From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 2 00:45:03 2011
From: Julian Elischer
Date: Sat, 01 Jan 2011 16:32:04 -0800
To: Nima Khoramdin
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW - NAT - two gateway -HELP
Message-ID: <4D1FC784.2000409@freebsd.org>

On 1/1/11 5:11 AM, Nima Khoramdin wrote:
> hello .
>
> I installed FreeBSD 7.1 with ipfw - nat - dummynet with the below kernel config:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_FORWARD
> options IPDIVERT
> options DUMMYNET
> options HZ=1000
>
> and I have three NICs, with an internal webserver that works with NAT:
>
> default gw : 172.16.1.5
>
> (in natd.conf :
>
> port 8668
> interface nfe0
> use_sockets yes
>
> # redirect to webserver
> redirect_port tcp 192.168.1.121:80 172.16.1.5:80
> )
>
> it works fine.
>
>
>           ISP1                        ISP2
>     wireless connection               ADSL
>          2mb/2mb                     1mb/1mb
>       172.16.1.1/23                10.0.0.1/23
>            |                            |
>            |                            |
>          static                       static
>        172.16.1.5                   10.0.1.15
>       *aue0*******************tun0*
>       *          FreeBSD           *
>       *************ep0*************
>                  192.168.1.254
>                       |
>                       |
>                     *****
>                  Private LAN
>                 192.168.1.0/24
>                       |
>                       |
>                   webserver
>                 192.168.1.121
>
>
> How can I use these two gateways for my internal webserver with ipfw & NAT?
>
> I want to know how I can use ISP2 (ADSL) like ISP1 (I mean, if anyone puts ISP1
> (172.16.1.5) or ISP2 (10.0.10.15) into the browser, they can see my internal
> webserver page via two separate ISPs), not load balancing. I want to use
> two ISPs at the same time.

do you REALLY have 172.16.1.5 and 10.0.1.15 as your IP addresses?
If so there is no way you can be reached from the outside..
unless you have made an agreement with the ISPs to forward some address/port
to you.
They are doing NAT on your outgoing sessions as it is already..
> sorry for my bad explanation
> thanks
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 2 06:42:44 2011
From: Nima Khoramdin
Date: Sun, 2 Jan 2011 10:12:23 +0330
To: freebsd-ipfw@freebsd.org
Subject: IPFW - NAT - two gateway -HELP
In-Reply-To: <4D1FC784.2000409@freebsd.org>

hello again

ok, maybe I explained it wrongly. I already have an IP address in my network that is
working with NAT (NAT to the internal web server); I want to add another NIC
with a new ISP (IP) for backup, and a new NAT rule.

How can I set two separate gateways on FreeBSD?

thanks

---------- Forwarded message ----------
From: Julian Elischer
Date: Sun, Jan 2, 2011 at 4:02 AM
Subject: Re: IPFW - NAT - two gateway -HELP
To: Nima Khoramdin
Cc: freebsd-ipfw@freebsd.org

On 1/1/11 5:11 AM, Nima Khoramdin wrote:
> hello .
>
> I installed FreeBSD 7.1 with ipfw - nat - dummynet with the below kernel config:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPFIREWALL_FORWARD
> options IPDIVERT
> options DUMMYNET
> options HZ=1000
>
> and I have three NICs, with an internal webserver that works with NAT:
>
> default gw : 172.16.1.5
>
> (in natd.conf :
>
> port 8668
> interface nfe0
> use_sockets yes
>
> # redirect to webserver
> redirect_port tcp 192.168.1.121:80 172.16.1.5:80
> )
>
> it works fine.
>
>
>           ISP1                        ISP2
>     wireless connection               ADSL
>          2mb/2mb                     1mb/1mb
>       172.16.1.1/23                10.0.0.1/23
>            |                            |
>            |                            |
>          static                       static
>        172.16.1.5                   10.0.1.15
>       *aue0*******************tun0*
>       *          FreeBSD           *
>       *************ep0*************
>                  192.168.1.254
>                       |
>                       |
>                     *****
>                  Private LAN
>                 192.168.1.0/24
>                       |
>                       |
>                   webserver
>                 192.168.1.121
>
>
> How can I use these two gateways for my internal webserver with ipfw & NAT?
>
> I want to know how I can use ISP2 (ADSL) like ISP1 (I mean, if anyone puts ISP1
> (172.16.1.5) or ISP2 (10.0.10.15) into the browser, they can see my internal
> webserver page via two separate ISPs), not load balancing. I want to use
> two ISPs at the same time.

do you REALLY have 172.16.1.5 and 10.0.1.15 as your IP addresses?
If so there is no way you can be reached from the outside..
unless you have made an agreement with the ISPs to forward some address/port
to you.
They are doing NAT on your outgoing sessions as it is already..

> sorry for my bad explanation
> thanks
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 2 07:29:17 2011
From: Julian Elischer
Date: Sat, 01 Jan 2011 23:29:38 -0800
To: Nima Khoramdin
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW - NAT - two gateway -HELP
Message-ID: <4D202962.8090209@freebsd.org>
References: <4D1FC784.2000409@freebsd.org>

On 1/1/11 10:42 PM, Nima Khoramdin wrote:
> hello again
>
> ok, maybe I explained it wrongly. I already have an IP address in my network that is
> working with NAT (NAT to the internal web server); I want to add another NIC
> with a new ISP (IP) for backup, and a new NAT rule.
>
> How can I set two separate gateways on FreeBSD?
>
> thanks
>

so, your addresses are NOT 172... and 10.....?

Assuming you have a way to get the externally sourced packets to your
interface, then you have a couple of options.

Firstly you will need to either use two natd instances, or a single natd
using two of the new 'instance' sections.

(quoting from the natd man page...)
--------start quote-------
     Options can be divided to several sections.  Each section applies to
     own natd instance.  This ability allows to configure one natd process
     for several NAT instances.  The first instance that always exists is a
     "default" instance.  Each another instance should begin with

           instance instance_name

     At the next should be placed a configuration option.  Example:

           # default instance
           port 8668
           alias_address 158.152.17.1

           # second instance
           instance dsl1
           port 8888
           alias_address 192.168.0.1

     Trailing spaces and empty lines are ignored.  A `#' sign will mark the
     rest of the line as a comment.

     -instance instancename
             This option switches command line options processing to
             configure instance instancename (creating it if necessary)
             till the next -instance option or end of command line.  It is
             easier to set up multiple instances in the configuration file
             specified with the -config option rather than on a command
             line.
--------- end quote--------

you can then use the ipfw 'fwd' command to decide which goes where
or alternatively, you can also use the new multiple routing table feature
to decide which sessions go to which gateway.

>>
>>           ISP1                        ISP2
>>     wireless connection               ADSL
>>          2mb/2mb                     1mb/1mb
>>       172.16.1.1/23                10.0.0.1/23
>>            |                            |
>>            |                            |
>>          static                       static
>>        172.16.1.5                   10.0.1.15
>>       *aue0*******************tun0*
>>       *          FreeBSD           *
>>       *************ep0*************
>>                  192.168.1.254
>>                       |
>>                       |
>>                     *****
>>                  Private LAN
>>                 192.168.1.0/24
>>                       |
>>                       |
>>                   webserver
>>                 192.168.1.121
>>
>>
>> How can I use these two gateways for my internal webserver with ipfw & NAT?
>>
>> I want to know how I can use ISP2 (ADSL) like ISP1 (I mean, if anyone puts ISP1
>> (172.16.1.5) or ISP2 (10.0.10.15) into the browser, they can see my internal
>> webserver page via two separate ISPs), not load balancing. I want to use
>> two ISPs at the same time.
>>
> do you REALLY have 172.16.1.5 and 10.0.1.15 as your IP addresses?
> If so there is no way you can be reached from the outside..
> unless you have made an agreement with the ISPs to forward some address/port
> to you.
> They are doing NAT on your outgoing sessions as it is already..
>
>> sorry for my bad explanation
>> thanks
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 3 11:07:06 2011
From: FreeBSD bugmaster
Date: Mon, 3 Jan 2011 11:07:05 GMT
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-Id: <201101031107.p03B75R6046520@freefall.freebsd.org>
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/153415  ipfw   [ipfw] [patch] Port numbers always zero in dynamic IPF
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw   IPFIREWALL does not allow specify rules with ICMP code
o conf/153155  ipfw   [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on
o kern/152887  ipfw   [ipfw] Can not set more then 1024 buckets with buckets
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/150798  ipfw   [ipfw] ipfw2 fwd rule matches packets but does not do
o kern/148928  ipfw   [ipfw] Problem with loading of ipfw NAT rules during s
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148157  ipfw   [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o conf/148144  ipfw   [patch] add ipfw_nat support for rc.firewall simple ty
o conf/148137  ipfw   [ipfw] call order of natd and ipfw startup scripts
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw   [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw   [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw   [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/144269  ipfw   [ipfw] problem with ipfw tables
o kern/144187  ipfw   [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw   [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw   [ipfw] ipfw table contains the same address
f kern/142951  ipfw   [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
o kern/122109  ipfw   [ipfw] ipfw nat traceroute problem
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet] 6.3-RELEASE-p1 page fault in dummynet (corr
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

82 problems total.
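Returning to the two-gateway thread above: the following is a worked version of what Julian described, one natd process with two instances (one per uplink) plus an ipfw fwd so that replies to sessions that arrived via ISP2 leave through ISP2's gateway instead of the default route. It is an added example, not Julian's or Nima's configuration. Interface names and addresses follow Nima's diagram where they appear there (aue0/172.16.1.5, tun0/10.0.1.15, ep0, 192.168.1.121, ISP2 side 10.0.0.1); the second divert port, the rule numbers and the choice of ISP2's address as the next hop are assumptions. It assumes the kernel options Nima listed (IPDIVERT, IPFIREWALL_FORWARD) and a natd that supports `instance` sections, as in the man page excerpt Julian quoted.

```sh
#!/bin/sh
# Two uplinks, one natd with two instances, ipfw divert + fwd.
# Added example for the two-gateway thread; not the original poster's setup.
# Names from Nima's diagram; isp2_gw, isp2_port and rule numbers are assumptions.
isp1_if=aue0; isp1_ip=172.16.1.5; isp1_port=8668
isp2_if=tun0; isp2_ip=10.0.1.15;  isp2_gw=10.0.0.1; isp2_port=8669
lan_if=ep0;   lan_net=192.168.1.0/24; web=192.168.1.121

# natd.conf: the default instance serves ISP1, a named one serves ISP2.
# Each instance redirects port 80 on its own public address to the server.
natd_conf() {
cat <<EOF
port ${isp1_port}
interface ${isp1_if}
use_sockets yes
redirect_port tcp ${web}:80 ${isp1_ip}:80

instance isp2
port ${isp2_port}
interface ${isp2_if}
use_sockets yes
redirect_port tcp ${web}:80 ${isp2_ip}:80
EOF
}

# ipfw rule file (load with: ipfw -q /path/to/file).
ipfw_rules() {
cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# Outbound leg on each uplink: alias with the matching instance, then pass.
# Kept ahead of every keep-state rule so a dynamic-rule hit cannot jump past
# the divert (a dynamic match executes its parent rule's action, see 3010).
add 1000 divert ${isp1_port} ip from any to any out xmit ${isp1_if}
add 1010 divert ${isp2_port} ip from any to any out xmit ${isp2_if}
add 1020 allow ip from any to any out xmit ${isp1_if}
add 1030 allow ip from any to any out xmit ${isp2_if}
# Inbound on ISP1 (the default route): un-NAT; only packets natd mapped onto
# a LAN address (the redirect, or an existing session) get through.
# The firewall's own sessions are not covered here; add keep-state for 'me'.
add 2000 divert ${isp1_port} ip from any to any in recv ${isp1_if}
add 2010 allow ip from any to ${lan_net} in recv ${isp1_if}
add 2020 deny ip from any to any in recv ${isp1_if}
# Inbound on ISP2: un-NAT, then remember web sessions. The dynamic rule's
# action (skipto 5000) is what the server's replies execute later.
add 3000 divert ${isp2_port} ip from any to any in recv ${isp2_if}
add 3010 skipto 5000 tcp from any to ${web} 80 in recv ${isp2_if} keep-state
add 3020 deny ip from any to any in recv ${isp2_if}
# LAN side: anything from the LAN may leave (normal routing, i.e. ISP1).
add 4000 allow ip from ${lan_net} to any in recv ${lan_if}
add 4010 allow ip from any to ${lan_net} out xmit ${lan_if}
add 4999 deny log ip from any to any
# 5000: reached for ISP2 sessions in both directions. Replies from the web
# server are steered to ISP2's gateway before routing picks the default
# route; on the way out they hit rule 1010 and get ISP2's address.
add 5000 fwd ${isp2_gw} tcp from ${web} 80 to any in recv ${lan_if}
add 5010 allow ip from any to any
EOF
}

# Print by default; only touch the live system when explicitly asked.
if [ "${1:-}" = apply ]; then
    natd_conf > /etc/natd.conf
    ipfw_rules > /tmp/ipfw.rules
    /sbin/ipfw -q -f flush
    /sbin/ipfw -q /tmp/ipfw.rules
    /sbin/natd -f /etc/natd.conf
fi
```

Run it without arguments to review the generated natd.conf and rule file, or with `apply` on the firewall itself. The next hop in rule 5000 has to be reachable through tun0's route; LAN-originated traffic still leaves via ISP1 only, which matches the "ISP2 for inbound backup" goal. The alternative Julian mentions, multiple routing tables, would replace the fwd at 5000 with a separate FIB whose default route is ISP2's gateway.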
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 3 18:46:20 2011
From: nangergong
Date: Mon, 3 Jan 2011 18:22:54 +0000
To: freebsd-ipfw@freebsd.org
Subject: How to obtain fixed packet loss ?

Hi, all:

As far as I know, in dummynet, plr is probability-based, namely, when a
packet is processed, it will be discarded according to the probability. So,
if I have 100 packets and the plr is 5%, eventually I may discard just 3
packets or even 1 packet. So, the real packet loss is not consistent with
the plr-set value. Is there any good method that can give me a consistent
packet loss? Thank you!

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 4 13:19:37 2011
From: "Fazal Ahmed Malik"
Date: Tue, 4 Jan 2011 18:01:37 +0500
Subject: Transparent Squid and traffic control
Message-ID: <78DC9B784B57453B9C81859DBFFE55F5@fam>

Hi,

I have a problem running transparent Squid along with dummynet on FreeBSD 7.
I have mpd5 for dial-in PPPoE, which is working perfectly along with ipfw
dummynet traffic control. Now I want to set up transparent Squid using an
ipfw fwd rule. If I place the fwd rule before the dummynet rule, transparent
Squid starts working but then traffic is not being controlled. Then I placed
the fwd rule after the dummynet pipe; here traffic is controlled but
transparent Squid stops working. Anybody who has experience with such a
configuration where both work simultaneously, please give me some hints.

Best regards,

Fazal Ahmed

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 4 14:56:01 2011
From: Luigi Rizzo
Date: Tue, 4 Jan 2011 15:52:53 +0100
To: nangergong
Cc: freebsd-ipfw@freebsd.org
Subject: Re: How to obtain fixed packet loss ?
Message-ID: <20110104145253.GB8235@onelab2.iet.unipi.it>
On Mon, Jan 03, 2011 at 06:22:54PM +0000, nangergong wrote:
> Hi, all:
>
> As far as I know, in dummynet, plr is probability-based, namely, when a
> packet is processed, it will be discarded according to the probability. So,
> if I have 100 packets and the plr is 5%, eventually I may discard just 3
> packets or even 1 packet. So, the real packet loss is not consistent with
> the plr-set value. Is there any good method that can give me a consistent
> packet loss? Thank you!

you would need to modify the "prob" option in ipfw so that e.g.
you specify a bitmap indicating the pattern of packet pass/drop
(this was the way I originally implemented packet loss back in 1995!)

cheers
luigi

> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 4 16:50:51 2011
From: John Nielsen
Date: Tue, 4 Jan 2011 11:25:56 -0500
To: Fazal Ahmed Malik
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Transparent Squid and traffic control
Message-Id: <6C2CEB9A-1E8C-4B3D-B91F-E49F3B2DE34B@jnielsen.net>
In-Reply-To: <78DC9B784B57453B9C81859DBFFE55F5@fam>

On Jan 4, 2011, at 8:01 AM, Fazal Ahmed Malik wrote:
> I have a problem running transparent Squid along with dummynet on FreeBSD 7.
> I have mpd5 for dial-in PPPoE, which is working perfectly along with ipfw
> dummynet traffic control. Now I want to set up transparent Squid using an
> ipfw fwd rule. If I place the fwd rule before the dummynet rule, transparent
> Squid starts working but then traffic is not being controlled. Then I placed
> the fwd rule after the dummynet pipe; here traffic is controlled but
> transparent Squid stops working. Anybody who has experience with such a
> configuration where both work simultaneously, please give me some hints.

I have done this successfully in the past. You need to remember that for
every web request there are potentially two TCP conversations: one between
the client and the proxy and one between the proxy and the server. You
probably do not want to pipe the first type of conversation--requests that
can be served from the proxy's cache do not use WAN bandwidth and should be
served at full speed over the LAN.

You DO want to pipe the second type of conversation.
Requests from the proxy to web servers over the WAN will compete with other
traffic for bandwidth.

So leave your fwd rule before the dummynet rule(s) and be sure that LAN
traffic is not piped.

Then add rules to pipe requests from the proxy's external IP to non-LAN
addresses on port 80. Something like these:

Downstream:
ipfw add skipto $ACCEPT tcp from $LAN 80 to me
ipfw add pipe $M tcp from any 80 to $EXTIP

Upstream:
ipfw add skipto $ACCEPT tcp from me to $LAN 80
ipfw add pipe $N tcp from $EXTIP to any 80

If you post a specific ruleset you can get specific advice. :)

JN

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 4 17:28:30 2011
From: Julian Elischer
Date: Tue, 04 Jan 2011 09:28:50 -0800
To: Fazal Ahmed Malik
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Transparent Squid and traffic control
Message-ID: <4D2358D2.4020105@freebsd.org>
In-Reply-To: <78DC9B784B57453B9C81859DBFFE55F5@fam>

On 1/4/11 5:01 AM, Fazal Ahmed Malik wrote:
> Hi,
>
> I have a problem running transparent Squid along with dummynet on FreeBSD 7.
> I have mpd5 for dial-in PPPoE, which is working perfectly along with ipfw
> dummynet traffic control. Now I want to set up transparent Squid using an
> ipfw fwd rule. If I place the fwd rule before the dummynet rule, transparent
> Squid starts working but then traffic is not being controlled. Then I placed
> the fwd rule after the dummynet pipe; here traffic is controlled but
> transparent Squid stops working. Anybody who has experience with such a
> configuration where both work simultaneously, please give me some hints.
>
> Best regards,
>
> Fazal Ahmed
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

in your ipfw rules separate out the incoming and outgoing work on each
interface to different sets of rules..

As a simple example I attach a copy of a sanitised ipfw ruleset that does
that with mpd..
Note that there are two different NAT points.. one for incoming and one
for outgoing data.

You may do your forwarding at the appropriate point for each direction
independently. In fact you probably should do it so that you forward
incoming packets on both the local and remote interfaces and never forward
outgoing packets..
This means you would add a new set of rules for the local interface that are not in my file, but you should get the idea. When you say 'transparent squid', do you mean transparent to the client or the server, or both? Basically you should do fwds on incoming packets (fwd to squid locally) (incoming from the point of view of the firewall itself).

--------------050603000901020707080403 Content-Type: text/plain; x-mac-type="0"; x-mac-creator="0"; name="rc.firewall" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="rc.firewall"

#!/bin/sh
fwcmd="/sbin/ipfw"

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi

# set these to your outside interface network and netmask and ip
oif="tun0"
onet="192.168.36.0"
omask="24"
oip="A.A.A.A"

# set these to your inside interface network and netmask and ip
iif="vr0"
inet="192.168.2.0"
imask="255.255.255.0"
iip="192.168.2.21"

# for now the natd target is us but change this if you
# change that in natd.conf
natd_target=${oip}

work_vpnserver=B.B.B.B

INCOMING=4000
OUTGOING=8000

sysctl net.inet.ip.fw.enable=0
${fwcmd} -q flush
${fwcmd} -q table 1 flush
${fwcmd} -q table 2 flush
${fwcmd} -q table 3 flush
${fwcmd} -q table 4 flush

# Addresses we should never talk to outside our firewall
${fwcmd} table 1 add 10.0.0.0/8
${fwcmd} table 1 add 172.16.0.0/12
${fwcmd} table 1 add 192.168.0.0/16

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
# RESERVED-1, DHCP auto-configuration, NET-TEST, MULTICAST (class D),
# and class E) on the outside interface
${fwcmd} table 1 add 0.0.0.0/8
${fwcmd} table 1 add 169.254.0.0/16
${fwcmd} table 1 add 192.0.2.0/24
${fwcmd} table 1 add 224.0.0.0/4
${fwcmd} table 1 add 240.0.0.0/4

# add legit sources of ssh.. DNS is not up yet so use IPs
# could add to /etc/hosts I guess.
# friendly server
${fwcmd} table 2 add C.C.C.C
# work
${fwcmd} table 2 add D.D.D.D
# vps1
${fwcmd} table 2 add E.E.E.E

# add legit DNS tcp (zone) sources
# my.first.dns.server
${fwcmd} table 3 add F.F.F.F
# my.second.dns.server
${fwcmd} table 3 add G.G.G.G
# my.third.dns.server
${fwcmd} table 3 add H.H.H.H

# Add our local networks here
${fwcmd} table 4 add 192.168.2.0/24
${fwcmd} table 4 add 172.16.15.0/24

# common spoofing code
# --------------- ALL PACKETS START HERE. ------------
# Stop localhost spoofing
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny log all from any to 127.0.0.0/8
${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any

# If we've already decided on it, keep our word.
${fwcmd} add check-state

#-------- Select direction and interface class
${fwcmd} add skipto ${INCOMING} ip from any to any in recv ${oif}
${fwcmd} add skipto ${OUTGOING} ip from any to any out xmit ${oif}

#-------- Internal traffic. generally don't care
# except to stop spoofing.
# make extra sure we don't block DHCP to our server
# as initial request will be from 0.0.0.0/0
${fwcmd} add allow udp from any to any 67 in recv ${iif}
${fwcmd} add allow udp from any 67 to any out xmit ${iif}
# otherwise it has to be to and from a net we actually have.
${fwcmd} add deny log all from not "table(4)" to any in recv ${iif}
${fwcmd} add deny log all from any to not "table(4)" out xmit ${iif}
${fwcmd} add allow ip from any to any

#------- INCOMING
# don't allow packets from the wrong net!
${fwcmd} add ${INCOMING} deny log all from "table(4)" to any
# in fact don't accept packets that are not for this interface exactly
${fwcmd} add deny log ip from any to not ${oip}

# Allow access to our ssh from trusted places
# (work, friends, etc (sometimes))
${fwcmd} add pass tcp from "table(2)" to ${oip} 22 setup keep-state

# allow our DNS secondaries to get zone transfers
${fwcmd} add pass tcp from "table(3)" to ${oip} 53 setup keep-state

# allow DNS requests, since we are authoritative
${fwcmd} add pass udp from any to ${oip} 53

# Allow setup of incoming email
# I, and root can start outgoing sessions and have them come
# in if there is a waiting socket :-)
${fwcmd} add allow ip from any to ${oip} uid 0
${fwcmd} add allow ip from any to ${oip} uid 53
${fwcmd} add allow ip from any to ${oip} uid 1000

# ignore any mention of RFC1918 nets on the outside interface
${fwcmd} add deny log all from any to "table(1)"
${fwcmd} add deny log not icmp from "table(1)" to any

#^v^v^v^v^v^v^v^v^v^v^v^v^v INCOMING NAT POINT ^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v
# NAT anything that is left and trust NATD
${fwcmd} add divert natd all from any to any

#After translation
# explicitly allow NAT-T from the vpn server to inside nets
${fwcmd} add allow udp from ${work_vpnserver} to "table(4)"

# allow us to do traceroute and ping
# note: if you point the natd target elsewhere,
# the gateway will NOT be able to do this.

# Allow access to our DNS (NOPE)
# is after nat to allow others to do dns too relies on
# ${fwcmd} add pass tcp from any to ${oip} 53 setup
# ${fwcmd} add pass udp from ${oip} 53 to any

# Allow TCP through if setup succeeded.
# bypass the logging step. too much data
${fwcmd} add allow tcp from any to any established

# take note of unexpected stuff. then drop it.
${fwcmd} add drop log ip from any to ${natd_target}

# Allow IP fragments to pass through (NOPE)
# ${fwcmd} add pass all from any to any frag

# XXX remove this if you turn on the target option on
# natd to allow a server
# Reject & Log all setup of incoming connections from the outside
# that have not been explicitly allowed above.
${fwcmd} add deny log tcp from any to ${natd_target} setup

# anything here should be logged. it's interesting.
${fwcmd} add count log ip from any to any

# after that gauntlet, allow it to proceed.
${fwcmd} add allow ip from any to any

#----- OUTGOING
# Stop RFC1918 nets getting out to the outside interface
# except for the weirdness of our next hop being such an address.
${fwcmd} add ${OUTGOING} allow icmp from ${oip} to ${onet}/${omask} keep-state
${fwcmd} add deny log all from any to "table(1)"

# The firewall (and julian) can talk out if it wants to.
# these are local sessions by definition.
${fwcmd} add pass all from ${oip} to any keep-state
# ${fwcmd} add pass udp from ${oip} to any keep-state
# ${fwcmd} add pass icmp from ${oip} to any keep-state

# Allow NTP queries out in the world from the firewall.
# ${fwcmd} add pass udp from ${oip} to any 123 keep-state

# Allow DNS queries out in the world from the firewall.
# ${fwcmd} add pass udp from ${oip} to any 53 keep-state

#^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v OUTGOING NAT POINT ^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v
${fwcmd} add divert natd all from any to any out recv ${iif}

# just in case natd goes weird.
${fwcmd} add deny log all from "table(1)" to any
# in fact don't allow packets out that are not from this interface exactly
${fwcmd} add deny log ip from not ${oip} to any

${fwcmd} add allow all from any to any

sysctl net.inet.ip.fw.enable=1

--------------050603000901020707080403--

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 4 20:28:36 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4CFAC106564A for ; Tue, 4 Jan 2011 20:28:36 +0000 (UTC) (envelope-from lxue2@tigers.lsu.edu) Received: from mail-wy0-f182.google.com (mail-wy0-f182.google.com [74.125.82.182]) by mx1.freebsd.org (Postfix) with ESMTP id E4AAB8FC1C for ; Tue, 4 Jan 2011 20:28:35 +0000 (UTC) Received: by wyf19 with SMTP id 19so14784582wyf.13 for ; Tue, 04 Jan 2011 12:28:35 -0800 (PST) MIME-Version: 1.0 Received: by 10.216.166.67 with SMTP id f45mr1816145wel.112.1294171432599; Tue, 04 Jan 2011 12:03:52 -0800 (PST) Received: by 10.216.241.6 with HTTP; Tue, 4 Jan 2011 12:03:52 -0800 (PST) Date: Tue, 4 Jan 2011 14:03:52 -0600 Message-ID: From: Lin Xue To: freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Subject: RED SCALE problem? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Jan 2011 20:28:36 -0000

Hi all, I am trying to do some tests on RED for different parameters (like min/max threshold, probability...), but find there might be some problem with the SCALE of RED.
In ip_dummynet.h RED SCALE is defined as:

#define SCALE_RED 16
#define SCALE(x) ( (x) << SCALE_RED )

And in ip_dummynet.c, the min and max thresholds are scaled as below:

/* Now doing stuff that was in kerneland */
fs->min_th = SCALE(fs->fs.min_th);
fs->max_th = SCALE(fs->fs.max_th);

In that case, will the min and max threshold only support up to 16 bits (0-65K+)? Otherwise the higher bits will be dropped, because min_th and max_th are both int.

Thank you!

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 4 21:55:45 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5BD44106566B for ; Tue, 4 Jan 2011 21:55:45 +0000 (UTC) (envelope-from mike@magicislandtechnologies.com) Received: from mail.magicislandtechnologies.com (mail.magicislandtechnologies.com [74.208.96.3]) by mx1.freebsd.org (Postfix) with ESMTP id F209F8FC15 for ; Tue, 4 Jan 2011 21:55:44 +0000 (UTC) Received: (qmail 31042 invoked from network); 5 Jan 2011 01:18:55 +0300 Received: from c-68-42-75-112.hsd1.mi.comcast.net (HELO ?192.168.0.103?)
(68.42.75.112) by mail.magicislandtechnologies.com with SMTP; 5 Jan 2011 01:18:55 +0300 Message-ID: <4D23A04A.3040107@magicislandtechnologies.com> Date: Wed, 05 Jan 2011 01:33:46 +0300 From: Michael Spratt User-Agent: Thunderbird 2.0.0.22 (X11/20090605) MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org References: <20110104145253.GB8235@onelab2.iet.unipi.it> In-Reply-To: <20110104145253.GB8235@onelab2.iet.unipi.it> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: adrian@xenion.com.au, Douglas Lampi Subject: soft-cap, X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Jan 2011 21:55:45 -0000

Dear friends, linux/ipfw/dummynet/transparent-bridge, I am trying to cap users' upload/TX rates, but allow them to go over if the link is not congested.

The example below limits each src-ip mask IP's TX from 10.10.0.0/20 to 128Kbit/s, and from 10.20.0.0/20 to 1024Kbit/s.

-------------------------------------------------------------------------------------
ipfw pipe 1 config bw 128Kbit/s mask src-ip 0xffffffff
ipfw pipe 2 config bw 1024Kbit/s mask src-ip 0xffffffff
ipfw add 10001 pipe 1 ip from 10.10.0.0/20 to any out xmit br0
ipfw add 10001 pipe 2 ip from 10.20.0.0/20 to any out xmit br0

How to define total link size 100/100Mbit/s and allow individual IPs to exceed the rate limit when the link is not full?
---------------------------------------------------------------------------------

This simply places a HARD CAP on each IP. My question is, how to allow each IP to exceed that hard limit if the bandwidth on the up-link is available. I.e. if there is free bandwidth let them use it; if not, scale users exceeding their subscribed data rate down until they are down to their subscribed limit?
My WAN uplink is 100Mbit/s. I want to give the clients the benefit of exceeding their TX dynamic pipe cap-limit when the system has spare bandwidth. I welcome any feedback.

Thanks
-Mike
1-214-901-3232

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 4 23:41:06 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B5184106566B for ; Tue, 4 Jan 2011 23:41:06 +0000 (UTC) (envelope-from fjwcash@gmail.com) Received: from mail-yx0-f182.google.com (mail-yx0-f182.google.com [209.85.213.182]) by mx1.freebsd.org (Postfix) with ESMTP id 6E7288FC12 for ; Tue, 4 Jan 2011 23:41:06 +0000 (UTC) Received: by yxh35 with SMTP id 35so6302910yxh.13 for ; Tue, 04 Jan 2011 15:41:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=p6/eJWYbHhA0DqbCLenZ+oQxr8Dqbqeb2YXg0Ikmnp4=; b=ZXrPM6OamXLMkSIbYV9N0ZtpnyaMf9vTZ0UgDJM/EogENyrDykV6vM4ut65UoYfHsF UremmwPhZim7b3w2fPBOUdv2nL/ZIOuGMny4WsiXvC5ll8jodW5la1qK/FGKWEZ/at9H cW5khHD819cWV7WJ91x1O3sWr8reMT/D/Gg9A= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=UasseK3A7vT4txq/YIwOVE54up6ZJ98SbAAa0z3sNIkg9ElP+arKwTjeS82qlRzJ/R X6pAV85BkJ+q6l8Gesiz3YsZglXrQrsANYxzK+ISZJFL0KNSdpz+JIgPoTlOCYigzkkY QyqM2fGuZTteLAfk0ZtbfnwPHyXzdZx66YQ4A= MIME-Version: 1.0 Received: by 10.90.86.17 with SMTP id j17mr14505031agb.10.1294182783479; Tue, 04 Jan 2011 15:13:03 -0800 (PST) Received: by 10.90.153.20 with HTTP; Tue, 4 Jan 2011 15:13:03 -0800 (PST) In-Reply-To: <4D23A04A.3040107@magicislandtechnologies.com> References: <20110104145253.GB8235@onelab2.iet.unipi.it> <4D23A04A.3040107@magicislandtechnologies.com> Date: Tue, 4 Jan 2011
15:13:03 -0800 Message-ID: From: Freddie Cash To: Michael Spratt Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-ipfw@freebsd.org Subject: Re: soft-cap, X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Jan 2011 23:41:06 -0000

On Tue, Jan 4, 2011 at 2:33 PM, Michael Spratt wrote:
> Dear friends, linux/ipfw/dummynet/transparent-bridge, am trying to cap
> users to upload/TX rates, but allow them to go over if the link is not
> congested.
>
> The example below limits each src-ip mask-IP's TX from 10.10.0.0/20 to
> 128Kbit/s, and from 10.20.0.0/20 to 1024Kbit/s.
> -------------------------------------------------------------------------------------
> ipfw pipe 1 config bw 128Kbit/s mask src-ip 0xffffffff
> ipfw pipe 2 config bw 1024Kbit/s mask src-ip 0xffffffff

Create 1 pipe of "1024+128" Kbps. Then create 2 queues, one with weight 1 (the slow queue) and the other with weight 8 (the fast queue). That will guarantee that traffic sent through queue 1 gets at least 128 Kbps of bandwidth, even when the pipe is full. And traffic sent through queue 2 gets at least 1024 Kbps of bandwidth, even when the pipe is full.

The beauty of queues, though, is that either queue can "expand" to fill the full pipe, if there's no traffic in the other queues. Thus, queue 1 is guaranteed 128 Kbps of bandwidth, but can use up to the full pipe worth if queue 2 is empty. And queue 2 is guaranteed 1024 Kbps of bandwidth, but can use up to the full pipe worth if queue 1 is empty.

> ipfw add 10001 pipe 1 ip from 10.10.0.0/20 to any out xmit br0
> ipfw add 10001 pipe 2 ip from 10.20.0.0/20 to any out xmit br0

Then, change the above rules to use the queues instead. The way dummynet works is that pipes set hard limits on the bandwidth.
And queues provide minimum guarantees for bandwidth inside of that pipe.

--
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 5 01:05:52 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2C2F1106564A; Wed, 5 Jan 2011 01:05:52 +0000 (UTC) (envelope-from hrs@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 02A008FC12; Wed, 5 Jan 2011 01:05:52 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p0515plx050667; Wed, 5 Jan 2011 01:05:51 GMT (envelope-from hrs@freefall.freebsd.org) Received: (from hrs@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p0515prC050663; Wed, 5 Jan 2011 01:05:51 GMT (envelope-from hrs) Date: Wed, 5 Jan 2011 01:05:51 GMT Message-Id: <201101050105.p0515prC050663@freefall.freebsd.org> To: hrs@FreeBSD.org, freebsd-ipfw@FreeBSD.org, hrs@FreeBSD.org From: hrs@FreeBSD.org Cc: Subject: Re: kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Jan 2011 01:05:52 -0000 Synopsis: [ipfw] Problem with loading of ipfw NAT rules during system startup Responsible-Changed-From-To: freebsd-ipfw->hrs Responsible-Changed-By: hrs Responsible-Changed-When: Wed Jan 5 01:05:33 UTC 2011 Responsible-Changed-Why: Take.
http://www.freebsd.org/cgi/query-pr.cgi?pr=148928 From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 5 01:06:22 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BB339106566B; Wed, 5 Jan 2011 01:06:22 +0000 (UTC) (envelope-from hrs@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 919178FC0A; Wed, 5 Jan 2011 01:06:22 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p0516Mvv050736; Wed, 5 Jan 2011 01:06:22 GMT (envelope-from hrs@freefall.freebsd.org) Received: (from hrs@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p0516MHa050732; Wed, 5 Jan 2011 01:06:22 GMT (envelope-from hrs) Date: Wed, 5 Jan 2011 01:06:22 GMT Message-Id: <201101050106.p0516MHa050732@freefall.freebsd.org> To: hrs@FreeBSD.org, freebsd-ipfw@FreeBSD.org, hrs@FreeBSD.org From: hrs@FreeBSD.org Cc: Subject: Re: conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Jan 2011 01:06:22 -0000 Synopsis: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled Responsible-Changed-From-To: freebsd-ipfw->hrs Responsible-Changed-By: hrs Responsible-Changed-When: Wed Jan 5 01:06:05 UTC 2011 Responsible-Changed-Why: Take. 
http://www.freebsd.org/cgi/query-pr.cgi?pr=153155

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 5 21:10:01 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 09610106564A for ; Wed, 5 Jan 2011 21:10:01 +0000 (UTC) (envelope-from mike@magicislandtechnologies.com) Received: from mail.magicislandtechnologies.com (mail.magicislandtechnologies.com [74.208.96.3]) by mx1.freebsd.org (Postfix) with ESMTP id B76318FC08 for ; Wed, 5 Jan 2011 21:10:00 +0000 (UTC) Received: (qmail 28180 invoked from network); 6 Jan 2011 00:59:52 +0300 Received: from c-68-42-75-112.hsd1.mi.comcast.net (HELO ?192.168.0.103?) (68.42.75.112) by mail.magicislandtechnologies.com with SMTP; 6 Jan 2011 00:59:52 +0300 Message-ID: <4D24ED60.3030802@magicislandtechnologies.com> Date: Thu, 06 Jan 2011 01:14:56 +0300 From: Michael Spratt User-Agent: Thunderbird 2.0.0.22 (X11/20090605) MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org References: <20110104145253.GB8235@onelab2.iet.unipi.it> <4D23A04A.3040107@magicislandtechnologies.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Freddie Cash , adrian@xenion.com.au, Douglas Lampi Subject: Re: soft-cap, X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Jan 2011 21:10:01 -0000

Freddie Cash wrote:
> On Tue, Jan 4, 2011 at 2:33 PM, Michael Spratt wrote:
>
>> Dear friends, linux/ipfw/dummynet/transparent-bridge, am trying to cap
>> users to upload/TX rates, but allow them to go over if the link is not
>> congested.
>>
>> The example below limits each src-ip mask-IP's TX from 10.10.0.0/20 to
>> 128Kbit/s, and from 10.20.0.0/20 to 1024Kbit/s.
>> -------------------------------------------------------------------------------------
>> ipfw pipe 1 config bw 128Kbit/s mask src-ip 0xffffffff
>> ipfw pipe 2 config bw 1024Kbit/s mask src-ip 0xffffffff
>>
> Create 1 pipe of "1024+128" Kbps.
> Then create 2 queues, one with weight 1 (the slow queue) and the other
> with weight 8 (the fast queue).
> That will guarantee that traffic sent through queue 1 gets at least
> 128 Kbps of bandwidth, even when the pipe is full. And traffic sent
> through queue 2 gets at least 1024 Kbps of bandwidth, even when the
> pipe is full.
>
>
>> ipfw add 10001 pipe 1 ip from 10.10.0.0/20 to any out xmit br0
>> ipfw add 10001 pipe 2 ip from 10.20.0.0/20 to any out xmit br0
>>

Dear Fr. & all,

The size for my wan-uplink is 100Mb/s. Since the pipe rules are dynamic, realize there will be approx. 10K IPs for each hash table? Each subscription rate will have to have 2 tables, one for TX and one for RX. In the example pipe 1 has a dynamic src-ip mask and will limit everything from 10.10.0.0/20.

I want to cap various groups of IP clients at 128/256/512/1024, but only when congestion starts to occur; if the link is not really full, I want each IP-client to receive the benefit of not being capped. I.e. start pulling BW from subscribers who are exceeding the assigned

Does this make sense? Is it possible? This maximizes benefit to all users at all times, and when bandwidth is not available it limits people to a specific level. Is it possible to do this without having multiple configurations and switching based on link usage levels?
Thanks
-Mike

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jan 5 21:24:29 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3047E1065672 for ; Wed, 5 Jan 2011 21:24:29 +0000 (UTC) (envelope-from mike@magicislandtechnologies.com) Received: from mail.magicislandtechnologies.com (mail.magicislandtechnologies.com [74.208.96.3]) by mx1.freebsd.org (Postfix) with ESMTP id E33E88FC20 for ; Wed, 5 Jan 2011 21:24:28 +0000 (UTC) Received: (qmail 29504 invoked from network); 6 Jan 2011 01:14:20 +0300 Received: from c-68-42-75-112.hsd1.mi.comcast.net (HELO ?192.168.0.103?) (68.42.75.112) by mail.magicislandtechnologies.com with SMTP; 6 Jan 2011 01:14:20 +0300 Message-ID: <4D24F0C4.7020901@magicislandtechnologies.com> Date: Thu, 06 Jan 2011 01:29:24 +0300 From: Michael Spratt User-Agent: Thunderbird 2.0.0.22 (X11/20090605) MIME-Version: 1.0 To: John Nielsen References: <78DC9B784B57453B9C81859DBFFE55F5@fam> <6C2CEB9A-1E8C-4B3D-B91F-E49F3B2DE34B@jnielsen.net> In-Reply-To: <6C2CEB9A-1E8C-4B3D-B91F-E49F3B2DE34B@jnielsen.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-ipfw@freebsd.org, Fazal Ahmed Malik Subject: Re: Transparent Squid and traffic control X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Jan 2011 21:24:29 -0000

John Nielsen wrote:
> On Jan 4, 2011, at 8:01 AM, Fazal Ahmed Malik wrote:
>
>> I have a problem running transparent squid along with dummynet on FreeBSD 7. I have mpd5 for dial-in pppoe, which is working perfectly along with ipfw dummynet traffic control. Now I want to set up transparent squid using an ipfw fwd rule.
>> If I place the fwd rule before the dummynet rule, transparent squid starts working but then traffic is not being controlled. Then I placed the fwd rule after the dummynet pipe; here traffic is controlled but transparent squid stops working. Anybody who has experience with such a configuration where both work simultaneously, please give me some hints.
>>
>
> I have done this successfully in the past. You need to remember that for every web request there are potentially two TCP conversations: one between the client and the proxy and one between the proxy and the server.
>
> You probably do not want to pipe the first type of conversation--requests that can be served from the proxy's cache do not use WAN bandwidth and should be served at full speed over the LAN.
>
> You DO want to pipe the second type of conversation. Requests from the proxy to web servers over the WAN will compete with other traffic for bandwidth.
>
> So leave your fwd rule before the dummynet rule(s) and be sure that LAN traffic is not piped.
>
> Then add rules to pipe requests from the proxy's external IP to non-LAN addresses on port 80. Something like these:
>
> Downstream:
> ipfw add skipto $ACCEPT tcp from $LAN 80 to me
> ipfw add pipe $M tcp from any 80 to $EXTIP
>
> Upstream:
> ipfw add skipto $ACCEPT tcp from me to $LAN 80
> ipfw add pipe $N tcp from $EXTIP to any 80
>
> If you post a specific ruleset you can get specific advice. :)
>
> JN
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

John, try thinking about using tproxy with your squids; then it will be invisible to your IPFW traffic control, as the http traffic will have a spoofed source and will not 'confuse' your bw control setup.
-Mike

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 6 21:54:50 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8B764106566B for ; Thu, 6 Jan 2011 21:54:50 +0000 (UTC) (envelope-from ptyll@nitronet.pl) Received: from mail.nitronet.pl (smtp.nitronet.pl [195.90.106.27]) by mx1.freebsd.org (Postfix) with ESMTP id 50A4E8FC19 for ; Thu, 6 Jan 2011 21:54:50 +0000 (UTC) Received: from mailnull by mail.nitronet.pl with virscan (Exim 4.72 (FreeBSD)) (envelope-from ) id 1PaxE2-0002lc-9t for freebsd-ipfw@freebsd.org; Thu, 06 Jan 2011 22:18:26 +0100 Date: Thu, 6 Jan 2011 22:18:21 +0100 From: Pawel Tyll X-Priority: 3 (Normal) Message-ID: <201953550.20110106221821@nitronet.pl> To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Transfer-Encoding: quoted-printable X-Virus-Scanned: Nitronet.pl X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: ptyll@nitronet.pl X-SA-Exim-Scanned: No (on mail.nitronet.pl); SAEximRunCond expanded to false Cc: Subject: [Panic] Dummynet/IPFW related recurring crash. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Jan 2011 21:54:50 -0000

Hi lists,

I've reported this problem: http://www.freebsd.org/cgi/query-pr.cgi?pr=152360

and ever since 8.1-RELEASE this machine keeps panicking every two weeks or so. Any help will be much appreciated. I'll be happy to provide any more info to help tracking this down.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 7 06:02:43 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 06CED106566B for ; Fri, 7 Jan 2011 06:02:43 +0000 (UTC) (envelope-from jamesbrandongooch@gmail.com) Received: from mail-ww0-f50.google.com (mail-ww0-f50.google.com [74.125.82.50]) by mx1.freebsd.org (Postfix) with ESMTP id 914618FC0A for ; Fri, 7 Jan 2011 06:02:42 +0000 (UTC) Received: by wwf26 with SMTP id 26so16895902wwf.31 for ; Thu, 06 Jan 2011 22:02:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=YG6fx9yyYE3CjfWHphAxaFZSCoZuNGnjR5fke4tFKTM=; b=Ug8sgtD2XgLRAodIpBKh6zDR2aPJbHnHsMdI3KQqBI3XCnX/B3OkAssTVJYgQTWN0e HZ5P3U7WbZ/pY8unh1YbYRzF0rg7UFlhuwzAFq4zXEBZ7xvCnvwvlU3f2m7ZqOdbZS2k SEjgpGBY4gQXCyCFyhKkc1dFVTFZyi1hZkunM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=MlKqmYI9bFMnixDG1N0xwFTWnDaKaKX+DZMGpgr9WmsMEeEAx2W4wfaE2JEzfEF6Xs 5WzeMXJK1QM60voYdwfT7WpZ5kZtaYOts8cmwbhjZI9b1VChNDghtN59BvBEIH7q+NTX w48AqXEm1YNp/Pu+BymNUnqabXjUfBkquKb1o= MIME-Version: 1.0 Received: by 10.216.20.141 with SMTP id p13mr1221032wep.102.1294378783501; Thu, 06 Jan 2011 21:39:43 -0800 (PST) Received: by 10.216.36.71 with HTTP; Thu, 6 Jan 2011 21:39:43 -0800 (PST) In-Reply-To: <201953550.20110106221821@nitronet.pl> References: <201953550.20110106221821@nitronet.pl> Date: Thu, 6 Jan 2011 23:39:43 -0600 Message-ID: From: Brandon Gooch To: Pawel Tyll Content-Type: text/plain; charset=ISO-8859-1 Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: [Panic] Dummynet/IPFW related recurring crash. 
X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Jan 2011 06:02:43 -0000 2011/1/6 Pawel Tyll : > Hi lists, > > I've reported this problem: > http://www.freebsd.org/cgi/query-pr.cgi?pr=152360 > > and ever since 8.1-RELEASE this machine keeps panicking every two weeks > or so. Any help will be much appreciated. I'll be happy to provide any > more info to help tracking this down. Might this be an issue with the em(4) driver? It may be that it's fixed: http://svn.freebsd.org/viewvc/base?view=revision&sortby=date&revision=216440 -Brandon From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 7 15:11:25 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8F0A9106566C for ; Fri, 7 Jan 2011 15:11:25 +0000 (UTC) (envelope-from ptyll@nitronet.pl) Received: from mail.nitronet.pl (smtp.nitronet.pl [195.90.106.27]) by mx1.freebsd.org (Postfix) with ESMTP id 4F2438FC0C for ; Fri, 7 Jan 2011 15:11:25 +0000 (UTC) Received: from mailnull by mail.nitronet.pl with virscan (Exim 4.72 (FreeBSD)) (envelope-from ) id 1PbDyO-0008Ym-JX for freebsd-ipfw@freebsd.org; Fri, 07 Jan 2011 16:11:24 +0100 Date: Fri, 7 Jan 2011 16:11:18 +0100 From: Pawel Tyll X-Priority: 3 (Normal) Message-ID: <1471162506.20110107161118@nitronet.pl> To: Brandon Gooch In-Reply-To: References: <201953550.20110106221821@nitronet.pl> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Virus-Scanned: Nitronet.pl X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: ptyll@nitronet.pl X-SA-Exim-Scanned: No (on mail.nitronet.pl); SAEximRunCond expanded to false Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: [Panic] Dummynet/IPFW related recurring crash. 
X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Jan 2011 15:11:25 -0000

Hi Brandon,

> Might this be an issue with the em(4) driver? It may be that it's fixed:
> http://svn.freebsd.org/viewvc/base?view=revision&sortby=date&revision=216440

Thanks Brandon - I'll update to fresh stable and get back to you... in three to four weeks :)

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 7 16:14:38 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0518B10656A4 for ; Fri, 7 Jan 2011 16:14:38 +0000 (UTC) (envelope-from ptyll@nitronet.pl) Received: from mail.nitronet.pl (smtp.nitronet.pl [195.90.106.27]) by mx1.freebsd.org (Postfix) with ESMTP id B99138FC20 for ; Fri, 7 Jan 2011 16:14:37 +0000 (UTC) Received: from mailnull by mail.nitronet.pl with virscan (Exim 4.72 (FreeBSD)) (envelope-from ) id 1PbExZ-000A7Z-1X for freebsd-ipfw@freebsd.org; Fri, 07 Jan 2011 17:14:37 +0100 Date: Fri, 7 Jan 2011 17:14:30 +0100 From: Pawel Tyll X-Priority: 3 (Normal) Message-ID: <57312439.20110107171430@nitronet.pl> To: Brandon Gooch In-Reply-To: References: <201953550.20110106221821@nitronet.pl> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Virus-Scanned: Nitronet.pl X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: ptyll@nitronet.pl X-SA-Exim-Scanned: No (on mail.nitronet.pl); SAEximRunCond expanded to false Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: [Panic] Dummynet/IPFW related recurring crash.
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 07 Jan 2011 16:14:38 -0000

One more question though,

I have 4 identical machines, also with em-driven NICs - yet this is
the only one that dies like this. OTOH Other machines don't do traffic
shaping and do not use ipfw that extensively. Does this match your
theory?

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 7 16:44:54 2011
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4D0D9106566C; Fri, 7 Jan 2011 16:44:54 +0000 (UTC) (envelope-from jamesbrandongooch@gmail.com)
Received: from mail-wy0-f182.google.com (mail-wy0-f182.google.com [74.125.82.182]) by mx1.freebsd.org (Postfix) with ESMTP id AD12D8FC19; Fri, 7 Jan 2011 16:44:52 +0000 (UTC)
Received: by wyf19 with SMTP id 19so17724793wyf.13 for ; Fri, 07 Jan 2011 08:44:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=kIP2ouakiUsCM6cQOEpDFknh1P4iZ/jpZ1i6ZzuJoo4=; b=Fjc0FiiBm054ADPjLm2HD7Xhf/QjgDkEqndJCMTyg0Bw4LZbYYeunPBHmNlFWjj0S4 NyRopmu7YaGq2bLifJIAOiaApHxBo6q/Bbi8nuGnWng6zlguCkaSiTJt9Q6HKxPkb0Ov 1578s3D2OAyZlf/5gUs+tPVF5g80IYTohtPDM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=cDc7et78xeAyaG1mz5xX/RjGw0xVqLD/hes7v/+27grpSEj0/rU/wh5hddGaUUXrws Rv4RAuqhma4eU97IO3K0/bG3Z5aBM8Ytqq7zaAoOI1dxI3kwzaLslsViKvxuyER1G4/R FbGLI+qKgIMiH//YytDiAPQm587zcNS7q3/io=
MIME-Version: 1.0
Received: by 10.216.55.145 with SMTP id k17mr1718213wec.48.1294418464142; Fri, 07 Jan 2011 08:41:04 -0800 (PST)
Received: by 10.216.36.71 with HTTP; Fri, 7 Jan 2011 08:41:04 -0800 (PST)
In-Reply-To: <57312439.20110107171430@nitronet.pl>
References: <201953550.20110106221821@nitronet.pl> <57312439.20110107171430@nitronet.pl>
Date: Fri, 7 Jan 2011 10:41:04 -0600
Message-ID:
From: Brandon Gooch
To: Pawel Tyll
Content-Type: text/plain; charset=ISO-8859-1
Cc: freebsd-net@freebsd.org, Jack Vogel , freebsd-ipfw@freebsd.org
Subject: Re: [Panic] Dummynet/IPFW related recurring crash.
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 07 Jan 2011 16:44:54 -0000

On Fri, Jan 7, 2011 at 10:14 AM, Pawel Tyll wrote:
> One more question though,
>
> I have 4 identical machines, also with em-driven NICs - yet this is
> the only one that dies like this. OTOH Other machines don't do traffic
> shaping and do not use ipfw that extensively. Does this match your
> theory?

It's likely that the mbuf handling problem (in em_refresh_mbufs()) is
triggered by the processing you're doing with ipfw (or elsewhere for
that matter), so, yes, I think it's a bug fixed in the revision
discussed.

When you update and test, please let us know. Also, don't forget to
submit a follow-up to your PR.

Thanks!
-Brandon

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 7 17:45:46 2011
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3F4A5106564A for ; Fri, 7 Jan 2011 17:45:46 +0000 (UTC) (envelope-from jamesbrandongooch@gmail.com)
Received: from mail-ww0-f50.google.com (mail-ww0-f50.google.com [74.125.82.50]) by mx1.freebsd.org (Postfix) with ESMTP id C6F3E8FC16 for ; Fri, 7 Jan 2011 17:45:45 +0000 (UTC)
Received: by wwf26 with SMTP id 26so17401073wwf.31 for ; Fri, 07 Jan 2011 09:45:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=BCtzuPH54JOdhRGAOAjalroRye/nDE/U+F+5gT1wsTA=; b=apqeHY+wvH1QzvO+KYV5nG7DGGNZ7CV0ByJsejsJ+RUPOMOpIQxmTdoqiWiILGFSoU 5MFy7I81YAg+mMLpXtnI5FnIgrolH8fj33LjRxtGse9muNJfjZd0DfteatwJ7Y6mEuY6 oSnqzWltPKJO0JXUvzQREm2nB1rz5LoeFNx8A=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=MJrFm7XvS5axpXSF5Qxv2xUC2+rNkqZW45ZR4xhmMzeVBWIGCEtL7pqoNfmultCdAq xRX1SPu8T3f3zqDHrbmnyCUFRYO5PN3/vdog69Q4kYiVuPaiSvs/OEGX+nS4OzWvQ+x8 WeTZGsVD3R6gcoa+Zu4I+8yUqRcMW8qhuK8jo=
MIME-Version: 1.0
Received: by 10.216.18.194 with SMTP id l44mr1879143wel.87.1294422089310; Fri, 07 Jan 2011 09:41:29 -0800 (PST)
Received: by 10.216.36.71 with HTTP; Fri, 7 Jan 2011 09:41:29 -0800 (PST)
In-Reply-To: <20101223233437.Q27345@sola.nimnet.asn.au>
References: <20101223233437.Q27345@sola.nimnet.asn.au>
Date: Fri, 7 Jan 2011 11:41:29 -0600
Message-ID:
From: Brandon Gooch
To: Ian Smith
Content-Type: text/plain; charset=ISO-8859-1
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Request for policy decision: kernel nat vs/and/or natd
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 07 Jan 2011 17:45:46 -0000

On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith wrote:
> Folks,
>
> [ If someone implements an /etc/rc.d/ipfw reload command that reliably
> works over a remote session without any open firewall window, great, but
> I'd rather not discuss the related issues below in responses to any PR ]
>
> In order to address issues (and PRs) introduced by and since adding
> kernel nat and more recently firewall_coscripts, before offering any
> code it's clearly necessary to determine policy for what we should do
> when both natd_enable and firewall_nat_enable are set in rc.conf.
>
> "Don't do that" is not a policy, people will and already are bumping
> into this, affecting startup scripts and nat[d] rules in rc.firewall.
>
> We could:
>
> 1) Preference kernel nat over natd when both are enabled.

I vote for #1.

What about the IPFW documentation regarding NAT in the Handbook?
Will there be an update to the NAT instructions:

http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

-Brandon

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 7 20:04:28 2011
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 72C781065722 for ; Fri, 7 Jan 2011 20:04:28 +0000 (UTC) (envelope-from eaalhq@eaalhq.com)
Received: from sg2plwbeout19-1.prod.sin2.secureserver.net (sg2plwbeout19-1.prod.sin2.secureserver.net [182.50.144.34]) by mx1.freebsd.org (Postfix) with SMTP id A5D138FC22 for ; Fri, 7 Jan 2011 20:04:27 +0000 (UTC)
Received: (qmail 24468 invoked from network); 7 Jan 2011 19:37:46 -0000
Received: from unknown (HELO sg2plout10-01.prod.sin2.secureserver.net) (182.50.145.4) by sg2plwbeout19-1.prod.sin2.secureserver.net with SMTP; 7 Jan 2011 19:37:46 -0000
Received: (qmail 12577 invoked from network); 7 Jan 2011 19:37:46 -0000
Received: from unknown (114.79.11.129) by sg2plout10-01.prod.sin2.secureserver.net (182.50.145.4) with ESMTP; 07 Jan 2011 19:37:45 -0000
MIME-Version: 1.0
X-Unsent: 1
Date: Sat, 08 Jan 2011 01:19:33 +0700
X-Priority: Normal
X-Mailer: Vodamail 10
To: "freebsd-ipfw"
From: "Ms. Maria Susanto"
Message-ID: <3DD59F5F95D987DE7157A91E500563EE47EA8D0B@user-08902b163a>
Content-Type: text/plain; charset="iso-8859-1";format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Urgent Attention, Your Assistance Needed.
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: m-susanto1@hotmail.com
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 07 Jan 2011 20:04:28 -0000

Hi,

My name is Maria Susanto, 39 yrs, I come from Indonesia, and I am married to Mr Marc Joeseph, and I have two children from our marriage and we live in Great Britain (London), but a misfortune came upon my family and I lost my beloved husband, whom I loved very much, in a very fatal accident that caused my husband to pass away and leave me and my 2 children forever. After this misfortune the problem is that I want to fight for my rights as is proper for a wife, which I must fight for, and I do have family in Indonesia, but none of my family knows that I was married to my (late) husband, because I was already pregnant and my family rejected me and disowned me when they learned that I was pregnant by him, my (late) husband; that is why I do not want to contact them / my family about this matter, and now my husband's siblings and the rest of my husband's family are trying to claim everything that should be mine from my husband. That is why I am writing this letter to you to ask for your cooperation / help and assistance so that I can fight for my rights and my husband's, and for that reason too I very much hope to find someone to help/assist me, someone trustworthy who will help/assist me to receive a sum of money and a property that are now held at a security company here (UK), because if my husband's family learns about this they will claim everything and leave me with nothing.

This is Legal and I have already made an agreement with the security services company for an arrangement that will relocate the funds to your address by polite diplomacy, as diplomatic baggage, to avoid any attack or interference. I would be glad if you could stand in and receive these funds in our own country, Indonesia, on behalf of my family and my children; I would be very grateful to find someone to help me, after which I will arrange to return to Indonesia once all the family affairs with my husband are settled. Whatever way you help/assist me, I will appreciate it with the greatest respect. May God bless you and keep you always in His protection.

If you are interested and can offer suggestions/advice on what I am going through, do not hesitate or feel reluctant; you can contact me at any time, and I offer you some % of the total. I am always awaiting your urgent positive reply. Please contact me directly at my personal mail: m-susanto1@hotmail.com

Regards,
Maria Susanto

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 04:02:33 2011
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D03601065694 for ; Sat, 8 Jan 2011 04:02:33 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id 0F45F8FC14 for ; Sat, 8 Jan 2011 04:02:32 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id p0842UKh050169; Sat, 8 Jan 2011 15:02:30 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sat, 8 Jan 2011 15:02:29 +1100 (EST)
From: Ian Smith
To: Brandon Gooch
In-Reply-To:
Message-ID: <20110108141111.A15397@sola.nimnet.asn.au>
References: <20101223233437.Q27345@sola.nimnet.asn.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-ipfw@freebsd.org, hrs@freebsd.org
Subject: Re: Request for policy decision: kernel nat vs/and/or natd
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id:
IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 08 Jan 2011 04:02:33 -0000

On Fri, 7 Jan 2011, Brandon Gooch wrote:
> On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith wrote:
> > Folks,
> >
> > [ If someone implements an /etc/rc.d/ipfw reload command that reliably
> > works over a remote session without any open firewall window, great, but
> > I'd rather not discuss the related issues below in responses to any PR ]
> >
> > In order to address issues (and PRs) introduced by and since adding
> > kernel nat and more recently firewall_coscripts, before offering any
> > code it's clearly necessary to determine policy for what we should do
> > when both natd_enable and firewall_nat_enable are set in rc.conf.
> >
> > "Don't do that" is not a policy, people will and already are bumping
> > into this, affecting startup scripts and nat[d] rules in rc.firewall.
> >
> > We could:
> >
> > 1) Preference kernel nat over natd when both are enabled.
>
> I vote for #1.

Thanks.  So far, that makes an overwhelming majority of 2 / NIL :)

I see that hrs@freebsd.org has just grabbed two related PRs:

kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup
conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled

so this seems a good time to work up patches to that effect for review
(/etc/rc.d/ipfw, maybe natd, /etc/rc.firewall) later tonight my time.

> What about the IPFW documentation regarding NAT in the Handbook? Will
> there be an update to the NAT instructions:
>
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

That's another can of worms.

Personally I think the present page is so full of deprecation, wrong
assumptions and outright errors to be beyond redemption; I'd like to if
not replace it, at least preface it with a section using rc.firewall out
of the box to implement a minimal initial firewall to get people going
with client | simple | workstation rulesets using more recent (than
documented) rc.conf variables supporting that.

That said, I've never written in SGML and don't consider myself much
good at presentation docs anyway .. so first, some updated scripts.

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 14:30:57 2011
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F262710656A4; Sat, 8 Jan 2011 14:30:57 +0000 (UTC) (envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id 2256F8FC0C; Sat, 8 Jan 2011 14:30:56 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id p08EUsdJ082743; Sun, 9 Jan 2011 01:30:54 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sun, 9 Jan 2011 01:30:54 +1100 (EST)
From: Ian Smith
To: freebsd-ipfw@freebsd.org
In-Reply-To: <20110108141111.A15397@sola.nimnet.asn.au>
Message-ID: <20110108220300.Q15397@sola.nimnet.asn.au>
References: <20101223233437.Q27345@sola.nimnet.asn.au> <20110108141111.A15397@sola.nimnet.asn.au>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="0-401406621-1294486097=:15397"
Content-ID: <20110108223354.W15397@sola.nimnet.asn.au>
Cc: Brandon Gooch , Thomas Sandford , hrs@freebsd.org, David Naylor
Subject: Re: Request for policy decision: kernel nat vs/and/or natd
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 08 Jan 2011 14:30:58 -0000

This message is in MIME format.  The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.

--0-401406621-1294486097=:15397
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID: <20110108223354.S15397@sola.nimnet.asn.au>

On Sat, 8 Jan 2011 15:02:29 +1100, Ian Smith wrote:
> On Fri, 7 Jan 2011, Brandon Gooch wrote:
> > On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith wrote:
[..]
> > > We could:
> > >
> > > 1) Preference kernel nat over natd when both are enabled.
> >
> > I vote for #1.
>
> Thanks.  So far, that makes an overwhelming majority of 2 / NIL :)
>
> I see that hrs@freebsd.org has just grabbed two related PRs:
>
> kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup
> conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled
>
> so this seems a good time to work up patches to that effect for review
> (/etc/rc.d/ipfw, maybe natd, /etc/rc.firewall) later tonight my time.

Ok, the attached patches are against HEAD, which is currently identical
to 8-STABLE for these files.  rc.d_ipfw.patch also applies to 7-STABLE
with an offset but rc.firewall.patch needs more work for 7.  I've no box
on which to actually run-test tonight, and will be away for a few days.

/etc/rc.d/ipfw:
 . prefer kernel nat (loading ipfw_nat) to natd when both are enabled
 . add ipdivert to required_modules - when only natd is enabled - as
   proposed by Thomas Sandford in conf/153155 and also re kern/148928
   also fixing the related issue in conf/148137 (and possibly others)
 . prefix /etc/rc.d/natd to firewall_coscripts when only natd is enabled

/etc/rc.d/natd:
 . seems nothing is needed; has KEYWORD nostart and so should only be
   started now by ipfw when natd - but not firewall_nat - is enabled

/etc/rc.firewall:
 . move firewall_nat and natd code into a function, setup_nat()
   preferring kernel firewall_nat to natd if both are enabled
 . couldn't resist tidying up that code to within 80 columns
 . call setup_nat also in 'simple' ruleset, with same intent as
   proposed in conf/148144 by David Naylor
 . couldn't resist fixing unnecessarily long line in 'workstation'

I've resisted other patches (enabling icmp) that I added to conf/148144
for which I apologise to David; one thing at a time ..

If folks prefer that this be submitted as yet another PR, please say.

cheers, Ian

--0-401406621-1294486097=:15397
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME=rc.d_ipfw.patch
Content-Transfer-Encoding: BASE64
Content-ID: <20110108222817.C15397@sola.nimnet.asn.au>
Content-Description:
Content-Disposition: ATTACHMENT; FILENAME=rc.d_ipfw.patch

--- rc.d_ipfw.1.24	Sat Jan  8 18:13:46 2011
+++ ipfw	Sat Jan  8 21:00:18 2011
@@ -27,9 +27,9 @@
 	fi
 
 	if checkyesno firewall_nat_enable; then
-		if ! checkyesno natd_enable; then
-			required_modules="$required_modules ipfw_nat"
-		fi
+		required_modules="$required_modules ipfw_nat"
+	elif checkyesno natd_enable; then
+		required_modules="$required_modules ipdivert"
 	fi
 }
 
@@ -105,6 +105,7 @@
 }
 
 load_rc_config $name
-firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
+checkyesno natd_enable && ! checkyesno firewall_nat_enable && \
+	firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
 
 run_rc_command $*

--0-401406621-1294486097=:15397
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME=rc.firewall.patch
Content-Transfer-Encoding: BASE64
Content-ID: <20110108222817.B15397@sola.nimnet.asn.au>
Content-Description:
Content-Disposition: ATTACHMENT; FILENAME=rc.firewall.patch

--- rc.firewall.1.69	Sat Jan  8 18:04:28 2011
+++ rc.firewall	Sat Jan  8 21:24:54 2011
@@ -52,7 +52,7 @@
 #   filename    - will load the rules in the given filename (full path required)
 #
 # For ``client'' and ``simple'' the entries below should be customized
-# appropriately.
+# appropriately with rc.conf variables.
 
 ############
 #
@@ -112,6 +112,29 @@
 	${fwcmd} add pass ipv6-icmp from any to any icmp6types 2,135,136
 }
 
+setup_nat () {
+	local iflag
+	if checkyesno firewall_nat_enable; then
+		if [ -n "${firewall_nat_interface}" ]; then
+			if echo "${firewall_nat_interface}" | \
+				grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
+				iflag="ip ${firewall_nat_interface}"
+			else
+				iflag="if ${firewall_nat_interface}"
+			fi
+			firewall_nat_flags="$iflag ${firewall_nat_flags}"
+			${fwcmd} nat 123 config log ${firewall_nat_flags}
+			${fwcmd} add $1 nat 123 ip4 from any to any \
+				via ${firewall_nat_interface}
+		fi
+	elif checkyesno natd_enable; then
+		if [ -n "${natd_interface}" ]; then
+			${fwcmd} add $1 divert natd ip4 from any to any \
+				via ${natd_interface}
+		fi
+	fi
+}
+
 if [ -n "${1}" ]; then
 	firewall_type="${1}"
 fi
@@ -142,37 +165,17 @@
 setup_ipv6_mandatory
 
 ############
-# Network Address Translation.  All packets are passed to natd(8)
-# before they encounter your remaining rules.  The firewall rules
-# will then be run again on each packet after translation by natd
-# starting at the rule number following the divert rule.
+# Network Address Translation.  All packets are passed to kernel nat
+# or natd(8) before they encounter your remaining rules.  The firewall
+# rules will then be run again on each packet after NAT translation
+# starting at the rule number following the nat or divert rule.
 #
-# For ``simple'' firewall type the divert rule should be put to a
-# different place to not interfere with address-checking rules.
+# For ``simple'' firewall type the nat or divert rule is installed in
+# a different place to avoid interfering with address-checking rules.
 #
 case ${firewall_type} in
 [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
-	case ${natd_enable} in
-	[Yy][Ee][Ss])
-		if [ -n "${natd_interface}" ]; then
-			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
-		fi
-		;;
-	esac
-	case ${firewall_nat_enable} in
-	[Yy][Ee][Ss])
-		if [ -n "${firewall_nat_interface}" ]; then
-			if echo "${firewall_nat_interface}" | \
-				grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
-				firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
-			else
-				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
-			fi
-			${fwcmd} nat 123 config log ${firewall_nat_flags}
-			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
-		fi
-		;;
-	esac
+	setup_nat 50
 esac
 
 ############
@@ -311,13 +314,7 @@
 	# translated by natd(8) would match the `deny' rule above.  Similarly
 	# an outgoing packet originated from it before being translated would
 	# match the `deny' rule below.
-	case ${natd_enable} in
-	[Yy][Ee][Ss])
-		if [ -n "${natd_interface}" ]; then
-			${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
-		fi
-		;;
-	esac
+	setup_nat
 
 	# Stop RFC1918 nets on the outside interface
 	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
@@ -519,7 +516,7 @@
 
 	# Deny and (if wanted) log the rest unconditionally.
 	log=""
-	if [ ${firewall_logdeny:-x} = "YES" -o ${firewall_logdeny:-x} = "yes" ] ; then
+	if checkyesno firewall_logdeny; then
 	  log="log logamount 500"	# The default of 100 is too low.
 	  sysctl net.inet.ip.fw.verbose=1 >/dev/null
 	fi

--0-401406621-1294486097=:15397--
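Review bot: in the rc.d_ipfw.patch hunk at @@ -27,9 +27,9 @@, the new `if ... elif` silently drops the natd side when both firewall_nat_enable and natd_enable are set; that is the agreed policy, but the administrator gets no hint in the boot log why natd is not running. Consider a `warn "natd_enable and firewall_nat_enable both set; using kernel nat"` in the `if` branch (rc.subr provides warn) so the precedence is visible. The move from `if ! checkyesno natd_enable` to an unconditional `required_modules="$required_modules ipfw_nat"` is right: with both variables set the old code added neither ipfw_nat nor ipdivert to required_modules.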
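Review bot: in the rc.d_ipfw.patch hunk at @@ -105,6 +105,7 @@, the top-level `checkyesno natd_enable && ! checkyesno firewall_nat_enable && \` chain reads as a test rather than a statement, and as the last command before run_rc_command it leaves a non-zero status whenever natd is not the chosen backend; nothing checks that status today, but an explicit `if checkyesno natd_enable && ! checkyesno firewall_nat_enable; then firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"; fi` matches the style of the first hunk and avoids the question altogether.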
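Review bot: the new setup_nat() in the rc.firewall.patch hunk at @@ -112,6 +112,29 @@ takes an optional rule number as $1 but nothing documents it, and the two callers in this patch differ (`setup_nat 50` for open/client, bare `setup_nat` for simple); a one-line comment above the function, e.g. `# setup_nat [rulenum]: add the kernel nat or natd divert rule (no number: ipfw appends it)`, would save the next reader a trip through both callers. The interface test `grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'` is carried over unchanged and also classifies a bare integer such as `1` as an IP address; tightening it to `{3}` is a separate cleanup worth noting in the PR.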
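Review bot: the rc.firewall.patch hunk at @@ -142,37 +165,17 @@ replaces two `case ${..._enable} in [Yy][Ee][Ss])` blocks with `setup_nat 50`, which now goes through checkyesno. That is a behaviour change in two ways: the accepted spellings widen from yes/YES to the full checkyesno set, and when both variables are set only the kernel nat rule is added at 50 where the old code added a divert rule and a nat rule, both at 50. Both are improvements, but they deserve a line in the commit message or the PR follow-up so the change in rule 50 is not a surprise to anyone diffing `ipfw show` output before and after.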
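Review bot: in the rc.firewall.patch hunk at @@ -311,13 +314,7 @@ the unchanged context comment above the new `setup_nat` call still reads `# translated by natd(8) would match the \`deny' rule above`, whereas the header comment hunk earlier in this patch was updated to say "kernel nat or natd(8)"; update this comment the same way so the simple ruleset no longer reads as natd-only.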
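Review bot: the rc.firewall.patch hunk at @@ -519,7 +516,7 @@ swaps the hand-rolled `[ ${firewall_logdeny:-x} = "YES" -o ${firewall_logdeny:-x} = "yes" ]` test for `checkyesno firewall_logdeny`; fine, but checkyesno emits a warning for a value that is not one of its yes/no spellings, so an odd firewall_logdeny now produces a boot-time message where the old test was silent. It also makes the whole file depend on rc.subr being sourced before this point; setup_nat already assumes that, so please confirm it once for rc.firewall and say so in the PR.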
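As an added example, not part of Ian's patches or of FreeBSD's rc scripts: a dry-run shell model of the "prefer kernel nat over natd" policy this thread settles on, covering which module /etc/rc.d/ipfw would need and which rule rc.firewall's setup_nat would add, including the case where both rc.conf knobs are set. The function names (yesno, nat_backend, nat_required_modules, nat_rule) are this example's own; yesno is a cut-down stand-in for rc.subr's checkyesno that takes the value as an argument instead of a variable name, and the rule text is printed rather than handed to ipfw, so it runs on any POSIX shell without touching a firewall.

```shell
#!/bin/sh
# Added example (not from the patches in this thread): a dry-run model of
# the "prefer kernel nat over natd" policy for the two rc.conf knobs
# natd_enable and firewall_nat_enable.  Nothing here calls ipfw; the
# functions only print what the rc scripts would do.

# Simplified stand-in for rc.subr's checkyesno: same accepted spellings
# (yes/true/on/1 case-insensitively), but the value is passed as $1.
yesno() {
	case "$1" in
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
	*) return 1 ;;
	esac
}

# nat_backend NATD_ENABLE FIREWALL_NAT_ENABLE
# Prints the translator that wins: kernel (ipfw nat), natd, or none.
# Kernel nat is checked first, so it wins when both are enabled.
nat_backend() {
	if yesno "$2"; then
		echo kernel
	elif yesno "$1"; then
		echo natd
	else
		echo none
	fi
}

# nat_required_modules NATD_ENABLE FIREWALL_NAT_ENABLE
# The kernel module the chosen backend depends on (empty when no NAT),
# mirroring what /etc/rc.d/ipfw would append to required_modules.
nat_required_modules() {
	case "$(nat_backend "$1" "$2")" in
	kernel) echo ipfw_nat ;;
	natd)   echo ipdivert ;;
	*)      echo "" ;;
	esac
}

# nat_rule BACKEND INTERFACE [RULENUM]
# Prints the ipfw command(s) a setup_nat-style helper would run.
# A dotted-quad interface value is passed as "ip", a name as "if";
# with no rule number ipfw would append the rule, so none is printed.
nat_rule() {
	backend=$1; iface=$2; num=${3:-}
	[ -n "$iface" ] || return 0	# no interface configured: nothing to add
	case "$backend" in
	kernel)
		if echo "$iface" | grep -q -E '^[0-9]+(\.[0-9]+){3}$'; then
			iflag="ip $iface"
		else
			iflag="if $iface"
		fi
		echo "ipfw nat 123 config log $iflag"
		echo "ipfw add ${num:+$num }nat 123 ip4 from any to any via $iface"
		;;
	natd)
		echo "ipfw add ${num:+$num }divert natd ip4 from any to any via $iface"
		;;
	esac
}

# Demo: both knobs set, the rc.conf conflict the thread is about.
echo "backend: $(nat_backend YES YES), module: $(nat_required_modules YES YES)"
nat_rule "$(nat_backend YES YES)" em0 50
```

With both variables set to YES the demo prints that the kernel backend wins, that ipfw_nat is the module to load, and the two commands for a rule numbered 50 on em0; flip firewall_nat_enable to NO and the same call yields the ipdivert module and a single divert rule, which is the visible difference the policy decision makes at boot.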