From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 14 05:42:25 2003
From: "Cole"
Reply-To: cole@acenet.co.za
Date: Sun, 14 Dec 2003 15:52:25 +0200
Subject: Queue and rules
List-Id: IPFW Technical Discussions
X-BeenThere: freebsd-ipfw@freebsd.org

Hi

I have setup the following queues and pipes.

#pipes
$fwcmd pipe 1 config bw 3kbyte/s queue 0.5kbyte
$fwcmd pipe 2 config bw 128kbits/s queue 5Kbyte #outgoing
$fwcmd pipe 3 config bw 128kbits/s queue 5Kbyte #incoming
$fwcmd pipe 4 config bw 64kbits/s queue 5Kbyte #outgoing
$fwcmd pipe 5 config bw 64kbits/s queue 5Kbyte #incoming

#queues
$fwcmd queue 1 config pipe 2 weight 100 queue 10 #outgoing
$fwcmd queue 2 config pipe 2 weight 50 queue 10 #outgoing
$fwcmd queue 3 config pipe 3 weight 100 queue 10 #incoming
$fwcmd queue 4 config pipe 3 weight 50 queue 10 #incoming

I have also added the following 2 rules using the queues 1 and 3.

00202 queue 1 tcp from me to 196.34.*.* out via tun0
00203 queue 3 tcp from 196.34.*.* to me in via tun0

I put the *'s in just privacy sake, I have the full ip entered in the rules.

Now I wanted to block certain ports like ssh to or from that ip. I added the rule below rules 202 and 203, and no matter if I specify, deny all, deny tcp and the port, I can still get to those ports. I.e. if I add "ipfw add 205 deny tcp from me to 196.34.*.* 22" it will still allow me to connect.

I was wondering if it's because of the queue rules matching first and not bothering to check the rest. If this is the problem how do I do bandwidth shaping and then still use blocking/deny rules below those queue rules.
Or if there is another problem that I'm not seeing or missing, or a solution that you know might work, please let me know.
I'm not subscribed to the mailing list so please reply to cole@acenet.co.za.

Thanx
/Cole

From: "Willie Viljoen"
Date: Sun, 14 Dec 2003 15:47:52 +0200
Subject: Re: Queue and rules

sysctl net.inet.ip.fw.one_pass=1

:-)

----- Original Message -----
From: "Cole"
Sent: Sunday, December 14, 2003 3:52 PM
Subject: Queue and rules

> Hi
>
> I have setup the following queues and pipes.
> #pipes
> $fwcmd pipe 1 config bw 3kbyte/s queue 0.5kbyte
> $fwcmd pipe 2 config bw 128kbits/s queue 5Kbyte #outgoing
> $fwcmd pipe 3 config bw 128kbits/s queue 5Kbyte #incoming
> $fwcmd pipe 4 config bw 64kbits/s queue 5Kbyte #outgoing
> $fwcmd pipe 5 config bw 64kbits/s queue 5Kbyte #incoming
>
> #queues
> $fwcmd queue 1 config pipe 2 weight 100 queue 10 #outgoing
> $fwcmd queue 2 config pipe 2 weight 50 queue 10 #outgoing
> $fwcmd queue 3 config pipe 3 weight 100 queue 10 #incoming
> $fwcmd queue 4 config pipe 3 weight 50 queue 10 #incoming
>
> I have also added the following 2 rules using the queues 1 and 3.
>
> 00202 queue 1 tcp from me to 196.34.*.* out via tun0
> 00203 queue 3 tcp from 196.34.*.* to me in via tun0
>
> I put the *'s in just privacy sake, I have the full ip entered in the rules.
>
> Now I wanted to block certain ports like ssh to or from that ip. I added the rule below rules 202 and 203, and no matter if I specify, deny all, deny tcp and the port, I can still get to those ports. I.e. if I add "ipfw add 205 deny tcp from me to 196.34.*.* 22" it will still allow me to connect.
>
> I was wondering if it's because of the queue rules matching first and not bothering to check the rest. If this is the problem how do I do bandwidth shaping and then still use blocking/deny rules below those queue rules.
> Or if there is another problem that I'm not seeing or missing, or a solution that you know might work, please let me know.
> I'm not subscribed to the mailing list so please reply to cole@acenet.co.za.
>
> Thanx
> /Cole
>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From: "Willie Viljoen"
Date: Sun, 14 Dec 2003 15:49:54 +0200
Subject: Re: Queue and rules

Sorry, that should have been:

sysctl net.inet.ip.fw.one_pass=0

Also, to make it stick after a reboot:

echo net.inet.ip.fw.one_pass=0 >> /etc/sysctl.conf

Will

----- Original Message -----
From: "Willie Viljoen"
Sent: Sunday, December 14, 2003 3:47 PM
Subject: Re: Queue and rules

> sysctl net.inet.ip.fw.one_pass=1
>
> :-)
>
> ----- Original Message -----
> From: "Cole"
> Sent: Sunday, December 14, 2003 3:52 PM
> Subject: Queue and rules
>
>
> > Hi
> >
> > I have setup the following queues and pipes.
> > #pipes
> > $fwcmd pipe 1 config bw 3kbyte/s queue 0.5kbyte
> > $fwcmd pipe 2 config bw 128kbits/s queue 5Kbyte #outgoing
> > $fwcmd pipe 3 config bw 128kbits/s queue 5Kbyte #incoming
> > $fwcmd pipe 4 config bw 64kbits/s queue 5Kbyte #outgoing
> > $fwcmd pipe 5 config bw 64kbits/s queue 5Kbyte #incoming
> >
> > #queues
> > $fwcmd queue 1 config pipe 2 weight 100 queue 10 #outgoing
> > $fwcmd queue 2 config pipe 2 weight 50 queue 10 #outgoing
> > $fwcmd queue 3 config pipe 3 weight 100 queue 10 #incoming
> > $fwcmd queue 4 config pipe 3 weight 50 queue 10 #incoming
> >
> > I have also added the following 2 rules using the queues 1 and 3.
> >
> > 00202 queue 1 tcp from me to 196.34.*.* out via tun0
> > 00203 queue 3 tcp from 196.34.*.* to me in via tun0
> >
> > I put the *'s in just privacy sake, I have the full ip entered in the rules.
> >
> > Now I wanted to block certain ports like ssh to or from that ip. I added the rule below rules 202 and 203, and no matter if I specify, deny all, deny tcp and the port, I can still get to those ports. I.e. if I add "ipfw add 205 deny tcp from me to 196.34.*.* 22" it will still allow me to connect.
> >
> > I was wondering if it's because of the queue rules matching first and not bothering to check the rest. If this is the problem how do I do bandwidth shaping and then still use blocking/deny rules below those queue rules.
> > Or if there is another problem that I'm not seeing or missing, or a solution that you know might work, please let me know.
> > I'm not subscribed to the mailing list so please reply to cole@acenet.co.za.
> >
> > Thanx
> > /Cole

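
Added example (not part of the original messages, and not ipfw code): a simplified Python model of the rule traversal discussed in this thread. With net.inet.ip.fw.one_pass=1 a packet that matches a queue or pipe rule is accepted when it leaves dummynet; with one_pass=0 it is reinjected at the next rule, so the deny rule 205 is reached. The addresses 198.51.100.1 and 192.0.2.10, rule 65000, the default-to-deny rule 65535 and the reordered variant (deny at 201, which goes beyond what the thread proposes) are assumptions made for the illustration.

```python
"""Simplified model of ipfw rule traversal around dummynet actions.

Added example, not ipfw source code. Addresses and rule 65000 are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ME = "198.51.100.1"    # constructed stand-in for "me"
PEER = "192.0.2.10"    # constructed stand-in for the masked 196.34.*.* host


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    direction: str     # "in" or "out"
    iface: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny", "queue" or "pipe"
    match: Callable[[Packet], bool]
    arg: Optional[int] = None        # queue/pipe number for dummynet actions


def evaluate(rules: List[Rule], pkt: Packet, one_pass: bool) -> Tuple[str, int, list]:
    """Return (verdict, deciding rule number, dummynet objects traversed)."""
    shaped = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.match(pkt):
            continue
        if rule.action in ("queue", "pipe"):
            shaped.append((rule.action, rule.arg))
            if one_pass:
                # one_pass=1: the packet leaving dummynet is not passed
                # through the firewall again, so it is accepted here.
                return "allow", rule.number, shaped
            # one_pass=0: the packet is reinjected at the next rule.
            continue
        return rule.action, rule.number, shaped
    # Assumption: the default rule 65535 denies (default-to-deny kernel).
    return "deny", 65535, shaped


def shaping_rules() -> List[Rule]:
    """Rules 202 and 203 from the thread plus a constructed catch-all allow."""
    return [
        Rule(202, "queue",
             lambda p: (p.proto == "tcp" and p.src == ME and p.dst == PEER
                        and p.direction == "out" and p.iface == "tun0"), 1),
        Rule(203, "queue",
             lambda p: (p.proto == "tcp" and p.src == PEER and p.dst == ME
                        and p.direction == "in" and p.iface == "tun0"), 3),
        Rule(65000, "allow", lambda p: True),   # constructed, not in the thread
    ]


def ssh_deny(number: int) -> Rule:
    """'deny tcp from me to <peer> 22' at the given rule number."""
    return Rule(number, "deny",
                lambda p: (p.proto == "tcp" and p.src == ME
                           and p.dst == PEER and p.dport == 22))


def posted_ruleset() -> List[Rule]:
    return shaping_rules() + [ssh_deny(205)]    # deny below the queue rules


def reordered_ruleset() -> List[Rule]:
    return shaping_rules() + [ssh_deny(201)]    # deny above the queue rules


SSH_OUT = Packet("tcp", ME, PEER, 22, "out", "tun0")   # constructed packet
WEB_OUT = Packet("tcp", ME, PEER, 80, "out", "tun0")   # constructed packet

if __name__ == "__main__":
    for name, rules in (("posted", posted_ruleset()),
                        ("reordered", reordered_ruleset())):
        for one_pass in (True, False):
            verdict, number, shaped = evaluate(rules, SSH_OUT, one_pass)
            print(f"{name:9} one_pass={int(one_pass)} ssh -> "
                  f"{verdict} at rule {number}, shaped by {shaped}")
```

In this model, with one_pass=0 the ssh packet still goes through queue 1 before rule 205 drops it; a deny rule numbered below the queue rules drops it before any shaping under either setting.
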
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 15 Dec 2003 11:02:54 -0800 (PST)
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2003/03/23] kern/50216 ipfw  kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557 ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274 ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341 ipfw  ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534 ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080 ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159 ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564 ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172 ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086 ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959  ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749  ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984 ipfw  [patch] time based firewalling support fo

9 problems total.

From: junfeng@ece.gatech.edu
To: luigi@iet.unipi.it
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 15 Dec 2003 14:39:15 -0500 (EST)
Subject: dummynet dropping TCP packets

Hi! all,

I am using dummynet to simulate a network-connection with 65ms propagation delay. Dummynet is installed on a workstation with two network-cards, and is configured as a bridge (no IP for these interfaces). One network-card is connected to a Video Server (IP:192.168.200.100), which sends out 2Mbps video stream. The other network card is connected to a video client (IP:192.168.200.50), which receives video packets and does ARQ if there are packet loss. The feedback message is TCP. We simulate random loss of video packet at server end. And use dummynet to control the propagation delay between server and client.

Here are the commands I used to control dummynet

HZ=1000
ipfw flush
ipfw add pipe 100 ip from any to any
ipfw pipe 100 config delay 65ms

And I observed that some TCP packets are dropped when they are sent from client to server. And then the operating system needs to retransmit these lost TCP packets after TCP time out, which causes extra delay in ARQ.

I ever tried to separate TCP from UDP packets and I got same result.

ipfw add pipe 100 TCP from any to any
ipfw add pipe 200 not TCP from any to any
ipfw pipe 100 config delay 65ms
ipfw pipe 200 config delay 65ms

Also, I tried to use the bi-direction pipes, but seems that all traffic going through dummynet is in-bound traffic, so there is no packet goes through second pipe (pipe 200).

ipfw add pipe 100 ip from any to any in
ipfw add pipe 200 ip from any to any out
ipfw pipe 100 config delay 65ms
ipfw pipe 200 config delay 65ms

Is there any error in my configuration?

Thanks!

Junfeng

From: Steve Bertrand
To: freebsd-ipfw@freebsd.org
Date: Thu, 18 Dec 2003 11:00:56 -0500
Subject: 4.9->5.x and using IPFW2 features

I am curious to know if I do a cvsup from 4.9 to 5.x, and make the kernel using the existing 4.9 config file that I have built, will the IPFW2 feature set be available to me by default, or do I have to (or should I) use the config file that comes with the src upgrade?

Also, just a note about a prior post, we were not able to get our perl IPFW script to run out of rc.conf with the firewall_script directive. Is it safe to load it out of rc.d startup directory, or should this be avoided?

Tks,

--
Steve Bertrand
President/CTO, Northumberland Network Services
t: 905.352.2688
w: www.northnetworks.ca

From: Hideki Yamamoto
To: freebsd-ipfw@freebsd.org
Date: Fri, 19 Dec 2003 01:12:13 +0900 (JST)
Subject: IPFW for IPv6

Hi,

I am interested in ipfw for IPv6, especially on dummynet.
Does someone have information on ipfw for IPv6?

Thanks in advance.
-----------------------------------------------------------------
Hideki YAMAMOTO                      |
Broadband Media Solutions Department | E-mail: yamamoto436@oki.com
Broadband Media Company              | Tel: +81-3-3455-0870
Oki Electric Industry Co., Ltd.      | FAX: +81-3-3798-7670

From: Luigi Rizzo
To: Hideki Yamamoto
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 18 Dec 2003 08:26:05 -0800
Subject: Re: IPFW for IPv6

On Fri, Dec 19, 2003 at 01:12:13AM +0900, Hideki Yamamoto wrote:
>
> Hi,
>
> I am interested in ipfw for IPv6, especially on dummynet.
> Does someone have information on ipfw for IPv6?

Two students of mine have a basically working version of
ipfw2 for ipv6 (with dummynet too). I need to review the code
before making patches available, though.

In the detail, the layer2 version of the code (where ipv6 fields
are matched within ether_input()/ether_output(), are ok,
whereas the layer3 version (call from ip6input(), ip6output())
need a bit more debugging when used with dummynet because suspending
and resuming computation within ip6output() is tricky for the
amount of state around -- that was time consuming in ipv4 as well.

cheers
luigi

> Thanks in advance.
> -----------------------------------------------------------------
> Hideki YAMAMOTO                      |
> Broadband Media Solutions Department | E-mail: yamamoto436@oki.com
> Broadband Media Company              | Tel: +81-3-3455-0870
> Oki Electric Industry Co., Ltd.      | FAX: +81-3-3798-7670

From: Hideki Yamamoto
To: rizzo@icir.org
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 19 Dec 2003 08:06:02 +0900 (JST)
Subject: Re: IPFW for IPv6

Dear Luigi,

I am very happy to hear that you and your student are working
on this matter. I hope you will release the beta or something
as soon as possible.
By the way, does it run on FreeBSD 5.1 base or 4.9?

Regards,
Hideki Yamamoto

From: Luigi Rizzo
Subject: Re: IPFW for IPv6
Date: Thu, 18 Dec 2003 08:26:05 -0800
Message-ID: <20031218082605.A2252@xorpc.icir.org>

> On Fri, Dec 19, 2003 at 01:12:13AM +0900, Hideki Yamamoto wrote:
> >
> > Hi,
> >
> > I am interested in ipfw for IPv6, especially on dummynet.
> > Does someone have information on ipfw for IPv6?
>
> Two students of mine have a basically working version of
> ipfw2 for ipv6 (with dummynet too). I need to review the code
> before making patches available, though.
>
> In the detail, the layer2 version of the code (where ipv6 fields
> are matched within ether_input()/ether_output(), are ok,
> whereas the layer3 version (call from ip6input(), ip6output())
> need a bit more debugging when used with dummynet because suspending
> and resuming computation within ip6output() is tricky for the
> amount of state around -- that was time consuming in ipv4 as well.
>
> cheers
> luigi

From: Luigi Rizzo
To: Hideki Yamamoto
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 19 Dec 2003 01:37:20 -0800
Subject: Re: IPFW for IPv6

On Fri, Dec 19, 2003 at 08:06:02AM +0900, Hideki Yamamoto wrote:
>
> Dear Luigi,
>
> I am very happy to hear that you and your student are working
> on this matter. I hope you will release the beta or something
> as soon as possible.
> By the way, does it run on FreeBSD 5.1 base or 4.9?

it is 4.9 but since it is based on ipfw2 there should be
no trouble in porting it to 5.x which is something we plan to
do as well.

cheers
luigi

> Regards,
> Hideki Yamamoto
>
> From: Luigi Rizzo
> Subject: Re: IPFW for IPv6
> Date: Thu, 18 Dec 2003 08:26:05 -0800
> Message-ID: <20031218082605.A2252@xorpc.icir.org>
>
> > On Fri, Dec 19, 2003 at 01:12:13AM +0900, Hideki Yamamoto wrote:
> > >
> > > Hi,
> > >
> > > I am interested in ipfw for IPv6, especially on dummynet.
> > > Does someone have information on ipfw for IPv6?
> >
> > Two students of mine have a basically working version of
> > ipfw2 for ipv6 (with dummynet too). I need to review the code
> > before making patches available, though.
> >
> > In the detail, the layer2 version of the code (where ipv6 fields
> > are matched within ether_input()/ether_output(), are ok,
> > whereas the layer3 version (call from ip6input(), ip6output())
> > need a bit more debugging when used with dummynet because suspending
> > and resuming computation within ip6output() is tricky for the
> > amount of state around -- that was time consuming in ipv4 as well.
> >
> > cheers
> > luigi

From: Ganbold
To: freebsd-ipfw@freebsd.org
Cc: firewalls@securityfocus.com
Date: Fri, 19 Dec 2003 19:14:39 +0800
Subject: Dummynet pipes and MRTG

Hi,

I need to view the traffic utilization of dummynet pipes in ipfw2.
I'm using FreeBSD 5.2 current. I'm also using MRTG to draw graphics from ipfw show rule-number command.
Is there any method or program like MRTG to draw bandwidth utilizations of dummynet pipes?
Can I use MRTG for this purpose?

I hope somebody in this list point me to the right direction.

thanks in advance,

Ganbold

From: Liam Foy
To: freebsd-ipfw@freebsd.org
Date: Sat, 20 Dec 2003 00:27:33 +0000
Subject: Re: freebsd-ipfw Digest, Vol 39, Issue 3

freebsd-ipfw-request@freebsd.org wrote:

>Send freebsd-ipfw mailing list submissions to
>    freebsd-ipfw@freebsd.org
>
>To subscribe or unsubscribe via the World Wide Web, visit
>    http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>or, via email, send a message with subject or body 'help' to
>    freebsd-ipfw-request@freebsd.org
>
>You can reach the person managing the list at
>    freebsd-ipfw-owner@freebsd.org
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of freebsd-ipfw digest..."
>
>
>Today's Topics:
>
>   1. Re: IPFW for IPv6 (Hideki Yamamoto)
>   2. Re: IPFW for IPv6 (Luigi Rizzo)
>   3. Dummynet pipes and MRTG (Ganbold)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Fri, 19 Dec 2003 08:06:02 +0900 (JST)
>From: Hideki Yamamoto
>Subject: Re: IPFW for IPv6
>To: rizzo@icir.org
>Cc: freebsd-ipfw@freebsd.org
>Message-ID: <20031219.080602.26517061.yamamoto436@oki.com>
>Content-Type: Text/Plain; charset=us-ascii
>
>
>Dear Luigi,
>
>I am very happy to hear that you and your student are working
>on this matter. I hope you will release the beta or something
>as soon as possible.
>By the way, does it run on FreeBSD 5.1 base or 4.9?
>
>Regards,
>Hideki Yamamoto
>
>From: Luigi Rizzo
>Subject: Re: IPFW for IPv6
>Date: Thu, 18 Dec 2003 08:26:05 -0800
>Message-ID: <20031218082605.A2252@xorpc.icir.org>
>
>
>
>>On Fri, Dec 19, 2003 at 01:12:13AM +0900, Hideki Yamamoto wrote:
>>
>>
>>>Hi,
>>>
>>>I am interested in ipfw for IPv6, especially on dummynet.
>>>Does someone have information on ipfw for IPv6?
>>>
>>>
>>Two students of mine have a basically working version of
>>ipfw2 for ipv6 (with dummynet too). I need to review the code
>>before making patches available, though.
>>
>>In the detail, the layer2 version of the code (where ipv6 fields
>>are matched within ether_input()/ether_output(), are ok,
>>whereas the layer3 version (call from ip6input(), ip6output())
>>need a bit more debugging when used with dummynet because suspending
>>and resuming computation within ip6output() is tricky for the
>>amount of state around -- that was time consuming in ipv4 as well.
>>
>>    cheers
>>    luigi
>>
>>
>
>------------------------------
>
>Message: 2
>Date: Fri, 19 Dec 2003 01:37:20 -0800
>From: Luigi Rizzo
>Subject: Re: IPFW for IPv6
>To: Hideki Yamamoto
>Cc: freebsd-ipfw@freebsd.org
>Message-ID: <20031219013720.C2830@xorpc.icir.org>
>Content-Type: text/plain; charset=us-ascii
>
>On Fri, Dec 19, 2003 at 08:06:02AM +0900, Hideki Yamamoto wrote:
>
>
>>Dear Luigi,
>>
>>I am very happy to hear that you and your student are working
>>on this matter. I hope you will release the beta or something
>>as soon as possible.
>>By the way, does it run on FreeBSD 5.1 base or 4.9?
>>
>>
>
>it is 4.9 but since it is based on ipfw2 there should be
>no trouble in porting it to 5.x which is something we plan to
>do as well.
>
>    cheers
>    luigi
>
>
>
>>Regards,
>>Hideki Yamamoto
>>
>>From: Luigi Rizzo
>>Subject: Re: IPFW for IPv6
>>Date: Thu, 18 Dec 2003 08:26:05 -0800
>>Message-ID: <20031218082605.A2252@xorpc.icir.org>
>>
>>
>>
>>>On Fri, Dec 19, 2003 at 01:12:13AM +0900, Hideki Yamamoto wrote:
>>>
>>>
>>>>Hi,
>>>>
>>>>I am interested in ipfw for IPv6, especially on dummynet.
>>>>Does someone have information on ipfw for IPv6?
>>>>
>>>>
>>>Two students of mine have a basically working version of
>>>ipfw2 for ipv6 (with dummynet too). I need to review the code
>>>before making patches available, though.
>>>
>>>In the detail, the layer2 version of the code (where ipv6 fields
>>>are matched within ether_input()/ether_output(), are ok,
>>>whereas the layer3 version (call from ip6input(), ip6output())
>>>need a bit more debugging when used with dummynet because suspending
>>>and resuming computation within ip6output() is tricky for the
>>>amount of state around -- that was time consuming in ipv4 as well.
>>>
>>>    cheers
>>>    luigi
>>>
>>>
>>_______________________________________________
>>freebsd-ipfw@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>
>>
>
>------------------------------
>
>Message: 3
>Date: Fri, 19 Dec 2003 19:14:39 +0800
>From: Ganbold
>Subject: Dummynet pipes and MRTG
>To: freebsd-ipfw@freebsd.org
>Cc: firewalls@securityfocus.com
>Message-ID: <6.0.0.22.2.20031219190701.02927da0@202.179.0.80>
>Content-Type: text/plain; charset="us-ascii"; format=flowed
>
>Hi,
>
>I need to view the traffic utilization of dummynet pipes in ipfw2. I'm
>using FreeBSD 5.2 current.
>I'm also using MRTG to draw graphics from ipfw show rule-number command.
>Is there any method or program like MRTG to draw bandwidth utilizations of
>dummynet pipes?
>Can I use MRTG for this purpose?
>I hope somebody in this list point me to the right direction.
>
>thanks in advance,
>
>Ganbold
>
>
>------------------------------
>
>_______________________________________________
>freebsd-ipfw@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
>End of freebsd-ipfw Digest, Vol 39, Issue 3
>*******************************************
>
>
>

On Fri, Dec 19, 2003 at 01:12:13AM +0900, Hideki Yamamoto wrote:

>Hi,
>
>I am interested in ipfw for IPv6, especially on dummynet.
>Does someone have information on ipfw for IPv6?
>
>

Two students of mine have a basically working version of ipfw2 for ipv6 (with dummynet too). I need to review the code before making patches available, though.

In the detail, the layer2 version of the code (where ipv6 fields are matched within ether_input()/ether_output(), are ok, whereas the layer3 version (call from ip6input(), ip6output()) need a bit more debugging when used with dummynet because suspending and resuming computation within ip6output() is tricky for the amount of state around -- that was time consuming in ipv4 as well.

cheers
luigi

Once you have a somewhat stable working model of it running, I would be pleased to test it before releasing it :).

Liam-Foy