From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 28 11:07:23 2011
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 28 Nov 2011 11:07:22 GMT
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
f kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] suggestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

40 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Dec 3 13:19:42 2011
From: Blog Tieng Viet
To: freebsd-ipfw@freebsd.org
Date: Sat, 3 Dec 2011 05:07:04 -0800 (PST)
Subject: Limit src address may not work well:

Dear all,

I am using IPFW in FreeBSD 7.3-RELEASE.
I have some problems, as follows:

Limit src address may not work well:

For example, I want to limit the Google robot to no more than 1 connection establishment:

${fwcmd} add 5625 pass tcp from 66.249.0.0/16 to me 80 limit src-addr 1

But I saw there are about 6 ESTABLISHED connections from this address in the results of "netstat -n".

Is it my mistake? Please give me some advice.

Best regards.


--- On Thu, 11/3/11, Tim Gustafson wrote:

> From: Tim Gustafson
> Subject: Re: IPFW Problems
> To: "Michael Sierchio"
> Cc: freebsd-ipfw@freebsd.org
> Date: Thursday, November 3, 2011, 1:56 AM
> > You may want to tweak the sysctl items that control the lifespan
> > of dynamic rules.
> >
> > sysctl net.inet.ip.fw
> >
> > in particular, the default value of net.inet.ip.fw.dyn_ack_lifetime
> > is probably way too long for your purposes.
>
> Here's what I have right now:
>
> root@bsd-02: sysctl net.inet.ip.fw
> net.inet.ip.fw.static_count: 48
> net.inet.ip.fw.default_to_accept: 0
> net.inet.ip.fw.tables_max: 128
> net.inet.ip.fw.default_rule: 65535
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.verbose: 0
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.dyn_keepalive: 1
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_max: 32768
> net.inet.ip.fw.dyn_count: 805
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_buckets: 256
>
> I'm assuming that's in seconds. Is 300 seconds too long? It seems like
> the dynamic rules are hanging around for hours or days, and I think the
> timeout is getting reset by the fact that the system is constantly
> sending out ACK packets to clients that aren't acknowledging them.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Tim Gustafson
> tjg@soe.ucsc.edu
> Baskin School of Engineering
> 831-459-5354
> UC Santa Cruz
> Baskin Engineering 317B
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
From owner-freebsd-ipfw@FreeBSD.ORG Sat Dec 3 20:14:22 2011
From: "Alexander V. Chernikov"
To: Blog Tieng Viet
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 04 Dec 2011 00:13:21 +0400
Subject: Re: Limit src address may not work well:

Blog Tieng Viet wrote:
> Dear all,
>
> I am using IPFW in FreeBSD 7.3-RELEASE.
> I have some problems, as follows:
>
> Limit src address may not work well:
>
> For example, I want to limit the Google robot to no more than 1 connection establishment:
>
> ${fwcmd} add 5625 pass tcp from 66.249.0.0/16 to me 80 limit src-addr 1
>
> But I saw there are about 6 ESTABLISHED connections from this address in the results of "netstat -n".
>
> Is it my mistake? Please give me some advice.

Do you have some rule before 5625 consuming all TCP established traffic,
for example? You need to get ALL traffic from '66.249.0.0/16 to me 80' to
match this exact rule.

> Best regards.
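A toy model of the situation Alexander describes, added here as an example rather than code from the thread or from FreeBSD's ipfw: it replays a few constructed crawler connections through two rule orders, one with an rc.firewall-style "pass tcp from any to any established" rule in front of rule 5625 and one where rule 5625 sees every packet of the flow, using the dyn_syn_lifetime and dyn_ack_lifetime values from the quoted sysctl output. The addresses, the simplified state handling and the rule encoding are assumptions made for the model.

```python
"""Toy model of ipfw 'limit src-addr N' handling, written for this thread to show
why an earlier rule that passes established TCP traffic defeats the limit.  Not
FreeBSD's ipfw code: state handling is simplified (one lifetime per packet kind)."""

# Lifetimes in seconds, taken from the sysctl output quoted in the thread.
DYN_SYN_LIFETIME = 20      # net.inet.ip.fw.dyn_syn_lifetime
DYN_ACK_LIFETIME = 300     # net.inet.ip.fw.dyn_ack_lifetime


class Firewall:
    """Ordered rules as (number, kind, limit); kind is 'established' (pass packets
    with ACK set, stateless), 'check-state' (pass packets matching an existing
    dynamic rule) or 'limit' (pass and create state, at most `limit` per source)."""

    def __init__(self, rules):
        self.rules = sorted(rules)
        self.states = {}                 # (src, sport, dst, dport) -> expiry time

    def _refresh(self, key, now, flags):
        self.states[key] = now + (DYN_ACK_LIFETIME if 'A' in flags else DYN_SYN_LIFETIME)

    def check(self, now, pkt):
        """Return 'pass' or 'deny' for pkt = (src, sport, dst, dport, flags)."""
        self.states = {k: t for k, t in self.states.items() if t > now}  # lazy expiry
        src, sport, dst, dport, flags = pkt
        key = (src, sport, dst, dport)
        for _num, kind, limit in self.rules:
            if kind == 'established' and 'A' in flags:
                return 'pass'            # consumed here, so the state is never refreshed
            if kind in ('check-state', 'limit') and key in self.states:
                self._refresh(key, now, flags)
                return 'pass'
            if kind == 'limit':
                if sum(1 for k in self.states if k[0] == src) >= limit:
                    return 'deny'        # limit reached: ipfw drops the packet
                self._refresh(key, now, flags)
                return 'pass'
        return 'deny'                    # default rule 65535 (default_to_accept: 0)


def established_connections(fw, n_conns=3, spacing=30, ack_every=5):
    """Replay constructed traffic: n_conns connections from one crawler address,
    opened `spacing` seconds apart, each then sending an ACK every `ack_every`
    seconds.  Returns how many SYNs were passed, i.e. ESTABLISHED entries in netstat."""
    src, dst = '66.249.1.1', '203.0.113.10'   # constructed addresses
    events = []
    for i in range(n_conns):
        t0 = i * spacing
        events.append((t0, i, 'S'))
        events += [(t0 + k, i, 'A') for k in range(ack_every, spacing * n_conns, ack_every)]
    opened = set()
    for now, i, flags in sorted(events):
        if fw.check(now, (src, 40000 + i, dst, 80, flags)) == 'pass' and flags == 'S':
            opened.add(i)
    return len(opened)


if __name__ == '__main__':
    bypass = Firewall([(100, 'established', None), (5625, 'limit', 1)])  # rule 100 first
    strict = Firewall([(5625, 'limit', 1)])   # rule 5625 sees every packet of the flow
    print('with an "established" rule before 5625:', established_connections(bypass))  # 3
    print('rule 5625 sees all traffic:', established_connections(strict))  # 1
```

With the bypass rule in front, only the SYN ever reaches 5625, so the dynamic rule is never refreshed, expires after dyn_syn_lifetime, and the next SYN from the same address is counted against an empty limit; a check-state rule ahead of 5625 gives the same result as the strict order.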