From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 27 11:07:15 2008
Delivered-To: freebsd-ipfw@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 585121065671; Mon, 27 Oct 2008 11:07:15 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 453478FC1B; Mon, 27 Oct 2008 11:07:15 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id m9RB7FhL001978; Mon, 27 Oct 2008 11:07:15 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id m9RB7EWJ001974 for freebsd-ipfw@FreeBSD.org; Mon, 27 Oct 2008 11:07:14 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 27 Oct 2008 11:07:14 GMT
Message-Id: <200810271107.m9RB7EWJ001974@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 27 Oct 2008 11:07:15 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/128260  ipfw  [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw  [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw  [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw  [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw  [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw  [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw  [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw  [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw  [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw  [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw  [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw  [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw  [ipfw][patch] unify message and add a rule number wher
o bin/115172   ipfw  [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw  [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw  [ipfw][patch] Addition actions with rules within speci
o kern/112708  ipfw  [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw  [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw  [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw  [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw  [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/95084   ipfw  [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw  [ipfw] ipfw pipe lost packets
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw  [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw  [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw  [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau

48 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 27 13:58:31 2008 (envelope-from leander.schaefer@googlemail.com)
From: "Leander S."
Date: Mon, 27 Oct 2008 14:58:26 +0100
To: freebsd-ipfw@freebsd.org
Subject: Portforwarding - still the same issue
Message-ID: <4905C902.9040306@googlemail.com>
User-Agent: Thunderbird 2.0.0.17 (Macintosh/20080914)

Roman Kurakin schrieb:
> John Hay wrote:
>> On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
>>
>>> Hi,
>>>
>>> I'm trying to set up something like a HotSpot. The goal is to force
>>> unregistered users to get redirected to the captive portal site where
>>> they'll be able to agree to my licence terms and get some information
>>> ... etc. ...
>>>
>>> So the fact is I need an IPFW rule which forwards port 80, 443, 8080
>>> traffic to another port, i.e. 8080 --> where my Apache will already
>>> wait to serve the captive portal site back to the request.
>>>
>>> So I did read the man page and saw something like the fwd rule and the
>>> kernel option for it - so I added the option, recompiled the kernel
>>> and gave my firewall the following fwd rule in an extra script:
>>>
>>> ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any
>>> 80,443,8080 in via ${LAN_if}
>>>
> Try to make the rule stateful, e.g. add 'setup keep-state'. Also add
> some logging in the rule
> and add an additional deny with logging as the last rule.

Oh-oh ... Can't log right now - have to recompile the kernel before ... sorry.

>> You have to catch it where it is going out and not in. Fwd only works
>> when packets are out bound.

I don't think so ?! And what sense would it make? Because think twice ... I want to fwd incoming HTTP:80 packets to make them look like HTTP:8080 packets ... the outgoing ones are uninteresting because it's apache's job to send back website data on port 8080 where it's listening anyway.

>>
> But this is how it works for me:
>
> ipfw fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24
> to 172.22.4.254 dst-port 3128 setup in via vr0 keep-state
>
> rik
>> John
>>

I tried:

[...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me dst-port 80 setup in via ath0 keep-state

as well as this one too:

[...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me src-port 80 dst-port 8080 setup in via ath0 keep-state

^^
But sadly without success - "root$ ipfw show" doesn't even show me at least one packet going through .... not even blocked ones ... 0 0 ;-)

But here is my scenario again:

127.0.0.1 is my FreeBSD machine where IPFW acts and Apache22 listens on port 8080.

192.1.1.0/24 is the ath0 interface where wireless clients will try to click http://google:80 BUT accidentally should be forwarded & run into my portal site:8080
192.1.1.1 is the interface's IP address. 192.1.1.1:8080 as well as 127.0.0.1:8080 would also bring you to the portal site.

Regards,

Leander

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 27 13:58:42 2008 (envelope-from leander.schaefer@googlemail.com)
From: "Leander S."
Date: Mon, 27 Oct 2008 14:58:36 +0100
To: freebsd-ipfw@freebsd.org
Subject: Portforwarding - still the same issue
Message-ID: <4905C90C.40506@googlemail.com>
User-Agent: Thunderbird 2.0.0.17 (Macintosh/20080914)

Another question would be whether it is necessary to open port 80 specifically before doing some fwd .. or does the fwd command also open port 80? I'm just not sure whether port 80 is opened twice - which wouldn't make sense ...

### HTTP Traffic forwarding to Apache:8080
${fwcmd} add 21200 allow tcp from any to ${LAN_IP} 80 in via ${LAN_if}
${fwcmd} add 21300 allow tcp from any to ${LAN_IP} 8080 in via ${LAN_if}
${fwcmd} add 21400 fwd ${LAN_IP},8080 tcp from ${LAN} to me 80 setup in via ${LAN_if} keep-state

root ~ # ipfw show
20100     8    4416 allow ip from any to any via lo0
20200     0       0 deny ip from any to 127.0.0.0/8
20300     0       0 deny ip from 127.0.0.0/8 to any
20400    40    4608 allow ip from any to any via msk0
20600     0       0 divert 8668 ip from any to any via msk0
20700     0       0 allow icmp from 192.1.1.0/24 to 192.1.1.0/24 icmptypes 0,8
20800     0       0 allow tcp from any to 192.1.1.1 dst-port 1723 in via ath0
20900     0       0 allow gre from any to 192.1.1.0/24
21000     0       0 allow gre from 192.1.1.0/24 to any
21100     0       0 allow gre from 192.1.1.0/24 to any out via ath0
21200   450   38013 allow tcp from any to 192.1.1.1 dst-port 80 in via ath0
21300    79   23633 allow tcp from any to 192.1.1.1 dst-port 8080 in via ath0
21400     0       0 fwd 192.1.1.1,8080 tcp from 192.1.1.0/24 to me dst-port 80 setup in via ath0 keep-state
21500   904 1243836 allow ip from any to any out via ath0
65535  5922  575146 deny ip from any to any
root ~ #
root ~ # sockstat | grep 8080
www      httpd      6413  5  tcp46  *:8080                *:*
www      httpd      6390  5  tcp46  *:8080                *:*
www      httpd      6389  5  tcp46  *:8080                *:*
www      httpd      6388  5  tcp46  *:8080                *:*
www      httpd      6384  5  tcp46  *:8080                *:*
www      httpd      1459  5  tcp46  *:8080                *:*
www      httpd      840   5  tcp46  *:8080                *:*
www      httpd      839   5  tcp46  *:8080                *:*
www      httpd      838   5  tcp46  *:8080                *:*
www      httpd      837   5  tcp46  *:8080                *:*
root     httpd      751   5  tcp46  *:8080                *:*
root ~ #

Btw.: IPFW and everything else is compiled statically into the FreeBSD kernel - NO_MODULES=YES

Regards,

Leander
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 27 16:33:16 2008 (envelope-from julian@elischer.org)
From: Julian Elischer
Date: Mon, 27 Oct 2008 09:33:15 -0700
To: "Leander S."
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Portforwarding - still the same issue
Message-ID: <4905ED4B.7040007@elischer.org>
In-Reply-To: <4905C902.9040306@googlemail.com>
References: <4905C902.9040306@googlemail.com>

Leander S. wrote:
> Roman Kurakin schrieb:
>> John Hay wrote:
>>> On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm trying to set up something like a HotSpot. The goal is to force
>>>> unregistered users to get redirected to the captive portal site where
>>>> they'll be able to agree to my licence terms and get some information
>>>> ... etc. ...
>>>>
>>>> So the fact is I need an IPFW rule which forwards port 80, 443, 8080
>>>> traffic to another port, i.e. 8080 --> where my Apache will already
>>>> wait to serve the captive portal site back to the request.
>>>>
>>>> So I did read the man page and saw something like the fwd rule and the
>>>> kernel option for it - so I added the option, recompiled the kernel
>>>> and gave my firewall the following fwd rule in an extra script:
>>>>
>>>> ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any
>>>> 80,443,8080 in via ${LAN_if}
>>>>
>> Try to make the rule stateful, e.g. add 'setup keep-state'. Also add
>> some logging in the rule
>> and add an additional deny with logging as the last rule.
> Oh-oh ... Can't log right now - have to recompile the kernel before ...
> sorry.
>>> You have to catch it where it is going out and not in. Fwd only works
>>> when packets are out bound.

I think you can forward an incoming packet out again.. I am sure I have done that.

> I don't think so ?! And what sense would it make? Because think twice
> ... I want to fwd incoming HTTP:80 packets to make them look like
> HTTP:8080 packets ... the outgoing ones are uninteresting because it's
> apache's job to send back website data on port 8080 where it's listening
> anyway.
>>>
>> But this is how it works for me:
>>
>> ipfw fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24
>> to 172.22.4.254 dst-port 3128 setup in via vr0 keep-state
>>
>> rik
>>> John
>>>
> I tried:
>
> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me dst-port 80 setup
> in via ath0 keep-state
>
> as well as this one too:
>
> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me src-port 80
> dst-port 8080 setup in via ath0 keep-state
>
> ^^
> But sadly without success - "root$ ipfw show" doesn't even show me at
> least one packet going through .... not even blocked ones ... 0 0 ;-)
>
>

What version of FreeBSD.. forwarding was crippled in an early 6.x revision I think. You needed to add another option as well.

>
>
> But here is my scenario again:
>
> 127.0.0.1 is my FreeBSD machine where IPFW acts and Apache22 listens on
> port 8080.
>
> 192.1.1.0/24 is the ath0 interface where wireless clients will try to
> click http://google:80 BUT accidentally should be forwarded & run into my
> portal site:8080
> 192.1.1.1 is the interface's IP address. 192.1.1.1:8080 as well as
> 127.0.0.1:8080 would also bring you to the portal site.
>
>
> Regards,
>
> Leander
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 27 16:56:08 2008 (envelope-from david@catwhisker.org)
From: David Wolfskill
Date: Mon, 27 Oct 2008 09:44:52 -0700
To: ipfw@freebsd.org
Subject: Any plans or desire for "bulk addition" to tables?
Message-ID: <20081027164452.GC69155@bunrab.catwhisker.org>
User-Agent: Mutt/1.4.2.1i
Reply-To: ipfw@freebsd.org, David Wolfskill

On my systems that are directly connected to a network not known to be relatively "safe," I use ipfw a fair bit.

Of late, I've taken to augmenting the usual rules that are sensitive to specific ports and the like with (early) rules that check certain ipfw tables; they are used in the following way:

* Traffic where an endpoint is found in table 1 is blocked. Period.

* Traffic where the source address is in table 2 is not permitted to initiate a 22/tcp connection.

* Traffic where the source address is in table 3 is not permitted to initiate a 80/tcp or a 443/tcp connection.

Reasons for the above are somewhat off-topic for the list; I'll merely comment that they have to do with perceived failure to respond to observed attempts at abuse: I will protect my networks.

In any case, I've cobbled up a moderately complex mechanism for maintaining the tables in question, and table 1 (in particular) has grown to be rather large:

d254(8.0-C)[1] sudo ipfw table 1 list | wc -l
Password:
11230
d254(8.0-C)[2] ^1^2
sudo ipfw table 2 list | wc -l
1743
d254(8.0-C)[3] ^2^3
sudo ipfw table 3 list | wc -l
50
d254(8.0-C)[4]

Unfortunately, the only way I've found to populate a given table is to issue

ipfw table ${table} add ${netblock}

for each "netblock" in the table (assuming that I don't care about the optional "value" parameter -- which I haven't found a use for).

Issuing something on the order of 13K "ipfw table ... add" commands during the single- to multi-user transition tends to slow down the effective boot time a bit -- especially when I'm booting up CURRENT on my laptop (with WITNESS & INVARIANTS specified).

Would some way to teach ipfw(8) how to perform some sort of "bulk add" of a bunch of table entries in a single command invocation be of interest to anyone else?

Please include my address on responses, as I'm not subscribed to -ipfw@. (I've tweaked Reply-To to provide an MUA hint.)

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
-0700 From: Julian Elischer User-Agent: Thunderbird 2.0.0.17 (Macintosh/20080914) MIME-Version: 1.0 To: ipfw@freebsd.org, David Wolfskill References: <20081027164452.GC69155@bunrab.catwhisker.org> In-Reply-To: <20081027164452.GC69155@bunrab.catwhisker.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: Any plans or desire for "bulk addition" to tables? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Oct 2008 17:24:47 -0000 David Wolfskill wrote: > On my systems that are directly connected to network not known to be > relatively "safe," I use ipfw a fair bit. > > Of late, I've taken to augmenting the usual rules that are sensitive to > specific ports and the like with (early) rules that check certain ipfw > tables; they are used in the following way: > > * Traffic where an endpoint is found in table 1 is blocked. Period. > > * Traffic where the source address is in table 2 is not permitted to > initiate a 22/tcp connection. > > * Traffic where the source address is in table 3 is not permitted to > initiate a 80/tcp or a 443/tcp connection. > > Reasons for the above are somewhat off-topic for the list; I'll merely > comment that they have to do with perceived failure to respond to > observed attempts at abuse: I will protect my networks. 
>
> In any case, I've cobbled up a moderately complex mechanism for
> maintaining the tables in question, and table 1 (in particular) has
> grown to be rather large:
>
> d254(8.0-C)[1] sudo ipfw table 1 list | wc -l
> Password:
>    11230
> d254(8.0-C)[2] ^1^2
> sudo ipfw table 2 list | wc -l
>     1743
> d254(8.0-C)[3] ^2^3
> sudo ipfw table 3 list | wc -l
>       50
> d254(8.0-C)[4]
>
> Unfortunately, the only way I've found to populate a given table is to
> issue
>
>     ipfw table ${table} add ${netblock}

You can read in a file of entries, i.e.

    ipfw -q filename

where each line is of the form

    table N add IP VAL

This increases the speed many times, as you are not starting ipfw(1) for
each entry.

> for each "netblock" in the table (assuming that I don't care about the
> optional "value" parameter -- which I haven't found a use for).

Oh, I have lots of use for that...

> Issuing something on the order of 13K "ipfw table ... add" commands
> during the single- to multi-user transition tends to slow down the
> effective boot time a bit -- especially when I'm booting up CURRENT on
> my laptop (with WITNESS & INVARIANTS specified).

I add many thousands using the method described above and it takes a
second or so.

You can alternatively do:

    myscript | ipfw -q /dev/stdin

where 'myscript' generates the values.

> Would some way to teach ipfw(8) how to perform some sort of "bulk add"
> of a bunch of table entries in a single command invocation be of
> interest to anyone else?
>
> Please include my address on responses, as I'm not subscribed to -ipfw@.
> (I've tweaked Reply-To to provide an MUA hint.)
>
> Peace,
> david

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 27 21:39:31 2008
Date: Mon, 27 Oct 2008 22:39:28 +0100
From: "Leander S."
To: freebsd-ipfw@freebsd.org
Subject: Re: Portforwarding - still the same issue
Message-ID: <49063510.3070102@gmx.net>
In-Reply-To: <4905ED4B.7040007@elischer.org>
References: <4905C902.9040306@googlemail.com> <4905ED4B.7040007@elischer.org>

Julian Elischer wrote:
> Leander S. wrote:
>> Roman Kurakin wrote:
>>> John Hay wrote:
>>>> On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to set up something like a HotSpot.
>>>>> The goal is to force unregistered users to get redirected to the
>>>>> Captive Portal site, where they'll be able to agree to my licence
>>>>> terms and get some information ... etc. ...
>>>>>
>>>>> So the fact is I need an IPFW rule which forwards port 80,443,8080
>>>>> traffic to another port, i.e. 8080 --> where my Apache will already
>>>>> wait for serving the Captive Portal site back to the request.
>>>>>
>>>>> So I did read the man page and saw something like the fwd rule and
>>>>> the kernel option for it - so I added the option, recompiled the
>>>>> kernel and gave my firewall the following fwd rule in an extra
>>>>> script:
>>>>>
>>>>> ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any
>>>>> 80,443,8080 in via ${LAN_if}
>>>>>
>>> Try to make the rule stateful, e.g. add 'setup keep-state'. Also add
>>> some logging in the rule, and add the last one additional deny with
>>> the logging.
>> Oh-oh ... Can't log right now - have to recompile the kernel before
>> ... sry.
>>>> You have to catch it where it is going out and not in. Fwd only works
>>>> when packets are out bound.
>
> I think you can forward an incoming packet out again..
> I am sure I have done that.

I'm also very sure - you might wanna have a quick look here:
http://wannabe.guru.org/scott/hobbies/wireless/wireless.html
^^ That's where I originally heard about that ... but it sadly didn't
work out for me ...

>
>> I don't think so ?! And what sense would it make? Because think twice
>> ... I want to fwd incoming HTTP:80 packets to make them look like
>> HTTP:8080 packets ... the outgoing ones are uninteresting because
>> it's apache's job to send back website data on port 8080, where it's
>> listening anyway.
>>>>
>>> But how does this work for me?
>>>
>>> ipfw fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24
>>> to 172.22.4.254 dst-port 3128 setup in via vr0 keep-state
>>>
>>> rik
>>>> John
>>>>
>> I tried:
>>
>> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me dst-port 80
>> setup in via ath0 keep-state
>>
>> as well as this one too:
>>
>> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me src-port 80
>> dst-port 8080 setup in via ath0 keep-state
>>
>> ^^
>> But sadly without success - "root$ ipfw show" doesn't even show me
>> at least one packet going through .... not even blocked ones ... 0 0 ;-)
>>
>>
>
> what version of FreeBSD..
> forwarding was crippled in an early 6.x revision I think.
> you needed to add another option as well.

I'm running the latest 7.0 RELEASE ... these are included in the kernel:

NETGRAPH_IPFW
IPFIREWALL
IPFIREWALL_VERBOSE
IPFIREWALL_VERBOSE_LIMIT=5
IPFIREWALL_FORWARD
DUMMYNET
IPDIVERT

>
>>
>>
>> But here is my scenario again:
>>
>> 127.0.0.1 is my FreeBSD machine where IPFW acts and Apache22 listens
>> on port 8080.
>>
>> 192.1.1.0/24 is the ath0 interface where wireless clients will try to
>> click http://google:80 BUT accidentally should be fwded & run into my
>> PortalSite:8080
>> 192.1.1.1 is the interface's IP address. 192.1.1.1:8080 would also
>> take you to the portal site, as would 127.0.0.1:8080.
>>
>>
>> Regards,
>>
>> Leander
>

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 28 08:45:07 2008
Date: Tue, 28 Oct 2008 01:26:55 -0700 (PDT)
From: techartist
To: freebsd-ipfw@freebsd.org
Subject: IPFW MAC FILTERING WITH PORT FORWARDING
Message-ID: <20203051.post@talk.nabble.com>

Hi geeks!

I have a 4 G stream of Internet for my organization, for which on the LAN
side I have a cache server running FreeBSD 4.9-STABLE. This cache server is
doing the transparent proxy role. But meanwhile, to control my LAN users, I
am trying to do MAC filtering. What I need is that the firewall should check
the user's request: if the request comes with a MAC address present in the
firewall file, then it allows it and transparently allows the stream of
Internet, and if not, then it totally denies that connection only.

If you have any idea, please inform me immediately... I have already done
some tricks but it's not working. First tell me, then I'll discuss my
applied tricks with you...

Thanks
Aliz
-- 
View this message in context: http://www.nabble.com/IPFW-MAC-FILTERING-WITH-PORT-FORWARDING-tp20203051p20203051.html
Sent from the freebsd-ipfw mailing list archive at Nabble.com.
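Returning to the "bulk addition to tables" thread at the top of this page: the script below is an added example, not code from the thread or from FreeBSD. It builds the "table N add IP VAL" batch that Julian describes for a single `ipfw -q /dev/stdin` run, and adds the two things a practitioner would want on top of that: the list is validated before any of it reaches ipfw, and the reload is a diff (adds and deletes, never a flush), so a table that backs a deny rule is not briefly empty while it is being refilled. Assumptions that are not from the page: the lists are IPv4 only, `ipfw table N list` prints one "addr/len value" entry per line, and the `IPFW` environment variable names the ipfw binary (default "ipfw"). The sample inputs in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): validated, diff-based
# bulk loading of an ipfw(8) table through a single `ipfw -q /dev/stdin`.

# valid_block ADDR[/LEN]: succeed if ADDR is a dotted quad and LEN is 0..32.
valid_block() {
    case $1 in ''|*[!0-9./]*) return 1;; esac        # digits, dots, one slash
    addr=${1%/*}
    if [ "$addr" = "$1" ]; then len=32; else len=${1#*/}; fi
    case $len in ''|*[!0-9]*) return 1;; esac
    [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs   # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# valid_value VAL: the optional per-entry value is a non-negative integer.
valid_value() {
    case $1 in ''|*[!0-9]*) return 1;; esac
}

# desired_entries < LISTFILE: read "netblock [value]" lines ('#' comments and
# blank lines allowed), validate each, print "addr/len value" (value defaults
# to 0; a bare address becomes addr/32, which is how `ipfw table N list`
# prints it). Fails if anything was rejected, so a broken list is never loaded.
desired_entries() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -f; set -- $line; set +f              # split words, no globbing
        [ $# -ge 1 ] || continue
        if valid_block "$1" && valid_value "${2:-0}"; then
            case $1 in
                */*) printf '%s %s\n' "$1" "${2:-0}";;
                *)   printf '%s/32 %s\n' "$1" "${2:-0}";;
            esac
        else
            printf 'rejecting malformed entry: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# sync_cmds TABLE WANTFILE HAVEFILE: WANTFILE is desired_entries output,
# HAVEFILE is `ipfw table TABLE list` output. Print the commands that turn
# HAVE into WANT: deletes for stale or changed keys first, then adds. Keys
# that are unchanged are never touched (re-adding an existing key is also
# something ipfw rejects), so the table is never emptied on reload.
sync_cmds() {
    awk -v t="$1" '
        FILENAME == ARGV[1] && NF { want[$1] = $2; next }
        NF                       { have[$1] = $2 }
        END {
            for (k in have) if (!(k in want) || have[k] != want[k])
                printf "0 table %s delete %s\n", t, k
            for (k in want) if (!(k in have) || have[k] != want[k])
                printf "1 table %s add %s %s\n", t, k, want[k]
        }' "$2" "$3" | LC_ALL=C sort | cut -d' ' -f2-   # deletes before adds
}

# load_table TABLE LISTFILE: validate, diff against the live table, and feed
# the result to one ipfw process. Nothing is sent to ipfw if validation fails.
load_table() {
    table=$1; listfile=$2
    want=$(mktemp) || return 1
    have=$(mktemp) || { rm -f "$want"; return 1; }
    if desired_entries < "$listfile" > "$want" &&
       "${IPFW:-ipfw}" table "$table" list > "$have"; then
        sync_cmds "$table" "$want" "$have" | "${IPFW:-ipfw}" -q /dev/stdin
        rc=$?
    else
        rc=1
    fi
    rm -f "$want" "$have"
    return "$rc"
}

# As a script: sh load-table.sh TABLE LISTFILE   (as root, on the firewall)
if [ $# -eq 2 ]; then
    load_table "$1" "$2"
fi
```

To see what would be sent before touching a live table, run the pieces by hand: `desired_entries < table1.txt > want`, `ipfw table 1 list > have`, then `sync_cmds 1 want have` prints the exact lines that `ipfw -q /dev/stdin` would consume. The one window left open is an entry whose value changed, which is deleted and re-added; entries that only need adding or only need deleting never leave the table in a partially empty state.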