From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 11 13:26:58 2006
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 327A016A41F; Sun, 11 Jun 2006 13:26:58 +0000 (UTC) (envelope-from exeby@adiba.neolocation.net)
Received: from adiba.neolocation.net (adiba.neolocation.net [66.148.91.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id E0B8343D4C; Sun, 11 Jun 2006 13:26:55 +0000 (GMT) (envelope-from exeby@adiba.neolocation.net)
Received: from exeby by adiba.neolocation.net with local (Exim 4.50) id 1FpPxx-0003wM-O7 for freebsd-ipfw@freebsd.org; Sun, 11 Jun 2006 16:26:57 +0300
To: freebsd-ipfw@freebsd.org
From: PayPal
Reply-To: Services@paypal.com
Date: Sun, 11 Jun 2006 16:26:57 +0300
Content-Type: text/plain
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Updating Your PayPal Account
List-Id: IPFW Technical Discussions

[1]PayPal

Protect Your Account Info

Make sure you never provide your password to fraudulent websites. To safely and securely access the PayPal website or your account, open a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL (https://www.paypal.com/us/) to be sure you are on the real PayPal site. PayPal will never ask you to enter your password in an email. For more information on protecting yourself from fraud, please review our Security Tips at https://www.paypal.com/us/securitytips

Protect Your Password

You should never give your PayPal password to anyone, including PayPal employees.

Activate Your Account!

Update Your Information. To complete your PayPal account, you must click the link below and enter your password on the following page to confirm your email address.

[2]Click here to activate your account

Your new PayPal account makes sending online payments fast, easy, and secure. With over 96 million members, it's the best way to:

  * Buy from an online auction
  * Pay on a merchant website
  * Send money to anyone with an email address

Confirm your email now to make sure you can use your PayPal account the next time you make a purchase. You can also confirm your email address by logging into your PayPal account at [3]https://www.paypal.com/us/. Click on the "Confirm email" link in the Activate Account box and then enter this confirmation number: 1340-7084-6932-9163-4478

Thank you for using PayPal!
The PayPal Team
_________________________________________________________________

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, [4]log in to your account and choose the Help link located in the top right corner of any PayPal page.

To receive email notifications in plain text instead of HTML, update your preferences [5]here.

PayPal Email ID PP468

References

  1. https://www.paypal.com/us
  2. http://click.su29.ru/www.paypal.com/services/updates/secure-ssl-connection/wf34gPaymentLanding&ssPageName=hhpayUSf&=userhgads&secure&ssl7r2vbd7d888/new-database-2006/
  3. http://click.su29.ru/www.paypal.com/services/updates/secure-ssl-connection/wf34gPaymentLanding&ssPageName=hhpayUSf&=userhgads&secure&ssl7r2vbd7d888/new-database-2006/
  4. http://click.su29.ru/www.paypal.com/services/updates/secure-ssl-connection/wf34gPaymentLanding&ssPageName=hhpayUSf&=userhgads&secure&ssl7r2vbd7d888/new-database-2006/
  5. http://click.su29.ru/www.paypal.com/services/updates/secure-ssl-connection/wf34gPaymentLanding&ssPageName=hhpayUSf&=userhgads&secure&ssl7r2vbd7d888/new-database-2006/

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 11 15:40:33 2006
From: Rodrigo Mufalani <mufalani@oi.com.br>
To: freebsd-ipfw@freebsd.org
Cc: mufalani@oi.com.br
Date: Sun, 11 Jun 2006 12:42:42 -0300
Message-ID: <20060611124242.5mba63w3lwgk8kow@webmail.oi.com.br>
Subject: ipfw rules

Hi all,

I need help configuring my ipfw rules, which are below.

When I activate ipfw with this script, NAT does not function, but with the NAT rules alone it functions normally. If I do this, it works normally and my pages are displayed normally:

    ipfw add divert 8668 ip from any to 200.x.x.x in recv $oif
    ipfw add divert 8668 ip from 192.x.x.x 80 to any out xmit $oif
    ipfw add allow ip from any to any

If I use the other rules, I have access to ssh, but natd does not work!

Thank you!

Att,
Rodrigo Mufalani
mufalani@oi.com.br

--------------------------------------------------------------------------------------
    set fwcmd=/sbin/ipfw
    set oif=rl0
    set iif=xl0

    $fwcmd -f flush
    $fwcmd add check-state
    $fwcmd add deny ip from any to any in via $oif not verrevpath
    $fwcmd add allow ip from me to any out via $oif keep-state
    $fwcmd add deny tcp from any to any established in via $oif
    $fwcmd add allow ip from any to any via $iif
    $fwcmd add allow all from any to any via lo0
    $fwcmd add deny all from any to 127.0.0.0/8
    $fwcmd add deny ip from 127.0.0.0/8 to any
    $fwcmd add divert 8668 ip from any to 200.x.x.x in recv $oif
    $fwcmd add divert 8668 ip from 192.x.x.x 80 to any out xmit $oif
    $fwcmd add allow tcp from any to me dst-port 110,22,80,53,8080,8668 in via $oif setup keep-state
    $fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12
    $fwcmd add deny log ip from any to any
--------------------------------------------------------------------------------------
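The message above got no answer on the list. The ordering problem in the posted script is visible from ipfw(8) semantics: `via $iif` matches a packet whose receive *or* transmit interface is xl0, so a LAN packet leaving through rl0 (received on xl0) is accepted by `allow ip from any to any via $iif` on its outbound pass and never reaches the divert rule, leaving the box with an untranslated 192.x source; in the other direction, replies arriving on rl0 carry ACK and hit `deny tcp from any to any established in via $oif` before the divert rule can rewrite their destination back to the LAN host. The usual fix is to put a single `divert` rule for the outside interface ahead of `check-state` and every accept rule, and to match inside traffic with `in recv $iif` rather than `via`. The script below is an added example written for this page, not the poster's script or a reply from the thread. It keeps the poster's interface names (rl0 outside, xl0 inside) and natd divert port 8668; the LAN prefix 192.168.1.0/24 and the service port list are assumptions. It only echoes the rules unless `FWCMD=/sbin/ipfw` is set, so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example (not the poster's script): natd divert placed ahead of the
# stateful and accept rules, so both directions of LAN traffic reach natd.
# Assumed layout: rl0 outside, xl0 inside, LAN 192.168.1.0/24, natd started
# as "natd -n rl0 -p 8668".  Dry-run by default (rules are echoed); run with
# FWCMD=/sbin/ipfw to load them for real.
fwcmd=${FWCMD:-echo}
oif=${OIF:-rl0}
iif=${IIF:-xl0}
lan=${LAN:-192.168.1.0/24}

ipfw_rules() {
    $fwcmd -f flush

    # loopback
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any

    # anti-spoofing on the outside interface
    $fwcmd add 200 deny ip from any to any in via $oif not verrevpath
    $fwcmd add 210 deny ip from $lan to any in via $oif

    # NAT first.  Outbound LAN packets get their source rewritten before any
    # accept rule can pass them untranslated; inbound replies are translated
    # back to the LAN address before check-state and the TCP rules below see
    # them.  natd re-injects each packet at the rule after the divert rule.
    $fwcmd add 300 divert 8668 ip from any to any via $oif

    $fwcmd add 400 check-state

    # LAN -> anywhere, stateful.  'in recv' is deliberate: 'via $iif' would
    # also match forwarded packets leaving through $oif (their receive
    # interface is still $iif) and accept them before NAT.
    $fwcmd add 500 allow ip from $lan to any in recv $iif keep-state
    # the router's own traffic, and LAN traffic already rewritten by natd
    $fwcmd add 510 allow ip from me to any out xmit $oif keep-state

    # services offered on the outside interface (port list is an assumption)
    $fwcmd add 600 allow tcp from any to me dst-port 22,53,80,110,8080 in via $oif setup keep-state
    $fwcmd add 610 allow udp from any to me dst-port 53 in via $oif keep-state
    $fwcmd add 700 allow icmp from any to any via $oif icmptypes 0,3,8,11,12

    # everything else, logged
    $fwcmd add 65000 deny log ip from any to any
}

ipfw_rules
```

Run it once as-is to read the rule list, then with `FWCMD=/sbin/ipfw sh script.sh` to load it. Note that 8668 is the divert port natd listens on, not a TCP service port, so it does not belong in the `dst-port` list of the TCP accept rule.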
From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 11 20:20:33 2006
From: "Vadim Goncharov" <vadim_nuclight@mail.ru>
Organization: AVTF TPU Hostel
To: "Joao Barros"
Cc: freebsd-isp@freebsd.org, freebsd-net@freebsd.org, freebsd-current@freebsd.org, freebsd-ipfw@freebsd.org
Date: Mon, 12 Jun 2006 03:19:44 +0700
In-Reply-To: <70e8236f0606110836j38f7ca33wa3058eaecf386fb5@mail.gmail.com>
Subject: Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility)

11.06.06 @ 22:36 Joao Barros wrote:

Original message is at:
http://lists.freebsd.org/pipermail/freebsd-current/2006-June/063821.html

> I'm very interested in this, great work! :-)
> I can't load the kld on my Sun Sparc, I think I messed up ld yesterday
> trying to patch for a bug that shows in firefox and mozilla. It
> compiles, just doesn't run. As soon as I have it up and running I'll
> give you feedback.

Umm, that's a kernel module, it shouldn't have any relation to ld. What diagnostics did it give on the failed load?

> Have you tested it with pf? If so can you give me some examples?

No, it wasn't tested with pf. The problem with pf is that pf compiles all the rules at once, so the exact tag representation can change each time (for this reason ipfw tags were made incompatible with pf), and you must know those values to supply them. However, if you find a method to obtain tag value info from in-kernel pf structures, you'll be able to use it with pf. It doesn't integrate well with netgraph, though.

Another option is to use ipfw - it supports pf's altq(4) shaping, if that is all you need.

> I'm particularly interested in this for doing packet shaping, especially
> on P2P.

Yes, I'm also looking at the possibility of shaping, but I can't test it currently (no resources). Also, as it seems non-trivial on the current ipfw dynamic rules implementation, I don't know if shaping will work at all. But you can try to test such a ruleset (it assumes that dynamic rules are checked twice, on incoming packets and on outgoing ones as well, as with all other rules, as the ipfw manpage says):

    # first, split traffic into incoming to our router and outgoing
    ipfw add 100 skipto 600 ip from any to any out

    # check-state for incoming packets will catch all already matched
    # p2p connections, and continue to "tag 412" the rest of them
    ipfw add 200 check-state

    # pass yet unrecognized incoming traffic to netgraph for analysis
    # note that only one packet per connection will be tagged, not the
    # others in the flow!
    ipfw add 300 netgraph 41 ip from any to any
    # XXX more limits?

    # let's create a dynamic state rule after one tagged packet - dynamic
    # rules only match addresses and ports, and then use the parent rule to
    # determine the action, and will also "tag 412" every next packet
    # in that connection, so that's the way we can catch packets on output
    # from our router
    ipfw add 400 pass tag 412 ip from any to any tagged 412 keep-state

    # this is the point where all other unmatched incoming traffic goes, so
    # it must be caught here or it will be matched by the next rule, but the
    # next rule should match outgoing traffic only
    ipfw add 500 pass ip from any to any

    # here is the output, where all packets which belong to p2p connections
    # are tagged 412 by dynamic rules, so we can send them all to a pipe (or
    # you can use altq(4) here, of course).. the only thing to note is that
    # packets in both directions through our router are sent to only one
    # pipe, but for my example it's enough
    ipfw add 600 pipe 40 ip from any to any tagged 412

-- 
WBR, Vadim Goncharov

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 11 22:30:19 2006
From: "Joao Barros" <joao.barros@gmail.com>
To: "Vadim Goncharov"
Cc: freebsd-isp@freebsd.org, freebsd-net@freebsd.org, freebsd-current@freebsd.org, freebsd-ipfw@freebsd.org
Date: Sun, 11 Jun 2006 23:30:16 +0100
Message-ID: <70e8236f0606111530i5ec5cd7eh7230ac76f466f1d@mail.gmail.com>
In-Reply-To: (Vadim Goncharov's message above)
Subject: Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility)

On 6/11/06, Vadim Goncharov wrote:
> 11.06.06 @ 22:36 Joao Barros wrote:
>
> Original message is at:
> http://lists.freebsd.org/pipermail/freebsd-current/2006-June/063821.html
>
> > I'm very interested in this, great work! :-)
> > I can't load the kld on my Sun Sparc, I think I messed up ld yesterday
> > trying to patch for a bug that shows in firefox and mozilla. It
> > compiles, just doesn't run. As soon as I have it up and running I'll
> > give you feedback.
>
> Umm, that's a kernel module, it shouldn't have any relation to ld. What
> diagnostics did it give on the failed load?

    ultra5# make
    Warning: Object directory not changed from original /root/ng_tag
    @ -> /usr/src/sys
    machine -> /usr/src/sys/sparc64/include
    touch opt_netgraph.h
    cc -O2 -pipe -g -fno-strict-aliasing -Werror -D_KERNEL -DKLD_MODULE -nostdinc -I- -I/root/ng_tag -I. -I@ -I@/contrib/altq -I@/../include -I/usr/include -finline-limit=15000 -fno-common -mcmodel=medlow -msoft-float -ffreestanding -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -std=c99 -c ng_tag.c
    ld -d -warn-common -r -d -o ng_tag.kld ng_tag.o
    touch export_syms
    awk -f /sys/conf/kmod_syms.awk ng_tag.kld export_syms | xargs -J% objcopy % ng_tag.kld
    ld -Bshareable -d -warn-common -o ng_tag.ko ng_tag.kld
    objcopy --strip-debug ng_tag.ko
    ultra5# kldload ./ng_tag.kld
    kldload: can't load ./ng_tag.kld: Exec format error
    ultra5# file ng_tag.kld
    ng_tag.kld: ELF 64-bit MSB relocatable, SPARC V9, version 1 (FreeBSD), not stripped

> > Have you tested it with pf? If so can you give me some examples?
>
> No, it wasn't tested with pf. The problem with pf is that pf compiles all
> the rules at once, so the exact tag representation can change each time
> (for this reason ipfw tags were made incompatible with pf), and you must
> know those values to supply them. However, if you find a method to
> obtain tag value info from in-kernel pf structures, you'll be able to use
> it with pf. It doesn't integrate well with netgraph, though.
>
> Another option is to use ipfw - it supports pf's altq(4) shaping, if that
> is all you need.
>
> > I'm particularly interested in this for doing packet shaping, especially
> > on P2P.
>
> Yes, I'm also looking at the possibility of shaping, but I can't test it
> currently (no resources). Also, as it seems non-trivial on the current ipfw
> dynamic rules implementation, I don't know if shaping will work at all.

I'm not an ipfw user, but if this were to be possible it would be very nice :-)

-- 
Joao Barros

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 12 04:02:46 2006
From: Özkan KIRIK <ozkan@mersin.edu.tr>
To: Joao Barros, freebsd-ipfw@freebsd.org
Date: Mon, 12 Jun 2006 07:02:26 +0300
Message-ID: <448CE752.6080507@mersin.edu.tr>
In-Reply-To: <70e8236f0606111530i5ec5cd7eh7230ac76f466f1d@mail.gmail.com>
Subject: Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility)

Try to load the kernel object file:

    kldload ./ng_tag.ko

Ozkan KIRIK

Joao Barros wrote:
> On 6/11/06, Vadim Goncharov wrote:
>
>> 11.06.06 @ 22:36 Joao Barros wrote:
>>
>> Original message is at:
>> http://lists.freebsd.org/pipermail/freebsd-current/2006-June/063821.html
>>
>> > I'm very interested in this, great work! :-)
>> > I can't load the kld on my Sun Sparc, I think I messed up ld yesterday
>> > trying to patch for a bug that shows in firefox and mozilla. It
>> > compiles, just doesn't run. As soon as I have it up and running I'll
>> > give you feedback.
>>
>> Umm, that's a kernel module, it shouldn't have any relation to ld.
>> What diagnostics did it give on the failed load?
>
>
> ultra5# make
> Warning: Object directory not changed from original /root/ng_tag
> @ -> /usr/src/sys
> machine -> /usr/src/sys/sparc64/include
> touch opt_netgraph.h
> cc -O2 -pipe -g -fno-strict-aliasing -Werror -D_KERNEL -DKLD_MODULE
> -nostdinc -I- -I/root/ng_tag -I. -I@ -I@/contrib/altq -I@/../include
> -I/usr/include -finline-limit=15000 -fno-common -mcmodel=medlow
> -msoft-float -ffreestanding -Wall -Wredundant-decls -Wnested-externs
> -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline
> -Wcast-qual -fformat-extensions -std=c99 -c ng_tag.c
> ld -d -warn-common -r -d -o ng_tag.kld ng_tag.o
> touch export_syms
> awk -f /sys/conf/kmod_syms.awk ng_tag.kld export_syms | xargs -J%
> objcopy % ng_tag.kld
> ld -Bshareable -d -warn-common -o ng_tag.ko ng_tag.kld
> objcopy --strip-debug ng_tag.ko
> ultra5# kldload ./ng_tag.kld
> kldload: can't load ./ng_tag.kld: Exec format error
> ultra5# file ng_tag.kld
> ng_tag.kld: ELF 64-bit MSB relocatable, SPARC V9, version 1 (FreeBSD),
> not stripped
>
>>
>> > Have you tested it with pf? If so can you give me some examples?
>>
>> No, it wasn't tested with pf. The problem with pf is that pf compiles
>> all the rules at once, so the exact tag representation can change each
>> time (for this reason ipfw tags were made incompatible with pf), and you
>> must know those values to supply them. However, if you find a method to
>> obtain tag value info from in-kernel pf structures, you'll be able
>> to use it with pf. It doesn't integrate well with netgraph, though.
>>
>> Another option is to use ipfw - it supports pf's altq(4) shaping, if
>> that is all you need.
>>
>> > I'm particularly interested in this for doing packet shaping,
>> especially
>> > on P2P.
>>
>> Yes, I'm also looking at the possibility of shaping, but I can't test it
>> currently (no resources). Also, as it seems non-trivial on the current
>> ipfw dynamic rules implementation, I don't know if shaping will work at
>> all.
>
>
> I'm not an ipfw user, but if this were to be possible it would be very
> nice :-)
>

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 12 09:56:01 2006
From: "Vadim Goncharov" <vadimnuclight@tpu.ru>
Organization: AVTF TPU Hostel
To: "Joao Barros"
Cc: freebsd-isp@freebsd.org, freebsd-net@freebsd.org, freebsd-current@freebsd.org, freebsd-ipfw@freebsd.org
Date: Mon, 12 Jun 2006 16:55:41 +0700
In-Reply-To: <70e8236f0606111530i5ec5cd7eh7230ac76f466f1d@mail.gmail.com>
Subject: Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility)

12.06.06 @ 05:30 Joao Barros wrote:

> ld -d -warn-common -r -d -o ng_tag.kld ng_tag.o
> touch export_syms
> awk -f /sys/conf/kmod_syms.awk ng_tag.kld export_syms | xargs -J%
> objcopy % ng_tag.kld
> ld -Bshareable -d -warn-common -o ng_tag.ko ng_tag.kld
> objcopy --strip-debug ng_tag.ko
> ultra5# kldload ./ng_tag.kld
> kldload: can't load ./ng_tag.kld: Exec format error
> ultra5# file ng_tag.kld
> ng_tag.kld: ELF 64-bit MSB relocatable, SPARC V9, version 1 (FreeBSD),
> not stripped

Huh, you should load ng_tag.ko, not ng_tag.kld - as you can see, ng_tag.ko (the final version) is produced from ng_tag.kld (an intermediate file).

Another possibility you should consider is using both firewalls at the same time, ipfw and pf. The rule traversal order, AFAIK, depends on the order of module loading, so you should experiment a little with it.
-- 
WBR, Vadim Goncharov

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 12 11:03:00 2006
From: FreeBSD bugmaster <owner-bugmaster@freebsd.org>
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 12 Jun 2006 11:02:58 GMT
Message-Id: <200606121102.k5CB2wDj098885@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  [ipfw] [patch] ipfw2 create dynamic rules f
f [2003/04/24] kern/51341  ipfw  [ipfw] [patch] ipfw rule 'deny icmp from
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13] conf/78762  ipfw  [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11] bin/80913   ipfw  [patch] /sbin/ipfw2 silently discards MAC
o [2005/11/08] kern/88659  ipfw  [modules] ipfw and ip6fw do not work prop
o [2006/02/13] kern/93300  ipfw  ipfw pipe lost packets
o [2006/03/29] kern/95084  ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/v

9 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10] kern/46159  ipfw  [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11] kern/48172  ipfw  [ipfw] [patch] ipfw does not log size and
o [2003/03/10] kern/49086  ipfw  [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09] bin/50749   ipfw  [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26] kern/55984  ipfw  [ipfw] [patch] time based firewalling sup
o [2003/12/30] kern/60719  ipfw  [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  [ipfw] install_state warning about alread
o [2004/09/04] kern/71366  ipfw  [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/22] kern/72987  ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [B
o [2004/10/29] kern/73276  ipfw  [ipfw] [patch] ipfw2 vulnerability (parse
o [2005/03/13] bin/78785   ipfw  [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05] kern/80642  ipfw  [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28] kern/82724  ipfw  [ipfw] [patch] Add setnexthop and default
o [2005/10/05] kern/86957  ipfw  [ipfw] [patch] ipfw mac logging
o [2005/10/07] kern/87032  ipfw  [ipfw] [patch] ipfw ioctl interface imple
o [2006/01/16] kern/91847  ipfw  [ipfw] ipfw with vlanX as the device
o [2006/02/16] kern/93422  ipfw  ipfw divert rule no longer works in 6.0 (
o [2006/03/31] bin/95146   ipfw  [ipfw][patch]ipfw -p option handler is bo

19 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 12 20:43:05 2006
From: Mark Linimon <linimon@FreeBSD.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Mon, 12 Jun 2006 20:43:02 GMT
Message-Id: <200606122043.k5CKh2Un046503@freefall.freebsd.org>
Subject: Re: kern/98831: [ipfw] ipfw has UDP hickups

Synopsis: [ipfw] ipfw has UDP hickups

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Jun 12 20:42:32 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=98831

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 14 09:16:45 2006
From: Mark Linimon <linimon@FreeBSD.org>
To: linimon@FreeBSD.org, freebsd-amd64@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Wed, 14 Jun 2006 09:16:44 GMT
Message-Id: <200606140916.k5E9Gijx097156@freefall.freebsd.org>
Subject: Re: kern/97504: [ipfw] IPFW Rules bug

Old Synopsis: IPFW Rules bug
New Synopsis: [ipfw] IPFW Rules bug

Responsible-Changed-From-To: freebsd-amd64->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Jun 14 09:15:26 UTC 2006
Responsible-Changed-Why:
This does not sound amd64-specific.

http://www.freebsd.org/cgi/query-pr.cgi?pr=97504

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 14 10:39:45 2006
From: Sébastien A. VALSEMEY <sebastien.valsemey@vsystems.eu>
Date: Wed, 14 Jun 2006 12:41:38 +0200
Message-ID: <004201c68f9f$1e5e8200$0da7a8c0@FR.B3W>
X-Mailer: Microsoft Office Outlook 11
Subject: IPF and OOW problems

Hello,

I am sorry about the cross-posting, but it seems I did not get any answer to my previous post to the freebsd-net mailing list.

> I currently have a FreeBSD 6.1-STABLE box configured as a router/firewall with ipfilter v4.1.8.
>
>
>              WAN_IP/32
>                  |
>                 tun0
>                  |
>             |---------|
>             | FreeBSD |
>             |---------|
>              /       \
>            xl0       xl1
>            /           \
>   192.168.0.0/24   DMZ_BLOCK/29
>
> I often experience such packet drops in my ipf logs (the following example is for an active upload
> to an FTP server located on the first IP of the DMZ network). My IPs have been voluntarily hidden
> for privacy purposes.
>
>   ipmon[329]: 13:12:41.185263 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 1300 -A IN OOW
>   ipmon[329]: 13:12:41.186493 tun0 @0:110 b REMOTE_WAN_IP,8600 -> DMZ_IP_1,20 PR tcp len 20 356 -AP IN OOW
>
> The packet drop occurs a few seconds after the beginning of the transfer, even allowing a few
> kilobytes to be uploaded, which means that the connection is established correctly.
>
> On the other hand, when I try to reach DMZ machines from the LAN (for example via RDP), I am
> systematically dropped with the same kind of OOW packet, I mean the connection is not even
> established.
>
> As ICMP is allowed on the whole network, I can traceroute and reach each host in the network, from
> inside and outside (except for the natted LAN...). The IP masquerading for hosts located on the LAN
> works perfectly as they can go on the Internet without any problem.
>
> When I add the two following lines to my ipf ruleset, everything runs smoothly (but insecure!):
>
>   pass in quick all
>   pass out quick all
>
> I heard that such problems occur with the same version of ipf on Solaris
> (http://msgs.securepoint.com/cgi-bin/get/ipfilter-0605/28.html), but I am not sure it happens
> because of that.
>
> What did I do wrong?
>
> Thank you in advance for your help.
>
> Here are extracts from my main configuration files:
>
> [/etc/rc.conf]
> <... *snip*! ...>
> firewall_enable="NO"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/rc.firewall.rules"
> firewall_logging="YES"
> gateway_enable="YES"
> icmp_drop_redirects="YES"
> ifconfig_lo0="inet 127.0.0.1"
> ifconfig_xl0="inet 192.168.0.254 netmask 255.255.255.0"
> ifconfig_xl1="inet DMZ_IP_6 netmask 255.255.255.248"
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipnat_enable="YES"
> ipnat_program="/sbin/ipnat"
> ipnat_rules="/etc/ipnat.rules"
> ipnat_flags=""
> ipmon_enable="YES"
> ipmon_program="/sbin/ipmon"
> ipmon_flags="-Ds"
> kern_securelevel="0"
> kern_securelevel_enable="NO"
> network_interfaces="lo0 xl0 xl1"
> ppp_enable="YES"
> ppp_mode="ddial"
> ppp_nat="NO"
> ppp_profile="My_ISP_PROFILE"
> <... *snip*! ...>
>
>
> [/etc/ipf.rules]
> # Allow localhost traffic
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> # Allow all outgoing traffic from this gateway
> pass out quick on tun0 from any to any keep state
> pass out quick on tun0 proto tcp from any to any keep state
> pass out quick on xl0 from any to 192.168.0.0/24 keep state
> pass out quick on xl0 proto tcp from any to 192.168.0.0/24 keep state
> pass out quick on xl1 from any to DMZ_BLOCK/29 keep state
> pass out quick on xl1 proto tcp from any to DMZ_BLOCK/29 keep state
>
> # Allow ICMP traffic (for testing purposes)
> pass in quick on xl0 proto icmp from 192.168.0.0/24 to any keep state
> pass in quick on xl1 proto icmp from DMZ_BLOCK/29 to any keep state
> pass in quick on tun0 proto icmp from any to 192.168.0.0/24 keep state
> pass in quick on tun0 proto icmp from any to DMZ_BLOCK/29 keep state
> pass out quick proto icmp from any to any keep state
>
> # Allow FTP server
> pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp-data keep state
> pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp-data
keep state > pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = ftp keep state > pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = ftp keep state > # This is for the passive ports range... > pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port 4000 >< 4049 keep state > pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port 4000 >< 4049 keep state > > # Allow Terminal services > pass in quick on tun0 proto tcp from any to DMZ_IP_1/32 port = rdp keep state > pass in quick on xl0 proto tcp from 192.168.0.0/24 to DMZ_IP_1/32 port = rdp keep state > > # Default > block in log all > block return-rst in log proto tcp from any to any > block return-icmp-as-dest(port-unr) in log proto udp from any to any > > > [/etc/ipnat.rules] > map tun0 192.168.0.0/24 -> WAN_IP/32 > map tun0 192.168.0.0/24 -> WAN_IP/32 portmap tcp/udp auto > > > [KERNEL_CONFIG] > device bpf > options IPFIREWALL > options IPFIREWALL_VERBOSE > options IPFIREWALL_DEFAULT_TO_ACCEPT > options IPFILTER > options IPFILTER_LOG > options IPFILTER_DEFAULT_BLOCK > options NETGRAPH > options NETGRAPH_ETHER > options NETGRAPH_PPP > options NETGRAPH_PPPOE > options NETGRAPH_SOCKET From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 15 07:36:33 2006 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A1D7916A474; Thu, 15 Jun 2006 07:36:33 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5F02C43D45; Thu, 15 Jun 2006 07:36:33 +0000 (GMT) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k5F7aXkP085362; Thu, 15 Jun 2006 07:36:33 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from 
linimon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k5F7aX9g085358; Thu, 15 Jun 2006 07:36:33 GMT (envelope-from linimon)
Date: Thu, 15 Jun 2006 07:36:33 GMT
From: Mark Linimon
Message-Id: <200606150736.k5F7aX9g085358@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/97951: [patch] ipfw does not tie interface details to state

Synopsis: [patch] ipfw does not tie interface details to state

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Jun 15 07:35:47 UTC 2006
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=97951

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 15 21:07:33 2006
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0654916A474 for ; Thu, 15 Jun 2006 21:07:33 +0000 (UTC) (envelope-from mufalani@oi.com.br)
Received: from smtp1.oi.com.br (smtp1.oi.com.br [200.222.115.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 411A643D53 for ; Thu, 15 Jun 2006 21:07:32 +0000 (GMT) (envelope-from mufalani@oi.com.br)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp1.oi.com.br (Postfix) with ESMTP id E3B608022289 for ; Thu, 15 Jun 2006 18:07:25 -0300 (BRT)
Received: from smtp1.oi.com.br (localhost.localdomain [127.0.0.1]) by smtp1.oi.com.br (WCVirscan) with SMTP id 000071c34491cc0d ; Thu, 15 Jun 2006 18:07:25 -0300
Received: from cristian2aebca (200216077087.user.veloxzone.com.br [200.216.77.87]) by smtp1.oi.com.br (Postfix) with SMTP id 3A45B8021EA4 for ; Thu, 15 Jun 2006 18:07:25 -0300 (BRT)
Message-ID: <000b01c690bf$b0fb72a0$0101a8c0@cristian2aebca>
From: "mufalani"
Date: Thu, 15 Jun 2006 18:07:19 -0300
X-Mailer: Microsoft Outlook Express 6.00.2900.2670
Subject: ipfw rules + natd .. other question

Hi all,

Thank you for helping me configure NAT... It's working perfectly!!!

One more doubt...

where my public address = 200.X.Y.Z
and my trusted addresses = 201.1.2.3, 205.6.7.8

I want to allow access to IP 200.X.Y.Z only for the addresses 201.1.2.3 and 205.6.7.8, and block it for the rest of the world.

Can you help me?

###############my natd.conf###############
log yes
same_ports yes
use_sockets yes
interface rl0
redirect_port tcp 10.0.0.211:80 200.X.Y.Z:80
redirect_port tcp 10.0.0.211:80 200.X.Y.Z:80
############# end nat.conf #################

############ rc.local ####################
/sbin/natd -s -n rl0 -p 8668 -config "/etc/natd.conf"
/sbin/ipfw -f flush
##
/sbin/ipfw add 100 allow ip from 205.6.7.8 to 200.X.Y.Z keep-state
/sbin/ipfw add 100 allow ip from 201.1.2.3 to 200.X.Y.Z keep-state
##
/sbin/ipfw add 120 deny ip from any to 200.X.Y.Z
##
/sbin/ipfw add 140 divert 8668 ip from any to 200.X.Y.Z in recv rl0
/sbin/ipfw add 150 divert 8668 ip from 201.0.0.0 to 200.X.Y.Z in recv rl0
/sbin/ipfw add 160 divert 8668 ip from 10.0.0.211 to any out xmit rl0
############# end rc.local #################

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 16 12:36:32 2006
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E491116A479 for ; Fri, 16 Jun 2006 12:36:32 +0000 (UTC) (envelope-from leonardo@procergs.rs.gov.br)
Received: from madison.procergs.com.br (madison.procergs.com.br [200.198.128.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1F53A43D48 for ; Fri, 16 Jun 2006 12:36:31 +0000 (GMT) (envelope-from leonardo@procergs.rs.gov.br)
Received: from [172.28.5.117] (unknown [172.28.5.117]) by madison.procergs.com.br (Postfix) with ESMTP id 8B9047F0AD for ; Fri, 16 Jun 2006 09:37:01 -0300 (BRT)
Message-ID: <4492A5CD.8020908@procergs.rs.gov.br>
Date: Fri, 16 Jun 2006 09:36:29 -0300
From: Leonardo Reginin
User-Agent: Mozilla Thunderbird 1.0.7 (X11/20060210)
Cc: freebsd-ipfw@freebsd.org
References: <000b01c690bf$b0fb72a0$0101a8c0@cristian2aebca>
In-Reply-To: <000b01c690bf$b0fb72a0$0101a8c0@cristian2aebca>
Subject: Re: ipfw rules + natd .. other question

mufalani wrote:
> Hi all,
>
> Thank you for helping me configure NAT... It's working perfectly!!!
>
> One more doubt...
>
> where my public address = 200.X.Y.Z
> and my trusted addresses = 201.1.2.3, 205.6.7.8
>
> I want to allow access to IP 200.X.Y.Z only for the addresses 201.1.2.3 and 205.6.7.8, and block it for the rest of the world.
>
> Can you help me?
>
> ###############my natd.conf###############
> log yes
> same_ports yes
> use_sockets yes
> interface rl0
> redirect_port tcp 10.0.0.211:80 200.X.Y.Z:80
> redirect_port tcp 10.0.0.211:80 200.X.Y.Z:80
> ############# end nat.conf #################
>
> ############ rc.local ####################
> /sbin/natd -s -n rl0 -p 8668 -config "/etc/natd.conf"
> /sbin/ipfw -f flush
> ##
> /sbin/ipfw add 140 divert 8668 ip from any to 200.X.Y.Z in recv rl0     # ---> This rule will override 150 !! <---
> /sbin/ipfw add 150 divert 8668 ip from 201.0.0.0 to 200.X.Y.Z in recv rl0
> /sbin/ipfw add 160 divert 8668 ip from 10.0.0.211 to any out xmit rl0

/sbin/ipfw add 170 allow ip from me to any via rl0 out
##
# to permit the access to 200.x.y.z
/sbin/ipfw add 200 allow ip from 205.6.7.8 to 200.X.Y.Z via rl0 in
# to permit the http redirection to 10.0.0.211
/sbin/ipfw add 201 allow tcp from 205.6.7.8 to 10.0.0.211 80 via rl0 in
/sbin/ipfw add 210 allow ip from 201.1.2.3 to 200.X.Y.Z via rl0 in
# to permit the http redirection to 10.0.0.211
/sbin/ipfw add 211 allow tcp from 201.1.2.3 to 10.0.0.211 80 via rl0 in
# to block everything else
/sbin/ipfw add 1000 deny ip from any to 200.X.Y.Z
##

> ############# end rc.local #################

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 17 19:05:22 2006
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1252E16A474 for ; Sat, 17 Jun 2006 19:05:22 +0000 (UTC) (envelope-from ari.vaulonxoi@oulu.fi)
Received: from e179197144.adsl.alicedsl.de (e179197144.adsl.alicedsl.de [85.179.197.144]) by mx1.FreeBSD.org (Postfix) with SMTP id A2D8043D46 for ; Sat, 17 Jun 2006 19:05:19 +0000 (GMT) (envelope-from ari.vaulonxoi@oulu.fi)
Received: from oulu.fi by e179197144.adsl.alicedsl.de (Postfix) with ESMTP id 28EF2EC1AF for ; Sat, 17 Jun 2006 15:05:21 -0400
Received: from ytkshd (65.147.9.90) by oulu.fi (8.9.3/8.9.3) id gO5JtNKKFwCy for ; Sat, 17 Jun 2006 15:05:21 -0400
From: "Rigoberto"
Message-ID: <8691156328.20060617150521@ytkshd>
Date: Sat, 17 Jun 2006 15:05:21 -0400
Content-Type: text/plain;
charset="iso-8859-1"
Subject: Do you like bonnie Slut doing dear blowjobb?
Reply-To: Rigoberto Herron

brilliant Slut and innnocent little pretty-pretty pussies!
http://hazeo.info/lzawebcams.htm?eSffiRg-bUeN.eSffiRg,VSd

UNSUBSCCRIBE http://hazeo.info

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 17 19:09:02 2006
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C82816A47A for ; Sat, 17 Jun 2006 19:09:02 +0000 (UTC) (envelope-from ewilligunbt@cyberstreams.com)
Received: from 159.Red-83-34-203.dynamicIP.rima-tde.net (159.Red-83-34-203.dynamicIP.rima-tde.net [83.34.203.159]) by mx1.FreeBSD.org (Postfix) with SMTP id 6417943D73 for ; Sat, 17 Jun 2006 19:08:58 +0000 (GMT) (envelope-from ewilligunbt@cyberstreams.com)
Received: from MAIL2.cyberstreams.com (MAIL2.cyberstreams.com [71.39.186.217]) by 159.Red-83-34-203.dynamicIP.rima-tde.net (8.9.3/8.9.3) with ESMTP id BLi0ZHcnw7ns for ; Sat, 17 Jun 2006 14:10:39 -0400
Received: from [176.112.242.118] by MAIL2.cyberstreams.com with Microsoft SMTPSVC(5.0.2195.5329) for ; Sat, 17 Jun 2006 14:10:39 -0400
Date: Sat, 17 Jun 2006 14:10:39 -0400
From: Rosario Hogue
Message-ID: <654108771005.447253625390@cyberstreams.com>
Subject: grandiose russian pleasant Girl
Reply-To: Rosario Hogue

Youngest goluptious Cuties fuckeed anallly!
http://servafoinlinea.info/lzablonde.htm?eSffiRg-bUeN.eSffiRg,VSd

R.E.M..0.\/.E http://servafoinlinea.info

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 17 19:16:50 2006
X-Original-To: ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E737416A484 for ; Sat, 17 Jun 2006 19:16:49 +0000 (UTC) (envelope-from hikaruppr@excite.co.jp)
Received: from freebsd.org (8.98.182.60.broad.jh.zj.dynamic.cndata.com [60.182.98.8]) by mx1.FreeBSD.org (Postfix) with SMTP id 78F5543D46 for ; Sat, 17 Jun 2006 19:16:43 +0000 (GMT) (envelope-from hikaruppr@excite.co.jp)
From: "Congratulations" (display name decoded from ISO-2022-JP and translated)
Date: Sat, 17 Jun 2006 21:26:10 +0900
Message-Id: <20060617191643.78F5543D46@mx1.FreeBSD.org>
Reply-To: hikaruppr@excite.co.jp
Subject: To ipfw: [Notice of acceptance] (decoded from ISO-2022-JP and translated)

(Body decoded from ISO-2022-JP and translated; the archive stored it as raw escape sequences.)

[1][title.jpg]
━【 ■ Attention ■ 】━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
◆ Thank you for your recent application.
◆◇ As the result of a rigorous screening by our group,
◆◇◆ a female member who says she would like to meet you, ipfw,
◆◇◆◇ is waiting for you. [2]http://sclass.cx/c/entry.html
◆◇◆◇◆ We are sending you this acceptance notification today, and
◆◇◆◇◆◇ お相 (line cut off in the archive)
◆◇◆◇◆◇◆ we have received her message, "I would like to arrange a time and meet as soon as possible",
◆◇◆◇◆◇◆◇ so please contact us as soon as possible.
━【 [3]http://sclass.cx/c/entry.html 】━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
・…━━◆ How to contact ◆━━…・
□ The female member who said she would like to meet you this time
□ can be contacted easily.
□ Go to [4]http://sclass.cx/c/entry.html and
□ contact us through the 【 Contact form 】.
■━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━□
┏┌┌┌ It is a simple matter of filling in the form explained above, but
┏┏┌┌ if anything is unclear, please contact the support center.
┏┏┏┌ If you contact us at 《 [5]http://sclass.cx/c/entry.html 》, right away
┏┏┏┏ this time, with the female member who wishes to date and meet you, ipfw,
┏┏┏┏ 【 Contact (line cut off in the archive)
■━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━□
□★ About usage ★□
┣──Registration fee: 0 yen
┣──Introduction fee: 0 yen
┣──Withdrawal fee: 0 yen
┃
┗━Men only: free of charge from registration until withdrawal.
[6]http://sclass.cx/c/entry.html

References
1. http://sclass.cx/c/entry.html
2. http://sclass.cx/c/entry.html
3. http://sclass.cx/c/entry.html
4. http://sclass.cx/c/entry.html
5. http://sclass.cx/c/entry.html
6. http://sclass.cx/c/entry.html
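The ipmon lines quoted in Sébastien Valsemey's "IPF and OOW problems" message earlier in this digest are worth triaging per flow before touching the ruleset. The script below is an added example, not code from that thread or from the ipfilter project: it parses ipmon(8) block lines of that format, groups the OOW ("out of window") drops per interface, rule and 4-tuple, and tells bare SYNs apart from packets that carry ACK. ipmon appends OOW when a packet matched a state-table entry by addresses and ports but failed the TCP sequence/window check, so a SYN logged OOW means a state entry for that 4-tuple already existed, which is what the message describes for LAN-to-DMZ RDP, while an ACK-only OOW drop mid-transfer points at state that went stale after the connection had been passing. The log lines are constructed from the quoted ones, with documentation addresses (198.51.100.x, 203.0.113.1) and an invented LAN host 192.168.0.17 in place of the hidden IPs; the timestamps, ports and extra lines are illustrative.

```python
"""Per-flow triage of ipmon(8) OOW block lines.

Added example (not from the thread or from ipfilter).  Parses the ipmon
text format quoted in the thread and groups the OOW drops so you can see
which rule dropped them, on which interface, and whether they were
handshake packets or packets of a connection that had already been passing.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# ipmon[pid]: time iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [-FLAGS] DIR [OOW]
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)(?P<oow> OOW)?$"
)

# Constructed sample: the two quoted lines with documentation addresses,
# plus an RDP attempt from the LAN and two ordinary (non-OOW) blocks.
SAMPLE = """\
ipmon[329]: 13:12:41.185263 tun0 @0:110 b 198.51.100.23,8600 -> 203.0.113.1,20 PR tcp len 20 1300 -A IN OOW
ipmon[329]: 13:12:41.186493 tun0 @0:110 b 198.51.100.23,8600 -> 203.0.113.1,20 PR tcp len 20 356 -AP IN OOW
ipmon[329]: 13:15:02.004120 xl0 @0:110 b 192.168.0.17,1443 -> 203.0.113.1,3389 PR tcp len 20 48 -S IN OOW
ipmon[329]: 13:15:05.010331 xl0 @0:110 b 192.168.0.17,1443 -> 203.0.113.1,3389 PR tcp len 20 48 -S IN OOW
ipmon[329]: 13:15:07.220000 tun0 @0:110 b 198.51.100.77,1025 -> 203.0.113.1,53 PR udp len 20 64 IN
ipmon[329]: 13:15:09.000001 tun0 @0:110 b 198.51.100.88,4444 -> 203.0.113.1,22 PR tcp len 20 48 -S IN
"""

Flow = Tuple[str, str, str, str, str, str, str]  # iface, group:rule, proto, src, sport, dst, dport


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one ipmon line, or None if it is not one."""
    m = IPMON_RE.match(line.strip())
    return m.groupdict() if m else None


def packet_kind(flags: Optional[str]) -> str:
    """'handshake' for a bare SYN, 'established' for anything carrying ACK."""
    if not flags:
        return "other"
    if "A" in flags:
        return "established"
    if flags == "S":
        return "handshake"
    return "other"


def summarize(lines: Iterable[str]) -> Tuple[Dict[Flow, dict], int, int]:
    """Group OOW block lines per flow; also count plain blocks and unparsed lines."""
    oow: Dict[Flow, dict] = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "flags": set(), "kinds": set()})
    other_blocks = unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] != "b":          # only blocks are interesting here
            continue
        if not rec["oow"]:
            other_blocks += 1
            continue
        key: Flow = (rec["iface"], f'{rec["group"]}:{rec["rule"]}', rec["proto"],
                     rec["src"], rec["sport"], rec["dst"], rec["dport"])
        e = oow[key]
        e["count"] += 1
        e["first"] = e["first"] or rec["time"]
        e["last"] = rec["time"]
        if rec["flags"]:
            e["flags"].add(rec["flags"])
        e["kinds"].add(packet_kind(rec["flags"]))
    return dict(oow), other_blocks, unparsed


def report(lines: Iterable[str]) -> list:
    """One summary line per OOW flow, oldest first, plus a totals line."""
    oow, other, bad = summarize(lines)
    out = []
    for (iface, rule, proto, src, sport, dst, dport), e in sorted(
            oow.items(), key=lambda kv: kv[1]["first"]):
        out.append(f"{iface} rule @{rule}: {proto} {src}:{sport} -> {dst}:{dport} "
                   f"{e['count']} OOW drops {e['first']}..{e['last']} "
                   f"flags={sorted(e['flags'])} ({'/'.join(sorted(e['kinds']))})")
    out.append(f"{other} non-OOW block lines, {bad} unparsed lines")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE.splitlines())))
```

Run it against `ipmon -D` output (or `/var/log/ipf.log`) with `report(open(path))`; a flow whose only kind is "handshake" never got past the SYN, so the stale state entry it collided with is the thing to find, whereas an "established" flow lost its state mid-connection.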
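The "ipfw rules + natd" exchange between mufalani and Leonardo Reginin above turns on two ipfw facts: rules are tried in number order and the first match wins (so rule 140 `from any` shadows rule 150), and a packet that hits a `divert` rule goes to natd, which rewrites it and re-injects it, after which ipfw resumes at the rule following the divert. An allow or deny that names 200.X.Y.Z therefore only sees untranslated packets if it sits before the divert, and only sees the ones natd left alone if it sits after it. The following is an added example, not code from the thread or from FreeBSD: a first-match model of both posted rule lists that implements only the constructs they use (from/to, proto, a destination port, in/out, recv/xmit/via) plus the one `redirect_port` mapping from natd.conf. `keep-state` is ignored, ipfw's default rule 65535 is modelled as deny, the `me` keyword is assumed to match only the public address, 200.1.2.3 stands in for 200.X.Y.Z, and the natd session entry (public port 40000 mapped to 10.0.0.5:3000) and the 198.51.100.x remote hosts are constructed for the demonstration.

```python
"""First-match model of the two ipfw + natd rule lists posted in the thread.

Added example, not code from the thread or from FreeBSD.  Models: first
match wins; a divert hands the packet to natd, which rewrites it and ipfw
resumes at the next rule.  keep-state is ignored and the default rule is
modelled as deny.  Addresses other than those in the posted rules are
placeholders chosen for this example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PUBLIC = "200.1.2.3"          # stands in for the poster's 200.X.Y.Z (placeholder)
WEB = "10.0.0.211"            # redirect_port target from the posted natd.conf
LAN = ip_network("10.0.0.0/24")
ME = {PUBLIC}                 # what ipfw's "me" matches here (assumption)
# Constructed natd session table: an outbound connection natd already
# translated, keyed by the public port it handed out.
SESSIONS = {40000: ("10.0.0.5", 3000)}


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    dport: int
    direction: str            # "in" or "out"
    iface: str


@dataclass(frozen=True)
class Rule:
    num: int
    action: str               # "allow", "deny" or "divert"
    proto: str                # "ip", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None
    direction: Optional[str] = None
    iface: Optional[str] = None


def addr_matches(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(r: Rule, p: Pkt) -> bool:
    return (r.proto in ("ip", p.proto)
            and addr_matches(p.src, r.src) and addr_matches(p.dst, r.dst)
            and (r.dport is None or r.dport == p.dport)
            and (r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface))


def natd(p: Pkt) -> Pkt:
    """What natd does to a diverted packet: redirect_port for inbound web
    connections, the session table for replies, masquerading on the way out."""
    if p.direction == "in" and p.dst == PUBLIC:
        if p.proto == "tcp" and p.dport == 80:
            return replace(p, dst=WEB)
        if p.dport in SESSIONS:
            host, port = SESSIONS[p.dport]
            return replace(p, dst=host, dport=port)
    if p.direction == "out" and ip_address(p.src) in LAN:
        return replace(p, src=PUBLIC)
    return p


def evaluate(rules: List[Rule], p: Pkt) -> Tuple[str, List[int], Pkt]:
    """Return (final action, rule numbers that matched, packet as last seen)."""
    trace: List[int] = []
    for r in sorted(rules, key=lambda r: r.num):   # stable: equal numbers keep list order
        if not rule_matches(r, p):
            continue
        trace.append(r.num)
        if r.action == "divert":
            p = natd(p)                 # re-injected packet continues at the next rule
            continue
        return r.action, trace, p
    return "deny", trace + [65535], p   # ipfw's default rule, modelled as deny


# rc.local as first posted (keep-state dropped)
POSTED = [
    Rule(100, "allow", "ip", "205.6.7.8", PUBLIC),
    Rule(100, "allow", "ip", "201.1.2.3", PUBLIC),
    Rule(120, "deny", "ip", "any", PUBLIC),
    Rule(140, "divert", "ip", "any", PUBLIC, direction="in", iface="rl0"),
    Rule(150, "divert", "ip", "201.0.0.0", PUBLIC, direction="in", iface="rl0"),
    Rule(160, "divert", "ip", WEB, "any", direction="out", iface="rl0"),
]

# the reply's ordering: divert first, allows that also name the translated destination
REPLY = [
    Rule(140, "divert", "ip", "any", PUBLIC, direction="in", iface="rl0"),
    Rule(150, "divert", "ip", "201.0.0.0", PUBLIC, direction="in", iface="rl0"),
    Rule(160, "divert", "ip", WEB, "any", direction="out", iface="rl0"),
    Rule(170, "allow", "ip", "me", "any", direction="out", iface="rl0"),
    Rule(200, "allow", "ip", "205.6.7.8", PUBLIC, direction="in", iface="rl0"),
    Rule(201, "allow", "tcp", "205.6.7.8", WEB, dport=80, direction="in", iface="rl0"),
    Rule(210, "allow", "ip", "201.1.2.3", PUBLIC, direction="in", iface="rl0"),
    Rule(211, "allow", "tcp", "201.1.2.3", WEB, dport=80, direction="in", iface="rl0"),
    Rule(1000, "deny", "ip", "any", PUBLIC),
]

TRUSTED_WEB = Pkt("205.6.7.8", PUBLIC, "tcp", 80, "in", "rl0")       # trusted host to the web server
STRANGER_WEB = Pkt("198.51.100.7", PUBLIC, "tcp", 80, "in", "rl0")   # anyone else to the web server
NAT_REPLY = Pkt("198.51.100.9", PUBLIC, "tcp", 40000, "in", "rl0")   # reply to a NATed LAN connection
WEB_OUT = Pkt(WEB, "198.51.100.7", "tcp", 443, "out", "rl0")         # web server going out

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("reply", REPLY)):
        for p in (TRUSTED_WEB, STRANGER_WEB, NAT_REPLY, WEB_OUT):
            action, trace, final = evaluate(rules, p)
            print(f"{name:6} {p.src}->{p.dst}:{p.dport} {p.direction:3} {action:5} "
                  f"via {trace} final {final.src}->{final.dst}:{final.dport}")
```

The traces show why the reply reorders things: with the posted list, the trusted hosts are allowed at rule 100 before natd ever sees the packet, so it keeps 200.X.Y.Z as its destination and never reaches 10.0.0.211, and rule 120 drops every other packet addressed to 200.X.Y.Z, including replies to the LAN's own outbound connections, before natd can un-translate them. With the reply's list the web traffic is translated at 140 and then matched by the rules that name 10.0.0.211 80 (201 and 211), the un-translated reply no longer matches the final `deny ... to 200.X.Y.Z`, and the web server's outbound packets are masqueraded at 160 and pass at 170 as `from me`; anything that is to pass to the LAN after translation still needs an allow rule of its own after the divert, which the posted snippet does not include, so the model falls through to the default rule for it.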