From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 7 07:38:21 2004
From: LD
Date: Sun, 7 Nov 2004 18:38:25 +1100
To: Bob Ababurko
cc: freebsd-ipfw@freebsd.org
Subject: Re: assistance dummynet config

Hi there,

I have a question of my own which is similar to yours - but figure that (as you've noted) if others' questions are not being answered, I might also find myself answering my own questions. So, though I'm also new to the FreeBSD world, I'll throw some food for thought into the mix from what I've read. See below...

On 04/11/2004, at 8:10 AM, Bob Ababurko wrote:

>> What I am trying to accomplish with this dummynet config is give
>> priority to udp traffic, namely dns and tcp ack's so that I can send
>> mail to our clients announcement list, as fast and efficient as
>> possible without congestion. So basically, I need this machine to be
>> able to make dns lookups without a problem and I need the acks to
>> get back to my machine so that the SMTP conversation can take place
>> without latency. I am not sure if I have taken all that I need into
>> consideration, but for now I could use some constructive criticism in
>> terms of making it better.
>>
>> Using FreeBSD 5.2.1, I have:
>>
>> /etc/sysctl.conf :
>> net.inet.ip.fw.one_pass=0
>>
>> /etc/rc.conf :
>> firewall_enable="YES"
>> firewall_script="/etc/rc.dummynet"
>> firewall_type="open"
>> firewall_logging="YES"
>>
>> /etc/rc.dummynet :
>> ipfw -f flush
>> ipfw pipe 1 config bw 300kbits/s
>> ipfw queue 1 config pipe 1 weight 100
>> ipfw queue 2 config pipe 1 weight 1 mask all
>> ipfw add 100 queue 1 udp from any to any out via fxp0
>> ipfw add 101 skipto 1000 udp from any to any out via fxp0
>> ipfw add 110 queue 1 tcp from any to any out via fxp0 tcpflags ack
>> ipfw add 111 skipto 1000 tcp from any to any out via fxp0 tcpflags ack
>> ipfw add queue 2 ip from any to any out via fxp0
>> ipfw add 1000 allow all from any to any
>>
>> Can I make this better or am I even on the right road?? Thanks in
>> advance for your help.
>
> I am also wondering if there is a way to do any limiting based on
> alias addresses. I am thinking about putting the DNS, which is the
> service that we at the office are not able to access while the mail is
> being sent out on the machine. Is there a way to designate a virtual
> interface in the dummynet config. I came from a Solaris background
> and the virtual interfaces were addressed as hme0:1. I know that
> FreeBSD does not use this notation, but is there a way to make rules
> for additional virtual
> interfaces or aliases?

From what I can see (and someone more in the know can correct me if I'm totally off base) the pipes and queues of ipfw/dummynet are somewhat analogous to virtual interfaces - insofar as they allow you to treat specific traffic as if it is physically coming from different sources.

I didn't see any use of natd within your firewall script. That's probably something you're missing if this is a gateway machine.

Taking the example from...
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

...(e.g., the last script on the page), with a few mods:

>> /etc/rc.dummynet :

ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 800"
uports="53, ..."
tports="22, ..."

# anti-spoofing
$cmd 004 deny ip from any to any not verrevpath in
<...>
# allow all LAN traffic
$cmd 005 allow all from any to any via $iif
# allow loopback traffic
$cmd 010 allow all from any to any via lo0
# nat inbound traffic
$cmd 014 divert natd ip from any to any in
# allow previously keep-state'd traffic
$cmd 015 check-state
<...>
# direct queue/pipe traffic
$cmd 100 $skip udp from any to any $uports out via fxp0
$cmd 150 $skip tcp from any to any $tports out via fxp0
$cmd 155 $skip tcp from any to any out via fxp0 tcpflags ack
<...>
# deny/log unauthorised traffic
$cmd 400 deny log all from any to any

##############################################
#---Skipto section---
##############################################
# hand traffic to the queues; with one_pass=0 a packet comes back from
# dummynet and continues with the rule after the one that queued it
$cmd 800 queue 1 udp from any to any out via fxp0
$cmd 800 queue 1 tcp from any to any out via fxp0 tcpflags ack
$cmd 800 queue 2 tcp from any to any out via fxp0
# pipe/queue definitions are not rules and take no rule number
ipfw -q queue 1 config pipe 1 weight 100
ipfw -q queue 2 config pipe 1 weight 1 mask all
ipfw -q pipe 1 config bw 300Kbit/s
# Natd
$cmd 801 divert natd ip from any to any out
$cmd 802 allow ip from any to any
# deny/log all else
$cmd 999 deny log all from any to any

Now, it'd be great if someone who's more experienced with this stuff could point out where the above
could be improved (and/or corrected)...

with regards,
--
LD
From: Martes Wigglesworth
To: ipfw-mailings
Organization: Wiggtekmicro Corporation
Date: Sun, 07 Nov 2004 12:21:55 +0300
Subject: Dummynet dynamically assigned bandwidth

I have had a problem getting dynamic bandwidth assigned while hosts are still online. I thought that when a dynamic queue has no packets (hence the pipe show displays 0 0 in between used and the last column), the queue should disappear, allowing for that segment of bandwidth to be utilized fully again. I have not seen this type of functionality, and would like help to get a better understanding of it.

Example:

pipe 1 config bw 128Kbit/s
queue 1 config pipe 1 config mask dst-ip 0xffffffff
queue 1 ip from any to ${int_net} in recv ${ext_dev}

Result:
if ext_net={ 192.168.1.0/24}, and 8 hosts are online, then the queues remain even when there is no traffic on that queue. Aren't the unused queues supposed to disappear so that the other hosts may use the difference?

Please help. I have been struggling with this for a while.

--
Respectfully,
M.G.W.
System: Asus M6N Intel Dothan 1.7 512MB RAM 40GB HD 10/100/1000 NIC Wireless b/g (not working yet) BSD-5.2.1 GCC-3.3.5/3.3.3(until I replace indigenous gcc) IFORT-for linux(Intell Fortran) gfortran python-2.3 Perl-5.6.1/5.8.5 Java-sdk-1.4.2_5 KDE-3.1.4

Date: Sun, 7 Nov 2004 10:44:33 +0100
From: Pawel Malachowski
To: freebsd-ipfw@freebsd.org
Subject: Re: Dummynet dynamically assigned bandwidth

On Sun, Nov 07, 2004 at 12:21:55PM +0300, Martes Wigglesworth wrote:
> I have had a problem getting dynamic bandwidth assigned while hosts are
> still online. I thought that when a dynamic queue has no packets, hence
> the pipe show displays 0 0 in between used and the last column, the
> queue should disappear, allowing for that segment of bandwidth to be
> utilized fully again. I have not seen this type of functionality, and
> would like help to get a better understanding of it.
>
> Example:
>
> pipe 1 config bw 128Kbit/s
> queue 1 config pipe 1 config mask dst-ip 0xffffffff
> queue 1 ip from any to ${int_net} in recv ${ext_dev}
>
> Result:
> if ext_net={ 192.168.1.0/24}, and 8 hosts are online, then the queues
> remain even when there is no traffic on that queue. Aren't the unused
> queues supposed to disappear so that the other hosts may use the
> difference?
>
> Please help. I have been struggling with this for a while.

By default, it will disappear after some time. Note, this has nothing to do with bandwidth sharing -- it is shared immediately, because when a queue has nothing to send, the system will take another queue without waiting.
--
Paweł Małachowski
From: Martes Wigglesworth
To: Pawel Malachowski, ipfw-mailings
Organization: Wiggtekmicro Corporation
Date: Sun, 07 Nov 2004 13:09:39 +0300
Subject: Re: Dummynet dynamically assigned bandwidth

Thanks for the reply, however, I have a subnet with eight clients and whenever I have the queued rule enabled, there is a significant latency increase, and the queues do not get full access to the pipe. I have done tests online, and it is fine for about the first few minutes, however, as the other clients use the net, the tests drop from 39KByte/s to like 20KByte/s and lower. The only thing left is that the queues are assigning static bandwidth that is not changing in the upward direction. Any more input is welcome.

Thanks

--
Respectfully,
M.G.W.
Date: Sun, 7 Nov 2004 11:37:42 +0100
From: Pawel Malachowski
To: freebsd-ipfw@freebsd.org
Subject: Re: Dummynet dynamically assigned bandwidth

On Sun, Nov 07, 2004 at 01:09:39PM +0300, Martes Wigglesworth wrote:
> Thanks for the reply, however, I have a subnet with eight clients and
> whenever I have the queued rule enabled, there is a significant latency
> increase, and the queues do not get full access to the pipe. I have done
> tests online, and it is fine for about the first few minutes, however,
> as the other clients use the net, the tests drop from 39KByte/s to like
> 20KByte/s and lower. The only thing left is that the queues are
> assigning static bandwidth that is not changing in the upward direction.
> Any more input is welcome.

I'm not sure if this will be the source of your problem, but I'm sure you are footshooting with the default size of pipe and queues, which is 50 slots. With 128kbit/s (as shown in the previous mail; BTW, this is 16KB/s), transmitting 50 full-size packets (with MTU 1500B) requires:

50*1.5KB/16KBpS = ~4.68 seconds

This will kill TCP throughput. Try adding something like the `queue 5KBytes' parameter to both the pipe and queue definitions.
--
Paweł Małachowski
From: Martes Wigglesworth
To: ipfw-mailings
Organization: Wiggtekmicro Corporation
Date: Sun, 07 Nov 2004 15:43:51 +0300
Subject: Re: Dummynet dynamically assigned bandwidth

I am so sorry to have to demonstrate my ignorance on this subject, however, I am not quite sure what you mean by 50*1.5KB/s/16KB/s. Where is that rational expression coming from? Also, since I really have no good context for understanding your possible solution, could you supply more info, or an example?

Thanks.

--
Respectfully,
M.G.W.
Date: Sun, 7 Nov 2004 14:04:59 +0100
From: Pawel Malachowski
To: ipfw-mailings
Subject: Re: Dummynet dynamically assigned bandwidth

On Sun, Nov 07, 2004 at 03:43:51PM +0300, Martes Wigglesworth wrote:
> I am so sorry to have to demonstrate my ignorance on this subject,
> however, I am not quite sure what you mean by 50*1.5KB/s/16KB/s. Where
> is that rational expression coming from? Also, since I really have no
> good context for understanding your possible solution, could you supply
> more info, or an example?

Your example:

pipe 1 config bw 128Kbit/s
queue 1 config pipe 1 config mask dst-ip 0xffffffff
queue 1 ip from any to ${int_net} in recv ${ext_dev}

128Kbit/s = 16KBytes/s

As described in ipfw(8), the default size of queues and pipes is 50 slots. This may be valid for 10Mbit/s, but not for 128Kbit/s...

Proposal:

pipe 1 config bw 128Kbit/s queue 4KB
queue 1 config pipe 1 mask dst-ip 0xffffffff queue 3KB
queue 1 ip from any to ${int_net} in recv ${ext_dev}

Lowering the size of queues and pipes from 50 slots (which can give 75KB with 1500B MTU) to 2 slots (or 3-4KBytes; I prefer specifying sizes in bytes) will help TCP in `smooth' working by lowering the maximum delay. Just give it a try.
See also:
http://groups.google.pl/groups?selm=blc6oa%2416bm%241%40FreeBSD.csie.NCTU.edu.tw

--
Paweł Małachowski
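The arithmetic in the two replies above (50 slots of 1500 B drain at 16 KB/s in about 4.68 s, while a queue limit given in bytes bounds the delay directly), worked as an added Python model; this is not code from the thread or from ipfw. It assumes ipfw's K means 1000 for bandwidth and 1024 for queue sizes, a 1500-byte MTU, and one FIFO drained at the pipe rate with no competing queues.

```python
"""Worst-case queueing delay and tail-drop behaviour of a dummynet FIFO.

Added example, not code from the thread. It models the numbers in Pawel's
replies: a queue limit given either in slots (ipfw's default of 50) or in
bytes ("queue 4KB"), drained at the pipe bandwidth.
Assumptions (not stated in the thread): bandwidth prefixes use K = 1000
(128Kbit/s = 16000 bytes/s), queue-size prefixes use K = 1024 (4KB = 4096
bytes), every packet is MTU-sized, and no other queue competes for the pipe.
"""
import re

MTU = 1500


def parse_bandwidth(text):
    """Bits per second for ipfw-style strings: '128Kbit/s', '300kbits/s', '1Mbit/s'."""
    m = re.fullmatch(r"(\d+)\s*([kKmM]?)(bit|byte)s?(?:/s)?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised bandwidth: %r" % text)
    value = int(m.group(1)) * {"": 1, "K": 1000, "M": 1000000}[m.group(2).upper()]
    return value * 8 if m.group(3).lower() == "byte" else value


def queue_limit_bytes(limit, mtu=MTU):
    """Queue capacity in bytes. An int is a slot count (worst case: every slot
    holds an MTU-sized packet); a string such as '4KB', '5KBytes' or '3000B'
    is a byte limit."""
    if isinstance(limit, int):
        return limit * mtu
    m = re.fullmatch(r"(\d+)\s*([kK]?)B(?:ytes?)?", limit.strip())
    if not m:
        raise ValueError("unrecognised queue size: %r" % limit)
    return int(m.group(1)) * (1024 if m.group(2) else 1)


def max_queue_delay(bw, limit, mtu=MTU):
    """Seconds the last packet of a full queue waits: capacity / drain rate."""
    return queue_limit_bytes(limit, mtu) / (parse_bandwidth(bw) / 8.0)


def simulate_burst(bw, limit, n_packets, mtu=MTU):
    """A burst of n_packets MTU-sized packets hits an idle FIFO at t=0.
    A packet that would push the queue past its limit is tail-dropped.
    Returns (completion delay of each accepted packet, number dropped)."""
    rate = parse_bandwidth(bw) / 8.0
    cap = queue_limit_bytes(limit, mtu)
    queued, delays, dropped = 0, [], 0
    for _ in range(n_packets):
        if queued + mtu > cap:
            dropped += 1
            continue
        queued += mtu
        delays.append(queued / rate)  # serialised behind everything already queued
    return delays, dropped


if __name__ == "__main__":
    # The pipe as posted (default 50 slots) versus the proposed byte limits.
    for label, limit in (("default 50 slots", 50), ("queue 4KB", "4KB"), ("queue 3KB", "3KB")):
        delays, dropped = simulate_burst("128Kbit/s", limit, 60)
        print("%-16s max delay %.3fs, %2d of 60 queued, %2d dropped"
              % (label, max_queue_delay("128Kbit/s", limit), len(delays), dropped))
```

The slot-based default buffers up to 75 KB, i.e. 4.6875 s of delay at 16 KB/s, which is what stalls TCP; a 3 KB limit caps the delay below 0.2 s at the cost of dropping a burst earlier.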
From: Pawel Malachowski
To: freebsd-ipfw@freebsd.org
X-List-Received-Date: Sun, 07 Nov 2004 19:20:14 -0000
Subject: [PATCH] limit N connections without dropping N+1

Hello,

The ipfw limit option allows limiting the number of states generated by a rule. If a packet belongs to a registered state, it is matched; otherwise, it is dropped. I believe this behaviour is too restrictive. My proposal is to:

. perform the rule action on a matched (belonging to states) packet;
. continue the packet's journey through the firewall if it is unmatched.

With this, we have additional possibilities, e.g. to pass the first N connections (flows) to a dummynet queue with high weight and the next (starting from N+1) connections to a queue with low weight. The previous behaviour can be emulated with an additional deny rule.

Current behaviour:

ipfw add 100 skipto 300 ip from any to any out xmit rl0 limit src-addr 10

This will allow 10 outgoing flows per source IP. The packet creating the 11th state will be dropped.

After change:

ipfw add 100 skipto 300 ip from any to any out xmit rl0 limit src-addr 10
ipfw add 200 deny ip from any to any out xmit fxp0

This will allow 10 outgoing flows per source IP. The packet creating the 11th state will not match rule 100, so it will be checked against the next rule, 200. And it will be dropped.
However, this kind of setup is possible *only* with the new behaviour:

ipfw pipe 1 config bw 1Mbit/s queue 20KB
ipfw pipe 2 config bw 128Kbit/s queue 5KB
ipfw add 100 pipe 1 ip from any to any out xmit fxp0
ipfw add 150 skipto 300 ip from any to any out xmit fxp0 limit src-addr 10
ipfw add 200 pipe 2 ip from any to any out xmit fxp0

(This example assumes one_pass=0.)

Pass all outgoing traffic to pipe 1; additionally, if a source IP generates more than 10 states (possible P2P or download accelerator traffic), pass all these additional connections to pipe 2 to enforce a restrictive limit.

Example from a live system:

ipfw -f flush
ipfw add 65000 allow ip from any to any
ipfw add 1000 skipto 10000 ip from any to any out xmit fxp0 limit src-addr 1
ipfw add 2000 skipto 20000 ip from any to any out xmit fxp0 limit src-addr 2
ipfw add 3000 count ip from any to any out xmit fxp0

// Now run pings from 10.1.4.106 to 10.1.0.1, 10.1.2.1, 10.1.7.1 hosts,
// 4th ping -c 5 from 10.1.4.106 to some other host, it matches 3000 only.

% ipfw -d show
01000  348  29232 skipto 10000 ip from any to any out xmit fxp0 limit src-addr 1
02000  694  58296 skipto 20000 ip from any to any out xmit fxp0 limit src-addr 2
03000    5    420 count ip from any to any out xmit fxp0
65000 1308 122154 allow ip from any to any
65535   25   2076 deny ip from any to any
## Dynamic rules (5):
02000    0      0 (3s) PARENT 2 icmp 10.1.4.106 0 <-> 0.0.0.0 0
01000    0      0 (3s) PARENT 1 icmp 10.1.4.106 0 <-> 0.0.0.0 0
02000  347  29148 (5s) LIMIT icmp 10.1.4.106 0 <-> 10.1.2.1 0
01000  347  29148 (5s) LIMIT icmp 10.1.4.106 0 <-> 10.1.0.1 0
02000  345  28980 (5s) LIMIT icmp 10.1.4.106 0 <-> 10.1.7.1 0

Patch is against 5.3RC2. Probably no man page changes needed. ;)

--
Paweł Małachowski

Content-Disposition: attachment; filename="ipfw-limit-dontdrop.patch"

--- /sys/netinet/ip_fw2.c-orig Fri Oct 29 21:29:56 2004
+++ /sys/netinet/ip_fw2.c Sun Nov 7 19:21:56 2004
@@ -2281,8 +2281,8 @@
 		 * These opcodes try to install an entry in the
 		 * state tables; if successful, we continue with
 		 * the next opcode (match=1; break;), otherwise
-		 * the packet * must be dropped
-		 * ('goto done' after setting retval);
+		 * the packet will not match, however, it will
+		 * travel through firewall.
 		 *
 		 * O_PROBE_STATE and O_CHECK_STATE: these opcodes
 		 * cause a lookup of the state table, and a jump
@@ -2296,12 +2296,10 @@
 		 */
 		case O_LIMIT:
 		case O_KEEP_STATE:
-			if (install_state(f,
-			    (ipfw_insn_limit *)cmd, args)) {
-				retval = IP_FW_PORT_DENY_FLAG;
-				goto done; /* error/limit violation */
-			}
 			match = 1;
+			if (install_state(f,
+			    (ipfw_insn_limit *)cmd, args))
+				match = 0;
 			break;
 
 		case O_PROBE_STATE:
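Review bot: the second hunk makes every install_state() failure fail open. The removed comment marks that return as `/* error/limit violation */`, so it covers whatever error paths the existing code lumped together with the over-limit case, and with `match = 0` both now fall through to the following rules instead of taking `retval = IP_FW_PORT_DENY_FLAG; goto done;`. On a ruleset that ends in `allow ip from any to any`, as the live example above does, a packet whose state could not be recorded is therefore passed. Suggest having install_state() signal the limit case distinctly so that only that case falls through while real errors keep the deny. The same `case O_LIMIT: case O_KEEP_STATE:` block also changes what every existing `keep-state` and `limit` ruleset does with the N+1 packet, which is a user-visible change that ipfw(8) should describe rather than "no man page changes needed".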
From: Martes Wigglesworth
To: ipfw-mailings
Organization: Wiggtekmicro Corporation
Date: Sun, 07 Nov 2004 22:37:44 +0300
Subject: Listing multiple subnets w/ specific host addresses..

Does anyone know how to list the following rule? I am unable to find a working example of such a declaration.

add log ip from any to \{ 192.168.1.0/24{a,b,c} or 192.168.2.0/24{d,e,f,g} \}

The backslash works while listing more than one interface at the end of rules, however, whenever I use it as above, I get parenthesis errors. This current format gives the following error on the console:

> sudo ipfw add pass log ip from any to \{ 192.168.1.0/24 { 23,24,35,60 } or 192.168.2.0/24 { 24,25,26,50 }\}
ipfw: missing ")"

Thanks for the help. You guys have been so darn helpful in the last couple of days.

--
Respectfully,
M.G.W.
Date: Sun, 7 Nov 2004 21:00:18 +0100
From: Pawel Malachowski
To: freebsd-ipfw@freebsd.org
Subject: Re: Listing multiple subnets w/ specific host addresses..

On Sun, Nov 07, 2004 at 10:37:44PM +0300, Martes Wigglesworth wrote:
> Does anyone know how to list the following rule? I am unable to find a
> working example of such a declaration.
>
> add log ip from any to \{ 192.168.1.0/24{a,b,c} or
> 192.168.2.0/24{d,e,f,g} \}
>
> The backslash works while listing more than one interface at the end of
> rules, however, whenever I use it as above, I get parenthesis errors.
> This current format gives the following error on the console:
>
> > sudo ipfw add pass log ip from any to \{ 192.168.1.0/24 { 23,24,35,60
> } or 192.168.2.0/24 { 24,25,26,50 }\}
> ipfw: missing ")"

This is a matter of shell. On tcsh:

% ipfw add 31337 count ip from any to \{ 192.168.1.0/24\{7,5,2\} or 192.168.2.0/24\{1,6,8,11\} \}
31337 count ip from any to { 192.168.1.0/24{2,5,7} or dst-ip 192.168.2.0/24{1,6,8,11} }
% ipfw show 31337
31337 0 0 count ip from any to { 192.168.1.0/24{2,5,7} or dst-ip 192.168.2.0/24{1,6,8,11} }

Still, this `IP or dst-ip IP' on output looks weird...
--
Paweł Małachowski

Date: Sun, 07 Nov 2004 15:08:18 -0500
From: asym In-reply-to: <1099856264.652.276.camel@Mobile1.276NET> X-Sender: asym@rfnj.org@mail.rfnj.org To: martes.wigglesworth@earthlink.net, ipfw-mailings Message-id: <6.1.2.0.2.20041107145238.02ef3e98@mail.rfnj.org> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Version 6.1.2.0 Content-type: text/plain; charset=us-ascii; format=flowed Content-transfer-encoding: 7BIT References: <1099856264.652.276.camel@Mobile1.276NET> Subject: Re: Listing multiple subnets w/ specific host addresses.. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Nov 2004 20:08:17 -0000

At 14:37 11/7/2004, Martes Wigglesworth wrote:
>Does anyone know how to list the following rule? I am unable to find a
>working example of such a declaration.
>
>add log ip from any to \{ 192.168.1.0/24{a,b,c} or
>192.168.2.0/24{d,e,f,g} \}
>
>The backslash works while listing more than one interface at the end of
>rules, however, whenever I use it as above, I get parenthesis errors.
>This current format gives the following error on the console:
>
> > sudo ipfw add pass log ip from any to \{ 192.168.1.0/24 { 23,24,35,60
>} or 192.168.2.0/24 { 24,25,26,50 }\}
>ipfw: missing ")"

ipfw add count log ip from any to 192.168.1.0/24\{23,24,35,60\}
ipfw add count log ip from any to 192.168.2.0/24\{24,25,26,50\}

I do not believe you can specify both subnets on one line as you're trying to do with the brackets. Note the lack of spaces in the commands I have shown vs. the spaces in your own.
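Both replies above come down to what the shell hands to ipfw, not to ipfw's own syntax. The following sh script is an added example (not code from either poster): it never runs ipfw, but a stand-in function prints the argument words a command would receive, so the three spellings can be compared offline. The subnets and host lists are the ones quoted in the thread; fake_ipfw, spaced_rule, escaped_rule and quoted_rule are names chosen here.

```shell
#!/bin/sh
# Added example, not code from either reply: make visible what the shell
# hands to ipfw for each way of writing an address set. ipfw itself is not
# run; fake_ipfw stands in for it and joins its argument words with '|'.
# Subnets and host lists are the ones quoted in the thread.

fake_ipfw() {
    # Print the argument vector with '|' between words.
    out=""
    sep='|'
    for arg in "$@"; do
        out="${out}${out:+$sep}${arg}"
    done
    printf '%s\n' "$out"
}

# The form from the original question, with spaces around the inner braces:
# '{', '23,24,35,60' and '}' arrive as separate words, so ipfw's parser sees
# an address followed by a stray brace. In tcsh the unescaped inner braces
# would additionally be brace-expanded before ipfw ever sees them.
spaced_rule() {
    fake_ipfw add count log ip from any to \{ 192.168.1.0/24 { 23,24,35,60 } \}
}

# asym's form: backslash-escaped braces and no spaces, so a subnet and its
# host list arrive as one word.
escaped_rule() {
    fake_ipfw add count log ip from any to 192.168.1.0/24\{23,24,35,60\}
}

# The same argument list as Pawel's tcsh example, with single quotes instead
# of backslashes; single quotes suppress brace expansion in sh, bash and
# tcsh alike, so this spelling does not depend on the login shell.
quoted_rule() {
    fake_ipfw add count ip from any to '{' '192.168.1.0/24{7,5,2}' or '192.168.2.0/24{1,6,8,11}' '}'
}

spaced_rule
escaped_rule
quoted_rule
```

The first line of output shows why the original command failed: the address and its host set reach ipfw as five separate words rather than one.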
From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 7 20:24:39 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B689C16A4CE for ; Sun, 7 Nov 2004 20:24:39 +0000 (GMT) Received: from smtpauth05.mail.atl.earthlink.net (smtpauth05.mail.atl.earthlink.net [209.86.89.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 43DDB43D31 for ; Sun, 7 Nov 2004 20:24:39 +0000 (GMT) (envelope-from martes.wigglesworth@earthlink.net) Received: from [83.170.20.46] (helo=[192.168.2.50]) by smtpauth05.mail.atl.earthlink.net with asmtp (TLSv1:AES256-SHA:256) (Exim 4.34) id 1CQtaR-0006sd-3c; Sun, 07 Nov 2004 15:24:38 -0500 
From: Martes Wigglesworth To: Pawel Malachowski In-Reply-To: <20041107200018.GD88583@shellma.zin.lublin.pl> References: <1099856264.652.276.camel@Mobile1.276NET> <20041107200018.GD88583@shellma.zin.lublin.pl> Content-Type: multipart/mixed; boundary="=-fVCUVY18GnXB0CJqUcQc" Organization: Wiggtekmicro Corporation Message-Id: <1099859047.652.279.camel@Mobile1.276NET> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 Date: Sun, 07 Nov 2004 23:24:07 +0300 X-ELNK-Trace: 532caf459ba90ce6996df0496707a79d9bea09fe345ed53d9ef193a6bfc3dd4850504d06c325ceb9ef717bd12cc34e1fdaeb3e8d137e934c350badd9bab72f9c X-Originating-IP: 83.170.20.46 cc: ipfw-mailings Subject: Re: Listing multiple subnets w/ specific host addresses.. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: martes.wigglesworth@earthlink.net List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Nov 2004 20:24:39 -0000 --=-fVCUVY18GnXB0CJqUcQc Content-Type: text/plain Content-Transfer-Encoding: 7bit

So, this is the / functionality that is discussed in the manpage? I really wish there were more verbose versions of these documents. I was wondering why that was the only way that I could list more than one interface in one rule.

Thanks a lot. The list saves me two days of headbanging, not set to music, again.

-- 
Respectfully,
M.G.W.

System: Asus M6N Intel Dothan 1.7 512MB RAM 40GB HD 10/100/1000 NIC Wireless b/g (not working yet) BSD-5.2.1 GCC-3.3.5/3.3.3(until I replace indigenous gcc) IFORT-for linux(Intell Fortran) gfortran python-2.3 Perl-5.6.1/5.8.5 Java-sdk-1.4.2_5 KDE-3.1.4

--=-fVCUVY18GnXB0CJqUcQc Content-Disposition: inline Content-Description: Forwarded message - Re: Listing multiple subnets w/ specific host addresses..
_______________________________________________ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" --=-fVCUVY18GnXB0CJqUcQc-- From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 7 23:08:16 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA23616A4CE for ; Sun, 7 Nov 2004 23:08:16 +0000 (GMT) Received: from mailomat.net (f-1.mailomat.net [217.110.117.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 653EF43D1D for ; Sun, 7 Nov 2004 23:08:13 +0000 (GMT) (envelope-from noses@noses.com) X-Mailomat-SpamCatcher-Score: 2 [X] Received: from [194.39.192.125] (account bnc-mail@mailrelay.mailomat.net HELO bnc.net) by mailomat.net (CommuniGate Pro SMTP 4.2) with ESMTP-TLS id 2554791 for freebsd-ipfw@freebsd.org; Mon, 08 Nov 2004 00:08:09 +0100 Received: by bnc.net (CommuniGate Pro PIPE 4.2b2) with PIPE id 775853; Mon, 08 Nov 2004 00:08:09 +0100 Received: from [194.39.192.247] (account noses@noses.com HELO [194.39.192.247]) by bnc.net (CommuniGate Pro SMTP 4.2b2) with ESMTP-TLS id 775851 for freebsd-ipfw@freebsd.org; Mon, 08 Nov 2004 00:07:58 +0100 Mime-Version: 1.0 (Apple Message framework v619) Content-Transfer-Encoding: 7bit Message-Id: Content-Type: text/plain; charset=US-ASCII; format=flowed To: ipfw-mailings
From: Noses Date: Mon, 8 Nov 2004 00:07:57 +0100 X-Mailer: Apple Mail (2.619) X-MailScanner-Information: Please contact info@mailomat.net for more information (colossus) X-MailScanner: Found to be clean Subject: nat + forwarding == routing error??? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Nov 2004 23:08:16 -0000

Hi!

I've got a slightly complicated problem. I'm running a router with multiple outgoing connections and a number of LANs and a DMZ being routed through it.

1) Even though I have "fwd " rules for all addresses I have to have a default router or the rules won't even be reached (giving me a "no route to host" - I'd assume there should be a way to force a packet to get into ipfw even if the kernel is believing the packet would go nowhere.

2) Strangest problem: It depends on passing through natd whether a fwd rule is behaving according to the man page or not. I've got the following construction:

divert ${NAT_1} all from 192.168.160.0/24 to any in via ${nic_LAN}
fwd ${Provider_1} all from ${DMZ_Provider_1} to any not ${local}
fwd ${Provider_1} all from ${NAT_addr_1} to any not ${local}

The relevant NATD is using an "alias_address" statement (if there is any difference). Extending the rules by "log" statements shows packets being caught by the correct rules and tcpdump shows the packets on the wire having been treated correctly by NAT.

Now packets from DMZ_Provider_1 are being sent to the correct outgoing interface (which is different from the default route's interface) but the packets that have been aliased by natd are sent out on the default route even though the log shows me that the relevant "fwd" rule has been taken.

Any ideas? I always assumed that the knowledge about packets having been treated by NAT would be kept inside natd...
Achim From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 8 10:12:42 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B9F2B16A4CE for ; Mon, 8 Nov 2004 10:12:42 +0000 (GMT) Received: from mailomat.net (f-1.mailomat.net [217.110.117.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 061C043D46 for ; Mon, 8 Nov 2004 10:12:42 +0000 (GMT) (envelope-from noses@noses.com) X-Mailomat-SpamCatcher-Score: 2 [X] Received: from [194.39.192.125] (account bnc-mail@mailrelay.mailomat.net HELO bnc.net) by mailomat.net (CommuniGate Pro SMTP 4.2) with ESMTP-TLS id 2557581 for freebsd-ipfw@freebsd.org; Mon, 08 Nov 2004 11:12:39 +0100 Received: by bnc.net (CommuniGate Pro PIPE 4.2b2) with PIPE id 776101; Mon, 08 Nov 2004 11:12:39 +0100 Received: from [194.39.192.247] (account noses@noses.com HELO [194.39.192.247]) by bnc.net (CommuniGate Pro SMTP 4.2b2) with ESMTP-TLS id 776099 for freebsd-ipfw@freebsd.org; Mon, 08 Nov 2004 11:12:33 +0100 Mime-Version: 1.0 (Apple Message framework v619) In-Reply-To: References: Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: Content-Transfer-Encoding: 7bit 
From: Noses Date: Mon, 8 Nov 2004 11:12:32 +0100 To: ipfw-mailings X-Mailer: Apple Mail (2.619) X-MailScanner-Information: Please contact info@mailomat.net for more information (colossus) X-MailScanner: Found to be clean Subject: Re: nat + forwarding == routing error??? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Nov 2004 10:12:42 -0000

> I've got a slightly complicated problem. I'm running a router with
> multiple outgoing connections and a number of LANs and a DMZ being
> routed through it.
>
> 1) Even though I have "fwd " rules for all
> addresses I have to have a default router or the rules won't even be
> reached (giving me a "no route to host" - I'd assume there should be a
> way to force a packet to get into ipfw even if the kernel is believing
> the packet would go nowhere.
>
> 2) Strangest problem: It depends on passing through natd whether a fwd
> rule is behaving according to the man page or not. I've got the
> following construction:
>
> divert ${NAT_1} all from 192.168.160.0/24 to any in via ${nic_LAN}
> fwd ${Provider_1} all from ${DMZ_Provider_1} to any not ${local}
> fwd ${Provider_1} all from ${NAT_addr_1} to any not ${local}
>
> The relevant NATD is using an "alias_address" statement (if there is
> any difference). Extending the rules by "log" statements shows packets
> being caught by the correct rules and tcpdump shows the packets on the
> wire having been treated correctly by NAT.
> Now packets from DMZ_Provider_1 are being sent to the correct outgoing
> interface (which is different from the default route's interface) but
> the packets that have been aliased by natd are sent out on the default
> route even though the log shows me that the relevant "fwd" rule has
> been taken.
>
> Any ideas? I always assumed that the knowledge about packets having
> been treated by NAT would be kept inside natd...

I have to admit that doing serious things after not having slept for 24 hours is not a good idea. My observation was wrong: The second fwd rule is applied and the packet is leaving the machine but it is acting like a "permit" rule (i.e. the forwarding part is ignored). Which is just as bad but probably easier to explain.

Achim

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 8 11:02:36 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F323F16A4CE for ; Mon, 8 Nov 2004 11:02:35 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id E6CAF43D3F for ; Mon, 8 Nov 2004 11:02:35 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id iA8B2Z2h010692 for ; Mon, 8 Nov 2004 11:02:35 GMT (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id iA8B2ZkV010687 for ipfw@freebsd.org; Mon, 8 Nov 2004 11:02:35 GMT (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 8 Nov 2004 11:02:35 GMT Message-Id: <200411081102.iA8B2ZkV010687@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster To: ipfw@FreeBSD.org Subject: Current problem reports assigned to you X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Nov 2004 11:02:36 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11]  kern/60154  ipfw  ipfw core (crash)
o [2004/03/03]  kern/63724  ipfw  IPFW2 Queues dont t work
f [2004/03/25]  kern/64694  ipfw  [ipfw] UID/GID matching in ipfw non-funct

5 problems total.

Non-critical problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10]  kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11]  kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09]  bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26]  kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30]  kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03]  kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04]  kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 8 14:12:20 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8867116A4CE for ; Mon, 8 Nov 2004 14:12:20 +0000 (GMT) Received: from server1.carmatec.com (server1.carmatec.com [66.45.229.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id 423DD43D49 for ; Mon, 8 Nov 2004 14:12:20 +0000 (GMT) (envelope-from akhthar@carmatec.com) Received: from [61.95.188.54] (helo=192.168.0.7) by server1.carmatec.com with esmtpa (Exim 4.43) id 1CRAFk-0008A7-JP for freebsd-ipfw@freebsd.org; Mon, 08 Nov 2004 09:11:56 -0500 
From: "Akhthar Parvez. K" Organization: Carmatec Solutions To: ipfw-mailings Date: Mon, 8 Nov 2004 19:38:56 +0530 User-Agent: KMail/1.5 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200411081938.56359.akhthar@carmatec.com> X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - server1.carmatec.com X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - carmatec.com X-Source: X-Source-Args: X-Source-Dir: Subject: Stop firewall service X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: akhthar@carmatec.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Nov 2004 14:12:20 -0000

Hi All,

I am new to FreeBSD :). Could someone please tell me how to stop/disable the firewall service temporarily in FreeBSD. Please let me know what is the firewall service in FreeBSD.

-- 
With Regards,
Akhthar Parvez.K
Carmatec Solutions

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 8 16:53:51 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA68516A4CE for ; Mon, 8 Nov 2004 16:53:51 +0000 (GMT) Received: from jay.exetel.com.au (jay.exetel.com.au [220.233.0.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id D85A143D54 for ; Mon, 8 Nov 2004 16:53:50 +0000 (GMT) (envelope-from ldsift-applels@yahoo.com.au) Received: (qmail 20862 invoked by uid 507); 9 Nov 2004 03:53:49 +1100 Received: from 63.7.233.220.exetel.com.au (HELO ?192.168.1.2?)
(220.233.7.63) by jay.exetel.com.au with SMTP; 9 Nov 2004 03:53:49 +1100 Mime-Version: 1.0 (Apple Message framework v619) In-Reply-To: <200411081938.56359.akhthar@carmatec.com> References: <200411081938.56359.akhthar@carmatec.com> Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: Content-Transfer-Encoding: 7bit 
From: LD Date: Tue, 9 Nov 2004 03:53:48 +1100 To: FreeBSD-IPFW X-Mailer: Apple Mail (2.619) Subject: Re: Stop firewall service X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Nov 2004 16:53:51 -0000

Hi there,

On 09/11/2004, at 1:08 AM, Akhthar Parvez. K wrote:
> I am new to FreeBSD :). Could someone please tell me how to
> stop/disable the
> firewall service temporarily in FreeBSD. Please let me know what is the
> firewall service in FreeBSD.

There are two built-in firewall options - both of which won't be enabled unless you've told them to be in /etc/rc.conf:

# for ipfw
firewall_enable="YES"

if the above is true: `ipfw disable firewall' or `ipfw -f flush'

# for ipf
pf_enable="YES"

see `man ipf'

the default options are to disable: /etc/defaults/rc.conf

For more info:
1) man ipf[w]
2) http://freebsd.org/doc/en_US.ISO8859-1/books/handbook [specifically --> Section 14 [security] --> firewalls]
3) google helps me too when the above two aren't verbose enough.
with regards, -- LD From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 8 17:13:31 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7932C16A4CE for ; Mon, 8 Nov 2004 17:13:31 +0000 (GMT) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.85]) by mx1.FreeBSD.org (Postfix) with ESMTP id 578F943D1F for ; Mon, 8 Nov 2004 17:13:31 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin07-en2 [10.13.10.152]) by smtpout.mac.com (Xserve/MantshX 2.0) with ESMTP id iA8HDQd8002737; Mon, 8 Nov 2004 09:13:30 -0800 (PST) Received: from [10.1.1.245] (nfw2.codefab.com [199.103.21.225] (may be forged)) (authenticated bits=0)iA8HDOoi019038; Mon, 8 Nov 2004 09:13:25 -0800 (PST) In-Reply-To: <200411081938.56359.akhthar@carmatec.com> References: <200411081938.56359.akhthar@carmatec.com> Mime-Version: 1.0 (Apple Message framework v619) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <7F77EAA4-31A9-11D9-8097-003065ABFD92@mac.com> Content-Transfer-Encoding: 7bit 
From: Charles Swiger Date: Mon, 8 Nov 2004 12:13:24 -0500 To: akhthar@carmatec.com X-Mailer: Apple Mail (2.619) cc: ipfw-mailings Subject: Re: Stop firewall service X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Nov 2004 17:13:31 -0000

On Nov 8, 2004, at 9:08 AM, Akhthar Parvez. K wrote:
> I am new to FreeBSD :). Could someone please tell me how to
> stop/disable the
> firewall service temporarily in FreeBSD. Please let me know what is the
> firewall service in FreeBSD.

Most probably, you are using a firewall called "IPFW". This firewall is implemented using a series of rules, and normally one adjusts specific rules rather than just turning the whole thing on or off. Still, the following will do something close:

ipfw add 1 allow ip from any to any    # this "disables" the firewall

...or...

ipfw delete 1    # deletes the pass-all rule

-- 
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 8 18:45:13 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9623A16A4CE for ; Mon, 8 Nov 2004 18:45:13 +0000 (GMT) Received: from jay.exetel.com.au (jay.exetel.com.au [220.233.0.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4B5943D39 for ; Mon, 8 Nov 2004 18:45:12 +0000 (GMT) (envelope-from ldsift-applels@yahoo.com.au) Received: (qmail 23446 invoked by uid 507); 9 Nov 2004 05:45:11 +1100 Received: from 63.7.233.220.exetel.com.au (HELO ?192.168.1.2?) (220.233.7.63) by jay.exetel.com.au with SMTP; 9 Nov 2004 05:45:11 +1100 Mime-Version: 1.0 (Apple Message framework v619) Content-Transfer-Encoding: 7bit Message-Id: <5223CD88-31B6-11D9-838C-0005025E2371@yahoo.com.au> Content-Type: text/plain; charset=US-ASCII; format=flowed To: FreeBSD-IPFW
From: LD Date: Tue, 9 Nov 2004 05:45:11 +1100 X-Mailer: Apple Mail (2.619) Subject: Help: Load Balancing 2 external connections X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Nov 2004 18:45:13 -0000

Hi there,

I'm setting up a FreeBSD gateway at work to replace 2 [RH9] gateways that serve 2 separate external connections through 2 different ISPs. Only the cable is currently utilised by most - and there's no redundancy in place without fiddling with individual machines. The 2nd gateway, however, does currently allow VPN connectivity for external users.

The external connections:
1) Cable (dynamic IP);
2) ADSL 512/512 (static IP).

I'm fairly new to FreeBSD/ipfw/dummynet and so I'm hoping that people here might be able to point me in the right direction. i.e., things to bear in mind include:

My Questions are:
a) Do I need any specific kernel options? i.e., features that aren't available otherwise through dynamic loading.
b) I'd like to make the whole thing transparent to the internal network. i.e., internal computers' nameserver references are to the gateway (rather than ISP) which then translates such requests to the appropriate nameserver(s) of the relevant ISP according to which pipe the request is sent through :-)
b) I'm assuming that for the most part 'prob 0.5' will balance the load between two pipes to the external interfaces...but is there a better scheme? Also guaranteeing that a complete conversation, once initiated via an interface would continue through that interface...
c) How would you set it up to automatically place all traffic out via one of the external interfaces should the other connection not be available? i.e., auto-redundancy.
d) any other tricks of the trade?

I've based my 'draft' script (below - which has various problems for the problem at hand) off the last example on...
freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
...adjusting for pipes.

Any pointers in the right direction would be much appreciated. Thanks.

#!/bin/sh
<..>
cmd="ipfw -q add"
skip="skipto 800"
ipfw -q -f flush
$cmd 005 allow all from any to any via $iif
$cmd 010 allow all from any to any via lo0
$cmd 014 divert natd ip from any to any via $pif1
$cmd 014 divert natd ip from any to any via $pif2
$cmd 015 check-state
# Public Interface
for DNS in `cat /etc/resolv.conf | grep nameserver | awk -F\t '{print $2}'`; do
$cmd 020 $skip tcp from any to $DNS 53 out setup keep-state
done
# access isp dhcp server for cable
$cmd 021 $skip udp from any to $ISP_DHCPs 67 out via $pif1 keep-state
# outgoing traffic
$cmd 030 $skip tcp from any to any $tcpports out
<...>
# deny various incoming
<...>
# allow cable dhcp
$cmd 360 allow udp from $ISP_DHCPs to any 68 in keep-state
<...>
# reject/log
$cmd 400 deny log all from any to any in
$cmd 400 deny log all from any to any out

# SKIPTO Section
$cmd 800 prob 0.5 pipe 1 from any to any out via $pif1
$cmd 800 prob 0.5 pipe 2 from any to any out via $pif2
ipfw -q 800 pipe 1 config bw
ipfw -q 800 pipe 2 config bw

# Natd
$cmd 801 divert natd ip from any to any out
$cmd 802 allow ip from any to any
# deny/log all else
$cmd 999 deny log all from any to any

with regards,
-- 
LD

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 8 20:35:05 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7508D16A4D1 for ; Mon, 8 Nov 2004 20:35:05 +0000 (GMT) Received: from shellma.zin.lublin.pl (shellma.zin.lublin.pl [212.182.126.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7D2643D2D for ; Mon, 8 Nov 2004 20:35:04 +0000 (GMT) (envelope-from pawmal-posting@freebsd.lublin.pl) Received: by shellma.zin.lublin.pl (Postfix, from userid 1018) id 11B5E347E01; Mon, 8 Nov 2004 21:36:16 +0100 (CET) Date: Mon, 8 Nov 2004 21:36:16 +0100
From: Pawel Malachowski To: freebsd-ipfw@freebsd.org Message-ID: <20041108203616.GA21361@shellma.zin.lublin.pl> References: <5223CD88-31B6-11D9-838C-0005025E2371@yahoo.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <5223CD88-31B6-11D9-838C-0005025E2371@yahoo.com.au> User-Agent: Mutt/1.4.2i Subject: Re: Help: Load Balancing 2 external connections X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Nov 2004 20:35:05 -0000

On Tue, Nov 09, 2004 at 05:45:11AM +1100, LD wrote:
> My Questions are:
> a) Do I need any specific kernel options? i.e., features that aren't
> available otherwise through dynamic loading.

Using divert requires IPDIVERT option (loadable version of divert is in very fresh sources only), which is not in GENERIC I guess. Both ipfw and dummynet can be loaded from modules.
Warning: ipfw default policy is to block all traffic so be careful when loading it remotely. :)

> b) I'd like to make the whole thing transparent to the internal
> network. i.e., internal computers nameserver references are to the
> gateway (rather than isp) which then translates such requests to the
> appropriate nameserver(s) of the relevant isp according to which pipe
> the request is sent through :-)

That's obsolete. Set up your caching DNS server or allow to use nameservers of both upstream ISPs.

> b) I'm assuming that for the most part 'prob 0.5' will balance the load
> between two pipes to the external interfaces...but is there a better
> scheme? Also guaranteeing that a complete conversation, once initiated
> via an interface would continue through that interface...

You don't understand what `pipe' is. Pipe is for bandwidth limiting, not for redirecting traffic between interfaces. What you want is called `fwd'. Still, prob 0.5 will match 50% of packets, which are not TCP sessions, so it won't work this way. You want connection (flow) balancing. This may be hard to achieve. I would experiment with fwd rule with keep-state option.

> c) How would you set it up to automatically place all traffic out via
> one of the external interfaces should the other connection not be
> available? i.e., auto-redundancy.

Set up some shell script that somehow checks if connection is working and if not, modifies default route or ipfw ruleset (using rule SETs may be helpful in atomic ipfw ruleset changes).

> d) any other tricks of the trade?
>
> #!/bin/sh
> <..>
> cmd="ipfw -q add"
> skip="skipto 800"
> ipfw -q -f flush
> $cmd 005 allow all from any to any via $iif
> $cmd 010 allow all from any to any via lo0
> $cmd 014 divert natd ip from any to any via $pif1
> $cmd 014 divert natd ip from any to any via $pif2
> $cmd 015 check-state
> # Public Interface
> for DNS in `cat /etc/resolv.conf | grep nameserver | awk -F\t '{print
> $2}'`; do
> $cmd 020 $skip tcp from any to $DNS 53 out setup keep-state
> done
> # access isp dhcp server for cable
> $cmd 021 $skip udp from any to $ISP_DHCPs 67 out via $pif1 keep-state
> # outgoing traffic
> $cmd 030 $skip tcp from any to any $tcpports out
> <...>
> # deny various incoming
> <...>
> # allow cable dhcp
> $cmd 360 allow udp from $ISP_DHCPs to any 68 in keep-state
> <...>
> # reject/log
> $cmd 400 deny log all from any to any in
> $cmd 400 deny log all from any to any out
>
> # SKIPTO Section
> $cmd 800 prob 0.5 pipe 1 from any to any out via $pif1
> $cmd 800 prob 0.5 pipe 2 from any to any out via $pif2
> ipfw -q 800 pipe 1 config bw
> ipfw -q 800 pipe 2 config bw
>
> # Natd
> $cmd 801 divert natd ip from any to any out
> $cmd 802 allow ip from any to any
> # deny/log all else
> $cmd 999 deny log all from any to any

As said, this DNS stuff seems weird. Also fwd is not used.
Also prob 0.5 is not used properly (first will match 50%, second will match 50% of the remaining 50%, which gives 25%). Try setting default route to one ISP and fwd 50% of flows from its interface to second ISP gateway.

When configuring pipes, no rule number is needed, pipe configuration is not part of ruleset.

Note, by default pipe will accept packet (it won't be checked against other rules). Same with fwd. Same with allow.

I would suggest temporarily resigning from blocking and dummynet stuff and just trying to create pure load-balancing. It will be hard enough.

Always do `ipfw -d show' and look at rule counters to make sure that packets go as expected.

I would also look at ipf and pf firewalls, they have strong session handling, you may find one of them easier to set up or even find some ready-to-use examples with google.

-- 
Paweł Małachowski

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 8 21:40:01 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 04FA716A4CE for ; Mon, 8 Nov 2004 21:40:01 +0000 (GMT) Received: from jay.exetel.com.au (jay.exetel.com.au [220.233.0.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0FA2143D41 for ; Mon, 8 Nov 2004 21:40:00 +0000 (GMT) (envelope-from ldsift-applels@yahoo.com.au) Received: (qmail 26962 invoked by uid 507); 9 Nov 2004 08:39:58 +1100 Received: from 63.7.233.220.exetel.com.au (HELO ?192.168.1.2?) (220.233.7.63) by jay.exetel.com.au with SMTP; 9 Nov 2004 08:39:58 +1100 In-Reply-To: <20041108203616.GA21361@shellma.zin.lublin.pl> References: <5223CD88-31B6-11D9-838C-0005025E2371@yahoo.com.au> <20041108203616.GA21361@shellma.zin.lublin.pl> Mime-Version: 1.0 (Apple Message framework v619) Content-Type: text/plain; charset=EUC-KR; format=flowed Message-Id: Content-Transfer-Encoding: quoted-printable
From: LD Date: Tue, 9 Nov 2004 08:39:58 +1100 To: Pawel Malachowski X-Mailer: Apple Mail (2.619) cc: freebsd-ipfw@freebsd.org Subject: Re: Help: Load Balancing 2 external connections X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Nov 2004 21:40:01 -0000

Hi Paweł,

Thanks for your explanations. If I can bother you some more...

On 09/11/2004, at 7:36 AM, Pawel Malachowski wrote:
> On Tue, Nov 09, 2004 at 05:45:11AM +1100, LD wrote:
>> My Questions are:
>> a) Do I need any specific kernel options? i.e., features that aren't
>> available otherwise through dynamic loading.
>
> Using divert requires IPDIVERT option (loadable version of divert is
> in very fresh sources only), which is not in GENERIC I guess.
> Both ipfw and dummynet can be loaded from modules.
> Warning: ipfw default policy is to block all traffic so be careful when
> loading it remotely. :)

That won't be a problem as I'll be at the machine.

>> b) I'd like to make the whole thing transparent to the internal
>> network. i.e., internal computers nameserver references are to the
>> gateway (rather than isp) which then translates such requests to the
>> appropriate nameserver(s) of the relevant isp according to which pipe
>> the request is sent through :-)
>
> That's obsolete. Set up your caching DNS server or allow to use
> nameservers of both upstream ISPs.

No worries.

>> b) I'm assuming that for the most part 'prob 0.5' will balance the load
>> between two pipes to the external interfaces...but is there a better
>> scheme? Also guaranteeing that a complete conversation, once initiated
>> via an interface would continue through that interface...
>
> What You want is called `fwd'. Still, prob 0.5 will match 50% of packets,
> which are not TCP sessions, so it won't work this way. You want connection
> (flow) balancing. This may be hard to achieve. I would experiment with
> fwd rule with keep-state option.

Is my understanding correct that the following (placed before the fwd rules) achieves that? i.e., 'ipfw add check-state' placed prior to ' setup keep-state'

>> d) any other tricks of the trade?
>
> As said, this DNS stuff seems weird.
> Also fwd is not used.

Would you be able to show me a quick skeleton example of how you'd do your script?

> Also prob 0.5 is not used properly (first 50% will match 50%, second
> will match 50% of rest 50%, which gives 25%).

Ah, so second one should not have a prob so as to match the remainder...of course (was too early in the morning).

> Try setting default route to one ISP and fwd 50% of flows from its
> interface to second ISP gateway.

Quick example?

> Note, by default pipe will accept packet (it won't be check against
> another rules). Same with fwd. Same with allow.
>
> I would suggest temporary resigning from blocking and dummynet stuff
> and just trying to create pure load-balancing. It will be hard enough.

The reason I went for the dummynet stuff (and hence got off track as you've said) is that I'm wanting to test this out at home (where I don't have 2 external connections or 3 network cards - but instead 2 network cards) prior to taking down the company network. So, how would you simulate this? Or what would you suggest?

> Always do `ipfw -d show' and look at rule counters to make sure that
> packets go as expected.

Okay, thanks.

> I would also look at ipf and pf firewalls, they have strong session
> handling, You may find one of them to be more easy to setup or even
> find some ready-to-use examples with google.

I will certainly have another look should this avenue fail...I just liked the syntax/concept/integration of ipfw/dummynet. I've spent a fair amount of time trying to get familiar with ipfw - so it'd be good if these things can be done through it...

Thanks for your assistance!

with regards,
-- LD

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 10 18:08:07 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 232A716A4CE for ; Wed, 10 Nov 2004 18:08:07 +0000 (GMT) Received: from mta13.adelphia.net (mta13.mail.adelphia.net [68.168.78.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id 77C8C43D55 for ; Wed, 10 Nov 2004 18:08:06 +0000 (GMT) (envelope-from ababurko@adelphia.net) Received: from ample.adelphia.net ([24.52.224.96]) by mta13.adelphia.net (InterMail vM.6.01.03.02 201-2131-111-104-20040324) with ESMTP id <20041110180805.GMAM15165.mta13.adelphia.net@ample.adelphia.net> for ; Wed, 10 Nov 2004 13:08:05 -0500 Message-Id: <6.0.3.0.0.20041110124952.024fa788@mail.dc2.adelphia.net> X-Sender: ababurko@mail.dc2.adelphia.net X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0 Date: Wed, 10 Nov 2004 13:08:04 -0500 To: freebsd-ipfw@freebsd.org
From: Bob Ababurko Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: dummynet bw cumulative limit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Nov 2004 18:08:07 -0000

Hello all-

We are interested in limiting the bandwidth of a newly set up connection. We are on a 100 Mb/s switch port and want to keep it to 1 Mb/s for now. Forgive my ignorance, but do they measure this cumulatively (inbound + outbound)?... I would assume so, but I would like to confirm this since the rate for overage is not within the budget for now. Assuming the conservative, how does the dummynet config have to be set up for this to occur?... or can it be configured for both inbound and outbound? Right now, I have the below config and since I have not put the box on the network yet, I have not been able to look at the MRTG to figure the answer. I am thinking that this config may limit to 1 meg in both directions.... I am just not looking forward to overage fees right off the bat!

btw, this config is for the priority of the udp/tcp acks in both directions. I am not sure if this is going to work so any comments on it would be appreciated.
thanks,
Bob

# flush, then one 1 Mbit/s pipe that all four queues share
ipfw -f flush
ipfw pipe 1 config bw 1000kbits/s
# outbound: queue 1 = priority (udp, tcp acks), queue 2 = everything else, one flow per 5-tuple
ipfw queue 1 config pipe 1 weight 100
ipfw queue 2 config pipe 1 weight 1 mask all
# inbound: queue 3 = priority, queue 4 = everything else
ipfw queue 3 config pipe 1 weight 100
ipfw queue 4 config pipe 1 weight 1 mask all
ipfw add 100 queue 1 udp from any to any out via fxp0
ipfw add 101 skipto 1000 udp from any to any out via fxp0
ipfw add 100 queue 3 udp from any to any in via fxp0
ipfw add 101 skipto 1000 udp from any to any in via fxp0
ipfw add 110 queue 1 tcp from any to any out via fxp0 tcpflags ack
ipfw add 111 skipto 1000 tcp from any to any out via fxp0 tcpflags ack
ipfw add 110 queue 3 tcp from any to any in via fxp0 tcpflags ack
ipfw add 111 skipto 1000 tcp from any to any in via fxp0 tcpflags ack
ipfw add queue 2 ip from any to any out via fxp0
ipfw add queue 4 ip from any to any in via fxp0
ipfw add 1000 allow all from any to any

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 11 13:02:42 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C1D9F16A4CE for ; Thu, 11 Nov 2004 13:02:42 +0000 (GMT) Received: from shellma.zin.lublin.pl (shellma.zin.lublin.pl [212.182.126.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5EC1E43D4C for ; Thu, 11 Nov 2004 13:02:42 +0000 (GMT) (envelope-from pawmal-posting@freebsd.lublin.pl) Received: by shellma.zin.lublin.pl (Postfix, from userid 1018) id 1D24F347BA8; Thu, 11 Nov 2004 14:04:08 +0100 (CET) Date: Thu, 11 Nov 2004 14:04:07 +0100
From: Pawel Malachowski To: LD Message-ID: <20041111130407.GC21054@shellma.zin.lublin.pl> References: <5223CD88-31B6-11D9-838C-0005025E2371@yahoo.com.au> <20041108203616.GA21361@shellma.zin.lublin.pl> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.4.2i cc: freebsd-ipfw@freebsd.org Subject: Re: Help: Load Balancing 2 external connections X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Nov 2004 13:02:42 -0000

On Tue, Nov 09, 2004 at 08:39:58AM +1100, LD wrote:
> >fwd rule with keep-state option.
>
> Is my understanding correct that the following (placed before the fwd
> rules) achieves that?
> i.e., 'ipfw add check-state' placed prior to ' setup
> keep-state'

Something like:

// route add default ISP1
ipfw add A check-state
...
ipfw add B prob 0.5 fwd ISP2 ip from LAN to any out xmit ISP1 keep-state

(Haven't tried.) Still, connection speeds and directions may vary so traffic on ISP1 and ISP2 may not be shared equally. It can't be helped.

I forgot to note that `fwd' requires yet another option in kernel config, IPFIREWALL_FORWARD.

There is another problem here: NAT. Outgoing packets have to be NAT-ed before they match fwd rule. With natd, keep-state and prob should be moved from fwd rule to natd rule, and fwd rule should match packets using their NAT-ed address. (Ouch, there is also problem with prob, it is checked before keep-state is checked. We will try to workaround this.) Incoming packets have to be un-NAT-ed before they touch check-state rule.

So, it would be something like this:

default gw is ISP1GW
on ISP1 link, NAT to ISP1NATIP
on ISP2 link, NAT to ISP2NATIP

add divert NATD1 ip from any to any in recv ISP1
add divert NATD2 ip from any to any in recv ISP2
// we have private IPs now
add check-state
// If we have state, packets belong to fwded flow so jump to count line
// only packets without state left here
add prob 0.5 skipto X ip from LAN to any out xmit ISP1
// prob matches before keep-state, try to workaround
// we have half of new (not belonging to any flow) packets here
add count ip from any to any keep-state
// our workaround. create state for them, no prob here
add divert NATD2 ip from LAN to any out xmit ISP1
// pass outgoing to NATD2 so they will be fwded to ISP2 later
add fwd ISP2GW ip from ISP2NATIP to any out xmit ISP1
// redirect ISP2 traffic from ISP1 to ISP2 link
// theoretically, what we have here left is:
// traffic in recv ISP2, after un-NATing, with state (jumped from check-state)
add X divert NATD1 ip from any to any out xmit ISP1
// another 50% of flows is left via ISP1
// traffic to ISP1 goes via default route, so do nothing

This is written from scratch, untested and may not work, don't blame me. ;)

-- Paweł Małachowski

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 12 06:57:15 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 74AC316A4CE for ; Fri, 12 Nov 2004 06:57:15 +0000 (GMT) Received: from smtp804.mail.sc5.yahoo.com (smtp804.mail.sc5.yahoo.com [66.163.168.183]) by mx1.FreeBSD.org (Postfix) with SMTP id 4EEE743D49 for ; Fri, 12 Nov 2004 06:57:15 +0000 (GMT) (envelope-from dtrobert@pacbell.net) Received: from unknown (HELO MADAGASCAR) (dtrobert@pacbell.net@69.107.12.181 with login) by smtp804.mail.sc5.yahoo.com with SMTP; 12 Nov 2004 06:57:14 -0000
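The balancing skeleton Paweł posts above (prob moved onto a skipto, state created by `count ... keep-state`, the fwd matching the NAT-ed address) can be checked without two uplinks by modelling how ipfw walks a ruleset. The Python below is an added example, not code from this thread or from ipfw itself. It models only the parts that decide the path: `prob` is rolled per packet before anything else, `keep-state` records which rule created a flow's dynamic entry, and `check-state` on a hit runs that parent rule's action (so a `count` parent falls through to the rule after it). NAT, interfaces and the divert rules are left out; `pipe`, `fwd` and `allow` simply name the uplink a packet leaves on, which matches the default `one_pass` behaviour Paweł describes. The uplink names ISP1/ISP2, the rule numbers and the traffic mix are constructed for the model. It runs LD's two `prob 0.5` rules, the skeleton as posted, and a hypothetical variant in which the rule at X also carries keep-state.

```python
"""Toy model of ipfw rule evaluation: per-packet 'prob' versus per-flow
check-state/keep-state balancing over two uplinks.  Added example, not ipfw
code; traffic is constructed; NAT and interfaces are not modelled."""
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                   # check-state | count | skipto | pipe | fwd | allow
    target: Optional[str] = None  # skipto: rule number; pipe/fwd/allow: uplink name
    prob: Optional[float] = None  # ipfw 'prob', rolled per packet before anything else
    keep_state: bool = False      # ipfw 'keep-state'


TERMINAL = {"pipe", "fwd", "allow"}   # one_pass=1: dummynet/fwd/allow end the walk


def evaluate(rules: List[Rule], flow: int, state: Dict[int, int], rng) -> str:
    """Walk one packet of `flow` through `rules`; return the uplink it leaves on.
    `state` maps a flow to the index of the rule whose keep-state created its
    dynamic entry; check-state runs that parent rule's action, as ip_fw does.
    Assumes an explicit check-state precedes any keep-state rule."""
    first_with_num = {}
    for i, r in enumerate(rules):
        first_with_num.setdefault(r.num, i)
    i = 0
    while i < len(rules):
        r = rules[i]
        if r.action == "check-state":
            if flow not in state:
                i += 1
                continue
            i = state[flow]          # dynamic match: run the parent's action,
            r = rules[i]             # skipping its prob and body
        else:
            if r.prob is not None and rng.random() >= r.prob:
                i += 1               # prob is evaluated before keep-state
                continue
            if r.keep_state:
                state.setdefault(flow, i)
        if r.action in TERMINAL:
            return r.target
        if r.action == "skipto":
            i = first_with_num[int(r.target)]
            continue
        i += 1                       # count: fall through to the next rule
    return "default"


def simulate(rules: List[Rule], n_flows: int = 400, pkts_per_flow: int = 8,
             seed: int = 1) -> dict:
    """Send interleaved packets of n_flows constructed connections through
    `rules`; report the per-packet share per uplink and the fraction of
    flows whose packets all left on the same uplink."""
    rng = random.Random(seed)
    state: Dict[int, int] = {}
    paths = defaultdict(list)
    for _ in range(pkts_per_flow):
        for flow in range(n_flows):
            paths[flow].append(evaluate(rules, flow, state, rng))
    total = n_flows * pkts_per_flow
    share = Counter(p for ps in paths.values() for p in ps)
    sticky = sum(1 for ps in paths.values() if len(set(ps)) == 1)
    return {"share": {k: v / total for k, v in share.items()},
            "sticky_flows": sticky / n_flows}


# (a) LD's two 'prob 0.5' rules, one after the other, nothing stateful
NAIVE = [
    Rule(800, "pipe", "ISP1", prob=0.5),
    Rule(800, "pipe", "ISP2", prob=0.5),
    Rule(802, "allow", "none"),           # the quarter that misses both
]
# (b) the posted skeleton: prob moved to a skipto, state only on the ISP2 branch
SKELETON = [
    Rule(100, "check-state"),
    Rule(200, "skipto", "900", prob=0.5),
    Rule(300, "count", keep_state=True),  # 'add count ip from any to any keep-state'
    Rule(400, "fwd", "ISP2"),             # 'divert NATD2' + 'fwd ISP2GW', collapsed
    Rule(900, "allow", "ISP1"),           # 'add X divert NATD1 ...', default route
]
# (c) hypothetical fix: the rule at X also creates state
FIXED = SKELETON[:-1] + [Rule(900, "allow", "ISP1", keep_state=True)]

if __name__ == "__main__":
    for name, rs in (("naive", NAIVE), ("skeleton", SKELETON), ("fixed", FIXED)):
        print(name, simulate(rs))
```

Three things come out of the run. The two `prob 0.5` rules split packets roughly 50/25/25 (the quarter that misses both rules falls through), and almost no flow keeps to one uplink. The skeleton as posted is sticky only for flows that took the `count ... keep-state` branch; a flow that jumped to X has no dynamic entry, so every later packet rolls `prob` again and most traffic drifts onto ISP2 within a few packets. With keep-state on both branches every flow stays where its first packet went and the split is close to even per flow, which is what "connection balancing" asks for; the practical change is a `keep-state` on the rule at X (or a `count ... keep-state` just in front of it).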
From: "David Roberts" To: Date: Thu, 11 Nov 2004 22:57:12 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 Thread-Index: AcTIhNWIGdUImtd9SgmSlhEhVuFUBA== X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 Message-Id: <20041112065715.4EEE743D49@mx1.FreeBSD.org> Subject: upgrading from 5.2.1 to 5.3 broke my ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Nov 2004 06:57:15 -0000

Hi,

I have been using ipfw for some time now and recently upgraded from 5.2.1 to 5.3. My firewall immediately started blocking me even from pinging localhost.

I also noted an error around an ipfw log entry I had and commented it out. I checked online and saw an IPFIREWALL_DEFAULT_TO_ACCEPT and figured I'd give it a try since I was always frustrated that flushing my rules would bump me off. I rebuilt the kernel and now I have the opposite problem, everything is allowed no matter what my rules say. My kernel opts are now

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT

After flushing ipfw I get

# ipfw show
65535 67836 20914281 deny ip from any to any

I even added another deny rule but everything is still allowed. Does that option just disable my firewall entirely?
My #ipfw show after running my firewall.rules is:

00100 0 0 allow ip from 127.0.0.1 to any keep-state
00200 0 0 allow ip from 192.168.1.0/28 to any keep-state
00300 0 0 allow ip from to any keep-state
00400 0 0 deny ip from 192.168.1.0/28 to any in via fxp0
00500 0 0 deny ip from any to 172.16.0.0/12 via fxp0
00600 0 0 deny ip from any to 192.168.0.0/16 via fxp0
00700 0 0 deny ip from any to 0.0.0.0/8 via fxp0
00800 0 0 deny ip from any to 169.254.0.0/16 via fxp0
00900 0 0 deny ip from any to 192.0.2.0/24 via fxp0
01000 0 0 deny ip from any to 224.0.0.0/4 via fxp0
01100 0 0 deny ip from any to 240.0.0.0/4 via fxp0
01200 0 0 deny ip from 172.16.0.0/12 to any via fxp0
01300 0 0 deny ip from 192.168.0.0/16 to any via fxp0
01400 0 0 deny ip from 0.0.0.0/8 to any via fxp0
01500 0 0 deny ip from 169.254.0.0/16 to any via fxp0
01600 0 0 deny ip from 192.0.2.0/24 to any via fxp0
01700 0 0 deny ip from 224.0.0.0/4 to any via fxp0
01800 0 0 deny ip from 240.0.0.0/4 to any via fxp0
01900 0 0 allow tcp from any to dst-port 80 setup
02000 0 0 allow tcp from any to dst-port 22 setup keep-state
02100 0 0 allow tcp from 192.168.1.0/28 to any setup
65535 70851 21336238 deny ip from any to any

Thanks
David

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 12 08:35:11 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5F3B816A4CE for ; Fri, 12 Nov 2004 08:35:11 +0000 (GMT) Received: from smtpauth06.mail.atl.earthlink.net (smtpauth06.mail.atl.earthlink.net [209.86.89.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 00FFF43D31 for ; Fri, 12 Nov 2004 08:35:11 +0000 (GMT) (envelope-from martes.wigglesworth@earthlink.net) Received: from [213.209.169.198] (helo=[192.168.1.50]) by smtpauth06.mail.atl.earthlink.net with asmtp (TLSv1:AES256-SHA:256) (Exim 4.34) id 1CSWtc-0001Hz-UL; Fri, 12 Nov 2004 03:35:10 -0500
From: Martes Wigglesworth To: David Roberts In-Reply-To: <20041112065715.4EEE743D49@mx1.FreeBSD.org> References: <20041112065715.4EEE743D49@mx1.FreeBSD.org> Content-Type: multipart/mixed; boundary="=-PEZycNUkMrBPNLxfFGGn" Organization: Wiggtekmicro Corporation Message-Id: <1100248505.826.6.camel@Mobile1.276NET> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 Date: Fri, 12 Nov 2004 11:35:05 +0300 X-ELNK-Trace: 532caf459ba90ce6996df0496707a79d9bea09fe345ed53d9ef193a6bfc3dd48b99f727214eaac27184df7c5b9d1fefa387f7b89c61deb1d350badd9bab72f9c X-Originating-IP: 213.209.169.198 cc: ipfw-mailings Subject: Re: upgrading from 5.2.1 to 5.3 broke my ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: martes.wigglesworth@earthlink.net List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Nov 2004 08:35:11 -0000

That is really a problem. I have seen more broken stuff with 5.3 than with 5.2.1, than I care to complain about. The way that the default-accept option is supposed to work is that your default 65535 rule is allow ip from any to any. Your experience is not normal. Your rules should apply to something. Have you tried doing a /etc/netstart? I used to get ignored functionality when my routing table was quirky, due to dhcp or something else. The main issue is that your rule is saying one thing, and not doing the displayed functionality. That is something that you may want to put to the Current list. I am not an expert, however, I have bumped into erroneous-user land many a time, with BSD, and I have experienced such functionality, with the exception of the fictitious default rule. (Please excuse spelling) You may want to fetch the newest CVSUP'd src and recompile the kernel, with a new version of the config file, and all.
I have found that an unreliable source can cause this weirdness, as well.

-- Respectfully, M.G.W. System: Asus M6N Intel Dothan 1.7 512MB RAM 40GB HD 10/100/1000 NIC Wireless b/g (not working yet) BSD-5.2.1 GCC-3.3.5/3.3.3 (until I replace indigenous gcc) IFORT-for linux (Intel Fortran) gfortran python-2.3 Perl-5.6.1/5.8.5 Java-sdk-1.4.2_5 KDE-3.1.4
From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 12 08:47:50 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B6C1516A4CE for ; Fri, 12 Nov 2004 08:47:50 +0000 (GMT) Received: from mailhost.wsf.at (server202.serveroffice.com [217.196.72.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2ADA443D3F for ; Fri, 12 Nov 2004 08:47:49 +0000 (GMT) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (root@localhost)iAC8ht9e000244 for ;
Fri, 12 Nov 2004 09:43:55 +0100 (CET) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (http.wsf.at [217.196.72.203]) iAC8hsdn000231; Fri, 12 Nov 2004 09:43:55 +0100 (CET) (envelope-from tw@wsf.at) Date: Fri, 12 Nov 2004 08:43:54 -0000 To: David Roberts , freebsd-ipfw@freebsd.org 
From: Thomas Wolf X-Mailer: twiggi 1.10.3 Message-ID: <20041112094354.fqa1koqnuxkc88@.mailhost.wsf.at> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: upgrading from 5.2.1 to 5.3 broke my ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: tw@wsf.at List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Nov 2004 08:47:50 -0000

David Roberts wrote:
> Hi,
> I have been using ipfw for some time now and recently upgraded from 5.2.1
> to 5.3. My firewall immediately started blocking me even from pinging
> localhost.
>
> I also noted an error around an ipfw log entry I had and commented it out.
> I checked online and saw an IPFIREWALL_DEFAULT_TO_ACCEPT and figured I'd
> give it a try since I was always frustrated that flushing my rules would
> bump me off. I rebuilt the kernel and now I have the opposite problem,
> everything is allowed no matter what my rules say.

Are you 100% sure that your kernel and userland are in sync? I am pretty sure that ignoring every rule and just applying the default rule points to the userland part of ipfw not corresponding to the kernel part.

Thomas

-- Thomas Wolf Wiener Software Fabrik Dubas u.
Wolf GMBH 1050 Wien, Mittersteig 4 From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 12 16:11:37 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F2A1216A4CE for ; Fri, 12 Nov 2004 16:11:36 +0000 (GMT) Received: from smtp812.mail.sc5.yahoo.com (smtp812.mail.sc5.yahoo.com [66.163.170.82]) by mx1.FreeBSD.org (Postfix) with SMTP id B910C43D2D for ; Fri, 12 Nov 2004 16:11:36 +0000 (GMT) (envelope-from dtrobert@pacbell.net) Received: from unknown (HELO MADAGASCAR) (dtrobert@pacbell.net@63.197.250.220 with login) by smtp812.mail.sc5.yahoo.com with SMTP; 12 Nov 2004 16:11:36 -0000 
From: "David Roberts" To: , Date: Fri, 12 Nov 2004 08:11:36 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.6353 Thread-Index: AcTIlE8KINu58RTTQyaWuQDh15OuWwAPX2Rw X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 In-Reply-To: <20041112094354.fqa1koqnuxkc88@.mailhost.wsf.at> Message-Id: <20041112161136.B910C43D2D@mx1.FreeBSD.org> Subject: RE: upgrading from 5.2.1 to 5.3 broke my ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Nov 2004 16:11:37 -0000

David Roberts wrote:
>> Hi,
>> I have been using ipfw for some time now and recently upgraded from
>> 5.2.1 to 5.3. My firewall immediately started blocking me even from
>> pinging localhost.
>>
>> I also noted an error around an ipfw log entry I had and commented it out.
>> I checked online and saw an IPFIREWALL_DEFAULT_TO_ACCEPT and figured
>> I'd give it a try since I was always frustrated that flushing my rules
>> would bump me off. I rebuilt the kernel and now I have the opposite
>> problem, everything is allowed no matter what my rules say.
>
> Are you 100% sure that your kernel and userland are in sync?
> I am pretty sure that ignoring every rule and just applying the default rule points to the userland part of ipfw not
> corresponding to the kernel part.

I believe so. I did a "make buildworld, make kernel, installkernel, mergemaster, installworld, reboot" following a full cvsup. My kernel is custom but nothing new from prior releases. I will try installworld once again to see if that changes anything.

> Thomas
> --
> Thomas Wolf
> Wiener Software Fabrik
> Dubas u. Wolf GMBH
> 1050 Wien, Mittersteig 4
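Paweł's advice earlier in the thread, to run `ipfw -d show` and read the counters, is also the quickest way to see the symptom David reports: every packet lands on rule 65535 and nothing above it matches, while the box behaves as if the default were `allow` although the listing prints `deny`. That combination is what Thomas reads as the userland `ipfw` and the kernel's ipfw being out of sync. The Python below is an added example, not from the thread or from the ipfw tools; it parses the `ipfw show` counter columns (rule number, packets, bytes, rule text), stops at the `## Dynamic rules` section that `-d` appends, and reports which rules are being hit. Both listings are constructed for the example: one modelled on David's output, one showing a ruleset that is actually matching traffic.

```python
"""Read `ipfw show` / `ipfw -a list` output and say where the packets went.
Added example; the listings below are constructed after the one in the thread."""
import re
from typing import Dict, List, NamedTuple


class RuleCount(NamedTuple):
    num: int
    pkts: int
    bytes: int
    body: str


# ipfw show: "<rule> <packets> <bytes> <rule text>"; with -d, dynamic entries
# follow a "## Dynamic rules" header and are not static rules
LINE = re.compile(r"^\s*(\d{1,5})\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_show(text: str) -> List[RuleCount]:
    rules: List[RuleCount] = []
    for line in text.splitlines():
        if line.startswith("## Dynamic rules"):
            break
        m = LINE.match(line)
        if m:
            num, pkts, nbytes, body = m.groups()
            rules.append(RuleCount(int(num), int(pkts), int(nbytes), body))
    return rules


def diagnose(text: str) -> Dict[str, object]:
    """Counters tell you whether the static rules are matching anything: if
    every packet landed on 65535 while the host behaves as if the default
    were 'allow', the userland ipfw and the kernel ipfw are probably not the
    same generation (the thread's suggestion) and the listing cannot be trusted."""
    rules = parse_show(text)
    total = sum(r.pkts for r in rules)
    default = next((r for r in rules if r.num == 65535), None)
    default_pkts = default.pkts if default else 0
    hit = [r.num for r in rules if r.num != 65535 and r.pkts > 0]
    return {
        "rules": len(rules),
        "total_pkts": total,
        "default_pkts": default_pkts,
        "hit_rules": hit,
        "only_default_matches": total > 0 and default_pkts == total,
        "default_is_deny": default is not None and default.body.startswith("deny"),
    }


def report(text: str) -> str:
    d = diagnose(text)
    if d["only_default_matches"]:
        return ("all %d packets hit rule 65535 (%s): static rules are not being "
                "consulted; check that /sbin/ipfw matches the running kernel"
                % (d["total_pkts"], "deny" if d["default_is_deny"] else "allow"))
    return "rules with hits: %s; %d packets fell through to 65535" % (
        d["hit_rules"], d["default_pkts"])


# constructed after David's listing: every counter zero except the default rule
STUCK = """\
00100          0          0 allow ip from 127.0.0.1 to any keep-state
00200          0          0 allow ip from 192.168.1.0/28 to any keep-state
00400          0          0 deny ip from 192.168.1.0/28 to any in via fxp0
01900          0          0 allow tcp from any to me dst-port 80 setup
02000          0          0 allow tcp from any to me dst-port 22 setup keep-state
65535      70851   21336238 deny ip from any to any
"""

# constructed healthy listing (ipfw -d show): static rules are matching traffic
HEALTHY = """\
00100         12        960 allow ip from any to any via lo0
00200        300      41000 allow tcp from any to me dst-port 22 setup keep-state
65535          3        180 deny ip from any to any
## Dynamic rules (1):
00200          8       1200 (299s) STATE tcp 10.0.0.5 40000 <-> 10.0.0.1 22
"""

if __name__ == "__main__":
    print(report(STUCK))
    print(report(HEALTHY))
```

Feed it `ipfw -a list` or `ipfw -d show` output from the box in question; a `deny` default rule carrying every packet on a host that is visibly passing traffic is the contradiction to chase before touching the ruleset, and the check Thomas proposes (rebuilt kernel and `/sbin/ipfw` from the same source tree) is the first thing to verify.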