From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 2 09:52:26 2009
Date: Sun, 2 Aug 2009 09:52:25 GMT
Message-Id: <200908020952.n729qP8G048499@freefall.freebsd.org>
From: remko@FreeBSD.org
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/137346: ipfw nat redirect_proto is broken
List-Id: IPFW Technical Discussions

Synopsis: ipfw nat redirect_proto is broken

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: remko
Responsible-Changed-When: Sun Aug 2 09:52:25 UTC 2009
Responsible-Changed-Why:
Over to maintainer.

http://www.freebsd.org/cgi/query-pr.cgi?pr=137346


From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 3 11:07:00 2009
Date: Mon, 3 Aug 2009 11:06:59 GMT
Message-Id: <200908031106.n73B6xNC088646@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw   [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw   [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw   [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw   [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw   [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

62 problems total.


From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 4 22:49:30 2009
Date: Wed, 05 Aug 2009 00:31:57 +0200
Message-ID: <4A78B6DD.7060908@chlastak.cz>
From: Miroslav Chlastak
Reply-To: mira@chlastak.cz
To: freebsd-ipfw@freebsd.org
Subject: Matching all protocols in /etc/protocols (1 rule)

Hi all,

is it possible to create one rule to pass (or disable) all traffic (all
protocols from /etc/protocols)?
I know that I can use the "all" keyword. But this keyword "all" means only
the "tcp, udp, icmp" protocols.
But there are more than the tcp, udp and icmp protocols (gre, esp, ospf, ...).
To allow all of these protocols, at the moment I have to create 134 rules
(1 rule for 1 protocol from /etc/protocols).

Thanks for any idea.

-- 
Mira


From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 4 23:18:50 2009
Date: Tue, 4 Aug 2009 15:55:52 -0700
In-Reply-To: <4A78B6DD.7060908@chlastak.cz>
References: <4A78B6DD.7060908@chlastak.cz>
From: Freddie Cash
To: mira@chlastak.cz
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Matching all protocols in /etc/protocols (1 rule)

2009/8/4 Miroslav Chlastak

> Hi all,
>
> is it possible to create one rule to pass (or disable) all traffic (all
> protocols from /etc/protocols)?
> I know that I can use the "all" keyword. But this keyword "all" means only
> the "tcp, udp, icmp" protocols.
> But there are more than the tcp, udp and icmp protocols (gre, esp, ospf, ...).
> To allow all of these protocols, at the moment I have to create 134 rules
> (1 rule for 1 protocol from /etc/protocols).
>

If this is for IPFW, just use "ip" or "any". That will match any IP
packets, regardless of what protocol data is inside the packet.

-- 
Freddie Cash
fjwcash@gmail.com


From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 5 05:23:24 2009
Date: Wed, 5 Aug 2009 15:08:20 +1000 (EST)
Message-ID: <20090805150508.B19821@sola.nimnet.asn.au>
References: <4A78B6DD.7060908@chlastak.cz>
From: Ian Smith
To: Freddie Cash
Cc: freebsd-ipfw@freebsd.org, mira@chlastak.cz
Subject: Re: Matching all protocols in /etc/protocols (1 rule)

On Tue, 4 Aug 2009, Freddie Cash wrote:

 > 2009/8/4 Miroslav Chlastak
 >
 > > Hi all,
 > >
 > > is it possible to create one rule to pass (or disable) all traffic (all
 > > protocols from /etc/protocols)?
 > > I know that I can use the "all" keyword. But this keyword "all" means only
 > > the "tcp, udp, icmp" protocols.
 > > But there are more than the tcp, udp and icmp protocols (gre, esp, ospf, ...).
 > > To allow all of these protocols, at the moment I have to create 134 rules
 > > (1 rule for 1 protocol from /etc/protocols).
 > >
 >
 > If this is for IPFW, just use "ip" or "any". That will match any IP
 > packets, regardless of what protocol data is inside the packet.

To be fussy, 'any' applies to addresses; 'ip' or 'all' is what's needed here:

    protocol: [not] protocol-name | protocol-number
        An IPv4 protocol specified by number or name (for a complete
        list see /etc/protocols). The ip or all keywords mean any
        protocol will match.

cheers, Ian
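As an added example (not code from the thread, from FreeBSD, or from any poster), here is a small Python audit script that parses ipfw rule lines of the simple form used in the thread and flags allow rules whose protocol field is "ip" or "all" with "any" as both source and destination, the broadest match ipfw can express. It also makes Ian's point concrete: "any" parses as an address, not as a protocol. The rule-line format handled and the sample ruleset are assumptions constructed for this example.

```python
"""Audit helper for ipfw(8)-style rule lines such as
    add 100 allow tcp from any to any
Constructed example; only the ACTION PROTO from SRC to DST [options] form
is parsed (no check-state, fwd, pipe, or table syntax)."""
import re

# Per ipfw(8), the protocol keywords "ip" and "all" match every IP protocol.
# "any" is an address wildcard, not a protocol name, so it is not listed here.
ANY_PROTO = {"ip", "all"}
ALLOW_ACTIONS = {"allow", "pass", "permit", "accept"}  # ipfw(8) synonyms

RULE_RE = re.compile(
    r"^(?:add\s+)?(?:(?P<num>\d+)\s+)?"
    r"(?P<action>allow|pass|permit|accept|deny|drop)\s+"
    r"(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<opts>.*)$",
    re.IGNORECASE,
)

def parse_rule(line):
    """Return a dict with num, action, proto, src, dst, opts; None if unparsed."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    r["num"] = int(r["num"]) if r["num"] else None
    for key in ("action", "proto", "src", "dst"):
        r[key] = r[key].lower()
    r["opts"] = r["opts"].strip()
    return r

def matches_all_protocols(rule):
    """True when the rule's protocol field covers every IP protocol."""
    return rule["proto"] in ANY_PROTO

def catch_all_allow_rules(ruleset):
    """Numbers of rules that allow every protocol from any host to any host."""
    hits = []
    for line in ruleset.splitlines():
        r = parse_rule(line)
        if (r and r["action"] in ALLOW_ACTIONS and matches_all_protocols(r)
                and r["src"] == "any" and r["dst"] == "any"):
            hits.append(r["num"])
    return hits

# Constructed ruleset: the per-protocol approach beside the one-rule "ip" form
SAMPLE_RULES = """\
add 100 allow tcp from any to any
add 110 allow udp from any to any
add 120 allow gre from any to any
add 130 allow esp from any to any
add 200 allow ip from any to any
add 300 deny all from any to any
"""

if __name__ == "__main__":
    print("catch-all allow rules:", catch_all_allow_rules(SAMPLE_RULES))
```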