Date:      Sun, 22 Oct 2000 21:10:02 -0700 (PDT)
From:      Jeff Kletsky <jeff@spotlife.com>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/22224: ipfw pipe command causes kernel panic
Message-ID:  <200010230410.VAA74187@freefall.freebsd.org>

The following reply was made to PR kern/22224; it has been noted by GNATS.

From: Jeff Kletsky <jeff@spotlife.com>
To: freebsd-gnats-submit@FreeBSD.org, jeff+freebsd@spotlife.com
Cc:  
Subject: Re: kern/22224: ipfw pipe command causes kernel panic
Date: Sun, 22 Oct 2000 21:00:17 -0700 (PDT)

 Further testing indicates that the issue is not the creation of the
 firewall rule itself, but seems to be related to the flow of packets.
 
 ipfw pipe 1097 config
 ipfw add 21097 pipe 1097 ip from 64.220.148.97 to any
 
 or
 
 ipfw pipe config 1097
 ipfw add 21097 pipe 1097 ip from 64.220.148.97 to any
 
 Both have the same behaviour:
 
 If no ethernet is connected, or just the ethernet to the outside
 world, things seem stable.  As soon as the ethernet to the inside
 (the traffic sources) is connected, the crash occurs.
 
 
 
 Occurs for other choices of IP address and netmask (including the
 proper class C netmask...)
 
 
 Tried to get a debugging kernel to dump to /var/crash, but am
 apparently missing something other than the config line in the
 configuration file and config -g.  Will be happy to follow directions
 to get the crashed kernel.
 
 Let me know what else I can do to help...
 
 Jeff
 
 (Pipes are being created to throttle traffic and simulate degradation of
 service over modems and that great master of QOS, our friend, AOL...)
 
 uname-a:
 ========
 
 FreeBSD goldengate.wagsky.com 4.1.1-STABLE FreeBSD 4.1.1-STABLE #0: Sun Oct 22 15:59:08 PDT 2000     toor@port7.pn.wagsky.com:/usr/src/sys/compile/GGdebug.20001022  i386
 
 GGdebug.20001022 (kernel configuration)
 =======================================
 
 #
 # GENERIC -- Generic kernel configuration file for FreeBSD/i386
 #
 # For more information on this file, please read the handbook section on
 # Kernel Configuration Files:
 #
 #    http://www.FreeBSD.org/handbook/kernelconfig-config.html
 #
 # The handbook is also available locally in /usr/share/doc/handbook
 # if you've installed the doc distribution, otherwise always see the
 # FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
 # latest information.
 #
 # An exhaustive list of options and more detailed explanations of the
 # device lines is also present in the ./LINT configuration file. If you are
 # in doubt as to the purpose or necessity of a line, check first in LINT.
 #
 # $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.15 2000/10/12 01:47:16 msmith Exp $
 
 machine		i386
 #cpu		I386_CPU
 #cpu		I486_CPU
 cpu		I586_CPU
 #cpu		I686_CPU
 ident		GOLDENGATE
 maxusers	32
 
 makeoptions	DEBUG=-g		#Build kernel with gdb(1) debug symbols
 
 #options 	MATH_EMULATE		#Support for x87 emulation
 options 	INET			#InterNETworking
 options 	INET6			#IPv6 communications protocols
 options 	FFS			#Berkeley Fast Filesystem
 options 	FFS_ROOT		#FFS usable as root device [keep this!]
 options 	SOFTUPDATES		#Enable FFS soft updates support
 options 	MFS			#Memory Filesystem
 options 	MD_ROOT			#MD is a potential root device
 options 	NFS			#Network Filesystem
 options 	NFS_ROOT		#NFS usable as root device, NFS required
 options 	MSDOSFS			#MSDOS Filesystem
 options 	CD9660			#ISO 9660 Filesystem
 options 	CD9660_ROOT		#CD-ROM usable as root, CD9660 required
 options 	PROCFS			#Process filesystem
 options 	COMPAT_43		#Compatible with BSD 4.3 [KEEP THIS!]
 options 	SCSI_DELAY=15000	#Delay (in ms) before probing SCSI
 options 	UCONSOLE		#Allow users to grab the console (removes the root check on TIOCCONS, so any user can redirect console output to their tty; not needed on a firewall)
 options 	USERCONFIG		#boot -c editor
 options 	VISUAL_USERCONFIG	#visual boot -c editor
 options 	KTRACE			#ktrace(1) support
 options 	SYSVSHM			#SYSV-style shared memory
 options 	SYSVMSG			#SYSV-style message queues
 options 	SYSVSEM			#SYSV-style semaphores
 options 	P1003_1B		#Posix P1003_1B real-time extensions
 options 	_KPOSIX_PRIORITY_SCHEDULING
 options		ICMP_BANDLIM		#Rate limit bad replies
 options 	KBD_INSTALL_CDEV	# install a CDEV entry in /dev
 
 # To make an SMP kernel, the next two are needed
 #options 	SMP			# Symmetric MultiProcessor Kernel
 #options 	APIC_IO			# Symmetric (APIC) I/O
 
 device		isa
 device		eisa
 device		pci
 
 # Floppy drives
 device		fdc0	at isa? port IO_FD1 irq 6 drq 2
 device		fd0	at fdc0 drive 0
 #device		fd1	at fdc0 drive 1
 
 # ATA and ATAPI devices
 device		ata0	at isa? port IO_WD1 irq 14
 device		ata1	at isa? port IO_WD2 irq 15
 device		ata
 device		atadisk			# ATA disk drives
 device		atapicd			# ATAPI CDROM drives
 #device		atapifd			# ATAPI floppy drives
 #device		atapist			# ATAPI tape drives
 options 	ATA_STATIC_ID		#Static device numbering
 options 	ATA_ENABLE_ATAPI_DMA	#Enable DMA on ATAPI devices
 
 # SCSI Controllers
 #device		ahb		# EISA AHA1742 family
 device		ahc		# AHA2940 and onboard AIC7xxx devices
 #device		amd		# AMD 53C974 (Teckram DC-390(T))
 #device		isp		# Qlogic family
 device		ncr		# NCR/Symbios Logic
 device		sym		# NCR/Symbios Logic (newer chipsets)
 options		SYM_SETUP_LP_PROBE_MAP=0x40
 				# Allow ncr to attach legacy NCR devices when 
 				# both sym and ncr are configured
 
 #device		adv0	at isa?
 #device		adw
 #device		bt0	at isa?
 #device		aha0	at isa?
 #device		aic0	at isa?
 
 # SCSI peripherals
 device		scbus		# SCSI bus (required)
 device		da		# Direct Access (disks)
 device		sa		# Sequential Access (tape etc)
 device		cd		# CD
 device		pass		# Passthrough device (direct SCSI access)
 
 # RAID controllers interfaced to the SCSI subsystem
 #device		asr		# DPT SmartRAID V, VI and Adaptec SCSI RAID
 #device		dpt		# DPT Smartcache - See LINT for options!
 
 # RAID controllers
 #device		ida		# Compaq Smart RAID
 #device		amr		# AMI MegaRAID
 #device		mlx		# Mylex DAC960 family
 #device		twe		# 3ware Escalade
 
 # atkbdc0 controls both the keyboard and the PS/2 mouse
 device		atkbdc0	at isa? port IO_KBD
 device		atkbd0	at atkbdc? irq 1 flags 0x1
 device		psm0	at atkbdc? irq 12
 
 device		vga0	at isa?
 
 # splash screen/screen saver
 pseudo-device	splash
 
 # syscons is the default console driver, resembling an SCO console
 device		sc0	at isa? flags 0x100
 
 # Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
 #device		vt0	at isa?
 #options 	XSERVER			# support for X server on a vt console
 #options 	FAT_CURSOR		# start with block cursor
 # If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
 #options 	PCVT_SCANSET=2		# IBM keyboards are non-std
 
 # Floating point support - do not disable.
 device		npx0	at nexus? port IO_NPX irq 13
 
 # Power management support (see LINT for more options)
 device		apm0    at nexus? disable flags 0x20 # Advanced Power Management
 
 # PCCARD (PCMCIA) support
 #device		card
 #device		pcic0	at isa? irq 0 port 0x3e0 iomem 0xd0000
 #device		pcic1	at isa? irq 0 port 0x3e2 iomem 0xd4000 disable
 
 # Serial (COM) ports
 device		sio0	at isa? port IO_COM1 flags 0x10 irq 4
 device		sio1	at isa? port IO_COM2 irq 3
 device		sio2	at isa? disable port IO_COM3 irq 5
 device		sio3	at isa? disable port IO_COM4 irq 9
 
 # Parallel port
 device		ppc0	at isa? irq 7
 device		ppbus		# Parallel port bus (required)
 device		lpt		# Printer
 device		plip		# TCP/IP over parallel
 device		ppi		# Parallel port interface device
 #device		vpo		# Requires scbus and da
 
 
 # PCI Ethernet NICs.
 #device		de		# DEC/Intel DC21x4x (``Tulip'')
 device		fxp		# Intel EtherExpress PRO/100B (82557, 82558)
 #device		tx		# SMC 9432TX (83c170 ``EPIC'')
 #device		vx		# 3Com 3c590, 3c595 (``Vortex'')
 #device		wx		# Intel Gigabit Ethernet Card (``Wiseman'')
 
 # PCI Ethernet NICs that use the common MII bus controller code.
 device		miibus		# MII bus support
 #device		dc		# DEC/Intel 21143 and various workalikes
 #device		pcn		# AMD Am79C79x PCI 10/100 NICs
 #device		rl		# RealTek 8129/8139
 #device		sf		# Adaptec AIC-6915 (``Starfire'')
 #device		sis		# Silicon Integrated Systems SiS 900/SiS 7016
 #device		ste		# Sundance ST201 (D-Link DFE-550TX)
 #device		tl		# Texas Instruments ThunderLAN
 #device		vr		# VIA Rhine, Rhine II
 #device		wb		# Winbond W89C840F
 #device		xl		# 3Com 3c90x (``Boomerang'', ``Cyclone'')
 
 # ISA Ethernet NICs.
 #device		ed0	at isa? port 0x280 irq 10 iomem 0xd8000
 #device		ex
 #device		ep
 #device		fe0	at isa? port 0x300
 # WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
 # exists only as a PCMCIA device, so there is no ISA attachment needed
 # and resources will always be dynamically assigned by the pccard code.
 #device		wi
 # Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
 # work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
 # mode (the factory default). If you set the switches on your ISA
 # card for a manually chosen I/O address and IRQ, you must specify
 # those parameters here.
 #device		an
 # Xircom Ethernet
 #device		xe
 # The probe order of these is presently determined by i386/isa/isa_compat.c.
 #device		ie0	at isa? port 0x300 irq 10 iomem 0xd0000
 #device		le0	at isa? port 0x300 irq 5 iomem 0xd0000
 #device		lnc0	at isa? port 0x280 irq 10 drq 0
 #device		cs0	at isa? port 0x300
 #device		sn0	at isa? port 0x300 irq 10
 
 # Pseudo devices - the number indicates how many units to allocate.
 pseudo-device	loop		# Network loopback
 pseudo-device	ether		# Ethernet support
 #pseudo-device	sl	1	# Kernel SLIP
 #pseudo-device	ppp	1	# Kernel PPP
 pseudo-device	tun		# Packet tunnel.
 pseudo-device	pty		# Pseudo-ttys (telnet etc)
 pseudo-device	md		# Memory "disks"
 pseudo-device	gif	4	# IPv6 and IPv4 tunneling
 pseudo-device	faith	1	# IPv6-to-IPv4 relaying (translation)
 
 # The `bpf' pseudo-device enables the Berkeley Packet Filter.
 # Be aware of the administrative consequences of enabling this!
 pseudo-device	bpf	4	#Berkeley packet filter
 
 # USB support
 device		uhci		# UHCI PCI->USB interface
 device		ohci		# OHCI PCI->USB interface
 device		usb		# USB Bus (required)
 device		ugen		# Generic
 device		uhid		# "Human Interface Devices"
 device		ukbd		# Keyboard
 device		ulpt		# Printer
 device		umass		# Disks/Mass storage - Requires scbus and da
 device		ums		# Mouse
 # USB Ethernet, requires mii
 device		aue		# ADMtek USB ethernet
 device		cue		# CATC USB ethernet
 device		kue		# Kawasaki LSI USB ethernet
 
 #
 # Internet family options:
 #
 # TCP_COMPAT_42 causes the TCP code to emulate certain bugs present in
 # 4.2BSD.  This option should not be used unless you have a 4.2BSD
 # machine and TCP connections fail.
 #
 # MROUTING enables the kernel multicast packet forwarder, which works
 # with mrouted(8).
 #
 # IPFIREWALL enables support for IP firewall construction, in
 # conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
 # logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
 # limits the number of times a matching entry can be logged; without
 # it the kernel reports "unlimited logging" at boot and every hit on a
 # `log' rule goes to syslog, so a packet flood against a `deny log'
 # default rule becomes a flood of log lines.  The limit can also be
 # set at run time with the net.inet.ip.fw.verbose_limit sysctl.
 #
 # WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
 # and if you do not add other rules during startup to allow access,
 # YOU WILL LOCK YOURSELF OUT.  It is suggested that you set firewall_type=open
 # in /etc/rc.conf when first enabling this feature, then refining the
 # firewall rules in /etc/rc.firewall after you've tested that the new kernel
 # feature works properly.
 #
 # IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
 # allow everything.  Use with care, if a cracker can crash your
 # firewall machine, they can get to your protected machines.  However,
 # if you are using it as an as-needed filter for specific problems as
 # they arise, then this may be for you.  Changing the default to 'allow'
 # means that you won't get stuck if the kernel and /sbin/ipfw binary get
 # out of sync.
 #
 # IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
 #
 # IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
 # packets without touching the ttl).  This can be useful to hide firewalls
 # from traceroute and similar tools.
 #
 # TCPDEBUG is undocumented.
 #
 #options 	TCP_COMPAT_42		#emulate 4.2BSD TCP bugs
 #options 	MROUTING		# Multicast routing
 options 	IPFIREWALL		#firewall
 options 	IPFIREWALL_VERBOSE	#print information about
 					# dropped packets
 #options 	IPFIREWALL_FORWARD	#enable transparent proxy support
 #options 	IPFIREWALL_VERBOSE_LIMIT=100	#limit verbosity
 #options 	IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
 options 	IPV6FIREWALL		#firewall for IPv6
 options 	IPV6FIREWALL_VERBOSE
 #options 	IPV6FIREWALL_VERBOSE_LIMIT=100
 #options 	IPV6FIREWALL_DEFAULT_TO_ACCEPT
 options 	IPDIVERT		#divert sockets
 #options 	IPFILTER		#ipfilter support
 #options 	IPFILTER_LOG		#ipfilter logging
 #options 	IPSTEALTH		#support for stealth forwarding
 #options 	TCPDEBUG
 
 # Statically Link in accept filters
 #options                ACCEPT_FILTER_DATA
 #options                ACCEPT_FILTER_HTTP
 
 # The following options add sysctl variables for controlling how certain
 # TCP packets are handled.
 #
 # TCP_DROP_SYNFIN adds support for ignoring TCP packets with SYN+FIN. This
 # prevents nmap et al. from identifying the TCP/IP stack, but breaks support
 # for RFC1644 extensions and is not recommended for web servers.
 #
 # TCP_RESTRICT_RST adds support for blocking the emission of TCP RST packets.
 # This is useful on systems which are exposed to SYN floods (e.g. IRC servers)
 # or any system which one does not want to be easily portscannable.
 #
 options 	TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
 options 	TCP_RESTRICT_RST	#restrict emission of TCP RST
 
 # ICMP_BANDLIM enables icmp error response bandwidth limiting.   You
 # typically want this option as it will help protect the machine from
 # D.O.S. packet attacks.
 #
 options 	ICMP_BANDLIM
 
 # DUMMYNET enables the "dummynet" bandwidth limiter. You need
 # IPFIREWALL as well. See the dummynet(4) manpage for more info.
 # BRIDGE enables bridging between ethernet cards -- see bridge(4).
 # You can use IPFIREWALL and dummynet together with bridging.
 options 	DUMMYNET
 options 	BRIDGE
 
 dmesg.boot
 ==========
 
 Copyright (c) 1992-2000 The FreeBSD Project.
 Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
 	The Regents of the University of California. All rights reserved.
 FreeBSD 4.1.1-STABLE #0: Sun Oct 22 15:59:08 PDT 2000
     toor@port7.pn.wagsky.com:/usr/src/sys/compile/GGdebug.20001022
 Timecounter "i8254"  frequency 1193182 Hz
 CPU: Pentium/P55C (199.43-MHz 586-class CPU)
   Origin = "GenuineIntel"  Id = 0x544  Stepping = 4
   Features=0x8001bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,MMX>
 real memory  = 33554432 (32768K bytes)
 config> di pcic0
 No such device: pcic0
 Invalid command or syntax.  Type `?' for help.
 config> di sn0
 No such device: sn0
 Invalid command or syntax.  Type `?' for help.
 config> di lnc0
 No such device: lnc0
 Invalid command or syntax.  Type `?' for help.
 config> di le0
 No such device: le0
 Invalid command or syntax.  Type `?' for help.
 config> di ie0
 No such device: ie0
 Invalid command or syntax.  Type `?' for help.
 config> di fe0
 No such device: fe0
 Invalid command or syntax.  Type `?' for help.
 config> di ed0
 No such device: ed0
 Invalid command or syntax.  Type `?' for help.
 config> di cs0
 No such device: cs0
 Invalid command or syntax.  Type `?' for help.
 config> di bt0
 No such device: bt0
 Invalid command or syntax.  Type `?' for help.
 config> di aic0
 No such device: aic0
 Invalid command or syntax.  Type `?' for help.
 config> di aha0
 No such device: aha0
 Invalid command or syntax.  Type `?' for help.
 config> di adv0
 No such device: adv0
 Invalid command or syntax.  Type `?' for help.
 config> q
 avail memory = 29360128 (28672K bytes)
 Preloaded elf kernel "kernel" at 0xc0372000.
 Preloaded userconfig_script "/boot/kernel.conf" at 0xc037209c.
 Intel Pentium detected, installing workaround for F00F bug
 md0: Malloc disk
 npx0: <math processor> on motherboard
 npx0: INT 16 interface
 pcib0: <Host to PCI bridge> on motherboard
 pci0: <PCI bus> on pcib0
 isab0: <Intel 82371SB PCI to ISA bridge> at device 7.0 on pci0
 isa0: <ISA bus> on isab0
 atapci0: <Intel PIIX3 ATA controller> port 0xffa0-0xffaf at device 7.1 on pci0
 ata0: at 0x1f0 irq 14 on atapci0
 ata1: at 0x170 irq 15 on atapci0
 uhci0: <Intel 82371SB (PIIX3) USB controller> port 0xff80-0xff9f irq 9 at device 7.2 on pci0
 usb0: <Intel 82371SB (PIIX3) USB controller> on uhci0
 usb0: USB revision 1.0
 uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
 uhub0: 2 ports with 2 removable, self powered
 pci0: <Matrox MGA 1024SG/1064SG/1164SG graphics accelerator> at 13.0 irq 11
 ahc0: <Adaptec aic7850 SCSI adapter> port 0xfc00-0xfcff mem 0xffbeb000-0xffbebfff irq 9 at device 14.0 on pci0
 ahc0: Host Adapter Bios disabled.  Using default SCSI device parameters
 aic7850: Single Channel A, SCSI Id=7, 3/255 SCBs
 fxp0: <Intel Pro 10/100B/100+ Ethernet> port 0xfd80-0xfdbf mem 0xffc00000-0xffcfffff,0xfff7e000-0xfff7efff irq 11 at device 15.0 on pci0
 fxp0: Ethernet address 00:d0:b7:3f:d4:ab
 fxp1: <Intel Pro 10/100B/100+ Ethernet> port 0xfe80-0xfebf mem 0xffe00000-0xffefffff,0xfff7f000-0xfff7ffff irq 9 at device 16.0 on pci0
 fxp1: Ethernet address 00:d0:b7:3f:d2:29
 fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
 fdc0: FIFO enabled, 8 bytes threshold
 fd0: <1440-KB 3.5" drive> on fdc0 drive 0
 atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
 atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
 kbd0 at atkbd0
 psm0: <PS/2 Mouse> irq 12 on atkbdc0
 psm0: model MouseMan+, device ID 0
 vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
 sc0: <System console> at flags 0x100 on isa0
 sc0: VGA <16 virtual consoles, flags=0x300>
 sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
 sio0: type 16550A
 sio1 at port 0x2f8-0x2ff irq 3 on isa0
 sio1: type 16550A
 ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
 ppc0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode
 ppc0: FIFO with 16/16/8 bytes threshold
 plip0: <PLIP network interface> on ppbus0
 lpt0: <Printer> on ppbus0
 lpt0: Interrupt-driven port
 ppi0: <Parallel I/O> on ppbus0
 DUMMYNET initialized (000608)
 IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, unlimited logging
 BRIDGE 990810, have 9 interfaces
 -- index 1  type 6 phy 0 addrl 6 addr 00.d0.b7.3f.d4.ab
 -- index 2  type 6 phy 0 addrl 6 addr 00.d0.b7.3f.d2.29
 IPv6 packet filtering initialized, unlimited logging
 ad0: 4112MB <WDC AC24300L> [8912/15/63] at ata0-master using WDMA2
 ad2: 1222MB <WDC AC11200L> [2484/16/63] at ata1-master using WDMA2
 acd0: CDROM <NEC CD-ROM DRIVE:284> at ata1-slave using PIO3
 Waiting 15 seconds for SCSI devices to settle
 Mounting root from ufs:/dev/ad0s1a
 
 
 ifconfig -a
 ===========
 
 fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 	inet6 fe80::2d0:b7ff:fe3f:d4ab%fxp0 prefixlen 64 scopeid 0x1 
 	inet 64.220.148.96 netmask 0xff000000 broadcast 255.255.255.0
 	ether 00:d0:b7:3f:d4:ab 
 	media: autoselect (10baseT/UTP) status: active
 	supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
 fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
 	inet6 fe80::2d0:b7ff:fe3f:d229%fxp1 prefixlen 64 scopeid 0x2 
 	ether 00:d0:b7:3f:d2:29 
 	media: autoselect status: no carrier
 	supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP
 lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
 gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
 gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
 gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
 gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8 
 	inet6 ::1 prefixlen 128 
 	inet 127.0.0.1 netmask 0xff000000 
 faith0: flags=8000<MULTICAST> mtu 1500
 
 
 rc.conf
 =======
 
 # This file now contains just the overrides from /etc/defaults/rc.conf
 # please make all changes to this file.
 
 # Enable network daemons for user convenience.
 # -- sysinstall generated deltas -- #
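 moused_flags=""
 # Boot into securelevel 1: immutable/append-only file flags cannot be
 # cleared and kernel modules cannot be loaded once multi-user.  ipfw
 # rules remain changeable at this level (only securelevel 3 freezes them).
 kern_securelevel="1"
 kern_securelevel_enable="YES"
 # NOTE(review): Linux binary compatibility is extra attack surface on a
 # firewall/bridge; nothing else in this configuration appears to need it.
 linux_enable="YES"
 sendmail_enable="NO"
 moused_enable="YES"
 saver="blank"
 font8x8="cp437-8x8"
 font8x14="cp437-8x14"
 font8x16="cp437-8x16"
 portmap_enable="NO"
 nfs_server_enable="NO"
 inetd_enable="NO"
 usbd_enable="YES"
 sshd_enable="YES"

 # This string is handed straight to ifconfig(8).  The original value
 # "64.220.148.96 255.255.255.0" was taken as two bare addresses: the
 # interface came up with the class A default netmask 0xff000000 and
 # 255.255.255.0 as its *broadcast* address (see the ifconfig -a output).
 # Name the netmask explicitly so the /24 actually takes effect.
 ifconfig_fxp0="inet 64.220.148.96 netmask 255.255.255.0"
 hostname="goldengate.wagsky.com"

 # jmk
 firewall_enable="YES"
 #firewall_type="OPEN"
 firewall_script="/etc/firewall/goldengate"
 allscreens_flags="80x60"
 # NOTE(review): no dumpdev is set here, so a panic has nowhere to write a
 # crash dump; point dumpdev at the swap partition to get the kernel core
 # this PR is asking for.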
 
 
 sysctl.conf
 ===========
 
 net.link.ether.bridge=1
 net.link.ether.bridge_ipfw=1
 net.inet.ip.fw.one_pass=0
 
 
 goldengate (firewall script)
 ============================
 
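 ipfwa='/sbin/ipfw add'

 # My interfaces, inside and outside

 iif='fxp0'
 oif='fxp1'

 # Match options for bridged traffic.  With net.link.ether.bridge_ipfw=1 a
 # bridged packet passes ipfw once, as "in" with "bridged" set; the rule
 # section below records that it is seen on the interface nearest its
 # destination, so inbound traffic (Internet -> DSL hosts) is matched with
 # ${irb}/${irsb} and outbound traffic with ${otb}/${otsb}.

 irb="in recv ${iif} bridged"
 irsb="in recv ${iif} setup bridged"

 otb="in recv ${oif} bridged"        # Yes, these look funny, 
 otsb="in recv ${oif} setup bridged" # but are "correct"


 # "Hidden" IP of this box and the single host allowed to reach it
 # (despite the name, mynet is a host address, not a network)

 myip='192.168.7.2'
 mynet='192.168.7.1'

 # DSL addresses assigned to me

 mydsl='64.220.148.96/30'
 mydslv='207.20.242.61'



 # Specific services

 mysmtp='64.220.148.97'
 myhttp='64.220.148.97'
 myntp="${mydsl}"

 # "Friendly" nets

 rp15='63.100.15.128/25'
 # Was 63.100.16.1/25 -- a host bit inside the prefix.  ipfw masks the
 # address when it installs the rule, so 63.100.16.0/25 was matched either
 # way; write the network address to say what is meant.
 rp16='63.100.16.0/25'
 rp167='63.95.167.0/25'

 kanga20='63.100.16.20'
 kanga21='63.100.16.21'

 spotlife='208.48.65.0/24'
 spotlife_ftp='208.48.65.12'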
 
 
 
 #
 # Begin rules
 #
 
 # Rule 1 is reserved for those "critical" things
 
 # Log all setup and icmp from the outside
 
 #${ipfwa}     2 count log icmp from any to any in via ${oif}
 # Accounting rules: every ICMP packet and every inbound TCP SYN is
 # counted and logged.  Rule 3 hops bridged traffic over the routed-only
 # counter at 4 so it is counted once, at 5.  With this kernel built
 # without IPFIREWALL_VERBOSE_LIMIT ("unlimited logging" in dmesg) each
 # of these hits is a syslog line.
 #
 # Remember that, from the outside:
 #   routed packets first appear "in ${oif}"
 #   bridged packets *only* appear "in ${iif}"
 for rule in \
     '2 count log icmp from any to any' \
     '3 skipto 5 ip from any to any bridged' \
     '4 count log tcp from any to any setup in' \
     "5 count log tcp from any to any setup in recv ${iif} bridged"
 do
     ${ipfwa} ${rule}
 done
 
 
 #
 # Bridged packets appear only as in on if nearest destination
 #
 
 
 #${ipfwa}    10 count log ip  from any to any bridged
 #${ipfwa}    20 count log ip  from any to any bridged in
 #${ipfwa}    30 count log ip  from any to any bridged out
 
 
 # Make sure that lo0 does what it is supposed to
 
 #${ipfwa}   100 allow    ip   from 127.0.0.1 to 127.0.0.1 recv lo0 xmit lo0
 # Loopback: 127.0.0.1 and this box's own hidden address may talk to
 # themselves over lo0.  (ipfw on this release is IPv4 only; ::1 on lo0
 # is the IPv6 firewall's business.)
 for rule in \
     '100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0' \
     "101 allow ip from ${myip} to ${myip} via lo0"
 do
     ${ipfwa} ${rule}
 done

 # Management access to the hidden address: a packet claiming to be from
 # ${myip} that arrives on the inside wire is spoofed (200); only ${mynet}
 # may reach it (210) and be answered (220); anything else addressed to
 # it, on any interface, is dropped and logged (230).
 for rule in \
     "200 deny log ip from ${myip} to ${myip} in recv ${iif}" \
     "210 allow ip from ${mynet} to ${myip} in recv ${iif}" \
     "220 allow ip from ${myip} to ${mynet} out xmit ${iif}" \
     "230 deny log ip from any to ${myip} via any"
 do
     ${ipfwa} ${rule}
 done
 
 # Prevent spoofing
 
 # Nothing claiming to be from this box's hidden address may arrive from
 # the wire on any interface.
 ${ipfwa} 10000 deny log ip   from ${myip} to any in via any

 # Spoofed DSL sources.  Bridged traffic carrying our addresses is normal
 # when it is on its way out, so 10100 hops over the routed check; what
 # 10102 catches is a bridged packet with one of our source addresses
 # seen on ${iif} -- following the note above that a bridged packet is
 # matched on the interface nearest its destination, that packet came in
 # from the Internet side.  A *routed* packet with our source arriving on
 # ${oif} is always bogus.
 ${ipfwa} 10100 skipto 10102 ip  from ${mydsl} to any bridged
 ${ipfwa} 10101 deny log ip   from ${mydsl} to any in via ${oif} # Routed
 ${ipfwa} 10102 deny log ip   from ${mydsl} to any in via ${iif} bridged


 # The same three rules for the single routed address.
 ${ipfwa} 10200 skipto 10202 ip  from ${mydslv} to any bridged
 ${ipfwa} 10201 deny log ip   from ${mydslv} to any in via ${oif} # Routed
 ${ipfwa} 10202 deny log ip   from ${mydslv} to any in via ${iif} bridged
 
 
 # Deny unacceptable sources
 
 # Deny unacceptable sources: the unspecified net, loopback, TEST-NET,
 # the three RFC 1918 blocks and link-local space never arrive
 # legitimately from anywhere.
 for rule in \
     '11000 0.0.0.0/8' \
     '11010 127.0.0.0/8' \
     '11020 192.0.2.0/24' \
     '11030 10.0.0.0/8' \
     '11040 172.16.0.0/12' \
     '11050 192.168.0.0/16' \
     '11060 169.254.0.0/16'
 do
     ${ipfwa} ${rule%% *} deny log ip from ${rule#* } to any in via any
 done

 # ...and broadcast sources: the limited broadcast, then (as addr:mask)
 # the directed broadcast of every class A, B and C network, plus
 # 240.0.0.1.
 for rule in \
     '11200 255.255.255.255' \
     '11210 0.255.255.255:128.255.255.255' \
     '11220 128.0.255.255:192.0.255.255' \
     '11230 192.0.0.255:224.0.0.255' \
     '11240 240.0.0.1'
 do
     ${ipfwa} ${rule%% *} deny log ip from ${rule#* } to any in via any
 done

 # Deny unacceptable destinations -- the same lists, outbound.
 for rule in \
     '12000 0.0.0.0/8' \
     '12010 127.0.0.0/8' \
     '12020 192.0.2.0/24' \
     '12030 10.0.0.0/8' \
     '12040 172.16.0.0/12' \
     '12050 192.168.0.0/16' \
     '12060 169.254.0.0/16'
 do
     ${ipfwa} ${rule%% *} deny log ip from any to ${rule#* } out via any
 done

 for rule in \
     '12200 255.255.255.255' \
     '12210 0.255.255.255:128.255.255.255' \
     '12220 128.0.255.255:192.0.255.255' \
     '12230 192.0.0.255:224.0.0.255' \
     '12240 240.0.0.1'
 do
     ${ipfwa} ${rule%% *} deny log ip from any to ${rule#* } out via any
 done
 
 
 #
 # 20000s are good places to put pre-screened allows and pipes
 #
 
 
 ##########################
 #                        #
 # Start allowing packets #
 #                        #
 ##########################
 
 
 ##############################
 #                            #
 # Special hosts and services #
 #                            #
 ##############################
 
 
 # RTSP from SpotLife
 
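 # RTSP from SpotLife: any UDP from the whole /24 to our DSL hosts.
 ${ipfwa} 40010 allow udp from ${spotlife} to ${mydsl} ${irb}

 # FTP from ftp.spotlife.com -- all TCP, not only SYNs, so data
 # connections in either direction get through.
 ${ipfwa} 40020 allow tcp from ${spotlife_ftp} to ${mydsl} ${irb}


 ###############
 #             #
 # By services #
 #             #
 ###############

 # ftp: active-mode data connections come back from the server's port 20
 # to an ephemeral port on the client, so only ports above 1023 are
 # opened.  The original "from any 20 to ${mydsl}" carried no destination
 # port: anyone who sets a source port of 20 could open a connection to
 # *any* TCP port on these hosts, ahead of every service rule below.
 ${ipfwa} 50020 allow log tcp from any 20 to ${mydsl} 1024-65535 ${irsb}

 # ssh (from anywhere; narrow to known sources if that is acceptable)
 ${ipfwa} 50022 allow log tcp from any to ${mydsl} 22 ${irsb}

 # smtp
 ${ipfwa} 50025 allow log tcp from any to ${mysmtp} 25 ${irsb}

 # dns replies.  The original rule named neither direction nor interface,
 # so it matched both ways on every interface and, like the old ftp rule,
 # admitted any UDP datagram with source port 53 to any port.  Now
 # inbound-bridged only; it still trusts source port 53 from anywhere, so
 # replace "any" with the resolvers these hosts actually query once they
 # are known.
 ${ipfwa} 50053 allow     udp from any 53 to ${mydsl} ${irb}

 # http.  Several rules share number 50080: ipfw evaluates them in the
 # order added, and "ipfw delete 50080" removes all of them.  The first
 # five differ from the last only in logging (kanga hosts unlogged).
 ${ipfwa} 50080 allow     tcp from ${kanga20} to ${myhttp} 80 ${irsb}
 ${ipfwa} 50080 allow     tcp from ${kanga21} to ${myhttp} 80 ${irsb}
 ${ipfwa} 50080 allow log tcp from ${rp15}    to ${myhttp} 80 ${irsb}
 ${ipfwa} 50080 allow log tcp from ${rp16}    to ${myhttp} 80 ${irsb}
 ${ipfwa} 50080 allow log tcp from ${rp167}    to ${myhttp} 80 ${irsb}

 ${ipfwa} 50080 allow log tcp from any        to ${myhttp} 80 ${irsb}


 # auth
 ${ipfwa} 50113 allow log tcp from any to ${mydsl} 113 ${irsb}

 # ntp replies from the listed servers only.
 # NOTE(review): 240.123.2.5 is inside 240.0.0.0/4, which is reserved and
 # not routed on the Internet, so that rule can never match a real server
 # -- most likely a typo in the first octet; check the hosts' ntp.conf
 # and correct the address here.
 ${ipfwa} 50123 allow udp     from 240.123.2.5    123 to ${myntp} ${irb}
 ${ipfwa} 50123 allow udp     from 128.115.14.97  123 to ${myntp} ${irb}
 ${ipfwa} 50123 allow udp     from 128.9.176.30   123 to ${myntp} ${irb}
 ${ipfwa} 50123 allow udp     from 165.227.1.1    123 to ${myntp} ${irb}
 ${ipfwa} 50123 allow udp     from 131.216.18.4   123 to ${myntp} ${irb}
 ${ipfwa} 50123 allow udp     from 206.86.8.69    123 to ${myntp} ${irb}
 ${ipfwa} 50123 allow udp     from 206.86.0.21    123 to ${myntp} ${irb}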
 
 
 
 ################################
 #                              #
 # Return packets, frag, etc... #
 #                              #
 ################################
 
 
 # Whatever our hosts send out (60000); return traffic for connections
 # they opened (60100); echo reply, unreachable, source quench, echo
 # request and time exceeded inbound (60200).
 #
 # 60100 is a stateless check: any segment with ACK set, from anywhere,
 # passes, so ACK scans and spoofed-ACK traffic reach the hosts.  ipfw's
 # dynamic rules (keep-state/check-state) should be available on 4.x if
 # that ever matters.
 for rule in \
     "60000 allow ip from ${mydsl} to any ${otb}" \
     "60100 allow tcp from any to ${mydsl} established ${irb}" \
     "60200 allow icmp from any to ${mydsl} icmptypes 0,3,4,8,11 ${irb}"
 do
     ${ipfwa} ${rule}
 done

 # Deny and log the rest.  This kernel logs without a limit
 # (IPFIREWALL_VERBOSE_LIMIT unset; dmesg says "unlimited logging"), so a
 # flood of unwanted packets is also a flood of syslog lines -- set
 # net.inet.ip.fw.verbose_limit in sysctl.conf if that becomes a problem.
 ${ipfwa} 65534 deny log ip  from any to any
 
 
 
 
 -----
 
 Jeffrey Marc Kletsky
 
 SpotLife | Personal Broadcasting
 
 Sr. Product Manager           jeff@spotlife.com
 
 
 
 
 
 
 
 
 
 
 





