From owner-freebsd-ipfw Sun Jun 17 22:53:56 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx7.port.ru (mx7.port.ru [194.67.23.44]) by hub.freebsd.org (Postfix) with ESMTP id 44F7537B401 for ; Sun, 17 Jun 2001 22:53:53 -0700 (PDT) (envelope-from skif_dk@mail.ru)
Received: from [213.59.88.91] (helo=admin.vitcom.ru) by mx7.port.ru with esmtp (Exim 3.14 #1) id 15Bryy-00012E-00 for freebsd-ipfw@freebsd.org; Mon, 18 Jun 2001 09:53:52 +0400
Date: Mon, 18 Jun 2001 09:53:32 +0400
From: Konstantin
X-Mailer: The Bat! (v1.51)
Reply-To: Konstantin
X-Priority: 3 (Normal)
Message-ID: <112245671.20010618095332@mail.ru>
Disposition-Notification-To: skif_dk@mail.ru
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

subscribe skif_dk@mail.ru list

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw Mon Jun 18 18:40:35 2001
Received: from jasper.nighttide.net (jasper.nighttide.net [209.222.117.162]) by hub.freebsd.org (Postfix) with ESMTP id 26C1A37B401 for ; Mon, 18 Jun 2001 18:40:30 -0700 (PDT) (envelope-from darren@nighttide.net)
Received: from localhost (darren@localhost) by jasper.nighttide.net (8.11.3/8.11.2) with ESMTP id f5J1eBX00592; Mon, 18 Jun 2001 21:40:12 -0400 (EDT) (envelope-from darren@nighttide.net)
Date: Mon, 18 Jun 2001 21:40:11 -0400 (EDT)
From: Darren Henderson
To: Luigi Rizzo
Subject: Re: buckets & sysctl
In-Reply-To: <200106091127.NAA61182@info.iet.unipi.it>
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hello,

Got a chance to try the change to ipfw you mentioned in your message (see below). There are mixed results.

This does allow you to affect the number of buckets in use at boot time through /etc/sysctl.conf, and everything appears to work fine. I do see a number of buckets that aren't being used, but that may change as the system runs. Would expect the hash distribution to be flatter after a few hours.

However, this does not appear to allow you to change the number of buckets in use after the system is up. It may be operator error... I may not be doing the right things to cause that bit of code to be re-executed. I flush the ipfw rules and then use sysctl to write a new value and then rerun my firewall rules to load things back in there. The current bucket count remains unchanged.

I don't know the code so I can't really hazard much of a guess. Could it perhaps be the default deny rule that messes things up? I would have guessed that the prohibition in the man page about resetting this while there were rules applied referred to the dynamic rules and not the static ones, though. Not sure when the bit of code you discussed below is executed.

At any rate it does allow one to reset the number of buckets at boot time, which is certainly a step forward, thank you. I'll let you know if I observe any adverse effects over the next few days.

Now if I can figure out how to keep two dynamic rules from being created for natd'd packets...

- Darren

On Sat, 9 Jun 2001, Luigi Rizzo wrote:

>
> > I can't seem to get the number of buckets ipfw uses to increase.
>
> you are right, there is some bug in the part of code which handles
> updates to dyn_buckets.
> The actual variable used is curr_dyn_buckets, which in my intentions
> should be set to the power of 2 closest to dyn_buckets -- but as
> you can see in the code there is no place where the variable is
> actually set.
> This should be done in add_dyn_rule, probably something
> like this in /sys/netinet/ip_fw.c
>
> u_int32_t i = dyn_buckets ;
> while ( i > 0 && (i & 1) == 0 )
> i >>= 1 ;
> if (i != 1) /* not a power of 2 */
> dyn_buckets = curr_dyn_buckets ; /* reset */
> else {
> + curr_dyn_buckets = dyn_buckets ; /* update */
> if (ipfw_dyn_v != NULL)
> free(ipfw_dyn_v, M_IPFW);
> ipfw_dyn_v = malloc(curr_dyn_buckets * sizeof r,
>
> but i want to look at the code a bit more carefully before committing this.
> If you want to test this patch, i'd be glad to know how it works
> for you.
>
> cheers
> luigi
> -----------------------------------+-------------------------------------
> Luigi RIZZO, luigi@iet.unipi.it . Dip. di Ing. dell'Informazione
> http://www.iet.unipi.it/~luigi/ . Universita` di Pisa
> TEL/FAX: +39-050-568.533/522 . via Diotisalvi 2, 56126 PISA (Italy)
> Mobile +39-347-0373137
> -----------------------------------+-------------------------------------
>

______________________________________________________________________
Darren Henderson darren@nighttide.net
Help fight junk e-mail, visit http://www.cauce.org/


From owner-freebsd-ipfw Thu Jun 21 8:40:29 2001
Received: from kira.epconline.net (kira2.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id 1853F37B401 for ; Thu, 21 Jun 2001 08:40:26 -0700 (PDT) (envelope-from carock@epctech.com)
Received: from therock (betterguard.epconline.net [207.206.185.193]) by kira.epconline.net (8.11.2/8.11.2) with SMTP id f5LFeOX07603 for ; Thu, 21 Jun 2001 10:40:24 -0500 (CDT)
From: "Chuck Rock"
Subject: Natd and IPFW ( I think I've asked before with no help)...
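Review bot: the `+ curr_dyn_buckets = dyn_buckets ; /* update */` line in the else branch of the ip_fw.c change quoted above commits the new count before the table that has to match it exists, so if the `ipfw_dyn_v = malloc(curr_dyn_buckets * sizeof r,` call that follows fails, curr_dyn_buckets describes a table that is NULL. Allocate into a temporary, check it, and only then free the old array, store the new one and update curr_dyn_buckets, resetting `dyn_buckets = curr_dyn_buckets` on failure as the not-a-power-of-2 branch already does. In the same branch, `free(ipfw_dyn_v, M_IPFW)` releases the bucket heads while any dynamic rules chained from them are still allocated, and nothing in the hunk frees or rehashes those rules, so the visible code orphans them. The malloc line is cut off in the quoted mail, so its allocation flags and any NULL check cannot be reviewed from here.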
Date: Thu, 21 Jun 2001 10:40:23 -0500
Message-ID: <001801c0fa68$7c955c80$1805010a@epconline.net>
Content-Type: text/plain; charset="iso-8859-1"
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0

We are deploying FreeBSD firewalls with NATD running as well.

Problem 1.
We have aliased real IPs on an interface, but natd.cf only lets us forward ports from the original interface IP, not from the aliased IPs. So we have to use like four network cards and multiple firewalls to accomplish the desired routing of ports by real IP address to internal private IPs.

Has anyone fixed this, or come up with a better solution?

Problem 2.
We also use Portsentry, and when we forward ports with natd, they forward BEFORE Portsentry can see them. So if we have an internal machine as a mail server, and forward a real IP to an internal IP for port 25, but we use Portsentry to watch traffic on that real IP, it never sees portscans on that IP because natd never passes the packets that don't match the forwar
ding to the level that Portsentry is watching.

Would running natd from rc.local alleviate this? Is that possible?

Thanks for your help,

Chuck Rock
Internet Services Manager
EPC Inc.
http://www.epctech.com
http://www.epconline.com
http://www.pconramp.com


From owner-freebsd-ipfw Thu Jun 21 10:43:30 2001
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 8DA3337B407 for ; Thu, 21 Jun 2001 10:43:26 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f5LJ5rb15106; Thu, 21 Jun 2001 14:05:53 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Thu, 21 Jun 2001 14:05:53 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Chuck Rock
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Natd and IPFW ( I think I've asked before with no help)...
In-Reply-To: <001801c0fa68$7c955c80$1805010a@epconline.net>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 21 Jun 2001, Chuck Rock wrote:

> We are deploying FreeBSD firewalls with NATD running as well.
>
> Problem 1.
> We have aliased real IP's on an interface, but natd.cf only lets us
> forward ports from the original interface IP, not from the aliased
> IP's. So we have to like four network cards and multiple firewalls to
> accomplish the desired routing of ports by real IP address to internal
> private IP's.
>
> Has anyone fixed this, or come up with a better solution?

I'm not clear on what you are saying here.
The alias_address option of nat will let you specify your outside address... it doesn't have to be bound to any interface.

redirect_address works like static NAT if that is what you want.

Please clarify what you mean... from the outside to the inside OR from the inside to the outside?

>
> Problem 2.
> We also use Portsentry, and when we forward ports with natd, they
> forward BEFORE portsentry can see them. So if we have an internal
> machine as a mail server, and forward a real IP to an internal IP for
> port 25, but we use portsentry to watch traffic on that real IP, it
> never sees portscans on IP because natd never passes the packets that
> don't match the forwarding to the level that Portsentry is watching.

Hmmm, not sure what to do here. I'm not sure how PortSentry works. If it uses BPF to watch traffic it should work, so it must not use that...

Is PortSentry listening on the outside interface?

>
> Would running natd from rc.local aleviate this? Is that possible?
>

That has nothing to do with it. That just deals with loading programs when booting the system. And yes, you can start natd from rc.local.

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"


From owner-freebsd-ipfw Thu Jun 21 12:42:24 2001
Received: from kira.epconline.net (kira2.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id 151C337B401 for ; Thu, 21 Jun 2001 12:42:16 -0700 (PDT) (envelope-from carock@epconline.net)
Received: from therock (betterguard.epconline.net [207.206.185.193]) by kira.epconline.net (8.11.2/8.11.2) with SMTP id f5LJgFX35616 for ; Thu, 21 Jun 2001 14:42:15 -0500 (CDT)
From: "Chuck Rock"
Subject: RE: Natd and IPFW ( I think I've asked before with no help)...
Date: Thu, 21 Jun 2001 14:42:15 -0500
Message-ID: <003101c0fa8a$46041f40$1805010a@epconline.net>
Content-Type: text/plain; charset="iso-8859-1"
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0

I misunderstood my techs... The forwarding of aliased IPs is working fine. The port forwarding for aliased IPs they couldn't get working. I'm going to make sure we've tried all the possible commands for forwarding ports before I post again.

What I'm told now is that the aliased real IPs on an interface can't be forwarded by port number to an internal IP.

xl0 has inet=206.206.206.206 and alias IP of 206.206.206.207, and they want to forward port 80 coming into the alias IP 206.206.206.207 to 10.0.0.1 and port 25 coming into 206.206.206.207 to 10.0.0.2.

They haven't figured out how to get this working. If anyone has successfully done this, a little help figuring out which of the three port forwarding command syntaxes to use would be great.

The Portsentry problem is a question for them (Psionic). It appears any aliased IPs that are forwarded by NAT are not protected by Portsentry. If they are just aliases, and not forwarded by NAT, Portsentry will successfully add portscans to IPFW.

Thanks for your help.

Chuck

> -----Original Message-----
> From: owner-freebsd-ipfw@FreeBSD.ORG
> [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Nick Rogness
> Sent: Thursday, June 21, 2001 2:06 PM
> To: Chuck Rock
> Cc: freebsd-ipfw@FreeBSD.ORG
> Subject: Re: Natd and IPFW ( I think I've asked before with no help)...
>
>
> On Thu, 21 Jun 2001, Chuck Rock wrote:
>
> > We are deploying FreeBSD firewalls with NATD running as well.
> >
> > Problem 1.
> > We have aliased real IP's on an interface, but natd.cf only lets us
> > forward ports from the original interface IP, not from the aliased
> > IP's. So we have to like four network cards and multiple firewalls to
> > accomplish the desired routing of ports by real IP address to internal
> > private IP's.
> >
> > Has anyone fixed this, or come up with a better solution?
>
> I'm not clear on what you are saying here.
> alias_address option of nat will let you specify your outside
> address...it doesn't have to be bound to any interface.
>
> redirect_address works like Static NAT if that is what you want.
>
> Please Clarify what you mean...from the outside to the inside OR
> from the inside to the outside?
>
> >
> > Problem 2.
> > We also use Portsentry, and when we forward ports with natd, they
> > forward BEFORE portsentry can see them. So if we have an internal
> > machine as a mail server, and forward a real IP to an internal IP for
> > port 25, but we use portsentry to watch traffic on that real IP, it
> > never sees portscans on IP because natd never passes the packets that
> > don't match the forwarding to the level that Portsentry is watching.
>
> Hmmm, not sure what to do here. I'm not sure how PortSentry
> works. If it uses BPF to watch traffic it should work, so it must
> not use that...
>
> Is Port sentry listening on the outside interface?
>
> >
> > Would running natd from rc.local aleviate this? Is that possible?
> >
> That has nothing to do with it. That just deals with loading
> progams when booting the system. ANd yes, you can start natd from
> rc.local.
>
>
> Nick Rogness
> - Keep on Routing in a Free World...
> "FreeBSD: The Power to Serve!"
>


From owner-freebsd-ipfw Thu Jun 21 13: 4:14 2001
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 91BAC37B407 for ; Thu, 21 Jun 2001 13:04:10 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f5LLQdX16104; Thu, 21 Jun 2001 16:26:39 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Thu, 21 Jun 2001 16:26:39 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Chuck Rock
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: RE: Natd and IPFW ( I think I've asked before with no help)...
In-Reply-To: <003101c0fa8a$46041f40$1805010a@epconline.net>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 21 Jun 2001, Chuck Rock wrote:

This belongs on the freebsd-questions list... answering the question there.

[snip]

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
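
The bucket resize that Luigi Rizzo sketches and Darren Henderson tests in the "buckets & sysctl" exchange above, as an added example that is not part of the thread and not FreeBSD's ip_fw.c: a user-space model of the dynamic-rule hash table in which a requested size that is not a power of two, or an allocation failure, leaves the table and curr_dyn_buckets consistent with each other, and the rules already in the table are rehashed into the new one instead of being orphaned when the old bucket array is freed. dyn_buckets, curr_dyn_buckets and ipfw_dyn_v are the names used in the thread; struct dyn_rule's fields, dyn_hash(), dyn_set_buckets(), dyn_requested_buckets(), dyn_curr_buckets(), dyn_resize(), dyn_insert(), dyn_lookup(), dyn_count() and dyn_load_sample() are assumptions made for the illustration, libc calloc/free stand in for the kernel allocator, and the 1000 sample flows are constructed.

```c
/* Added example, not FreeBSD's ip_fw.c and not Luigi Rizzo's patch.
 * dyn_buckets, curr_dyn_buckets and ipfw_dyn_v are the thread's names; the
 * rule fields, dyn_hash() and the rehash are assumptions, and libc
 * calloc/free stand in for the kernel allocator. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct dyn_rule {
	struct dyn_rule *next;
	uint32_t src, dst; uint16_t sport, dport;	/* IPv4, host byte order */
};

static struct dyn_rule **ipfw_dyn_v;	/* bucket heads, curr_dyn_buckets long */
static uint32_t curr_dyn_buckets;	/* size in use, always a power of 2 */
static uint32_t dyn_buckets = 256;	/* value written via sysctl */

/* sysctl stand-ins: a write only records the request */
void dyn_set_buckets(uint32_t n) { dyn_buckets = n; }
uint32_t dyn_requested_buckets(void) { return dyn_buckets; }
uint32_t dyn_curr_buckets(void) { return curr_dyn_buckets; }
static int is_power_of_2(uint32_t n) { return n != 0 && (n & (n - 1)) == 0; }

static uint32_t dyn_hash(const struct dyn_rule *r, uint32_t nbuckets)
{
	uint32_t h = r->src ^ r->dst ^ ((uint32_t)r->sport << 16 | r->dport);
	h ^= h >> 16; h *= 0x45d9f3bu; h ^= h >> 16;	/* mix so low bits vary */
	return h & (nbuckets - 1);			/* nbuckets is 2^k */
}

/* Apply dyn_buckets: 0 on success, -1 if rejected. On rejection dyn_buckets
 * is reset to the size still in use, so the operator can read back why. */
int dyn_resize(void)
{
	if (!is_power_of_2(dyn_buckets)) { dyn_buckets = curr_dyn_buckets; return -1; }
	if (ipfw_dyn_v != NULL && dyn_buckets == curr_dyn_buckets)
		return 0;
	struct dyn_rule **nv = calloc(dyn_buckets, sizeof *nv);
	if (nv == NULL) { dyn_buckets = curr_dyn_buckets; return -1; }	/* keep old table */
	/* rehash live rules instead of freeing the array out from under them */
	for (uint32_t b = 0; ipfw_dyn_v != NULL && b < curr_dyn_buckets; b++)
		for (struct dyn_rule *r = ipfw_dyn_v[b], *next; r != NULL; r = next) {
			uint32_t h = dyn_hash(r, dyn_buckets);
			next = r->next;
			r->next = nv[h];
			nv[h] = r;
		}
	free(ipfw_dyn_v);
	ipfw_dyn_v = nv;
	curr_dyn_buckets = dyn_buckets;		/* commit only after success */
	return 0;
}

int dyn_insert(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
	if (ipfw_dyn_v == NULL && dyn_resize() != 0)
		return -1;
	struct dyn_rule *r = malloc(sizeof *r);
	if (r == NULL)
		return -1;
	*r = (struct dyn_rule){ NULL, src, dst, sport, dport };
	uint32_t h = dyn_hash(r, curr_dyn_buckets);
	r->next = ipfw_dyn_v[h];
	ipfw_dyn_v[h] = r;
	return 0;
}

int dyn_lookup(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
	struct dyn_rule key = { NULL, src, dst, sport, dport };
	struct dyn_rule *r = ipfw_dyn_v ? ipfw_dyn_v[dyn_hash(&key, curr_dyn_buckets)] : NULL;
	for (; r != NULL; r = r->next)
		if (r->src == src && r->dst == dst && r->sport == sport && r->dport == dport)
			return 1;
	return 0;
}

/* rules held, and how many buckets are non-empty (what Darren was eyeballing) */
size_t dyn_count(size_t *used_buckets)
{
	size_t n = 0, used = 0;
	for (uint32_t b = 0; ipfw_dyn_v != NULL && b < curr_dyn_buckets; b++)
		for (struct dyn_rule *r = ipfw_dyn_v[b]; r != NULL; r = r->next)
			n++, used += (r == ipfw_dyn_v[b]);
	if (used_buckets != NULL)
		*used_buckets = used;
	return n;
}

/* constructed sample: n flows 10.0.0.x:1024+x -> 192.168.0.1:80; returns inserted */
int dyn_load_sample(uint32_t n)
{
	int ok = 0;
	for (uint32_t i = 0; i < n; i++)
		ok += dyn_insert(0x0a000001u + i, 0xc0a80001u, (uint16_t)(1024 + i), 80) == 0;
	return ok;
}
```

In this model dyn_resize() is the step a sysctl write has to trigger; dyn_insert() only calls it when no table exists yet, which reproduces the behaviour Darren describes (a boot-time value takes effect, a later one sits in dyn_buckets until something calls dyn_resize()). Load 1000 flows with dyn_load_sample(1000), set 100 and watch dyn_resize() reject it with dyn_requested_buckets() snapping back to 256, then set 1024: dyn_count() still reports 1000 rules and dyn_lookup() still finds each flow, because the rules were rehashed rather than dropped with the old array.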
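
Chuck Rock's per-alias port forwarding case, as an added example that is not part of the thread and not natd's or libalias's code: a parser for the redirect_port directive in the form natd(8) documents it, `redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT`, applied to inbound packets. The addresses 206.206.206.206, 206.206.206.207, 10.0.0.1 and 10.0.0.2 come from his mail; the sample natd.conf, the extra host 10.0.0.3, the assumption that xl0's primary address is natd's own alias address, and the names natd_conf, ip4(), parse_natd_conf() and natd_inbound() are mine. It shows the syntax that puts the alias address in front of the alias port, and that a packet which matches a redirect is rewritten toward the inside host rather than handed to the firewall's own stack, so a tool that watches sockets on the firewall only ever sees the packets no redirect claims.

```c
/* Added example, not natd's or libalias's code: a parser for the
 * redirect_port form natd(8) accepts in natd.conf,
 *     redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT
 * applied to inbound packets. The config and packets are constructed;
 * xl0's primary address is assumed to be 206.206.206.206 as in the mail. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct redirect {
	char proto[8];
	uint32_t target_ip, alias_ip;	/* alias_ip 0: natd's own alias address */
	uint16_t target_port, alias_port;
};

/* constructed natd.conf: one redirect per (alias address, port) pair */
const char natd_conf[] =
	"# constructed for the example\n"
	"interface xl0\n"
	"redirect_port tcp 10.0.0.1:80 206.206.206.207:80\n"
	"redirect_port tcp 10.0.0.2:25 206.206.206.207:25\n"
	"redirect_port tcp 10.0.0.3:25 25\n";	/* no aliasIP: xl0's own address */

/* dotted quad to host-order uint32_t; 0 on a malformed address */
uint32_t ip4(const char *s)
{
	struct in_addr a;
	return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}

/* "ip:port" or bare "port"; *ip is left 0 when the address is absent */
static int parse_ip_port(char *tok, uint32_t *ip, uint16_t *port)
{
	char *colon = strchr(tok, ':'), *end;
	*ip = 0;
	if (colon != NULL) {
		*colon = '\0';
		if ((*ip = ip4(tok)) == 0)
			return -1;
		tok = colon + 1;
	}
	long p = strtol(tok, &end, 10);
	if (*end != '\0' || p < 1 || p > 65535)
		return -1;
	*port = (uint16_t)p;
	return 0;
}

/* Fill rules[] from the redirect_port lines of conf; other directives are
 * skipped. Returns the rule count, or -1 on a malformed redirect_port. */
int parse_natd_conf(const char *conf, struct redirect *rules, int max)
{
	int n = 0;
	char *copy = strdup(conf), *save = NULL, *line;
	if (copy == NULL)
		return -1;
	for (line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
		char *lsave = NULL, *kw = strtok_r(line, " \t", &lsave);
		if (kw == NULL || strcmp(kw, "redirect_port") != 0)
			continue;			/* comments and other directives */
		char *proto = strtok_r(NULL, " \t", &lsave);
		char *target = strtok_r(NULL, " \t", &lsave);
		char *alias = strtok_r(NULL, " \t", &lsave);
		struct redirect *r = &rules[n];
		if (proto == NULL || target == NULL || alias == NULL || n == max ||
		    parse_ip_port(target, &r->target_ip, &r->target_port) != 0 ||
		    r->target_ip == 0 ||		/* the target must name a host */
		    parse_ip_port(alias, &r->alias_ip, &r->alias_port) != 0) {
			n = -1;
			break;
		}
		snprintf(r->proto, sizeof r->proto, "%s", proto);
		n++;
	}
	free(copy);
	return n;
}

/* One inbound packet on the outside interface. natd_alias is the address
 * natd itself uses (xl0's primary address here). Returns 1 with the new
 * destination when the packet is rewritten toward an inside host, 0 when
 * it is passed unchanged and so reaches the firewall's own stack. */
int natd_inbound(const struct redirect *rules, int n, uint32_t natd_alias,
    const char *proto, uint32_t dst_ip, uint16_t dst_port,
    uint32_t *new_ip, uint16_t *new_port)
{
	for (int i = 0; i < n; i++) {
		uint32_t a = rules[i].alias_ip != 0 ? rules[i].alias_ip : natd_alias;
		if (a == dst_ip && rules[i].alias_port == dst_port &&
		    strcmp(rules[i].proto, proto) == 0) {
			*new_ip = rules[i].target_ip;
			*new_port = rules[i].target_port;
			return 1;
		}
	}
	return 0;
}
```

With the sample config parsed, a SYN to 206.206.206.207:80 comes back rewritten to 10.0.0.1:80 and one to 206.206.206.207:25 to 10.0.0.2:25, while 206.206.206.207:22 is left alone: that last packet is the only one of the three a socket listener on the firewall could see, which matches Chuck's observation that forwarded ports are invisible to such a tool. The third rule, with the alias address omitted, binds to natd's own address (206.206.206.206 here), which is the form that only ever forwards from the primary interface address.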