From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 15 11:06:54 2008
Date: Mon, 15 Dec 2008 11:06:53 GMT
Message-Id: <200812151106.mBFB6r6n004360@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/129103  ipfw  [ipfw] IPFW check state does not work =(
o kern/129093  ipfw  [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw  [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw  [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw  [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw  [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw  [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw  [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw  [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw  [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw  [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw  [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw  [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw  [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw  [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw  [ipfw][patch] unify message and add a rule number wher
o bin/115172   ipfw  [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw  [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw  [ipfw][patch] Addition actions with rules within speci
o kern/112708  ipfw  [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw  [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw  [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw  [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw  [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/95084   ipfw  [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw  [ipfw] ipfw pipe lost packets
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw  [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw  [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw  [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau

51 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 18 09:31:51 2008
Date: Thu, 18 Dec 2008 09:19:51 +0000
From: Gloomy Group
Subject: IPFW firewall rule in mpd pppoe server to single pc behind router

Hello all,

I have a FreeBSD mpd PPPoE server. Users connect to the internet by giving a
username and password. My problem is that some users put in a router and share
the internet connection with other PCs. Is it possible to disable internet
sharing on the server by rate limiting with ipfw firewall scripts, so that if
users have a router or do NAT on their PC to share the internet, only a single
PC can access the internet? Is it possible?
From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 18 09:57:39 2008
Date: Thu, 18 Dec 2008 20:57:36 +1100 (EST)
Message-ID: <20081218204044.H29108@sola.nimnet.asn.au>
From: Ian Smith
To: Gloomy Group
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW firewall rule in mpd pppoe server to single pc behind router

On Thu, 18 Dec 2008, Gloomy Group wrote:

> I have freebsd mpd pppoe server. Users connect to internet by giving
> username and password. My problem is some users put router and share
> internet connection with other pc. Is it possible to disable internet
> sharing in server by rate limiting with ipfw firewall scripts. So
> that if users keep router or does nat in their pc to share internet
> then only single pc can access to internet. Is it possible?

Detecting that a connection is shared using NAT? Not that I know of.

Rate limiting per connection with dummynet pipes, easy enough.
If you limit the bandwidth, why would you need to care how many pcs share it?

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 19 03:35:50 2008
Date: Fri, 19 Dec 2008 14:35:47 +1100 (EST)
Message-ID: <20081219140743.M29108@sola.nimnet.asn.au>
References: <20081218204044.H29108@sola.nimnet.asn.au>
From: Ian Smith
To: Gloomy Group
Cc: ipfw@freebsd.org
Subject: RE: IPFW firewall rule in mpd pppoe server to single pc behind router

On Fri, 19 Dec 2008, Gloomy Group wrote:

> Hello Ian,
>
> I have implemented traffic shaping with dummy net pipe. But I want
> to strictly control the internet sharing to single pc. Is there other
> way of allowing like MAC address restricting to 2 pc coming from that
> source ip.
Not that I know of. You're only going to see the MAC address of a directly
connected system, not those of any other box connected to the first one's
other interface, even if you are able to do ARP over PPPoE.

This is more people-policy stuff I think, unlikely to have a technical
solution. Some ISPs tell people they're not permitted to use NAT, but I've
not heard of any way of actually and reliably detecting its use.

One way to block use of the particular form of NAT implemented in M$ XP is
to give users addresses in the 192.168.0.x range, with 192.168.0.1 as (your
end's) gateway address .. since this latter address is forcibly assigned to
the NAT box's inside interface by XP's 'internet connection sharing' .. but
there are other NAT systems for windows users out there.

Others may know more than I do about this, of course .. if you wish to
pursue it further, net@freebsd.org would be the more appropriate list.
cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 19 13:42:40 2008
Date: Fri, 19 Dec 2008 05:20:07 -0800 (PST)
Message-ID: <21091035.post@talk.nabble.com>
From: LaGatorVII
To: freebsd-ipfw@freebsd.org
Subject: IPFW newbie question.

I need help with a basic dummynet (ipfw) configuration on FreeBSD 6.1.

I need unlimited traffic on the local subnet X.X.X.192/28. The FreeBSD box's
IP is X.X.X.193 and it has aliases for many other IPs in the subnet. These are
"live" internet IP addresses, not private. The external interface is 'bge0'.

I want to limit ALL other traffic, incoming and outgoing. Any traffic not
destined for the local network will burn precious CoLo bandwidth. I am
thinking 30KBytes/s out and 10KBytes/s in, but I am not sure. The server runs
all our internet services.
Here is a paste from the last email from the colo company:

  95th Percentile = 49.51KBps  = 396.09Kbps
  Maximum         = 186.94KBps = 1495.50Kbps

I would like that 95th percentile to end up back down around 30KBps, and I
think this drastic step would cause it to be much lower.

Any advice is appreciated. I know this is probably simple, but searching
around the web everyone seems to use slightly different syntax, and I can't
afford to mess this up.

Thanks in advance.
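Ian's answer above (per-connection rate limiting with dummynet pipes) and LaGatorVII's request (cap everything on bge0 except the local /28) worked through as one added example; this is not code from either poster. It assumes FreeBSD 6.x ipfw/dummynet syntax and an mpd address pool, uses 203.0.113.192/28 as a constructed stand-in for the elided X.X.X.192/28, and with fwcmd unset only prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the posters): dummynet rate limiting with ipfw,
# FreeBSD 6.x syntax. Dry-run by default: fwcmd just prints each rule.
# Run with fwcmd=/sbin/ipfw to load the rules for real.
fwcmd="${fwcmd:-echo ipfw}"

# LaGatorVII's case: traffic inside the local /28 on the external interface
# is never shaped; everything else on that interface goes through one pipe
# per direction. 203.0.113.192/28 below is a placeholder for the elided
# X.X.X.192/28.
limit_colo_link() {
    ext_if="$1"; local_net="$2"; out_bw="$3"; in_bw="$4"
    ${fwcmd} pipe 1 config bw "${out_bw}"
    ${fwcmd} pipe 2 config bw "${in_bw}"
    # Local subnet <-> local subnet (the box's own aliases included) is free.
    ${fwcmd} add 1000 allow ip from "${local_net}" to "${local_net}" via "${ext_if}"
    # With net.inet.ip.fw.one_pass=1 (the default) a packet is accepted
    # once it leaves the pipe, so nothing below 1010/1020 sees it again.
    ${fwcmd} add 1010 pipe 1 ip from any to any out via "${ext_if}"
    ${fwcmd} add 1020 pipe 2 ip from any to any in via "${ext_if}"
}

# Ian's suggestion for the PPPoE server: the mask makes dummynet keep one
# dynamic queue per user address, so every user gets its own cap instead of
# all users sharing one pipe. mpd's interfaces are ng<N>; the quoted
# wildcard matches all of them. user_pool is the pool mpd hands out
# (assumed value below).
limit_per_user() {
    user_pool="$1"; per_user_bw="$2"
    ${fwcmd} pipe 10 config bw "${per_user_bw}" mask src-ip 0xffffffff
    ${fwcmd} pipe 11 config bw "${per_user_bw}" mask dst-ip 0xffffffff
    ${fwcmd} add 2000 pipe 10 ip from "${user_pool}" to any in recv 'ng*'
    ${fwcmd} add 2010 pipe 11 ip from any to "${user_pool}" out xmit 'ng*'
}

# Sample invocations (constructed values).
limit_colo_link bge0 203.0.113.192/28 30KByte/s 10KByte/s
limit_per_user 10.10.0.0/16 512Kbit/s
```

Check the result with `ipfw pipe show` after loading; per-user queues only appear once a user's traffic has hit the pipe.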
From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 19 15:07:21 2008
Date: Fri, 19 Dec 2008 15:40:37 +0100
Message-ID: <494BB265.4070201@gmx.net>
From: "Leander S."
To: freebsd-ipfw@freebsd.org
Subject: ===== Port/Traffic Redirection =====

Hi,

I'm trying to get captive portal / transparent proxy-like behaviour on my
IPFW traffic. I actually want to divert all HTTP traffic to the webserver on
the same IPFW diverting machine. I tried rules like these, but I sadly never
got them working.

SERVERSIDE: my Apache webserver is listening on port 8080 AND also on 80.
CLIENTSIDE: I'm guessing my clients' HTTP requests go to port 80 as well as
8080 and 443.

  ###############################################################################
  ### HTTP Traffic forwarding to Apache:8080
  ${fwcmd} add 21200 allow tcp from any to ${LAN_IP} 80,443,8080 in via ${LAN_if}
  ${fwcmd} add 21300 allow tcp from any to ${LAN_IP} 80,443,8080 out via ${LAN_if}
  ${fwcmd} add 21400 fwd ${LAN_IP},8080 tcp from ${LAN} to me 80,443,8080 setup in via ${LAN_if} keep-state
  ### Package Detour
  ${fwcmd} add 21500 allow all from any to any out via ${LAN_if}
  ###############################################################################

^^ Btw. my IPFW denies packets by default. ^^

I'm not quite sure if those make sense at all?!
Thanks, Leander
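The redirect Leander's rules are aiming for, as an added example rather than his ruleset: in his rules the allow at 21200 matches first so the fwd is never reached, and "to me" only catches requests addressed to the firewall itself. This assumes FreeBSD 6/7 ipfw syntax with IPFIREWALL_FORWARD in the kernel, Apache listening on the LAN address and port given as parameters, and constructed sample values; with fwcmd unset it only prints the rules.

```shell
#!/bin/sh
# Added example (not Leander's rules): transparent redirect of LAN web
# traffic to Apache on the firewall with ipfw fwd, FreeBSD 6/7 syntax.
# The kernel needs "options IPFIREWALL_FORWARD" for fwd to do anything.
# Dry-run by default: fwcmd prints the rules; fwcmd=/sbin/ipfw loads them.
fwcmd="${fwcmd:-echo ipfw}"

# lan_if/lan_net/lan_ip/proxy_port are parameters, not values from the post.
redirect_http() {
    lan_if="$1"; lan_net="$2"; lan_ip="$3"; proxy_port="$4"
    # fwd is terminal and must be matched first: an earlier "allow" on the
    # same packets wins and the redirect is never reached. Matching
    # "to any 80" (not "to me") is what catches the clients' real
    # destinations. Only port 80: TLS on 443 cannot be redirected into a
    # plain HTTP port without breaking the clients' connections.
    ${fwcmd} add 21100 fwd "${lan_ip},${proxy_port}" tcp from "${lan_net}" to any 80 in via "${lan_if}"
    # Apache must listen on lan_ip:proxy_port (assumption). A redirected
    # connection keeps the client's original destination as its local
    # address, so the replies leave with that address as source and are
    # matched on the client side rather than on "me".
    ${fwcmd} add 21110 allow tcp from any 80 to "${lan_net}" out via "${lan_if}" established
    # Clients talking to the firewall's own web server directly.
    ${fwcmd} add 21200 allow tcp from "${lan_net}" to "${lan_ip}" 80,"${proxy_port}" in via "${lan_if}"
    ${fwcmd} add 21300 allow tcp from "${lan_ip}" 80,"${proxy_port}" to "${lan_net}" out via "${lan_if}"
}

# Sample invocation (constructed values).
redirect_http em0 192.168.1.0/24 192.168.1.1 8080
```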
From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 19 23:47:34 2008
Date: Fri, 19 Dec 2008 21:24:14 -0200
From: "Joao Rocha Braga Filho"
To: freebsd-ipfw@freebsd.org
Subject: Re: kernel nat memory usage?
I was looking through the archives and found this thread. I don't know about
a kernel nat memory leak, but there is one in natd. The memory use and the
CPU load increase, and don't stop. I am an ISP and have almost 500 users, and
some are LAN houses, schools, offices... If the bug is in the same lib used
by both, the problem is the same.

I subscribed to this list to report this problem. I know it is the wrong
place, but it seemed logical to include this observation in this thread.

Thanks,
João Rocha.

--
goffredo@gmail.com