From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 13 11:06:51 2008
Date: Mon, 13 Oct 2008 11:06:51 GMT
Message-Id: <200810131106.m9DB6pGw029458@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

47 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 15 09:45:57 2008
Message-ID: <424063004.07284@ustc.edu.cn>
From: "Lin Zhao"
To: freebsd-ipfw@freebsd.org
Date: Wed, 15 Oct 2008 17:30:04 +0800
Subject: pls help on 2 public ip

hi all

we have a simple network

                          |-------------|
 internal network---------|   freeBSD   |----------public network
          rl0/192.168.0.1 |-------------| fxp0/a.b.c.1
                                          a.b.c.2?

currently 192.168.0.0/24 is natd to a.b.c.1, and I want to use another public ip
(a.b.c.2) for some special websites, such as www.abc.com.

how can I configure the ipfw?
should I use an alias ip or another nic?

I'm a newbie to ipfw, thanks.

Lin Zhao

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 15 22:10:10 2008
Date: Wed, 15 Oct 2008 23:43:27 +0200
From: to.dev.null@gmx.de
Message-ID: <20081015214327.230570@gmx.net>
To: freebsd-ipfw@freebsd.org
Subject: Expiration of dynamic rules

Hello together,

I have a strange phenomenon with dynamic rules. I am using Mac OS X 10.5.5 and have disabled keepalive messages for dynamic rules:

net.inet.ip.fw.dyn_keepalive: 0

ruleset host1
...
check-state
allow tcp from me to any out setup keep-state
...

1.) host2: nc -k -l -p 1234
2.) host1: nc host2 1234
3.) dynamic rule with 300s gets created
4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it shows with flag -e))
5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host

After 5) that expired rule appeared again with 300s timeout and the firewall is again opened.

I would expect that an expired rule could not be reanimated. The reactivation of expired rules seems to stop after TCP FINs from both hosts are detected. Thus if the TCP disconnection was not successful there are some zombie rules which could be reanimated?!?

(also with keepalive you could reproduce it: TCP RST -> then there is no keepalive message and the dynamic rule expires but can be reanimated with 5))

Jerry
-- 
GMX launches ShortView.de. Find people who share your interests!
Join now: http://www.shortview.de/wasistshortview.php?mc=sv_ext_mf@gmx

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 16 02:11:36 2008
Message-ID: <48F6A160.901@localhost.inse.ru>
Date: Thu, 16 Oct 2008 06:05:20 +0400
From: Roman Kurakin
To: to.dev.null@gmx.de
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <20081015214327.230570@gmx.net>
Subject: Re: Expiration of dynamic rules

to.dev.null@gmx.de wrote:
> Hello together,
>
> i have a strange phenomenon with dynamic rules. I am using Mac OS X 10.5.5 and have disabled keepalive messages for dynamic rules:
>
> net.inet.ip.fw.dyn_keepalive: 0
>
> ruleset host1
> ...
> check-state
> allow tcp from me to any out setup keep-state
> ...
>
> 1.) host2: nc -k -l -p 1234
> 2.) host1: nc host2 1234
> 3.) dynamic rule with 300s gets created
> 4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it shows with flag -e))
> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
>
> After 5) that expired rule appeared again with 300s timeout and the firewall is again opened.
>
> I would expect that an expired rule could not be reanimated. The reactivation of expired rules seems to stop after TCP FINs from both hosts are detected. Thus if the TCP disconnection was not successful there are some zombie rules which could be reanimated?!?
>
IMHO if the connection starts over again it is a new connection. It is not the old one reanimated.
rik

> (also with keepalive you could reproduce it: TCP RST -> then there is no keepalive message and the dynamic rule expires but can be reanimated with 5))
>
> Jerry

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 16 07:48:18 2008
Date: Thu, 16 Oct 2008 18:34:46 +1100 (EST)
From: Ian Smith
To: Lin Zhao
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <424063004.07284@ustc.edu.cn>
Message-ID: <20081016174847.U4254@sola.nimnet.asn.au>
Subject: Re: pls help on 2 public ip

On Wed, 15 Oct 2008, Lin Zhao wrote:
> hi all
>
> we have a simple network
>
>                           |-------------|
>  internal network---------|   freeBSD   |----------public network
>           rl0/192.168.0.1 |-------------| fxp0/a.b.c.1
>                                           a.b.c.2?
>
> currently 192.168.0.0/24 is natd to a.b.c.1, and i want to use another public ip
> (a.b.c.2) for some special websites, such as www.abc.com.
>
> how can i configure the ipfw?
> should i use alias ip or another nic?

If a.b.c.2 is a separate box from a.b.c.1 you'll likely want a separate segment, ie on another nic. If the same box, you can use an fxp0 alias.

Looks like you could probably use a slightly modified 'simple' ruleset in rc.firewall as a starting point - though you'll want to enable ICMP (see examples in the 'workstation' rules) and probably replace 'me' with the specific a.b.c addresses in rules for the various services offered.

How is fxp0 connected to the public network? Via another router? Or eg PPPoE over ADSL? It may matter in terms of whether your uplink is via a single address - that is, is a.b.c.2 reachable directly from the public internet, or only via a.b.c.1? How many public IPs have you (netmask)?
cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 16 08:08:09 2008
Message-Id: <344A1282-4B6D-4600-B30B-3A01EFBAAC33@gmx.de>
From: Jerry
To: Roman Kurakin
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <48F6A160.901@localhost.inse.ru>
Date: Thu, 16 Oct 2008 10:08:05 +0200
Subject: Re: Expiration of dynamic rules

my rules only allow tcp out (host1 -> host2) connections:
>> allow tcp from me to any out setup keep-state
(me should denote host1)

But the nmap goes from host2 -> host1, which should be blocked by the firewall
>> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
(I've made a mistake, it should mean host1 instead of only host)

Thus it seems to be the old dynamic rule.

jerry

On 16.10.2008 at 04:05 Roman Kurakin wrote:
> to.dev.null@gmx.de wrote:
>> Hello together,
>>
>> i have a strange phenomenon with dynamic rules. I am using Mac OS X
>> 10.5.5 and have disabled keepalive messages for dynamic rules:
>>
>> net.inet.ip.fw.dyn_keepalive: 0
>>
>> ruleset host1
>> ...
>> check-state
>> allow tcp from me to any out setup keep-state
>> ...
>>
>> 1.) host2: nc -k -l -p 1234
>> 2.) host1: nc host2 1234
>> 3.) dynamic rule with 300s gets created
>> 4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it
>> shows with flag -e))
>> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
>>
>> After 5) that expired rule appeared again with 300s timeout and the
>> firewall is again opened.
>>
>> I would expect that an expired rule could not be reanimated. The
>> reactivation of expired rules seems to stop after TCP FINs from
>> both hosts are detected. Thus if the TCP disconnection was not
>> successful there are some zombie rules which could be reanimated?!?
>>
> IMHO if the connection starts over again it is a new
> connection. It is not the old one
> reanimated.
>
> rik
>> (also with keepalive you could reproduce it: TCP RST -> then there
>> is no keepalive message and the dynamic rule expires but can be
>> reanimated with 5))
>>
>> Jerry

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 16 10:33:19 2008
Date: Thu, 16 Oct 2008 21:33:16 +1100 (EST)
From: Ian Smith
To: freebsd-ipfw@freebsd.org
Message-ID: <20081016212110.T4254@sola.nimnet.asn.au>
Subject: Speaking of rc.firewall ..

I see that both HEAD and RELENG_7 rc.firewall have been updated for in-kernel NAT functionality, but only for the 'open' and 'client' rulesets.

Is there any (functional) reason that the ${firewall_nat_enable} case is not also included in the 'simple' rules, where its different placement is determined by being preceded and anteceded by anti-spoofing rules?

I'm also slightly bemused by the lack (still) of any rules to allow any ICMP (especially necessary icmptypes for MTU discovery) in 'simple'?

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 16 14:18:53 2008
From: Patrick Matters
To: to.dev.null@gmx.de
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <20081015214327.230570@gmx.net>
Message-Id: <7809E47C-7C44-43E3-A588-0C99D642FC6B@gmx.de>
Date: Thu, 16 Oct 2008 15:52:10 +0200
Subject: Re: Expiration of dynamic rules

Hello,

a real life example:

ruleset host1
...
00100 0 0 check-state
00101 0 0 allow tcp from me to any out setup keep-state
...

sysctl
net.inet.ip.fw.dyn_keepalive: 1
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_rst_lifetime: 3
net.inet.ip.fw.dyn_fin_lifetime: 3
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.static_count: 24
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.dyn_count: 237
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 2
net.inet.ip.fw.debug: 0
net.inet.ip.fw.one_pass: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.enable: 1

tcpdump
11:57:12.452517 IP host1.port1 > host2.80: S 4285172461:4285172461(0) win 65535
11:57:12.465820 IP host2.80 > host1.port1: S 4165668431:4165668431(0) ack 4285172462 win 5672
11:57:12.465951 IP host1.port1 > host2.80: . ack 1 win 65535
... some tcp ack and tcp ack,psh
11:57:12.703599 IP host2.80 > host1.port1: P 6629:7198(569) ack 721 win 112
11:57:12.703678 IP host1.port1 > host2.80: . ack 7198 win 65156
11:57:22.700872 IP host2.80 > host1.port1: F 7198:7198(0) ack 721 win 112
11:57:22.700997 IP host1.port1 > host2.80: . ack 7199 win 65535
12:02:07.529664 IP host1.port1 > host2.80: . ack 7199 win 0
12:02:07.529786 IP host1.port1 > host2.80: . ack 7199 win 65535
12:02:07.543323 IP host2.80 > host1.port1: R 4165675630:4165675630(0) win 0
12:02:07.545776 IP host2.80 > host1.port1: R 4165675630:4165675630(0) win 0

netstat
tcp4 0 0 host1.port1 host2.80 CLOSE_WAIT

CLOSE_WAIT means an established connection on host1 received a TCP FIN from host2 and host1 sent a TCP ACK to host2. Now host2 waits for a TCP FIN from host1.

After the TCP RST, netstat shows no TCP socket with port1 anymore.

'nmap -PN -n -S host2 -p port1 -e eth0 --source-port 80 --scanflags ack host1'
(it could be any tcp flag or combination of that)

The dynamic rule reopens with timeout 3s and disappears after the timeout.
I guess only a TCP FIN from host1 would stop the reappearing of the dynamic rule.

jerry

On 15.10.2008 at 23:43 to.dev.null@gmx.de wrote:
> Hello together,
>
> i have a strange phenomenon with dynamic rules. I am using Mac OS X
> 10.5.5 and have disabled keepalive messages for dynamic rules:
>
> net.inet.ip.fw.dyn_keepalive: 0
>
> ruleset host1
> ...
> check-state
> allow tcp from me to any out setup keep-state
> ...
>
> 1.) host2: nc -k -l -p 1234
> 2.) host1: nc host2 1234
> 3.) dynamic rule with 300s gets created
> 4.) dynamic rule expired after 300s (ipfw -d show: rule is gone (it
> shows with flag -e))
> 5.) nmap -PN -n -p ... --source-port 1234 --scanflags ack host
>
> After 5) that expired rule appeared again with 300s timeout and the
> firewall is again opened.
>
> I would expect that an expired rule could not be reanimated. The
> reactivation of expired rules seems to stop after TCP FINs from
> both hosts are detected. Thus if the TCP disconnection was not
> successful there are some zombie rules which could be reanimated?!?
>
> (also with keepalive you could reproduce it: TCP RST -> then there
> is no keepalive message and the dynamic rule expires but can be
> reanimated with 5))
>
> Jerry
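The reanimation described in this thread comes down to what the dynamic-rule table does with an entry whose timer has run out but which is still sitting in its bucket when a packet with the same 4-tuple arrives. The model below is an added example, not ipfw's code and not anything posted in the thread: it implements two lookup policies, "purge on lookup" and "keep an expired TCP entry until both sides have sent SYN and FIN" (the second is an assumption, chosen because it reproduces every observation above), uses the net.inet.ip.fw.dyn_* lifetimes quoted in the sysctl listing, and replays constructed packet sequences for the four cases discussed (no close, FIN from one side, RST, FIN from both sides). Host names, ports and timestamps are constructed.

```python
"""Model of keep-state dynamic rule expiry in the style of ipfw.

Added example, not ipfw's code and not from the thread. Two lookup policies
for expired TCP entries are modelled so that the behaviour reported above
(an expired entry coming back after a single out-of-state ACK from the peer)
can be reproduced offline. Lifetimes are the net.inet.ip.fw.dyn_* values
quoted in the thread; hosts, ports and packet timings are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# net.inet.ip.fw.dyn_* lifetimes as quoted in the thread (seconds).
DYN_SYN_LIFETIME = 20
DYN_ACK_LIFETIME = 300
DYN_FIN_LIFETIME = 3
DYN_RST_LIFETIME = 3

SYN, FIN, RST, ACK = "S", "F", "R", "A"   # flag letters used in the traces below
Key = Tuple[str, int, str, int]           # (src, sport, dst, dport)


@dataclass
class DynRule:
    key: Key                                     # 4-tuple of the packet that created the entry
    expire: int                                  # absolute expiry time (seconds)
    seen: Set[str] = field(default_factory=set)  # subset of fwd_syn/rev_syn/fwd_fin/rev_fin/rst

    def closed_both_sides(self) -> bool:
        return {"fwd_syn", "rev_syn", "fwd_fin", "rev_fin"} <= self.seen

    def lifetime(self) -> int:
        """Lifetime granted on each refresh, chosen by connection phase."""
        if "rst" in self.seen:
            return DYN_RST_LIFETIME
        if self.closed_both_sides():
            return DYN_FIN_LIFETIME
        if {"fwd_syn", "rev_syn"} <= self.seen:
            return DYN_ACK_LIFETIME              # established, or half-closed by one side
        return DYN_SYN_LIFETIME


class DynTable:
    """purge_on_lookup=True : an expired entry is discarded the moment a lookup touches it.
    purge_on_lookup=False: an expired TCP entry survives until both sides have sent SYN
    and FIN, and any matching packet refreshes it (ASSUMED policy; it reproduces the
    reanimation reported in the thread)."""

    def __init__(self, purge_on_lookup: bool) -> None:
        self.purge_on_lookup = purge_on_lookup
        self.rules: dict = {}                    # forward 4-tuple -> DynRule

    def install(self, now: int, src: str, sport: int, dst: str, dport: int, flags: str) -> DynRule:
        """Packet matched a static keep-state rule: create the dynamic entry."""
        rule = DynRule(key=(src, sport, dst, dport), expire=now)
        self.rules[rule.key] = rule
        self._refresh(rule, now, "fwd", flags)
        return rule

    def lookup(self, now: int, src: str, sport: int, dst: str, dport: int, flags: str) -> Optional[DynRule]:
        """check-state: return the (refreshed) entry matching this packet, or None."""
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in self.rules:
            rule, direction = self.rules[fwd], "fwd"
        elif rev in self.rules:
            rule, direction = self.rules[rev], "rev"
        else:
            return None
        if rule.expire <= now and (self.purge_on_lookup or rule.closed_both_sides()):
            del self.rules[rule.key]             # expired: drop it, the packet finds no state
            return None
        self._refresh(rule, now, direction, flags)
        return rule

    @staticmethod
    def _refresh(rule: DynRule, now: int, direction: str, flags: str) -> None:
        if SYN in flags:
            rule.seen.add(direction + "_syn")
        if FIN in flags:
            rule.seen.add(direction + "_fin")
        if RST in flags:
            rule.seen.add("rst")
        rule.expire = now + rule.lifetime()


H1, P1, H2, P2 = "host1", 54321, "host2", 1234   # constructed endpoints (the nc test above)


def run_scenario(closing: str, purge_on_lookup: bool) -> Optional[int]:
    """Handshake, the chosen close sequence, a long idle gap, then one
    out-of-state ACK from host2. Returns the remaining lifetime of the entry
    that ACK matched, or None when check-state found nothing."""
    t = DynTable(purge_on_lookup)
    t.install(0, H1, P1, H2, P2, SYN)            # host1 opens; matches 'allow tcp from me ... setup keep-state'
    t.lookup(0, H2, P2, H1, P1, SYN + ACK)
    t.lookup(0, H1, P1, H2, P2, ACK)
    if closing in ("one_fin", "rst", "both_fin"):
        t.lookup(10, H2, P2, H1, P1, FIN + ACK)  # host2 closes its side; host1 sits in CLOSE_WAIT
        t.lookup(10, H1, P1, H2, P2, ACK)
    if closing == "both_fin":
        t.lookup(11, H1, P1, H2, P2, FIN + ACK)  # host1 closes too
        t.lookup(11, H2, P2, H1, P1, ACK)
    if closing == "rst":
        t.lookup(295, H2, P2, H1, P1, RST)       # host2 resets before the 300 s timer runs out
    now = 1000                                   # every lifetime has long expired
    rule = t.lookup(now, H2, P2, H1, P1, ACK)    # stray ACK carrying the old 4-tuple
    return None if rule is None else rule.expire - now


if __name__ == "__main__":
    for closing in ("none", "one_fin", "rst", "both_fin"):
        print(f"{closing:9s} purge-on-lookup: {run_scenario(closing, True)!s:5} "
              f"keep-until-closed: {run_scenario(closing, False)!s}")
```

Run stand-alone, the table shows that only the retaining policy lets a stray ACK recreate the entry, that the entry comes back with 300 s after a half-close and with 3 s after an RST (the two timeouts reported in this thread), and that both policies refuse once FINs from both sides have been seen. The defensive point is the one Jerry makes: for a stateful allow rule, an expired entry has to be unreachable by lookup, not merely hidden from `ipfw show`.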
From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 16 18:24:46 2008
Date: Fri, 17 Oct 2008 05:24:43 +1100 (EST)
From: Ian Smith
To: freebsd-ipfw@freebsd.org
In-Reply-To: <20081016212110.T4254@sola.nimnet.asn.au>
Message-ID: <20081017045034.A4254@sola.nimnet.asn.au>
Subject: Re: Speaking of rc.firewall ..

On Thu, 16 Oct 2008, Ian Smith wrote:
> I see that both HEAD and RELENG_7 rc.firewall have been updated for in-
> kernel NAT functionality, but only for the 'open' and 'client' rulesets.
>
> Is there any (functional) reason that the ${firewall_nat_enable} case is
> not also included in the 'simple' rules, where its different placement
> is determined by being preceded and anteceded by anti-spoofing rules?
>
> I'm also slightly bemused by the lack (still) of any rules to allow any
> ICMP (especially necessary icmptypes for MTU discovery) in 'simple'?

To put my patch where my mouth is, assuming that the answer to my first question is likely 'no', this is against the present RELENG_7 version. It addresses the second (ICMP) issue for 'client' and 'simple', and I see no harm in enabling outbound pings for such out-of-the-box setups?

Hope this format's useful (just diff -u), and also that inline is ok.

cheers, Ian

--- rc.firewall.1.52.2.3	Fri Oct 17 01:34:56 2008
+++ rc.firewall	Fri Oct 17 04:27:36 2008
@@ -116,15 +116,14 @@ # will then be run again on each packet after translation by natd # starting at the rule number following the divert rule. # -# For ``simple'' firewall type the divert rule should be put to a +# For ``simple'' firewall type the divert rule is included in a # different place to not interfere with address-checking rules. # -case ${firewall_type} in -[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt]) +setup_nat () { case ${natd_enable} in [Yy][Ee][Ss]) if [ -n "${natd_interface}" ]; then - ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface} + ${fwcmd} add $1 divert natd ip4 from any to any via ${natd_interface} fi ;; esac @@ -138,11 +137,11 @@ firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}" fi ${fwcmd} nat 123 config log ${firewall_nat_flags} - ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface} + ${fwcmd} add $1 nat 123 ip4 from any to any via ${firewall_nat_interface} fi ;; esac -esac +} ############ # If you just configured ipfw in the kernel as a tool to solve network @@ -157,6 +156,7 @@ # case ${firewall_type} in [Oo][Pp][Ee][Nn]) + setup_nat 50 ${fwcmd} add 65000 pass all from any to any ;; @@ -172,6 +172,8 @@ # set this to your local network net="$firewall_client_net" + setup_nat 50 + # Allow any traffic to or from my own net. ${fwcmd} add pass all from me to ${net} ${fwcmd} add pass all from ${net} to me @@ -197,6 +199,12 @@ # Allow NTP queries out in the world ${fwcmd} add pass udp from me to any 123 keep-state + # Allow outbound pings + ${fwcmd} add pass icmp from me to any out icmptypes 8 keep-state + + # Allow essential ICMP: unreachable, source quench, TTL exceeded + ${fwcmd} add pass icmp from any to any icmptypes 3,4,11 + # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel # config file. 
@@ -248,13 +256,7 @@ # translated by natd(8) would match the `deny' rule above. Similarly # an outgoing packet originated from it before being translated would # match the `deny' rule below. - case ${natd_enable} in - [Yy][Ee][Ss]) - if [ -n "${natd_interface}" ]; then - ${fwcmd} add divert natd all from any to any via ${natd_interface} - fi - ;; - esac + setup_nat # Stop RFC1918 nets on the outside interface ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif} @@ -298,6 +300,12 @@ # Allow NTP queries out in the world ${fwcmd} add pass udp from me to any 123 keep-state + + # Allow outbound pings from our net + ${fwcmd} add pass icmp from any to any out icmptypes 8 keep-state + + # Allow essential ICMP: unreachable, source quench, TTL exceeded + ${fwcmd} add pass icmp from any to any icmptypes 3,4,11 # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
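Review bot: in the first hunk (`setup_nat () {`) the new function takes the rule number as `$1`, but the comment above it still only explains placement and says nothing about the argument, while the 'simple' branch later calls `setup_nat` with no argument at all, so `${fwcmd} add $1 divert natd ip4 ...` depends on an unquoted empty `$1` vanishing to produce an auto-numbered rule. Add a line such as `# setup_nat [rulenum]: install the natd divert or in-kernel nat rule; auto-numbered if rulenum is omitted` above the function, so the empty-argument call reads as intentional and nobody later quotes `$1` and emits `add "" divert`.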
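Review bot: in the 'client' ICMP hunk (`@@ -197,6 +199,12 @@`), `pass icmp from any to any icmptypes 3,4,11` is deliberately stateless and bidirectional (PMTU discovery needs the inbound type 3 "fragmentation needed" message even when no dynamic entry exists for the flow), but the comment only lists the types; say that the rule must stay inbound and stateless so the next person tidying the ruleset does not add `out` or `keep-state` and silently break MTU discovery. Limiting the echo rule to `from me` fits 'client' as a single-host ruleset.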
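Review bot: the removed block in the 'simple' NAT hunk (`@@ -248,13 +256,7 @@`) installed `divert natd all from any to any via ${natd_interface}` with no rule number, while `setup_nat` called with no argument now installs `divert natd ip4 from any to any via ...` (auto-numbered) and, when `firewall_nat_enable` is set, the `nat 123` rule as well. `all` to `ip4` is reasonable for natd, which only translates IPv4, and the in-kernel nat addition is the point of the patch, but both are behaviour changes for 'simple' that neither the hunk nor the surrounding comment records; extend the comment that ends "would match the `deny' rule below." with one sentence stating that 'simple' now receives the same ip4 divert/nat rules as 'open' and 'client'.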
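Review bot: in the 'simple' ICMP hunk (`@@ -298,6 +300,12 @@`), `pass icmp from any to any out icmptypes 8 keep-state` is evaluated after the divert/nat rule that `setup_nat` installs earlier in the same ruleset, so for a ping from an inside host the dynamic entry is created from the already-translated (public) source address, while the echo reply is translated back to the private address before it reaches the dynamic-rule check. Please confirm with natd or in-kernel nat enabled that the reply really matches the keep-state entry; if it does not, an explicit `pass icmp from any to any in icmptypes 0` (or placing the echo rule ahead of the nat rule) is needed, otherwise replies to inside hosts fall through to the default deny.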
From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 17 07:15:25 2008
Message-ID: <48F83739.2090800@homei.net.ua>
Date: Fri, 17 Oct 2008 09:56:57 +0300
From: Anatoliy
To: freebsd-ipfw@freebsd.org
Reply-To: e9@homei.net.ua
In-Reply-To: <20081017045034.A4254@sola.nimnet.asn.au>
Subject: ipfw rules optimising

Greetings to all.

I have a problem optimising ipfw rules.
When I started to search for a solution there were some questions:
how is it possible to find out how much load this or that rule gives, or all of them as a whole?
Suggest how it is better to do this in practice?
Also it would be desirable to learn how the quantity of dynamic pipes influences productivity, how many calculations occur in a second, etc.
Are there any sysctl variables displaying this information, directly or by implication?

thnx, and sorry for bad English.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 17 11:43:09 2008
Message-ID: <48F8743B.8050605@elischer.org>
Date: Fri, 17 Oct 2008 19:17:15 +0800
From: Julian Elischer User-Agent: Thunderbird 2.0.0.17 (Macintosh/20080914) MIME-Version: 1.0 To: e9@homei.net.ua References: <20081016212110.T4254@sola.nimnet.asn.au> <20081017045034.A4254@sola.nimnet.asn.au> <48F83739.2090800@homei.net.ua> In-Reply-To: <48F83739.2090800@homei.net.ua> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw rules optimitsing X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Oct 2008 11:43:09 -0000

Anatoliy wrote:
> Greetings to all.
>
> I have a problem optimising ipfw rules. When I started searching for a
> solution, some questions came up: how is it possible to find out how much
> load this or that rule, or the whole ruleset, creates? What is the best
> way to do this in practice? It would also be desirable to learn how the
> number of dynamic pipes affects performance, how many calculations per
> second occur, and so on. Is there some sysctl variable that displays this
> information, directly or indirectly?
>
> Thanks, and sorry for my bad English.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

This sounds like something that would be a useful project (to profile ipfw).

You could try kernel bb profiling, if it still works, or you could try other ways to work it out.

So far we do not have this information, so if you do it we would be very interested.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 17 16:56:04 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1A6861065693 for ; Fri, 17 Oct 2008 16:56:04 +0000 (UTC) (envelope-from e9@homei.net.ua) Received: from main.merlin.com.ua (mail.onetelecom.od.ua [91.194.72.4]) by mx1.freebsd.org (Postfix) with ESMTP id B3DD78FC2A for ; Fri, 17 Oct 2008 16:56:03 +0000 (UTC) (envelope-from e9@homei.net.ua) Received: from [192.168.67.95] (unknown [192.168.67.95]) by main.merlin.com.ua (Postmaster) with ESMTP id E271616A770; Fri, 17 Oct 2008 19:57:10 +0300 (EEST) Message-ID: <48F8C3A0.1000906@homei.net.ua> Date: Fri, 17 Oct 2008 19:56:00 +0300 
From: Anatoliy User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: Julian Elischer References: <20081016212110.T4254@sola.nimnet.asn.au> <20081017045034.A4254@sola.nimnet.asn.au> <48F83739.2090800@homei.net.ua> <48F8743B.8050605@elischer.org> In-Reply-To: <48F8743B.8050605@elischer.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw rules optimitsing X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: e9@homei.net.ua List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Oct 2008 16:56:04 -0000

Julian Elischer wrote:
> Anatoliy wrote:
>> Greetings to all.
>>
>> I have a problem optimising ipfw rules. When I started searching for a
>> solution, some questions came up: how is it possible to find out how much
>> load this or that rule, or the whole ruleset, creates? What is the best
>> way to do this in practice? It would also be desirable to learn how the
>> number of dynamic pipes affects performance, how many calculations per
>> second occur, and so on. Is there some sysctl variable that displays this
>> information, directly or indirectly?
>>
>> Thanks, and sorry for my bad English.
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
> This sounds like something that would be a useful project (to profile ipfw).
>
> You could try kernel bb profiling, if it still works, or you could try
> other ways to work it out.

Where can I read about this "bb profiling"?

> So far we do not have this information, so if you do it we would be
> very interested.

At the moment I use a simple sh script, but it does not give me everything I need ...
------ Script ------
[ ~/util]# cat ipfw_load.sh
#!/bin/sh
# Once per second: total ipfw matches/s, number of rules that fired in the
# most recent second, dummynet search counters, pf counters and CPU load.

# Sum the packet counters of all static rules.  Stop at the "## Dynamic
# rules" header: a dynamic entry also bumps its parent rule's counters, so
# adding the dynamic entries would count those packets twice.  A packet
# that hits several rules (count, skipto, ...) is counted once per rule,
# hence "match/s" rather than pps.
ipfw_matches() {
    ipfw show | awk '/^## Dynamic/ { exit } $1 ~ /^[0-9]+$/ { s += $2 } END { print s + 0 }'
}

# Number of static rules whose last-match timestamp (ipfw -T prints it in
# field 4 as seconds since the epoch) equals the newest timestamp seen,
# i.e. the rules that fired in the latest second.  One awk pass replaces
# the predictable temp file under /tmp and the unanchored grep, which
# would also have matched timestamps containing the maximum as a substring.
ipfw_active_rules() {
    ipfw -T show | awk '
        /^## Dynamic/ { exit }
        $1 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { next }
        $4 > max  { max = $4; n = 0 }
        $4 == max { n++ }
        END { print n + 0 }'
}

header() {
    printf "\n IPFW match/s\t act/s\t d_steps\t d_searches\t PFnat searches match\t\t CPU sys intrpt idle \n"
}

header
n=0
while :
do
    FW_ACT=`ipfw_active_rules`                                     # rules active in the latest second
    val1_rs=`ipfw_matches`                                         # matches so far
    val1_dnet_stps=`sysctl -n net.inet.ip.dummynet.search_steps`   # dummynet search steps so far
    val1_snet_searchs=`sysctl -n net.inet.ip.dummynet.searches`    # dummynet searches so far
    sleep 1
    val2_rs=`ipfw_matches`                                         # same three counters 1 s later
    val2_dnet_stps=`sysctl -n net.inet.ip.dummynet.search_steps`
    val2_snet_searchs=`sysctl -n net.inet.ip.dummynet.searches`
    MPS=$(($val2_rs - $val1_rs))                            # matches per second
    DSTPSPS=$(($val2_dnet_stps - $val1_dnet_stps))          # dummynet search steps per second
    DSRCHSPS=$(($val2_snet_searchs - $val1_snet_searchs))   # dummynet searches per second
    # Second of two 1-second iostat reports.  The cpu columns (us ni sy in id)
    # are always the last five fields, whatever devices iostat lists, so
    # sys/intr/idle are the last three.
    CPU_LD=`iostat -c 2 | awk 'END { print $(NF-2), $(NF-1), $NF }'`
    # pf state-table "searches" and filter "match" rates.  pfctl -si prints
    # counter/uptime, i.e. an average since pf was enabled, not a rate over
    # the last second like the ipfw and dummynet columns.
    PFNAT=`pfctl -si | grep -wE "searches|match" | sed 's:/s::' | awk '{print $3}' | tr '\n' ' '`
    if [ $n -eq 10 ]; then
        n=0
        header
    fi
    printf "${MPS}\t\t ${FW_ACT}\t ${DSTPSPS}\t\t ${DSRCHSPS}\t\t ${PFNAT}\t ${CPU_LD} \n"
    n=$(($n + 1))
done
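The script above reports aggregate load; the first message also asked how much load "this or that rule" creates. The following is an added example written for this thread, not code from the original posting: it takes two snapshots of `ipfw show` output a known number of seconds apart and prints the match rate of every static rule, busiest first. It assumes the 7.x ipfw(8) listing layout (rule number, packet count, byte count, rule body, with dynamic entries after a "## Dynamic rules" header); the two sample listings embedded in it are constructed, not captured from a real host, and the script name and the `live` argument are this example's own.

```shell
#!/bin/sh
# Added example for this thread (not part of the original posting):
# per-rule ipfw match rate from two snapshots of `ipfw show` output.
# Assumes the 7.x listing layout "<rulenum> <pkts> <bytes> <rule body>",
# with dynamic entries listed after a "## Dynamic rules" header.

# rule_deltas BEFORE AFTER INTERVAL
#   BEFORE and AFTER are two `ipfw show` listings taken INTERVAL seconds
#   apart.  Prints "rulenum matches/s rule-body", busiest rule first.
#   Only static rules are counted: a dynamic entry also bumps its parent
#   rule's counters, so counting the entry again would double count.
rule_deltas() {
    { printf '%s\n' "$1"; echo '%%SNAP%%'; printf '%s\n' "$2"; } |
    awk -v iv="${3:-1}" '
        /^%%SNAP%%$/            { second = 1; dyn = 0; next }
        /^## Dynamic/           { dyn = 1; next }
        dyn || $1 !~ /^[0-9]+$/ { next }
        !second                 { before[$1] = $2; next }
        {
            body = $0
            sub(/^[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+/, "", body)
            d = $2 - before[$1]
            if (d < 0) d = $2        # counters were zeroed between the samples
            printf "%s %.1f %s\n", $1, d / iv, body
        }' | sort -k2,2 -rn
}

# Live use on the firewall itself (needs root): sample the running ruleset.
sample_live() {
    iv=${1:-5}
    a=`ipfw show`
    sleep "$iv"
    b=`ipfw show`
    rule_deltas "$a" "$b" "$iv"
}

# Constructed sample listings (not captured from a real host), 5 s apart.
SNAP_A='00100 1200 96000 allow ip from any to any via lo0
00200 5 300 deny ip from any to 127.0.0.0/8
00300 40000 52000000 allow tcp from any to any established
00400 900 72000 allow tcp from any to me dst-port 22
65535 12 720 deny ip from any to any
## Dynamic rules (1 1):
00400 900 72000 (300s) STATE tcp 10.0.0.5 40000 <-> 10.0.0.1 22'
SNAP_B='00100 1250 100000 allow ip from any to any via lo0
00200 5 300 deny ip from any to 127.0.0.0/8
00300 45000 58500000 allow tcp from any to any established
00400 1000 80000 allow tcp from any to me dst-port 22
65535 12 720 deny ip from any to any
## Dynamic rules (1 1):
00400 1000 80000 (299s) STATE tcp 10.0.0.5 40000 <-> 10.0.0.1 22'

case "${1:-}" in
    live) sample_live "${2:-5}" ;;              # ./ipfw_rule_load.sh live [seconds]
    *)    rule_deltas "$SNAP_A" "$SNAP_B" 5 ;;  # dry run on the constructed listings
esac
```

Run without arguments it works through the constructed listings and prints rule 00300 at 1000.0 matches/s, 00400 at 20.0 and 00100 at 10.0, with the two rules that saw no traffic at 0.0; run as `live` on a FreeBSD host it samples the real ruleset. Because ipfw evaluates rules in order, a busy rule that sits low in the list is the one worth moving up or protecting with a `skipto`, and a rule that shows 0.0 over a long interval is a candidate for removal; the dynamic section is skipped deliberately, since its counters are already reflected in the parent rule.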