

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif     #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me in via xl0 setup limit src-addr 2
$cmd 00401 deny tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
###$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
##$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################

----------
I'd rather flunk my Wassermann Test
Than read the poems of Edgar Guest.
- Auden

From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 18 23:18:50 2005
From: Dennis Olvany
To: Reed Loefgren
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 18 Dec 2005 17:18:47 -0600
Message-ID: <43A5EE57.7060500@gmail.com>
In-Reply-To: <20051218154106.M971@auden.jmla.com>
Subject: Re: ipfw ruleset blocking game server

Reed Loefgren wrote:
> I have been using ipfw for a little while now and have recently changed
> to a ruleset copied off of the FreeBSD website's documentation of ipfw.

The rulesets included in the FreeBSD Handbook and IPFW documentation, namely rc.firewall, are quite primitive. You may want to consider using something a bit more advanced.

> Does anyone here have any ideas about what
> port games such as this use to come back in?

Discovering ports is a trivial matter of running tcpdump and attempting a connection with the game. You will most likely find that dynamic rules will allow this ingress traffic, without the need to explicitly allow it. If you post the output of ipfw list, I can assist in the creation of a more scalable ruleset.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 19 11:02:40 2005
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 19 Dec 2005 11:02:15 GMT
Message-Id: <200512191102.jBJB2F92011209@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  [ipfw] [patch] ipfw2 create dynamic rules f
f [2003/04/24] kern/51341  ipfw  [ipfw] [patch] ipfw rule 'deny icmp from
o [2004/03/03] kern/63724  ipfw  [ipfw] IPFW2 Queues dont t work
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13] conf/78762  ipfw  [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11] bin/80913   ipfw  [patch] /sbin/ipfw2 silently discards MAC
o [2005/11/08] kern/88659  ipfw  [modules] ipfw and ip6fw do not work prop
o [2005/11/08] kern/88664  ipfw  [ipfw] ipfw stateful firewalling broken w

9 problems total.

Non-critical problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10] kern/46159  ipfw  [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11] kern/48172  ipfw  [ipfw] [patch] ipfw does not log size and
o [2003/03/10] kern/49086  ipfw  [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09] bin/50749   ipfw  [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26] kern/55984  ipfw  [ipfw] [patch] time based firewalling sup
o [2003/12/30] kern/60719  ipfw  [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  [ipfw] install_state warning about alread
o [2004/09/04] kern/71366  ipfw  [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/22] kern/72987  ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [B
o [2004/10/29] kern/73276  ipfw  [ipfw] [patch] ipfw2 vulnerability (parse
o [2005/02/01] kern/76971  ipfw  [ipfw] ipfw antispoof incorrectly blocks
o [2005/03/13] bin/78785   ipfw  [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05] kern/80642  ipfw  [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28] kern/82724  ipfw  [ipfw] [patch] Add setnexthop and default
o [2005/10/05] kern/86957  ipfw  [ipfw] [patch] ipfw mac logging
o [2005/10/07] kern/87032  ipfw  [ipfw] [patch] ipfw ioctl interface imple

17 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 21 14:47:18 2005
From: "John B. Wood"
To: freebsd-ipfw@freebsd.org
Date: Wed, 21 Dec 2005 09:47:14 -0500
Message-ID: <43A96AF2.3010504@nrl.navy.mil>
Subject: FreeBSD 6.0-RELEASE+Dummynet+Bridging

Hello, all.

I am running the subject software on a Dell Dimension 3000 desktop with two Ethernet interfaces (using the em and fxp drivers). The kernel modules that are being used are dummynet.ko, ipfw.ko, and if_bridge.ko. After setting up the pipes, etc. the platform runs as expected doing its bridging and desired dummynet traffic shaping function but consistently crashes the platform after about 15 minutes requiring a power off/on restart (or logging in on a virtual terminal and issuing a shutdown). If I just do bridging with IPFW but without dummynet.ko loaded everything is fine. The same behavior results if I recompile the kernel to support firewalling and dummynet. I am consistently obtaining what appears to be a FIFO overrun (kernel: em0: Rx overrun). I also tried all this with an IBM T22 Thinkpad (internal + PC Card Ethernet interfaces) and got the same result.

Has anyone had a similar experience and found a fix?

Thanks for your time and comment.

Sincerely,

--
John Wood
Code 5551
U.S. Naval Research Lab
4555 Overlook Avenue, SW
Washington, DC 20375-5337
(202) 767-2608
(202) 767-3377 (FAX)
e-mail: wood@itd.nrl.navy.mil
WWW: http://server5550.itd.nrl.navy.mil

To have and to want more that is life. - F.
Nietzsche

From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 23 13:22:36 2005
From: Robert Usle
To: freebsd-ipfw@freebsd.org
Date: Fri, 23 Dec 2005 14:22:31 +0100
Message-ID: <3713853f0512230522k57488f55j@mail.gmail.com>
Subject: ipfw dummynet, divert order

Hello,

I'm trying to create pipes per src/dst ip on my
Freebsd 4.9 & FreeBSD 4.11 router.

I can't find a detailed documentation on how natd/divert
works. What is the packet flow like then, what interface
information is known then (using xmit/recv/in/out/via).

I only want to queue traffic from/to internet.
Using NATD

My rulesets are as follows:

-------- net.inet.ip.fw.one_pass=1
EXT_IF=rl0
EXT_IP="some ext_ip"
INT_IF=rl1

net.inet.ip.fw.one_pass=1

ipfw -f flush
ipfw -f pipe flush

ipfw add 20 divert 8668 ip from any to $EXT_IP in recv $EXT_IF
ipfw pipe 1 config bw 256kbit/s mask dst-ip 0x000000ff
ipfw add 30 pipe 1 ip from any to 10.0.2.0/24 in recv $EXT_IF

ipfw pipe 2 config bw 256kbit/s mask src-ip 0x000000ff
ipfw add 40 pipe 2 ip from 10.0.2.0/24 to any out xmit $EXT_IF

ipfw add 50 divert 8668 ip from any to any out xmit $EXT_IF

ipfw add 100 deny log ip from any to any


-bash-2.05b# ipfw show
00020    8   1927 divert 8668 ip from any to $EXT_IP in recv rl0
00030    8   1927 pipe 1 ip from any to 10.0.2.0/24 in recv rl0
00040    0      0 pipe 2 ip from 10.0.2.0/24 to any out xmit rl0
00050    0      0 divert 8668 ip from any to any out xmit rl0
00100   77   8726 deny log logamount 100 ip from any to any
65535 5385 289734 allow ip from any to any

-bash-2.05b# ipfw pipe 1 show
00001: 256.000 Kbit/s    0 ms   50 sl. 6 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 11 ip           0.0.0.0/0           0.0.0.139/0        1       62  0    0 0
 15 ip           0.0.0.0/0            0.0.0.15/0        5      207  0    0 0
 37 ip           0.0.0.0/0           0.0.0.229/0        1      136  0    0 0
 42 ip           0.0.0.0/0           0.0.0.234/0        3      186  0    0 0
 46 ip           0.0.0.0/0           0.0.0.238/0        1     1492  0    0 0
 61 ip           0.0.0.0/0           0.0.0.125/0        3      195  0    0 0
-bash-2.05b# ipfw pipe 2 show
00002: 256.000 Kbit/s    0 ms   50 sl. 0 queues (64 buckets) droptail
    mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
-bash-2.05b#

This way, nothing gets diverted in rule #50

-------- net.inet.ip.fw.one_pass=0


EXT_IF=rl0
EXT_IP="some ext_ip"
INT_IF=rl1

net.inet.ip.fw.one_pass=0

ipfw -f flush
ipfw -f pipe flush

ipfw add 20 divert 8668 ip from any to $EXT_IP in recv $EXT_IF
ipfw pipe 1 config bw 256kbit/s mask dst-ip 0x000000ff
ipfw add 30 pipe 1 ip from any to 10.0.2.0/24 in recv $EXT_IF
ipfw add 31 allow ip from any to 10.0.2.0/24 in recv $EXT_IF

ipfw pipe 2 config bw 256kbit/s mask src-ip 0x000000ff
ipfw add 40 pipe 2 ip from 10.0.2.0/24 to any out xmit $EXT_IF
ipfw add 41 allow ip from 10.0.2.0/24 to any out xmit $EXT_IF

ipfw add 50 divert 8668 ip from any to any out xmit $EXT_IF

ipfw add 100 deny log ip from any to any

-bash-2.05b# ipfw show
00020   42   8062 divert 8668 ip from any to $EXT_IP in recv rl0
00030   29   7469 pipe 1 ip from any to 10.0.2.0/24 in recv rl0
00031   29   7469 allow ip from any to 10.0.2.0/24 in recv rl0
00040    0      0 pipe 2 ip from 10.0.2.0/24 to any out xmit rl0
00041    0      0 allow ip from 10.0.2.0/24 to any out xmit rl0
00050    3    156 divert 8668 ip from any to any out xmit rl0
00100  106  24366 deny log logamount 100 ip from any to any
65535 6768 443791 allow ip from any to any


-bash-2.05b# ipfw pipe 1 show
00001: 256.000 Kbit/s    0 ms   50 sl. 3 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 15 ip           0.0.0.0/0            0.0.0.79/0        4      302  0    0 0
 32 ip           0.0.0.0/0            0.0.0.32/0        6      510  0    0 0
 48 ip           0.0.0.0/0           0.0.0.112/0        5      445  0    0 0
-bash-2.05b# ipfw pipe 2 show
00002: 256.000 Kbit/s    0 ms   50 sl. 1 queues (64 buckets) droptail
    mask: 0x00 0x000000ff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 58 ip         0.0.0.125/0             0.0.0.0/0        2       80  0    0 0
-bash-2.05b#

For me it looks pretty strange..

Can somebody please explain on what/when interface should I attach
queues/pipes ?

I know this looks complicated, all I need is to be able to queue
incoming/outgoing traffic
for every user in my LAN. (furthermore I will also need to use squid, which I
understand, and omitted in this post).

I would be also grateful if you let me know about some ipfw lan sharing
examples.

Thanks!

Regards,
Robert

From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 23 14:55:50 2005
From: Alvaro Saurin
To: freebsd-ipfw@freebsd.org
Date: Fri, 23 Dec 2005 15:01:56 +0000
Subject: Dummynet delay

Hi,

I have been using dummynet for some time and there is something that I find very strange: in order to get a RTT, I have to use much lower delay when I create the pipe. For example, in a typical dumbbell, for a 100ms RTT, I have to set up the pipe in the router with 'delay 23', for 20ms I need 'delay 4', and so on. With dummynet off, the RTT is <1ms.

Could anybody tell me why this is happening? Looking at the RTTs, it seems that every packet is delayed 4 times. Is this right?

It is not too important, really, but I would like to know if I have set up everything correctly.

Thanks in advance
Alvaro

--
Alvaro Saurin

From owner-freebsd-ipfw@FreeBSD.ORG Sat Dec 24 23:50:26 2005
From: David DU SERRE TELMON
To: freebsd-ipfw@freebsd.org
Date: Sun, 25 Dec 2005 00:50:23 +0100
Message-ID: <43ADDEBF.3000606@xinus.net>
Subject: NATd issue

Hi,

I have the network below:

        192.168.2.0/23
              |
  192.168.3.254 FreeBSD x.x.x.x   router 1
              |
          Internet
              |
  y.y.y.y FreeBSD 10.0.0.254      router 2
              |
         10.0.0.0/24

Each gateway runs racoon. Each network can go on Internet. VPN is ok.

I would like to NAT packets from 192.168.2.0/23 to 10.0.0.0/24 with IP 192.168.3.254 on router 1. VPN interface is gif5 on router 1.

My ipfw rules:

dialup:~# ipfw show | grep 8670
00650    4    400 divert 8670 ip from 192.168.2.0/23 to 10.0.0.0/24
00660    4    400 divert 8670 ip from 10.0.0.0/24

natd in debug mode:

dialup:~# natd -v -p natd-vpn -interface gif5
natd[42308]: Aliasing to 192.168.3.254, mtu 1280 bytes
In  [ICMP] [ICMP] 192.168.3.82 -> 10.0.0.1 8(0) aliased to
            [ICMP] 192.168.3.82 -> 10.0.0.1 8(0)
Out [ICMP] [ICMP] 10.0.0.1 -> 192.168.3.82 0(0) aliased to
            [ICMP] 10.0.0.1 -> 192.168.3.82 0(0)

As you can see, packets are not translated with IP 192.168.3.254. Same result with natd -p natd-vpn -a 192.168.3.254.

I think the solution will be with -reverse; when I use it, packets are NATed (ping from 192.168.3.61 to 10.0.0.1):

dialup:/etc# natd -v -p natd-vpn -reverse -interface gif5
natd[43271]: Aliasing to 192.168.3.254, mtu 1280 bytes
In  [ICMP] [ICMP] 192.168.3.61 -> 10.0.0.1 8(0) aliased to
            [ICMP] 192.168.3.254 -> 10.0.0.1 8(0)

tcpdump on remote gateway:

11:26:44.641090 IP 192.168.3.254 > 10.0.0.1: icmp 64: echo request seq 0
11:26:44.641240 IP 10.0.0.1 > 192.168.3.254: icmp 64: echo reply seq 0

But I haven't got any reply on local site (192.168.2.0/23); I haven't got packet OUT on natd.

David.

Thanks! Have a nice Christmas!
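Two of the questions in this month's traffic come down to the same thing, the order in which ipfw walks its rule list: Dennis's remark in the "ipfw ruleset blocking game server" thread that dynamic rules admit the game server's replies without an explicit allow, and Robert's observation in "ipfw dummynet, divert order" that with net.inet.ip.fw.one_pass=1 nothing ever reaches his divert rule 50. The following is an added Python simulator written for this archive page; it is not ipfw's code and was not posted by anyone on the list. It models check-state/keep-state, divert reinjection and one_pass in simplified form. The outbound keep-state rule 150 is an assumption (Reed did not post his outbound section); the client address 192.168.1.20, the server address 203.0.113.10, the ports, and 198.51.100.1 standing in for Robert's $EXT_IP are constructed values; and a default-deny last rule is assumed.

```python
"""Toy model of ipfw rule traversal: dynamic rules and net.inet.ip.fw.one_pass (added illustration, not ipfw code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    direction: str = "out"   # "in" or "out" relative to the firewall host
    iface: str = "tun0"
    setup: bool = False      # TCP SYN without ACK (ipfw "setup")


@dataclass
class Rule:
    number: int
    action: str                 # allow | deny | check-state | pipe | divert
    proto: str = "ip"           # "ip" matches every protocol
    src: str = "any"            # "any" or a CIDR prefix
    dst: str = "any"
    direction: Optional[str] = None
    iface: Optional[str] = None
    setup: bool = False         # match only TCP SYN segments
    established: bool = False   # match only TCP segments that are not SYN-only
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        ok = self.proto in ("ip", p.proto)
        ok = ok and (self.direction is None or p.direction == self.direction)
        ok = ok and (self.iface is None or p.iface == self.iface)
        ok = ok and (not self.setup or (p.proto == "tcp" and p.setup))
        ok = ok and (not self.established or (p.proto == "tcp" and not p.setup))
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            ok = ok and (want == "any" or ip_address(have) in ip_network(want, strict=False))
        return ok


class Firewall:
    def __init__(self, rules, one_pass=True):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.one_pass = one_pass       # net.inet.ip.fw.one_pass
        self.dynamic = set()           # 5-tuples that currently have a dynamic rule

    def evaluate(self, p):
        """Return (verdict, list of rule numbers that acted on the packet)."""
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        trace = []
        for rule in self.rules:
            # check-state, and every keep-state rule, consults the dynamic table first
            if (rule.action == "check-state" or rule.keep_state) and self.dynamic & {flow, reverse}:
                return "allow", trace + [rule.number]
            if rule.action == "check-state" or not rule.matches(p):
                continue
            trace.append(rule.number)
            if rule.action == "allow":
                if rule.keep_state:
                    self.dynamic.add(flow)
                return "allow", trace
            if rule.action == "deny":
                return "deny", trace
            if rule.action == "pipe" and self.one_pass:
                return "allow", trace      # accepted on leaving the pipe; later rules never seen
            # divert (natd reinjects) and pipe with one_pass=0 continue at the next rule
        return "deny", trace + [65535]     # assumed default-deny kernel


def game_reply_verdicts():
    """Reed's case: assumed outbound keep-state rule 150 plus rules 310/332/499 from his inbound section."""
    def build():
        return Firewall([
            Rule(101, "check-state"),
            Rule(150, "allow", "tcp", direction="out", iface="tun0", setup=True, keep_state=True),
            Rule(310, "deny", "icmp", direction="in", iface="tun0"),
            Rule(332, "deny", "tcp", direction="in", iface="tun0", established=True),
            Rule(499, "deny", direction="in", iface="tun0"),
        ])
    # constructed addresses and ports: a LAN client opening a session to a game server
    syn = Packet("tcp", "192.168.1.20", "203.0.113.10", 51000, 43000, "out", "tun0", setup=True)
    reply = Packet("tcp", "203.0.113.10", "192.168.1.20", 43000, 51000, "in", "tun0")
    fw = build()
    with_state = (fw.evaluate(syn), fw.evaluate(reply))
    without_state = build().evaluate(reply)   # same reply, no dynamic entry (e.g. it expired)
    return with_state, without_state


def one_pass_traces():
    """Robert's rules 20/30/40/50/100 for a LAN packet leaving via rl0, with one_pass=1 and =0."""
    def build(one_pass):
        return Firewall([
            Rule(20, "divert", dst="198.51.100.1", direction="in", iface="rl0"),   # 198.51.100.1 stands in for $EXT_IP
            Rule(30, "pipe", dst="10.0.2.0/24", direction="in", iface="rl0"),
            Rule(40, "pipe", src="10.0.2.0/24", direction="out", iface="rl0"),
            Rule(50, "divert", direction="out", iface="rl0"),
            Rule(100, "deny"),
        ], one_pass=one_pass)
    lan_out = Packet("udp", "10.0.2.5", "203.0.113.10", 5000, 53, "out", "rl0")   # constructed
    return {op: build(op).evaluate(lan_out) for op in (True, False)}
```

game_reply_verdicts() returns ((allow at 150, allow at 101), deny at 332): the client's SYN creates a dynamic entry at the keep-state rule, the server's reply is then admitted by check-state at rule 101, and the same reply arriving with no dynamic entry falls through to rule 332 ("deny tcp from any to any established in"), which is the symptom Reed describes. one_pass_traces() returns allow at rule 40 for one_pass=1, because the packet is accepted on leaving pipe 2 and rule 50 is never consulted, matching the zero counter on rule 50 in Robert's first ipfw show; with one_pass=0 the trace is [40, 50, 100]: after the pipe the packet continues to the divert and, once natd reinjects it, to rule 100 where it is denied, so a ruleset that relies on one_pass=0 needs an allow after the divert rule rather than before it.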