From owner-freebsd-ipfw Mon Oct 21 12:59:10 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C8CAD37B401; Mon, 21 Oct 2002 12:59:09 -0700 (PDT) Received: from gs166.sp.cs.cmu.edu (GS166.SP.CS.CMU.EDU [128.2.205.169]) by mx1.FreeBSD.org (Postfix) with SMTP id 42DC143E6E; Mon, 21 Oct 2002 12:59:09 -0700 (PDT) (envelope-from dpelleg@gs166.sp.cs.cmu.edu) To: Maxim Konovalov Cc: stable@freebsd.org, ipfw@freebsd.org Subject: Re: Call for testers: ipfw(8) limit patch References: <20021021174100.Q1221-100000@news1.macomnet.ru> 
From: Dan Pelleg Date: 21 Oct 2002 15:58:53 -0400 In-Reply-To: <20021021174100.Q1221-100000@news1.macomnet.ru> Message-ID: Lines: 21 User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

Maxim Konovalov writes:

> Hello -stable,
>
> A patch below fixes an incorrect logic in remove_dyn_rule() which
> produces that famous message "OUCH! cannot remove rule..". The second
> part of the patch limits "drop session" message rate.
>
> If you are using or would like to use ipfw(8) limit rules in RELENG_4
> please try this patch. Please sent your reports directly to me.
>
> Thanks in advance.
>

Is this for ipfw or for ipfw2? If it's for ipfw, please see kern/32600.

http://www.freebsd.org/cgi/query-pr.cgi?pr=32600

--
Dan Pelleg

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Oct 22 5:27:17 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 934EF37B401; Tue, 22 Oct 2002 05:27:14 -0700 (PDT) Received: from relay1.macomnet.ru (relay1.macomnet.ru [195.128.64.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id A16C343E3B; Tue, 22 Oct 2002 05:27:12 -0700 (PDT) (envelope-from maxim@macomnet.ru) Received: from news1.macomnet.ru (news1.macomnet.ru [195.128.64.14]) by relay1.macomnet.ru (8.11.6/8.11.6) with ESMTP id g9MCR4c1812483; Tue, 22 Oct 2002 16:27:04 +0400 (MSD) Date: Tue, 22 Oct 2002 16:27:04 +0400 (MSD)
From: Maxim Konovalov X-X-Sender: Maxim Konovalov To: Dan Pelleg Cc: stable@FreeBSD.ORG, Subject: Re: Call for testers: ipfw(8) limit patch In-Reply-To: Message-ID: <20021022154503.U59161-100000@news1.macomnet.ru> References: <20021021174100.Q1221-100000@news1.macomnet.ru> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

Hello Dan,

On 23:58+0400, Oct 21, 2002, Dan Pelleg wrote:

> Maxim Konovalov writes:
>
> > Hello -stable,
> >
> > A patch below fixes an incorrect logic in remove_dyn_rule() which
> > produces that famous message "OUCH! cannot remove rule..". The second
> > part of the patch limits "drop session" message rate.
> >
> > If you are using or would like to use ipfw(8) limit rules in RELENG_4
> > please try this patch. Please sent your reports directly to me.
> >
> > Thanks in advance.
> >
>
> Is this for ipfw or for ipfw2? If it's for ipfw, please see kern/32600.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=32600

Thanks, your analysis seems correct to me. My fix in remove_dyn_rule() is pretty much the same. The parent re-lookup in install_state() after EXPIRE_DYN_CHAIN() looks like a correct workaround too.

Here is an updated patch:

Index: sys/netinet/ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.35
diff -u -r1.131.2.35 ip_fw.c
--- sys/netinet/ip_fw.c 29 Jul 2002 02:04:25 -0000 1.131.2.35
+++ sys/netinet/ip_fw.c 22 Oct 2002 11:29:42 -0000
@@ -696,11 +696,11 @@ if (zap) zap = force || TIME_LEQ( q->expire , time_second ); /* do not zap parent in first pass, record we need a second pass */ - if (q->dyn_type == DYN_LIMIT_PARENT) { + if (zap && q->dyn_type == DYN_LIMIT_PARENT) { max_pass = 1; /* we need a second pass */ - if (zap == 1 && (pass == 0 || q->count != 0) ) { + if (pass == 0 || q->count != 0) { zap = 0 ; - if (pass == 1) /* should not happen */ + if (pass == 1 && force) /* should not happen */ printf("OUCH! cannot remove rule, count %d\n", q->count); } 
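Review bot: the "/* should not happen */" comment on the changed "if (pass == 1 && force)" line no longer describes the condition it sits on: after this hunk the case pass == 1, q->count != 0, force == 0 (a parent whose own expiry arrives before its children's) is deliberately left unreported, so it is by construction a case that does happen; the comment should say so, e.g. "/* parent outlived by its children; only a bug when forced */", otherwise the next reader will "fix" it back. One more thing to double-check in the first changed line: max_pass is now only set when zap is already true for the parent, so an unexpired parent seen on pass 0 no longer forces a second pass; that is fine only because such a parent would not be removed on pass 1 either, which is worth a sentence in the commit message.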
@@ -987,8 +987,20 @@ } if (parent->count >= conn_limit) { EXPIRE_DYN_CHAIN(rule); /* try to expire some */ + /* + * The expiry might have removed the parent too. + * We lookup again, which will re-create if necessary. + */ + parent = lookup_dyn_parent(&id, rule); + if (parent == NULL) { + printf("add parent failed\n"); + return 1; + } if (parent->count >= conn_limit) { - printf("drop session, too many entries\n"); + if (fw_verbose && last_log != time_second) { + last_log = time_second; + printf("drop session, too many entries\n"); + } return 1; } } %%% -- Maxim Konovalov, MAcomnet, Internet Dept., system engineer phone: +7 (095) 796-9079, mailto:maxim@macomnet.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Oct 22 12:26:35 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 95CA237B401 for ; Tue, 22 Oct 2002 12:26:33 -0700 (PDT) Received: from smurf.jnielsen.net (12-254-140-119.client.attbi.com [12.254.140.119]) by mx1.FreeBSD.org (Postfix) with ESMTP id 655CB43E42 for ; Tue, 22 Oct 2002 12:26:32 -0700 (PDT) (envelope-from john@jnielsen.net) Received: from buff.local (buff.local [192.168.0.10]) by smurf.jnielsen.net (8.12.6/8.12.6) with ESMTP id g9MJsNxo051546 for ; Tue, 22 Oct 2002 13:54:23 -0600 (MDT) (envelope-from john@jnielsen.net) Content-Type: text/plain; charset="us-ascii" 
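Review bot: in the install_state() hunk (@@ -987,8 +987,20 @@), last_log is assigned and compared against time_second but no hunk in this diff declares it; if it is meant to be a new file-scope static (e.g. a static u_int32_t initialised to 0 next to the other dynamic-rule variables) it needs its own hunk, otherwise the patch does not compile as posted. Two smaller points: the "drop session, too many entries" message is now gated on fw_verbose, so with net.inet.ip.fw.verbose=0 the drop becomes completely silent rather than rate limited, which is a behaviour change the commit message should mention; and the new "add parent failed" printf is not rate limited, although since the hunk's own comment says the re-lookup re-creates the parent, a NULL there means creation failed and the message should be rare.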
From: John Nielsen To: ipfw@freebsd.org Subject: skip past end of rules Date: Tue, 22 Oct 2002 13:30:38 -0600 User-Agent: KMail/1.4.3 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200210221330.38113.john@jnielsen.net> Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

I'm seeing the following message repeatedly on a 4.7-R box using IPFW2:

+++ ipfw: ouch!, skip past end of rules, denying packet

Some points of interest:

I don't have any skipto rules in my ruleset.
The same ruleset worked without complaining under 4.6.2-R. (I haven't made any ipfw2-dependent changes yet).
The firewall appears to be functioning properly despite the messages.
The firewall serves a very network, yet the message has only shown up ~50 times in the past 24 hours. (It appears more frequently during times of high network usage).
I am using dummynet pipes for bandwidth limiting.
net.inet.ip.fw.one_pass is set to 0.

This obviously isn't a show-stopper, but it is a bit worrisome. I'd like to know if this is a known bug or if I should submit a PR on it. I'd also like to isolate the problem a bit better, but I need some suggestions on how to do so.
Thanks, JN To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Oct 22 22:19:29 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8320337B401 for ; Tue, 22 Oct 2002 22:19:28 -0700 (PDT) Received: from mta2.srv.hcvlny.cv.net (mta2.srv.hcvlny.cv.net [167.206.5.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0EF8943E4A for ; Tue, 22 Oct 2002 22:19:28 -0700 (PDT) (envelope-from agapon@excite.com) Received: from edge.foundation.invalid (ool-182f90f3.dyn.optonline.net [24.47.144.243]) by mta2.srv.hcvlny.cv.net (iPlanet Messaging Server 5.2 HotFix 0.9 (built Jul 29 2002)) with ESMTP id <0H4F00JSD5GDWZ@mta2.srv.hcvlny.cv.net> for freebsd-ipfw@freebsd.org; Wed, 23 Oct 2002 01:19:25 -0400 (EDT) Received: from localhost (localhost.foundation.invalid [127.0.0.1]) by edge.foundation.invalid (8.12.6/8.12.3) with ESMTP id g9N5JQpg044696 for ; Wed, 23 Oct 2002 01:19:27 -0400 (EDT envelope-from agapon@excite.com) Date: Wed, 23 Oct 2002 01:19:26 -0400 (EDT) 
From: Andriy Gapon Subject: ipfw: ether_output_frame -> bdg_forward X-X-Sender: avg@edge.foundation.invalid To: freebsd-ipfw@freebsd.org Message-id: <20021023005503.V44234-100000@edge.foundation.invalid> MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

After using my firewall with layer2-specific rules and both net.link.ether.ipfw=1 and net.link.ether.bridge_ipfw=1, and after looking into the code in bridge.c /bdg_forward()/ and if_ethersubr.c /ether_output_frame()/, I am under the impression that a packet passed to ether_output_frame() on a bridged interface will not undergo firewall checking in either ether_output_frame() (it looks like the packet is handed off to bdg_forward() before any ipfw-related code) or bdg_forward() (there is a comment saying "Only if firewall is loaded, enabled, and the packet is not from ether_output() (src==NULL, or we would filter it twice)", which doesn't seem to be correct).

Have I missed something?

--
Andriy Gapon * "Never try to outstubborn a cat."
Lazarus Long, "Time Enough for Love" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Oct 23 17:19:42 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4D6E637B401 for ; Wed, 23 Oct 2002 17:19:39 -0700 (PDT) Received: from mta10.srv.hcvlny.cv.net (mta10.srv.hcvlny.cv.net [167.206.5.45]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD84943E6E for ; Wed, 23 Oct 2002 17:19:38 -0700 (PDT) (envelope-from agapon@excite.com) Received: from edge.foundation.invalid (ool-182f90f3.dyn.optonline.net [24.47.144.243]) by mta10.srv.hcvlny.cv.net (iPlanet Messaging Server 5.2 HotFix 0.9 (built Jul 29 2002)) with ESMTP id <0H4G00GNIM4TBF@mta10.srv.hcvlny.cv.net> for freebsd-ipfw@freebsd.org; Wed, 23 Oct 2002 20:17:17 -0400 (EDT) Received: from localhost (localhost.foundation.invalid [127.0.0.1]) by edge.foundation.invalid (8.12.6/8.12.3) with ESMTP id g9O0Gppg080241 for ; Wed, 23 Oct 2002 20:16:52 -0400 (EDT envelope-from agapon@excite.com) Date: Wed, 23 Oct 2002 20:16:51 -0400 (EDT) 
From: Andriy Gapon Subject: Re: Natd plus statefull connections impossible? (revisited) X-X-Sender: avg@edge.foundation.invalid To: freebsd-ipfw@freebsd.org Message-id: <20021023200139.R79979-100000@edge.foundation.invalid> MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

Revisiting this issue, here are 2 ideas that I have encountered:

1. Since NAT is a stateful process in itself, you usually don't want to have stateful rules for packets that were successfully translated and are destined to your private network. It is quite easy to construct rules that divert the proper packets to natd and allow 'natd recognized' packets immediately after the divert rule(s). You can put other rules (e.g. stateful rules for the gateway itself) after you are done with translated packets. This has the added benefit, in case you use natd redirect_*, that you won't need a special matching ipfw rule for each redirect_* option.

2. Or, you can use this quite elegant ruleset utilizing a skipto rule: http://www.unixfaq.ru/index.pl?req=qs&id=286 The page is in Russian, but the rules are in ipfw-ish :-) and each has a comment in English.

Decide for yourself whether you trust natd and could use a tiny performance benefit, or whether you want to be as secure as possible by double-checking natd with ipfw.

--
Andriy Gapon * "Never try to outstubborn a cat."
Lazarus Long, "Time Enough for Love" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Oct 24 0:57:47 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5009A37B401 for ; Thu, 24 Oct 2002 00:57:46 -0700 (PDT) Received: from freecris.bmm.it (freecris.biella.bmm.it [213.144.77.133]) by mx1.FreeBSD.org (Postfix) with SMTP id 58F9F43E4A for ; Thu, 24 Oct 2002 00:57:44 -0700 (PDT) (envelope-from deana@bmm.it) Received: (qmail 18464 invoked by alias); 24 Oct 2002 07:57:46 -0000 Received: from unknown (HELO there) (127.0.0.1) by localhost.biella.bmm.it with SMTP; 24 Oct 2002 07:57:46 -0000 Content-Type: text/plain; charset="iso-8859-15" 
From: Cristiano Deana Message-Id: <200210240951.06541@freecris> To: ipfw@FreeBSD.ORG Subject: ipfw2. Date: Thu, 24 Oct 2002 09:57:45 +0200 X-Mailer: KMail [version 1.3.2] X-Faccina: ONdM ;-) MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

What am I missing?

# uname -sv
FreeBSD FreeBSD 4.7-STABLE #14: Fri Oct 18 15:04:59 CEST 2002

# dmesg | grep ipfw
ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to deny, logging limited to 100 packets/entry by default

# ifconfig xl0 | grep inet
inet 213.144.77.133 netmask 0xffffff80 broadcast 213.144.77.255

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
10000 allow log icmp from 213.144.77.0/24{199,200,201} to 213.144.77.133
11000 deny log icmp from any to 213.144.77.133
65000 allow ip from any to any
65535 deny ip from any to any

# pinging from 213.144.77.200 to 213.144.77.133

# tail /var/log/security
Oct 24 09:38:58 freecris /kernel: ipfw: 11000 Deny ICMP:8.0 213.144.77.200 213.144.77.133 in via xl0
Oct 24 09:39:12 freecris last message repeated 2 times

# ipfw show | grep icmp
10000 0 0 allow log icmp from 213.144.77.0/24{199,200,201} to 213.144.77.133
11000 33 2772 deny log icmp from any to 213.144.77.133

I think I'm missing some basic rule. Why didn't ICMP packets coming from 213.144.77.200 match rule #10000?

Thanks in advance,
cris.
From owner-freebsd-ipfw Thu Oct 24 2:44:19 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6449A37B404 for ; Thu, 24 Oct 2002 02:44:17 -0700 (PDT) Received: from carp.icir.org (carp.icir.org [192.150.187.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id B8B0543E65 for ; Thu, 24 Oct 2002 02:44:16 -0700 (PDT) (envelope-from rizzo@carp.icir.org) Received: from carp.icir.org (localhost [127.0.0.1]) by carp.icir.org (8.12.3/8.12.3) with ESMTP id g9O9i8pJ052158; Thu, 24 Oct 2002 02:44:08 -0700 (PDT) (envelope-from rizzo@carp.icir.org) Received: (from rizzo@localhost) by carp.icir.org (8.12.3/8.12.3/Submit) id g9O9i8Kw052157; Thu, 24 Oct 2002 02:44:08 -0700 (PDT) (envelope-from rizzo) Date: Thu, 24 Oct 2002 02:44:08 -0700 From: Luigi Rizzo To: Cristiano Deana Cc: ipfw@FreeBSD.ORG Subject: Re: ipfw2. Message-ID: <20021024024408.A52106@carp.icir.org> References: <200210240951.06541@freecris> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200210240951.06541@freecris>; from deana@bmm.it on Thu, Oct 24, 2002 at 09:57:45AM +0200 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

There is a bug in the rule for matching sets, I swapped src and dst addresses... Fix is below, I am going to commit it soon.

thanks for the report
luigi

Index: ip_fw2.c
===================================================================
RCS file: /home/iguana/u2/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.6.2.3
diff -u -r1.6.2.3 ip_fw2.c
--- ip_fw2.c 21 Aug 2002 05:34:07 -0000 1.6.2.3
+++ ip_fw2.c 24 Oct 2002 09:38:28 -0000
@@ -1604,8 +1604,8 @@ u_int32_t *d = (u_int32_t *)(cmd+1); u_int32_t addr = cmd->opcode == O_IP_DST_SET ? - args->f_id.src_ip : - args->f_id.dst_ip; + args->f_id.dst_ip : + args->f_id.src_ip; if (addr < d[0]) break; On Thu, Oct 24, 2002 at 09:57:45AM +0200, Cristiano Deana wrote: > What am I missing? > > # uname -sv > FreeBSD FreeBSD 4.7-STABLE #14: Fri Oct 18 15:04:59 CEST 2002 > > # dmesg | grep ipfw > ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to > deny, logging limited to 100 packets/entry by default > > # ifconfig xl0 | grep inet > inet 213.144.77.133 netmask 0xffffff80 broadcast 213.144.77.255 > > # ipfw list > 00100 allow ip from any to any via lo0 > 00200 deny ip from any to 127.0.0.0/8 > 00300 deny ip from 127.0.0.0/8 to any > 10000 allow log icmp from 213.144.77.0/24{199,200,201} to 213.144.77.133 > 11000 deny log icmp from any to 213.144.77.133 > 65000 allow ip from any to any > 65535 deny ip from any to any > > # pinging from 213.144.77.200 to 213.144.77.133 > > # tail /var/log/security > Oct 24 09:38:58 freecris /kernel: ipfw: 11000 Deny ICMP:8.0 213.144.77.200 > 213.144.77.133 in via xl0 > Oct 24 09:39:12 freecris last message repeated 2 times > > # ipfw show | grep icmp > 10000 0 0 allow log icmp from 213.144.77.0/24{199,200,201} > to 213.144.77.133 > 11000 33 2772 deny log icmp from any to 213.144.77.133 > > I think i'm missing some basic rule. > Why icmp packets coming from 213.144.77.200 didn't match rules #10000? > > Thanks in advance, > cris. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
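Review bot: the fix itself is the minimal correct one (O_IP_DST_SET now reads args->f_id.dst_ip, the other opcode reads src_ip, which is exactly why rule 10000 in the report matched nothing: its source set was being compared against the destination .133), but the hunk's three lines of context stop at the "cmd->opcode == O_IP_DST_SET ?" test and do not show the O_IP_SRC_SET case label, so a reviewer cannot see from the diff alone that the else branch is reached only for source sets; the commit message should state that address-set rules in the "from" position were silently matched against the destination address since 1.6.2.3, so that people carrying such rules know their rulesets were not behaving as written.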
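Luigi's one-line fix above changes which packet address the O_IP_SRC_SET / O_IP_DST_SET matcher looks at. The C model below is added here and is not code from ip_fw2.c: it reproduces the set-membership test (base address, width, bitmap; the opcode values and the struct layout are assumptions) and evaluates Cristiano's rule 10000 against his ping from .200 with the 1.6.2.3 address selection and with the corrected one.

```c
#include <stdint.h>
#include <string.h>

/* Opcode values and the struct layout are assumptions made for this model. */
enum { O_IP_SRC_SET = 1, O_IP_DST_SET = 2 };

struct addr_set {
    uint32_t base;     /* first address of the set, host byte order */
    uint32_t width;    /* number of addresses covered (256 for a /24) */
    uint32_t bits[8];  /* membership bitmap: 256 bits, enough for a /24 */
};

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Build a set from a base address and a list of host offsets, e.g. {199,200,201}. */
static void set_init(struct addr_set *s, uint32_t base, uint32_t width,
                     const unsigned *hosts, size_t n) {
    memset(s, 0, sizeof(*s));
    s->base = base; s->width = width;
    for (size_t i = 0; i < n; i++)
        s->bits[hosts[i] >> 5] |= 1u << (hosts[i] & 0x1f);
}

/* Membership test once the address is chosen: the "if (addr < d[0]) break;"
 * step from the hunk, followed by the range and bitmap checks. */
static int in_set(const struct addr_set *s, uint32_t addr) {
    if (addr < s->base)
        return 0;
    addr -= s->base;
    return addr < s->width && (s->bits[addr >> 5] & (1u << (addr & 0x1f))) != 0;
}

/* The line the patch changes: which packet address is tested against the set.
 * fixed == 0 reproduces the 1.6.2.3 behaviour, where src and dst were swapped. */
static int set_matches(int opcode, const struct addr_set *s,
                       uint32_t src_ip, uint32_t dst_ip, int fixed) {
    uint32_t addr;
    if (fixed)
        addr = (opcode == O_IP_DST_SET) ? dst_ip : src_ip;
    else
        addr = (opcode == O_IP_DST_SET) ? src_ip : dst_ip;
    return in_set(s, addr);
}

/* Rule 10000 from the report, "icmp from 213.144.77.0/24{199,200,201} to
 * 213.144.77.133", evaluated for a ping from .200. Returns 1 on match. */
int rule_10000_matches(int fixed) {
    struct addr_set s;
    const unsigned hosts[] = { 199, 200, 201 };
    set_init(&s, IP4(213, 144, 77, 0), 256, hosts, 3);
    return set_matches(O_IP_SRC_SET, &s,
                       IP4(213, 144, 77, 200), IP4(213, 144, 77, 133), fixed);
}
```

With the swapped selection the source set is tested against the destination .133, which is not a member, so the packet falls through to rule 11000 exactly as the security log shows.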