From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 27 05:37:35 2007
From: maxim@FreeBSD.org
To: maxim@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Mon, 27 Aug 2007 05:37:35 GMT
Message-Id: <200708270537.l7R5bZGC001044@freefall.freebsd.org>
Subject: Re: bin/115372: [ipfw] [patch] "ipfw show" prints ill result.
List-Id: IPFW Technical Discussions

Synopsis: [ipfw] [patch] "ipfw show" prints ill result.

Responsible-Changed-From-To: freebsd-ipfw->maxim
Responsible-Changed-By: maxim
Responsible-Changed-When: Mon Aug 27 05:37:02 UTC 2007
Responsible-Changed-Why:
Grab.
http://www.freebsd.org/cgi/query-pr.cgi?pr=115372

From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 27 Aug 2007 11:08:22 GMT
Message-Id: <200708271108.l7RB8MTa020548@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw  [ipfw] ipfw pipe lost packets
o kern/95084   ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw  [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw  [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw  ipfw is seems to be broken to limit number of connecti
o kern/115261  ipfw  [ipfw]: incorrect 'ipfw: pullup failed' with IPv6 no-n

14 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw  [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw  [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw  [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw  [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw  [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw  [ipfw] sugestions about ipfw table
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw  [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw  [dummynet] Too few dummynet queue slots
o kern/112561  ipfw  [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw  [ipfw][patch] Addition actions with rules within speci
o bin/115172   ipfw  [patch] ipfw(8) list show some rules with a wrong form
o kern/115755  ipfw  [ipfw][patch] unify message and add a rule number wher

26 problems total.
From: Fratiman Vladut
To: ipfw@freebsd.org
Date: Mon, 27 Aug 2007 19:45:13 +0300
Message-ID: <46D2FF99.1020303@spaingsm.com>
Subject: natd load problem. How block some traffic with ipfw

Hi!

I'm using FreeBSD 5.4 with ipfw+natd+dummynet. Everything works well, except that sometimes the natd daemon requires too many resources. I ran natd in verbose mode and I found some traffic that is strange to me. For example:

In {default} 0000ffff[TCP] [TCP] 89.38.249.21:4111 -> myIP:1085 aliased to [TCP] 89.38.249.21:4111 -> myIP:1085
In {default} 0000ffff[UDP] [UDP] 196.219.167.100:1831 -> myIP:20278 aliased to [UDP] 196.219.167.100:1831 -> myIP:20278
In {default} 0000ffff[TCP] [TCP] 64.125.154.81:39840 -> myIP:2800 aliased to [TCP] 64.125.154.81:39840 -> myIP:2800

It's like natd doesn't change the destination IP. I don't have applications running on the server that listen on these ports (1085, 20278, 2800, ...). Usually natd changes the destination IP of packets according to some internal tables. So what is this traffic? I don't have public IPs in my LAN, only private ones. Some legitimate traffic is like this:

In {default} 0000ffff[UDP] [UDP] 89.39.74.183:31336 -> myIP:17324 aliased to [UDP] 89.39.74.183:31336 -> 10.0.0.115:17324

If this is some illegal traffic, how can it be blocked with ipfw?

From: Greg Skafte
To: ipfw@freebsd.org
Date: Mon, 27 Aug 2007 11:47:22 -0600
Message-ID: <20070827174721.GA62693@trollkarl.trollkarl.net>
Organization: Greg's Hidey Hole
Subject: dscp support

Did anyone ever take a more in-depth look at kern/102471 (tos and dscp support)? It would be useful for doing more advanced work with VoIP and more advanced queueing with equipment that manipulates DSCP fields (Avaya PBXs and Cisco SIP products).

--
Email: skafte@trollkarl.net
Contact me for ICQ, MSN, AIM, Yahoo, Jabber
--
--
When things can't get any worse, they simplify themselves by getting a whole lot worse than complicated. A complete and utter disaster is the simplest thing in the world; it's preventing one that's complex.
(Janet Morris)

From: Russell Fulton
To: freebsd-ipfw@freebsd.org
Date: Thu, 30 Aug 2007 18:19:34 +1200
Message-ID: <46D66176.9020300@auckland.ac.nz>
Subject: getting state to work properly

Hi Folks

I have a fair bit of experience with firewalls, particularly pf and also iptables, but I have never played with ipfw before. I have the ipfw man page and some of the FreeBSD tutorial stuff to consult -- all looks pretty straightforward.

I have inherited an ipfw firewall which I am trying to make some changes to. The current rule set does not use state and is very difficult to understand, as filtering is being done on many interfaces (four VLANs representing the 'inside' and one physical interface being the 'outside'). In an attempt to impose some order I rewrote the rule set from scratch, doing all the real filtering on the external interface and using state to keep track of connections. Today I had a two-hour outage to try and make it work and totally failed. (I'm not really surprised...)

My first question is "is there any way of maintaining state over a rule reload?" One way of doing it would be to change the rule set number of the running rule set before loading the new rules. Is this possible? But this is in the "it would be nice" category.

More importantly, I failed to make the state stuff work.

State gets created -- ipfw -ad show shows the dynamic rules with numbers in both counters, but the returning packets never appear on either the inbound or outbound interfaces (according to tcpdump). I have log logamount 0 on *all* denies but nothing is logged. I know, from monitoring traffic outside the firewall, that the original packets are coming out and replies are being sent to the firewall, where they silently vanish.

Any ideas appreciated. My gut feeling is that I'm missing something basic.

If anyone wants to have a look at the rule set I'm happy to mail it to them, but I don't want it appearing in a public mail archive ;)

Thanks, Russell.

ISO, The University of Auckland, New Zealand.
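Added example (not from the thread and not ipfw's code): a toy Python model of how ipfw evaluates a forwarded connection twice, in on the receiving interface and out on the transmitting one, with check-state and keep-state consulting one dynamic table. The ruleset, interface names and addresses are constructed in the style described above; dynamic-rule lifetimes, limit and most other options are left out.

```python
"""Toy model of ipfw stateful evaluation, constructed for this page (not ipfw's code).
From ipfw(8): a forwarded packet is evaluated on input (in, recv=ingress) and again
on output (out, recv=ingress, xmit=egress); check-state consults the dynamic table;
a keep-state rule probes the dynamic table before its own body and adds an entry when
the body matches; setup matches only a TCP SYN without ACK. Lifetimes are ignored."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    num: int
    action: str             # "allow", "deny" or "check-state"
    proto: str = "all"
    src: str = "any"
    dst: str = "any"
    direction: str = ""     # "", "in" or "out"
    recv: str = ""
    xmit: str = ""
    via: str = ""
    setup: bool = False
    keep_state: bool = False


def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def body_matches(r, pkt, direction, recv, xmit):
    """Static part of a rule; pkt = (proto, src, sport, dst, dport, tcp_flags)."""
    proto, src, _, dst, _, flags = pkt
    if r.proto != "all" and r.proto != proto:
        return False
    if not (_addr_ok(r.src, src) and _addr_ok(r.dst, dst)):
        return False
    if (r.direction and r.direction != direction) or (r.recv and r.recv != recv):
        return False
    if (r.xmit and r.xmit != xmit) or (r.via and r.via not in (recv, xmit)):
        return False
    if r.setup and not (proto == "tcp" and "S" in flags and "A" not in flags):
        return False
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = {}  # 5-tuple as created -> number of the rule that created it

    def _lookup(self, pkt):
        """A dynamic entry matches its 5-tuple in either direction."""
        proto, src, sport, dst, dport, _ = pkt
        return (self.dyn.get((proto, src, sport, dst, dport))
                or self.dyn.get((proto, dst, dport, src, sport)))

    def evaluate(self, pkt, direction, recv, xmit=""):
        """One pass over the ruleset: (action, rule number, 'dynamic' or 'static')."""
        for r in self.rules:
            if r.action == "check-state" or r.keep_state:
                parent = self._lookup(pkt)
                if parent is not None:
                    action = next(x.action for x in self.rules if x.num == parent)
                    return action, parent, "dynamic"
                if r.action == "check-state":
                    continue
            if body_matches(r, pkt, direction, recv, xmit):
                if r.keep_state:
                    self.dyn[pkt[:5]] = r.num
                return r.action, r.num, "static"
        return "deny", 65535, "static"  # ipfw's implicit default rule

    def forward(self, pkt, ingress, egress):
        """Forwarded packet: the input pass, then the output pass if it was allowed."""
        first = self.evaluate(pkt, "in", ingress)
        if first[0] != "allow":
            return [("in",) + first]
        return [("in",) + first, ("out",) + self.evaluate(pkt, "out", ingress, egress)]


def demo():
    """Constructed ruleset: state is kept on the outside interface fxp1."""
    rules = [
        Rule(10, "check-state"),
        Rule(1135, "allow", src="130.216.89.0/24", direction="in", recv="vlan89"),
        Rule(1281, "allow", proto="tcp", src="130.216.89.0/24", xmit="fxp1",
             setup=True, keep_state=True),
        Rule(6000, "deny"),
    ]
    syn = ("tcp", "130.216.89.50", 40000, "198.51.100.10", 80, "S")
    synack = ("tcp", "198.51.100.10", 80, "130.216.89.50", 40000, "SA")
    fw = Firewall(rules)
    out = fw.forward(syn, "vlan89", "fxp1")      # output pass creates the dynamic entry
    back = fw.forward(synack, "fxp1", "vlan89")  # reply accepted by state on both passes
    # Ordering matters: an inbound deny on fxp1 numbered ahead of check-state
    # drops the reply before the dynamic table is ever consulted.
    fw2 = Firewall(rules + [Rule(5, "deny", proto="tcp", direction="in", recv="fxp1")])
    fw2.forward(syn, "vlan89", "fxp1")
    dropped = fw2.forward(synack, "fxp1", "vlan89")
    return out, back, dropped
```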
From: "Vadim Goncharov"
To: freebsd-ipfw@freebsd.org
Date: Thu, 30 Aug 2007 14:32:40 +0700
In-Reply-To: <46D66176.9020300@auckland.ac.nz>
Subject: Re: getting state to work properly

30.08.07 @ 13:19 Russell Fulton wrote:

> If anyone wants to have a look at the rule set I'm happy to mail it to
> them but I don't want it appearing in a public mail archive ;)

You can simply replace all your IP addresses with strings like X.X.X.X, Y.Y.Y.Y, Z.Z.Z.0/24 etc., and then post it here. There's nothing interesting in a ruleset without real addresses, IMHO. Without the ruleset it's possible to give only the most general advice, like remembering packet flow (always in and out, two passes), check-state, rule ordering, and so on.

--
WBR, Vadim Goncharov

From: Paul Bridger
To: freebsd-ipfw@freebsd.org
Date: Thu, 30 Aug 2007 15:08:58 +0100
Message-ID: <46D6CF7A.9080502@wilorc.co.uk>
Reply-To: paul@wilorc.co.uk
Subject: ipfw2 deep packet filtering

Hi

I'm trying to solve a problem with ipfw2, so would be grateful for help from anyone on the list with moving things forward.

I would like to understand if it's possible to discover the real MAC address of a packet that has been NAT'd by another device. The scenario for using this would be for hosts on a wireless LAN that connect to a wireless router which NATs their connection and then routes the packets to another LAN (across a wire) where a FreeBSD server performs firewall packet filtering via ipfw2. As all the connections from the hosts on the wireless LAN have had their MAC and IP addresses NAT'd to that of the wireless router, it is difficult to distinguish between hosts, unless some form of deep packet inspection could be performed to discover the true MAC address. Is this something that would be possible with ipfw2?

Thank you.

-Paul
From: Russell Fulton
To: Russell Fulton
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 31 Aug 2007 05:41:25 +1200
Message-ID: <46D70145.3030708@auckland.ac.nz>
In-Reply-To: <46D66176.9020300@auckland.ac.nz>
Subject: Re: getting state to work properly

Rule set appended -- anonymizing the rule set while keeping the sense would be a lot of work, and I don't want to trim it down for fear of dropping something vital. As this network is not exposed to the internet and the firewall's primary purpose is traffic shaping, not security, I'll post it.

Attached.

Russell

Russell Fulton wrote:
> Hi Folks
>
> I have a fair bit of experience with firewalls particularly pf and also
> iptables but I have never played with ipfw before. I have the ipfw man
> page and some of the free bsd tutorial stuff to consult -- all looks
> pretty straight forward.
>
> I have inherited a ipfw firewall which I am trying to make some changes
> to. The current rule set does not use state and is very difficult to
> understand as filtering is being done on many interfaces (four vlans
> representing the 'inside' and one physical interface being the
> 'outside'). In an attempt to impose some order I rewrote the rule set
> from scratch doing all the real filtering on the external interface and
> using state to keep track of connections. Today I had a two hour outage
> to try and make it work and totally failed. (I'm not really surprised...)
>
> My first question is "is there anyway of maintaining state over a rule
> reload?" One way of doing it would be to change the rule set number of
> the running rule set before loading the new rules. Is this possible? But
> this is in the "it would be nice category".
>
> More importantly I failed to make the state stuff work.
>
> State gets created -- ipfw -ad show shows the dynamic rules with numbers
> in both counters but the returning packets never appear on either the
> inbound or outbound interfaces (according to tcpdump). I have log
> logamount 0 on *all* denies but nothing is logged. I know, from
> monitoring traffic out side the firewall that the original packets are
> coming out and replies are being sent to the firewall where they
> silently vanish.
>
> Any ideas appreciated. My gut feeling is that I'm missing something basic.
>
> If anyone wants to have a look at the rule set I'm happy to mail it to
> them but I don't want it appearing in a public mail archive ;)
>
> Thanks, Russell.
>
> ISO, The University of Auckland, New Zealand.

Attachment: ipfw.conf.sh

#!/bin/sh
# the file /etc/ipfw.conf.sh - configuration script for ipfw

disable firewall

# Flush out the list before we begin.
-f flush

#interfaces:
# fxp0 is inside
# fxp1 is outside
# vlan89 is UoA
# vlan90 is a copy of UoA
# vlan94 is guest
# vlan95 is Eduroam

# already established connections continue going through
add 10 check-state

# allow outbound traffic to mailhost from UoA
add 11 allow tcp from 130.216.89.0/24, 130.216.90.0/23 to 130.216.11.210 25, 587, 465 xmit fxp1 setup keep-state

# bad ports that we want to block
add 15 deny log logamount 0 udp from any to any 7,67,68,69,111,134-140,199,445,512,513,520,1993,2049,1900,5000 via fxp1
add 16 deny log logamount 0 tcp from any to any 7,11,15,25,67,68,87,111,134-140,144,199,445,511-516,1025,1993,1900,2049,2766,5000,5999-6020 via fxp1

# multicast rules VRP
# wgate-1
add 20 allow all from 130.216.89.6 to 224.0.0.18 via vlan89 keep-state
add 21 allow all from 130.216.90.6 to 224.0.0.18 via vlan90 keep-state
add 22 allow all from 130.216.94.6 to 224.0.0.18 via vlan94 keep-state
add 23 allow all from 130.216.95.6 to 224.0.0.18 via vlan95 keep-state
add 24 allow all from 130.216.1.11 to 224.0.0.18 via fxp1 keep-state
#wgate-2
add 25 allow all from 130.216.89.7 to 224.0.0.18 via vlan89 keep-state
add 26 allow all from 130.216.90.7 to 224.0.0.18 via vlan90 keep-state
add 27 allow all from 130.216.94.7 to 224.0.0.18 via vlan94 keep-state
add 28 allow all from 130.216.95.7 to 224.0.0.18 via vlan95 keep-state
add 29 allow all from 130.216.1.12 to 224.0.0.18 via fxp1 keep-state
add 30 allow all from 130.216.4.173 to 224.0.0.18 via fxp1 keep-state
add 31 allow all from 130.216.4.174 to 224.0.0.18 via fxp1 keep-state

# filter traffic to and from main campus on the external interface
# telnet for network management ?? need a better way of doing this!
add 40 allow all from 130.216.4.0/23, 130.216.76.0/23 to any in recv fxp1 setup keep-state

# deny all traffic between vlans i.e. all traffic coming in on a vlan goes out fxp1
add 01121 deny log logamount 0 all from any to any out recv vlan89 not xmit fxp1
add 01122 deny log logamount 0 all from any to any out recv vlan90 not xmit fxp1
add 01123 deny log logamount 0 all from any to any out recv vlan94 not xmit fxp1
add 01124 deny log logamount 0 all from any to any out recv vlan95 not xmit fxp1

# anti spoofing rules
add 01125 deny log logamount 0 all from not 130.216.89.0/24 to any in recv vlan89
add 01126 deny log logamount 0 all from not 130.216.90.0/23 to any in recv vlan90
add 01127 deny log logamount 0 all from not 130.216.94.0/24 to any in recv vlan94
add 01128 deny log logamount 0 all from not 130.216.95.0/24 to any in recv vlan95

# allow anything else in from the vlans
add 01135 allow all from 130.216.89.0/24 to any in recv vlan89
add 01136 allow all from 130.216.90.0/23 to any in recv vlan90
add 01137 allow all from 130.216.94.0/24 to any in recv vlan94
add 01138 allow all from 130.216.95.0/24 to any in recv vlan95

# allow icmp through fxp1 -- review !!!!
# (no "setup" here: setup matches only TCP SYNs, so an icmp rule with it never matches)
add 01160 allow icmp from any to any via fxp1 keep-state

### dns rules
#add 01167 allow udp from any to 130.216.1.1, 130.216.1.2 53 out xmit fxp1 keep-state
#add 01168 allow tcp from any to 130.216.1.1, 130.216.1.2 53 out xmit fxp1 setup keep-state

# don't forget the loopback interface or some things might break
# (a plain allow: with "setup" only TCP SYNs would pass on lo0)
add 01102 allow all from any to any via lo0

### Rate limited access to Internet for UoA vlan89
add 01281 allow tcp from 130.216.89.0/24 to any xmit fxp1 setup keep-state
add 01282 allow all from 130.216.89.0/24 to any xmit fxp1 keep-state
pipe 1 config mask src-ip 0x000000ff bw 128Kbit/s
###pipe 2 config mask dst-ip 0x000000ff bw 128Kbit/s
#pipe 3 config mask src-ip 0x000000ff bw 128Kbit/s
pipe 4 config mask dst-ip 0x000000ff bw 128Kbit/s
add 01285 pipe 1 all from 130.216.89.0/24 to not 130.216.0.0/16
#add 01286 pipe 2 all from 130.216.89.0/24 to any
#add 01287 pipe 3 all from any to 130.216.89.0/24
add 01288 pipe 4 all from not 130.216.0.0/16 to 130.216.89.0/24

### Rate limited access to Internet for UoA vlan90
add 01301 allow tcp from 130.216.90.0/23 to any xmit fxp1 setup keep-state
add 01302 allow all from 130.216.90.0/23 to any xmit fxp1 keep-state
pipe 11 config mask src-ip 0x000001ff bw 128Kbit/s
#pipe 12 config mask dst-ip 0x000001ff bw 128Kbit/s
#pipe 13 config mask src-ip 0x000001ff bw 128Kbit/s
pipe 14 config mask dst-ip 0x000001ff bw 128Kbit/s
#add 01305 pipe 11 all from 130.216.90.0/23 to not 130.216.0.0/16
#add 01306 pipe 12 all from 130.216.90.0/23 to any
#add 01307 pipe 13 all from any to 130.216.90.0/23
#add 01308 pipe 14 all from not 130.216.0.0/16 to 130.216.90.0/23

### campus access for Guests and Student to UoA network vlan94
add 02300 allow tcp from 130.216.94.0/24 to 130.216.0.0/16 xmit fxp1 setup keep-state
add 02301 allow all from 130.216.94.0/24 to 130.216.0.0/16 xmit fxp1 keep-state

### Eduroam access to Internet vlan95
add 02410 allow tcp from 130.216.95.0/24 to any out xmit fxp1 setup keep-state
add 02411 allow all from 130.216.95.0/24 to any out xmit fxp1 keep-state
pipe 5 config mask src-ip 0x000000ff bw 128Kbit/s
#pipe 6 config mask dst-ip 0x000000ff bw 128Kbit/s
#pipe 7 config mask src-ip 0x000000ff bw 128Kbit/s
pipe 8 config mask dst-ip 0x000000ff bw 128Kbit/s
add 02420 pipe 5 all from 130.216.95.0/24 to not 130.216.0.0/16
#add 02421 pipe 6 all from 130.216.95.0/24 to any
#add 02422 pipe 7 all from any to 130.216.95.0/24
add 02422 pipe 8 all from not 130.216.0.0/16 to 130.216.95.0/24

# this next one is by default the last one. You can choose a LARGE number if you
# like. I chose '6000', you can pick anything up to 65535. In FreeBSD the rule
# for '65535' is initially defined as 'deny all from any to any' when you load ipfw.
add 06000 deny log logamount 0 all from any to any

enable firewall
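Added example (not the poster's file and not part of ipfw): a small static checker for a rule file of this shape. It assumes the interface names listed in the comment block at the top of the script, and runs over a constructed excerpt containing the kinds of slips such a file can pick up.

```python
"""Static checks for an ipfw rule file of the shape posted above (constructed
checker, not part of ipfw). Interface names come from the comment block at the
top of the posted script."""
import re

KNOWN_IFACES = {"lo0", "fxp0", "fxp1", "vlan89", "vlan90", "vlan94", "vlan95"}
IFACE_RE = re.compile(r"\b(?:via|recv|xmit)\s+(\S+)")


def parse_rule(line):
    """Return (rule number, tokens) for an 'add N ...' line, else None."""
    toks = line.split("#", 1)[0].split()   # '#' starts a comment
    if len(toks) < 2 or toks[0] != "add" or not toks[1].isdigit():
        return None
    return int(toks[1]), toks[2:]


def lint(text):
    """Return (line number, rule number, message) for each suspicious rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        num, toks = parsed
        # In ipfw syntax the protocol is the token immediately before "from".
        proto = toks[toks.index("from") - 1] if "from" in toks else None
        # "setup" tests TCP flags: with "all" only TCP SYNs can match, with any
        # other protocol nothing can.
        if "setup" in toks and proto not in ("tcp", None):
            if proto == "all":
                findings.append((lineno, num, "setup with proto all: only TCP SYN packets can match"))
            else:
                findings.append((lineno, num, f"setup with proto {proto}: rule can never match"))
        for iface in IFACE_RE.findall(line.split("#", 1)[0]):
            if iface not in KNOWN_IFACES:
                findings.append((lineno, num, f"unknown interface {iface!r}"))
    return findings


# Constructed excerpt with the kinds of slips such a file can contain.
SAMPLE = """\
# vlan89 is UoA, vlan90 is a copy of UoA, vlan95 is Eduroam
add 10 check-state
add 26 allow all from 130.216.90.7 to 224.0.0.18 via vlan09 keep-state
add 01102 allow all from any to any via lo0 setup keep-state
add 01138 allow all from 130.216.95.0/24 to any in recv vlan
add 01160 allow icmp from any to any via fxp1 setup keep-state
add 01281 allow tcp from 130.216.89.0/24 to any xmit fxp1 setup keep-state
add 06000 deny log logamount 0 all from any to any
"""

if __name__ == "__main__":
    for lineno, num, msg in lint(SAMPLE):
        print(f"line {lineno} rule {num}: {msg}")
```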
11:33:51 -0700 (PDT) In-Reply-To: <46D6CF7A.9080502@wilorc.co.uk> References: <46D6CF7A.9080502@wilorc.co.uk> Mime-Version: 1.0 (Apple Message framework v752.2) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: Chuck Swiger Date: Thu, 30 Aug 2007 11:33:50 -0700 To: paul@wilorc.co.uk X-Mailer: Apple Mail (2.752.2) X-Brightmail-Tracker: AAAAAA== Cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw2 deep packet filtering X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Aug 2007 18:52:29 -0000 On Aug 30, 2007, at 7:08 AM, Paul Bridger wrote: > I would like to understand if it's possible to discover the real > MAC address of a packet that has been NAT'd by another device. No. You can only get the real MACs of devices by listening on the same subnet that the traffic originates from; once it passes through a router (with NAT enabled or not, doesn't matter), you only see the MAC of the device which passed that traffic along. > The scenario for using this would be for hosts on a wireless LAN > that connect to a wireles router which NAT's their connection and > then routes the packets to another LAN (across a wire) where a > FreeBSD server performs firewall packet filtering via ipfw2. As > all the connections from the hosts on the wireless LAN have had > their MAC and IP addresses NAT'd to that of the wireless router, it > is difficult to distinguish between hosts, unless some form of deep > packet inspection could be performed to discover the true MAC > address. Is this something that would be possible with ipfw2? Nope. You'd need to do your firewall inspection of your wireless router, not on the FreeBSD box. 
--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 30 19:35:27 2007
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8D90116A417 for ; Thu, 30 Aug 2007 19:35:27 +0000 (UTC) (envelope-from bu7cher@yandex.ru)
Received: from webmail29.mail.yandex.net (webmail29.mail.yandex.net [213.180.200.148]) by mx1.freebsd.org (Postfix) with ESMTP id 1508913C461 for ; Thu, 30 Aug 2007 19:35:26 +0000 (UTC) (envelope-from bu7cher@yandex.ru)
Received: from YAMAIL (webmail29) by mail.yandex.ru id S1060941AbXH3TD1 for ; Thu, 30 Aug 2007 23:03:27 +0400
X-Yandex-Spam: 1
Received: from [77.72.136.71] ([77.72.136.71]) by mail.yandex.ru with HTTP; Thu, 30 Aug 2007 23:03:25 +0400
From: "Andrey V. Elsukov"
To: paul@wilorc.co.uk
In-Reply-To: 1550000000206419139
References: 1550000000206419139
MIME-Version: 1.0
Message-Id: <470581188500605@webmail29.yandex.ru>
Date: Thu, 30 Aug 2007 23:03:25 +0400
X-Mailer: Yamail [ http://yandex.ru ] 5.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw2 deep packet filtering
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Thu, 30 Aug 2007 19:35:27 -0000

Hi,

> I'm trying to solve a problem with ipfw2, so would be grateful for help
> from anyone on the list with moving things forward.

This is not an ipfw problem.

> I would like to understand if it's possible to discover the real MAC
> address of a packet that has been NAT'd by another device. The scenario
> for using this would be for hosts on a wireless LAN that connect to a
> wireless router which NAT's their connection and then routes the packets
> to another LAN (across a wire) where a FreeBSD server performs firewall
> packet filtering via ipfw2.
> As all the connections from the hosts on
> the wireless LAN have had their MAC and IP addresses NAT'd to that of
> the wireless router, it is difficult to distinguish between hosts,
> unless some form of deep packet inspection could be performed to
> discover the true MAC address. Is this something that would be possible
> with ipfw2?

There is no way to discover this information. Maybe you can parse some specific protocols that contain MAC addresses within packets. But this is hard and doesn't give 100% results. The right way, IMHO, is VPN connections between the wireless clients and the FreeBSD server.

--
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 30 21:27:13 2007
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 35A9516A46D for ; Thu, 30 Aug 2007 21:27:13 +0000 (UTC) (envelope-from daiyon.fbsd@gmail.com)
Received: from nz-out-0506.google.com (nz-out-0506.google.com [64.233.162.228]) by mx1.freebsd.org (Postfix) with ESMTP id D9D2613C45E for ; Thu, 30 Aug 2007 21:27:12 +0000 (UTC) (envelope-from daiyon.fbsd@gmail.com)
Received: by nz-out-0506.google.com with SMTP id l8so468066nzf for ; Thu, 30 Aug 2007 14:26:58 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=uQSoZFp3gTx8SFeL9sl4CtQAQeLL8bN9Xe4FeBVG+ppeL7EJ987eW/jca4M/ZHIHgT10evFbnPN/wZ3HVneOIY7uLUKtockdP6Eio/PM7LHV+qA7K1lcQViG79/KIlymqETdN3r7ikOJxUwOnR5C4sEd0igP4Hx/56iZBXoDFMY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding;
b=J5hNzsrJ9cYGp2M3E3ddsXsabi33PzXq6sIss/ZKEoKr5qKxmH9xvZbnppurVr605Ko8MdEqp4+JW9wg8WGDaEyP+aXaov7bicFiiu9yjkonIHrFtwBvv91QXzE7VZSCBToqbrlgGg77zRLuc2mb0uUlFK3jB5rmW+e+PgjscjY=
Received: by 10.65.211.16 with SMTP id n16mr1848713qbq.1188507474527; Thu, 30 Aug 2007 13:57:54 -0700 (PDT)
Received: from ?10.100.100.207? ( [75.34.86.138]) by mx.google.com with ESMTPS id 7sm753594nzo.2007.08.30.13.57.49 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 30 Aug 2007 13:57:50 -0700 (PDT)
Message-ID: <46D72F19.10006@gmail.com>
Date: Thu, 30 Aug 2007 15:56:57 -0500
From: Chris Bowman
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: paul@wilorc.co.uk
References: <46D6CF7A.9080502@wilorc.co.uk>
In-Reply-To: <46D6CF7A.9080502@wilorc.co.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw2 deep packet filtering
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Thu, 30 Aug 2007 21:27:13 -0000

Quick answer would be: not in that scenario. All frames from your NAT router to your FreeBSD machine are only going to have the SRC MAC of the NAT router itself, and the DST MAC of the FreeBSD machine if it's directly connected. You might be able to identify, to a degree, the hosts that are behind the router by using some type of passive OS identification.

The easiest way to get what you want would be to replace the wireless NAT router with an access point, which will allow you to bridge your wireless hosts directly to your wired network and finally to your FreeBSD machine; use FreeBSD to do your NAT.

Chris Bowman

Paul Bridger wrote:
> Hi
>
> I'm trying to solve a problem with ipfw2, so would be grateful for
> help from anyone on the list with moving things forward.
>
> I would like to understand if it's possible to discover the real MAC
> address of a packet that has been NAT'd by another device. The
> scenario for using this would be for hosts on a wireless LAN that
> connect to a wireless router which NAT's their connection and then
> routes the packets to another LAN (across a wire) where a FreeBSD
> server performs firewall packet filtering via ipfw2. As all the
> connections from the hosts on the wireless LAN have had their MAC and
> IP addresses NAT'd to that of the wireless router, it is difficult to
> distinguish between hosts, unless some form of deep packet inspection
> could be performed to discover the true MAC address. Is this
> something that would be possible with ipfw2?
>
> Thank you.
>
> -Paul
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 31 00:44:22 2007
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1D0A316A41A for ; Fri, 31 Aug 2007 00:44:22 +0000 (UTC) (envelope-from r.fulton@auckland.ac.nz)
Received: from mailhost.auckland.ac.nz (larry.its.auckland.ac.nz [130.216.12.34]) by mx1.freebsd.org (Postfix) with ESMTP id D8F9513C459 for ; Fri, 31 Aug 2007 00:44:21 +0000 (UTC) (envelope-from r.fulton@auckland.ac.nz)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id BDFDC18550 for ; Fri, 31 Aug 2007 12:43:47 +1200 (NZST)
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Received: from mailhost.auckland.ac.nz ([127.0.0.1]) by localhost (larry.its.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ClyoTppNa1Tn for ; Fri, 31 Aug 2007 12:43:47 +1200 (NZST)
Received: from
bluebottle.insec.auckland.ac.nz (bluebottle.insec.auckland.ac.nz [130.216.4.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 9EB771854D for ; Fri, 31 Aug 2007 12:43:47 +1200 (NZST)
Message-ID: <46D76443.80407@auckland.ac.nz>
Date: Fri, 31 Aug 2007 12:43:47 +1200
From: Russell Fulton
User-Agent: Thunderbird 2.0.0.6 (Macintosh/20070728)
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
X-Enigmail-Version: 0.95.3
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: beginners questions
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Fri, 31 Aug 2007 00:44:22 -0000

Before you ask, yes I've RTFM ;) which was very informative, and there are still some things that I have missed.

1/ Is there a way of reloading rules while maintaining the state table, or is this the default? (Put another way, does flush affect dynamic rules?)

2/ We are using state and also shaping traffic via pipes. What interaction, if any, is there between pipes and state? I.e. if a packet gets sent to a pipe, will other traffic that is matched by the dynamic rule also get sent to the pipe?

3/ Are pipes bidirectional? I.e.
do I need to say

add 02421 pipe 6 all from 130.216.95.0/24 to any
add 02422 pipe 7 all from any to 130.216.95.0/24

Cheers and thanks
Russell

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 1 14:03:31 2007
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F195216A418 for ; Sat, 1 Sep 2007 14:03:30 +0000 (UTC) (envelope-from sid@merlin.com.ua)
Received: from merlin.com.ua (Merlin.Com.UA [195.66.196.180]) by mx1.freebsd.org (Postfix) with ESMTP id A5F0013C4B7 for ; Sat, 1 Sep 2007 14:02:26 +0000 (UTC) (envelope-from sid@merlin.com.ua)
Received: from H55_2.homeinet.loc (sid [192.168.55.2]) by merlin.com.ua (Postmaster) with ESMTP id B664033C0A5 for ; Sat, 1 Sep 2007 16:29:18 +0300 (EEST)
Date: Sat, 1 Sep 2007 16:28:12 -0700
From: sid@merlin.com.ua
X-Mailer: The Bat! (v2.10.03) Personal
X-Priority: 3 (Normal)
Message-ID: <85067517.20070901162812@merlin.com.ua>
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------ECAA21029300643"
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: dummynet / ipfw2: panic, double fault
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: sid@merlin.com.ua
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sat, 01 Sep 2007 14:03:31 -0000

------------ECAA21029300643
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi, all.

I have some trouble with the firewall. It looks to be unsolvable ((. The systems tested are all 6.* and 7.*, including all "stable" and "release" versions. The main job of the computer being tested is a firewall for accounting, piping, and managing customer access. The situation was tested on other computers with the same result.
You can repeat this problem by running this .sh script on any (including GENERIC) 6.* or 7.* version:

cut----------------------------
ifconfig em0 192.168.0.2/24
kldload ipfw
kldload dummynet
# one_pass=0: a packet coming back out of the pipe re-enters the ruleset at the next rule
sysctl net.inet.ip.fw.one_pass=0
# bw 0 means no bandwidth limit on the pipe
ipfw pipe 2 config bw 0
# seventeen identical rules, all numbered 2, each sending every IP packet to pipe 2
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ipfw add 2 pipe 2 ip from any to any
ping 192.168.0.1
cut---------------------------

Result: panic, double fault. See the attached image (a real screenshot ))).

This script is not the real target; it is a concentrated model of a situation which was discovered on a big firewall....

uname -a
FreeBSD new-black.homei.net.ua 6.2-STABLE-200708 FreeBSD 6.2-STABLE-200708 #1: Sat Sep 1 11:40:14 UTC 2007 root@:/usr/src/sys/i386/compile/BLACKi386SMP i386

dmesg
Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.2-STABLE-200708 #1: Sat Sep 1 11:40:14 UTC 2007 root@:/usr/src/sys/i386/compile/BLACKi386SMP ACPI APIC Table: Timecounter "i8254" frequency 1193182 Hz quality 0 CPU: Intel(R) Xeon(R) CPU E5310 @ 1.60GHz (1600.07-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0x6f7 Stepping = 7 Features=0xbfebfbff Features2=0x4e33d,CX16,,,> AMD Features=0x20100000 AMD Features2=0x1 Cores per package: 4 real memory = 3489005568 (3327 MB) avail memory = 3413454848 (3255 MB) FreeBSD/SMP: Multiprocessor System Detected: 8 CPUs cpu0 (BSP): APIC ID: 0 cpu1 (AP): APIC ID: 1 cpu2 (AP): APIC ID: 2 cpu3 (AP): APIC ID: 3 cpu4 (AP): APIC ID: 4 cpu5 (AP): APIC ID: 5 cpu6 (AP): APIC ID: 6 cpu7 (AP): APIC ID: 7 ioapic0 irqs 0-23 on motherboard ioapic1 irqs 24-47 on motherboard kbd1 at kbdmux0 acpi0: on motherboard acpi0: Power Button (fixed) Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000 acpi_timer0: <24-bit timer at 3.579545MHz> port 0x1008-0x100b on acpi0 cpu0: on acpi0 acpi_throttle0: on cpu0 cpu1: on acpi0 acpi_throttle1: on cpu1 acpi_throttle1: failed to attach P_CNT device_attach: acpi_throttle1 attach returned 6 cpu2: on acpi0 acpi_throttle2: on cpu2 acpi_throttle2: failed to attach P_CNT device_attach: acpi_throttle2 attach returned 6 cpu3: on acpi0 acpi_throttle3: on cpu3 acpi_throttle3: failed to attach P_CNT device_attach: acpi_throttle3 attach returned 6 cpu4: on acpi0 acpi_throttle4: on cpu4 acpi_throttle4: failed to attach P_CNT device_attach: acpi_throttle4 attach returned 6 cpu5: on acpi0 acpi_throttle5: on cpu5 acpi_throttle5: failed to attach P_CNT device_attach: acpi_throttle5 attach returned 6 cpu6: on acpi0 acpi_throttle6: on cpu6 acpi_throttle6: failed to attach P_CNT device_attach: acpi_throttle6 attach returned 6 cpu7: on acpi0 acpi_throttle7: on cpu7 acpi_throttle7: failed to attach P_CNT device_attach: acpi_throttle7 attach returned 6 pcib0: port 0xcf8-0xcff on acpi0 pci0: on pcib0 pcib1: at device 2.0 on pci0 pci1: on pcib1 pcib2: irq 16 at device 
0.0 on pci1 pci2: on pcib2 pcib3: irq 16 at device 0.0 on pci2 pci3: on pcib3 pcib4: irq 18 at device 2.0 on pci2 pci4: on pcib4 em0: port 0x2000-0x201f mem 0xd8100000-0xd811ffff irq 18 at device 0.0 on pci4 em0: Ethernet address: 00:30:48:60:35:9e em1: port 0x2020-0x203f mem 0xd8120000-0xd813ffff irq 19 at device 0.1 on pci4 em1: Ethernet address: 00:30:48:60:35:9f pcib5: at device 0.3 on pci1 pci5: on pcib5 em2: port 0x3000-0x303f mem 0xd8080000-0xd809ffff,0xd8000000-0xd803ffff irq 24 at device 1.0 on pci5 em2: Ethernet address: 00:1b:21:06:10:88 em3: port 0x3040-0x307f mem 0xd80a0000-0xd80bffff,0xd8040000-0xd807ffff irq 25 at device 1.1 on pci5 em3: Ethernet address: 00:1b:21:06:10:89 pci0: at device 8.0 (no driver attached) pcib6: irq 17 at device 28.0 on pci0 pci6: on pcib6 uhci0: port 0x1800-0x181f irq 17 at device 29.0 on pci0 uhci0: [GIANT-LOCKED] usb0: on uhci0 usb0: USB revision 1.0 uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1: port 0x1820-0x183f irq 19 at device 29.1 on pci0 uhci1: [GIANT-LOCKED] usb1: on uhci1 usb1: USB revision 1.0 uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2: port 0x1840-0x185f irq 18 at device 29.2 on pci0 uhci2: [GIANT-LOCKED] usb2: on uhci2 usb2: USB revision 1.0 uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub2: 2 ports with 2 removable, self powered uhci3: port 0x1860-0x187f irq 16 at device 29.3 on pci0 uhci3: [GIANT-LOCKED] usb3: on uhci3 usb3: USB revision 1.0 uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub3: 2 ports with 2 removable, self powered ehci0: mem 0xd8600000-0xd86003ff irq 17 at device 29.7 on pci0 ehci0: [GIANT-LOCKED] usb4: EHCI version 1.0 usb4: companion controllers, 2 ports each: usb0 usb1 usb2 usb3 usb4: on ehci0 usb4: USB revision 2.0 uhub4: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1 uhub4: 8 ports with 8 removable, self powered 
pcib7: at device 30.0 on pci0 pci7: on pcib7 pci7: at device 1.0 (no driver attached) isab0: at device 31.0 on pci0 isa0: on isab0 atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x1880-0x188f at device 31.1 on pci0 ata0: on atapci0 ata1: on atapci0 atapci1: port 0x18b0-0x18b7,0x18a4-0x18a7,0x18a8-0x18af,0x18a0-0x18a3,0x1890-0x189f mem 0xd8600400-0xd86007ff irq 19 at device 31.2 on pci0 ata2: on atapci1 ata3: on atapci1 pci0: at device 31.3 (no driver attached) acpi_button0: on acpi0 atkbdc0: port 0x60,0x64 irq 1 on acpi0 atkbd0: irq 1 on atkbdc0 kbd0 at atkbd0 atkbd0: [GIANT-LOCKED] sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0 sio0: type 16550A sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0 sio1: type 16550A fdc0: port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0 fdc0: [FAST] ppc0: port 0x378-0x37f,0x778-0x77f irq 7 drq 3 on acpi0 ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode ppc0: FIFO with 16/16/9 bytes threshold ppbus0: on ppc0 plip0: on ppbus0 lpt0: on ppbus0 lpt0: Interrupt-driven port ppi0: on ppbus0 orm0: at iomem 0xc0000-0xcafff on isa0 sc0: at flags 0x100 on isa0 sc0: VGA <16 virtual consoles, flags=0x300> vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0 Timecounters tick every 0.968 msec ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding enabled, default to accept, logging disabled acd0: DVDR at ata0-slave UDMA33 ad4: 238475MB at ata2-master SATA150 ad6: 238475MB at ata3-master SATA150 ar0: 238475MB status: READY ar0: disk0 READY (master) using ad4 at ata2-master ar0: disk1 READY (mirror) using ad6 at ata3-master SMP: AP CPU #1 Launched! SMP: AP CPU #3 Launched! SMP: AP CPU #2 Launched! SMP: AP CPU #4 Launched! SMP: AP CPU #5 Launched! SMP: AP CPU #7 Launched! SMP: AP CPU #6 Launched! 
Trying to mount root from ufs:/dev/ar0s1a

--
Saturday, September 1, 2007, 3:39:15 PM
Sydorenko Olexandr
AirBites Ukraine, Odessa Branch
sid@merlin.com.ua
http://airbites.net

------------ECAA21029300643--
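Added example for the "ipfw2 deep packet filtering" thread earlier in this digest (the replies from Chuck Swiger, Andrey V. Elsukov and Chris Bowman). It is not code from any of the posters: it builds constructed Ethernet/IPv4 frames for two wireless clients, pushes them through a model of the wireless NAT router, and parses what arrives on the wire the way a filter on the FreeBSD box would see it. Every MAC, IP address and the TTL table are assumptions chosen for illustration (locally administered 02:... MACs, RFC 1918 and RFC 5737 addresses; a real router may also rewrite the IP ID, which this model preserves). The point it makes concrete is the one all three replies state: the Ethernet header is rebuilt at every hop, so the client MAC is never present on the far side of the router, and NAT additionally replaces the source IP; the only thing left to tell clients apart is a crude passive fingerprint such as the TTL class, which is why the replies send you to the router itself, a VPN, or a bridging access point instead.

```python
# Added example, not code from the thread: model "wireless NAT router in front of the
# FreeBSD firewall" with constructed frames. All addresses and the TTL table are assumptions.
import struct
import ipaddress
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14
IPV4_HDR_LEN = 20  # build_frame never adds IP options


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a valid header (checksum included) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, ip_id, payload=b""):
    """Ethernet II frame around a minimal IPv4 header (no options, protocol 17 = UDP)."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IPV4_HDR_LEN + len(payload), ip_id, 0x4000, ttl, 17, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed,
    )
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Everything a filter on the wire can see about who sent a frame: its L2 and L3 headers."""
    if len(frame) < ETH_HDR_LEN + IPV4_HDR_LEN:
        raise ValueError("frame too short for Ethernet + IPv4")
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < IPV4_HDR_LEN or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8],
        "ip_id": struct.unpack("!H", ip[4:6])[0],
    }


def nat_forward(frame, router_wan_mac, next_hop_mac, public_ip):
    """Model of the wireless NAT router: a brand-new Ethernet header (its own WAN MAC as
    source, the next hop as destination), source IP replaced by the public address, TTL
    minus one, checksum recomputed. The client's MAC is simply not carried forward."""
    f = parse_frame(frame)
    if f["ttl"] <= 1:
        raise ValueError("TTL exhausted; a router drops this and sends ICMP Time Exceeded")
    payload = frame[ETH_HDR_LEN + IPV4_HDR_LEN:]
    return build_frame(router_wan_mac, next_hop_mac, public_ip, f["dst_ip"],
                       f["ttl"] - 1, f["ip_id"], payload)


def initial_ttl_guess(ttl: int) -> int:
    """Passive OS fingerprinting at its crudest: map an observed TTL onto common defaults."""
    for default in (32, 64, 128, 255):
        if ttl <= default:
            return default
    return 255


def cluster_by_fingerprint(frames):
    """Group frames by (src_ip, guessed initial TTL); record the source MACs seen per group."""
    groups = defaultdict(set)
    for fr in frames:
        f = parse_frame(fr)
        groups[(f["src_ip"], initial_ttl_guess(f["ttl"]))].add(f["src_mac"])
    return {k: sorted(v) for k, v in groups.items()}


def demo():
    """Two wireless clients (hypothetical addresses) behind one NAT router, as seen on the wire."""
    ap_mac = "02:00:00:00:00:ff"  # router's wireless-side MAC
    client_a = build_frame("02:00:00:00:00:0a", ap_mac, "192.168.1.10", "203.0.113.5", 64, 1)
    client_b = build_frame("02:00:00:00:00:0b", ap_mac, "192.168.1.11", "203.0.113.5", 128, 2)
    on_wire = [nat_forward(f, "02:00:00:00:01:ff", "02:00:00:00:02:01", "10.0.0.2")
               for f in (client_a, client_b)]
    return [parse_frame(f) for f in on_wire], cluster_by_fingerprint(on_wire)


if __name__ == "__main__":
    seen, groups = demo()
    for f in seen:
        print(f)
    print(groups)
```

Running `demo()` gives two parsed frames whose source MAC and source IP are identical (the router's WAN MAC and the public address); only the TTL differs (63 versus 127), which is what `cluster_by_fingerprint` splits on. That split is a hint, not an identity: two clients with the same OS defaults collapse into one group, and a client can set its own TTL.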