From owner-freebsd-ipfw@freebsd.org Sat Jan 28 06:39:32 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 209680] ipfw: when enabled, net connections time out/ssh results in "broken pipe"
Date: Sat, 28 Jan 2017 06:39:31 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209680

Len White changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lwhite@nrw.ca

--- Comment #11 from Len White ---
I've been having the same issue, it's very random. I've spent A LOT of time
debugging it, adding extra print statements in ipfw... unfortunately I can't
trigger the issue at will. It does seem to happen more often if I start up
World of Warcraft from a system behind the ipfw machine. But it seems like
whatever the issue is, it's causing the connections to "expire" prematurely.

When it happens new connections will die in 5-15 seconds over and over. I can
reboot the system and it will come back up, still doing the same thing, then
5-10 mins later it will be fine. Never any errors in logs or dmesg when it
happens.

Running 11.0-RELEASE-p5

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Sat Jan 28 10:17:20 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 209680] ipfw: when enabled, net connections time out/ssh results in "broken pipe"
Date: Sat, 28 Jan 2017 10:17:19 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209680

--- Comment #12 from Fabian Keil ---
I'm still not using ipfw, but the patch from comment two seems to have fixed
the issue for me. The patch from comment three should be safe to test.

Running "vmstat -z" while the system is showing symptoms could help to decide
whether or not the patches might be worth trying.

From owner-freebsd-ipfw@freebsd.org Sat Jan 28 13:04:46 2017
From: Rakor
To: freebsd-ipfw@FreeBSD.org
Subject: How to use IPFW to filter routing
Date: Sat, 28 Jan 2017 13:58:01 +0100

Hi there,

I have a router from my ISP giving me a connection to the internet and SIP.
Behind it I have a FreeBSD box which should route and separate my VLANs. The
setup is like this:

           +------------+                  +------------+          +------------+  VLAN1 10.10.10.0/24
           | ISP-Router |  192.168.2.0/24  | BSD-Router |  Trunk   | L2-SWITCH  |-----------
Internet---|            |------------------|            |----------|   VLANS    |  VLAN2 10.10.20.0/24
           |            |             igb2 |    IPFW    | igb0     |            |-----------
           +------------+                  +------------+          +------------+  VLAN3 10.10.30.0/24
                                                                                 -----------

I can route my VLANs to the Internet and I can route traffic from one VLAN to
another VLAN, all without using IPFW. But I don't know how to set up my IPFW.
Let's say VLAN1 is allowed to communicate with VLAN2 and with the internet.
VLAN3 is allowed to communicate only with the internet.

As far as I know a packet is scanned once by IPFW and then first hit wins. So,
if I set the following, a packet coming from VLAN3 for port 80 is permitted to
travel any way it wants, even to VLAN2. Putting another rule behind it that
just allows it to travel out using igb2 is not checked, because the search
terminated after the first hit.

ipfw add allow tcp from 10.10.30.0/24 to any 80 setup keep-state

If I try the following, the packets are all rejected. I think the inspection is
done before the routing, so IPFW does not know it should be forwarded using
igb2.

ipfw add allow tcp from 10.10.30.0/24 to any 80 out via igb2 setup keep-state

So I don't know how to filter packets that should be routed in an exact manner.
Can you help me?

Thanks
Rakor
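A ruleset for the policy Rakor describes, added here as an example; it is not part of his message or of any reply on the list. It relies on ipfw inspecting a forwarded packet twice (inbound on the receiving interface, then outbound on the transmitting interface after routing) and on check-state matching the dynamic rules that keep-state creates on either pass, so the deny for each forbidden VLAN pair is numbered below the stateful allow that would otherwise match first. The interface names vlan10, vlan20 and vlan30 (VLAN sub-interfaces on the igb0 trunk), the helper names and the path of ipfw are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumptions: the VLAN sub-interfaces
# on the igb0 trunk are vlan10, vlan20 and vlan30 (10.10.10/20/30.0/24); igb2 faces
# the ISP; ipfw lives at /sbin/ipfw.
IPFW=${IPFW:-/sbin/ipfw}

# ipfw inspects a forwarded packet twice: "in recv <if>" when it arrives and
# "out xmit <if>" after routing. The policy is decided on the inbound pass by
# destination network. keep-state then installs a dynamic rule that check-state
# matches on the outbound pass and for every reply, independent of interface.
# Because the first matching rule wins, each deny for a forbidden VLAN pair is
# numbered below the stateful allow that would otherwise swallow it.
# VLAN2 only answers VLAN1 through those dynamic rules and may not start
# connections itself; services the router offers (DNS, DHCP) are not covered.
rules() {
cat <<'EOF'
add 100 check-state
add 110 allow ip from any to any via lo0
add 300 deny ip from 10.10.30.0/24 to 10.10.0.0/16 in recv vlan30
add 310 allow tcp from 10.10.30.0/24 to any 80,443 in recv vlan30 setup keep-state
add 320 allow udp from 10.10.30.0/24 to any 53 in recv vlan30 keep-state
add 400 deny ip from 10.10.10.0/24 to 10.10.30.0/24 in recv vlan10
add 410 allow tcp from 10.10.10.0/24 to any in recv vlan10 setup keep-state
add 420 allow udp from 10.10.10.0/24 to any in recv vlan10 keep-state
add 65000 deny log ip from any to any
EOF
}

# Number of the first rule whose text contains the given fragment (empty if none).
rule_number() {
    rules | awk -v pat="$1" '$1 == "add" && index($0, pat) > 0 { print $2; exit }'
}

# Sanity check before loading: the deny for a forbidden pair must be numbered
# below the allow that would otherwise match the same packets first.
deny_precedes_allow() {
    d=$(rule_number "$1"); a=$(rule_number "$2")
    [ -n "$d" ] && [ -n "$a" ] && [ "$d" -lt "$a" ]
}

# Replace the running ruleset with rules(); -f suppresses the flush prompt.
apply_rules() {
    deny_precedes_allow 'deny ip from 10.10.30.0/24' 'allow tcp from 10.10.30.0/24' || return 1
    deny_precedes_allow 'deny ip from 10.10.10.0/24' 'allow tcp from 10.10.10.0/24' || return 1
    "$IPFW" -q -f flush && rules | "$IPFW" -q /dev/stdin
}
```

Run apply_rules as root on the router, or point firewall_type in rc.conf at a file containing the output of rules, with net.inet.ip.fw.verbose=1 if the final deny should log.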