Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 17 Sep 2015 01:05:50 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Warren Block <wblock@wonkity.com>
Cc:        "O. Hartmann" <ohartman@zedat.fu-berlin.de>, Kimmo Paasiala <kpaasial@gmail.com>, freebsd-net@freebsd.org, Lev Serebryakov <lev@freebsd.org>, freebsd-ipfw@freebsd.org
Subject:   Re: HELP! Mysterious socket 843/tcp listening on CURRENT system
Message-ID:  <20150916235555.F82084@sola.nimnet.asn.au>
In-Reply-To: <alpine.BSF.2.20.1509150743500.99919@wonkity.com>
References:  <20150915090658.1e0b9074@freyja.zeit4.iv.bundesimmobilien.de> <CA+7WWSdW_JTL+Kt_WcaLVDVLhtBnUGkXXNJezvTSkDy4rHLjPw@mail.gmail.com> <20150915094757.3daef42c@freyja.zeit4.iv.bundesimmobilien.de> <20150915201451.L90924@sola.nimnet.asn.au> <alpine.BSF.2.20.1509150743500.99919@wonkity.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Tue, 15 Sep 2015 07:51:11 -0600 (MDT), Warren Block wrote:
 > On Tue, 15 Sep 2015, Ian Smith wrote:
 > 
 O. Hartmann wrote:
 > > >  But that is an other issue and it is most likely
 > > > due to the outdated documentation (that doc still uses port 37 for NTP
 > > > purposes and referes to the outdated divert mechanism using natd, see the
 > > > recent handbook). The internet is also full of ambigous examples.
 > > 
 > > Yes, the handbook IPFW section is still crazy after all these years,
 > > despite ongoing attempts to limit the damage.  Best just ignore it.
 > 
 > Best overall would be to fix the documentation.

Oh, absolutely.  But it can't be me, for reasons I'll mail you about.  
I've become reluctant to talk about what I can't fix, but when I see 
people in trouble due to that section, I'm compelled to so advise.

 > Given that there seems to be more interest in IPFW lately, it would 
 > be nice if someone well-versed in it would repair or even rewrite the 
 > IPFW handbook section.  Rewrites are sometimes less work than fixing 
 > an old section that no longer fits actual usage.

Exactly the conclusion I'd come to after an effort last October to 
correct some of the more egregious errors, including the one Oliver 
mentions above and quite a lot else.  In reviewing that today, I see I 
got some things wrong myself :) but I'll send it to you anyway.  It's 
nothing more than a start, and only saved-as text, not in doc markup.

 > I have not used IPFW in years, but would be willing to help with an
 > edit/rewrite.

Well if you're prepared to coordinate efforts, I'll certainly review and 
contribute as best I can.  There was another offer in ipfw@ to assist in 
a rewrite recently.  If you're up for it, I'll shunt that your way too?

I've a feeling that the best way to do a lot of this would be by brief 
sections that mostly just pointed to sections of (online) ipfw(8); e.g. 
even the basic description is best covered by ipfw(8)'s /DESCRIPTION ..
so a good index into that with some extra pointers and tips might work.

But we really need some good examples of ipfw + nat with stateful rules 
that actually work properly.  I found one saved good(-looking :) ruleset 
from 2012 with the sort of multiple interfaces and subnets Oliver needs, 
by Lev Serebryakov <lev@freebsd.org>, who's more recently been working 
on adding new rules to better handle timing/placement of state checking 
including in NAT scenarios, who I poke occasionally - like now - to 
provide some worked examples :)

I think freebsd-ipfw@ may be a better place to take this now .. cc'd.

cheers, Ian



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20150916235555.F82084>