From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 10 11:02:47 2006
Return-Path:
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4134E16A401 for ; Mon, 10 Apr 2006 11:02:47 +0000 (UTC) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id E4BD343D45 for ; Mon, 10 Apr 2006 11:02:46 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k3AB2kPp092539 for ; Mon, 10 Apr 2006 11:02:46 GMT (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k3AB2jlp092531 for freebsd-ipfw@freebsd.org; Mon, 10 Apr 2006 11:02:45 GMT (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 10 Apr 2006 11:02:45 GMT
Message-Id: <200604101102.k3AB2jlp092531@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Cc:
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 10 Apr 2006 11:02:47 -0000

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  [ipfw] [patch] ipfw2 create dynamic rules f
f [2003/04/24] kern/51341  ipfw  [ipfw] [patch] ipfw rule 'deny icmp from
o [2004/03/03] kern/63724  ipfw  [ipfw] IPFW2 Queues dont t work
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13] conf/78762  ipfw  [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11] bin/80913   ipfw  [patch] /sbin/ipfw2 silently discards MAC
o [2005/11/08] kern/88659  ipfw  [modules] ipfw and ip6fw do not work prop
o [2005/11/08] kern/88664  ipfw  [ipfw] ipfw stateful firewalling broken w
o [2006/02/13] kern/93300  ipfw  ipfw pipe lost packets
o [2006/03/29] kern/95084  ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/v

11 problems total.

Non-critical problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10] kern/46159  ipfw  [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11] kern/48172  ipfw  [ipfw] [patch] ipfw does not log size and
o [2003/03/10] kern/49086  ipfw  [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09] bin/50749   ipfw  [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26] kern/55984  ipfw  [ipfw] [patch] time based firewalling sup
o [2003/12/30] kern/60719  ipfw  [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  [ipfw] install_state warning about alread
o [2004/09/04] kern/71366  ipfw  [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/22] kern/72987  ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [B
o [2004/10/29] kern/73276  ipfw  [ipfw] [patch] ipfw2 vulnerability (parse
o [2005/03/13] bin/78785   ipfw  [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05] kern/80642  ipfw  [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28] kern/82724  ipfw  [ipfw] [patch] Add setnexthop and default
o [2005/10/05] kern/86957  ipfw  [ipfw] [patch] ipfw mac logging
o [2005/10/07] kern/87032  ipfw  [ipfw] [patch] ipfw ioctl interface imple
o [2006/01/03] bin/91245   ipfw  [patch] ipfw(8) sometimes treat ipv6 inpu
o [2006/01/16] kern/91847  ipfw  [ipfw] ipfw with vlanX as the device
o [2006/02/16] kern/93422  ipfw  ipfw divert rule no longer works in 6.0 (
o [2006/03/31] bin/95146   ipfw  [ipfw][patch]ipfw -p option handler is bo

20 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 11 12:26:16 2006
From: Gilberto Villani Brito
To: freebsd-ipfw@freebsd.org
Date: Tue, 11 Apr 2006 09:29:32 -0300
Message-ID: <20060411092932.42148fd8@giboia>
Subject: Load-balancing

Hi,

I would make load-balancing using ipfw, but I have 2 routers in the same interface:

FreeBSD (200.xxx.xxx.3) -------> GW1 (200.xxx.xxx.1) (63%)
                             |--> GW2 (200.xxx.xxx.2) (33%)

How can I make load-balancing using ipfw???

I'm using pf (pass out on em0 route-to (em0 200.xxx.xxx.2) round-robin from any to any keep state probability 33%), but I would like to use just one firewall.
Gilberto
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 11 21:07:52 2006
From: "John B. Wood"
To: freebsd-ipfw@freebsd.org
Date: Tue, 11 Apr 2006 17:07:47 -0400
Message-ID: <443C1AA3.9090705@nrl.navy.mil>
Subject: FreeBSD 6.0 Buffer Overrrun System Crash

Hello, everyone.

Several months ago I reported problems I was having in obtaining a stable bridging with Dummynet platform (Dell Dimension 3000) as a result of a receive buffer overrun on the em0 interface. Instead of using Dummynet pipes to set up a controlled packet loss (25%) scenario I tried bridging and IPFW without Dummynet as follows:

ipfw add 100 prob 0.25 deny ip from any to any bridged
ipfw add 200 allow ip from any to any bridged

After several minutes of operating as expected the system crashes with the kernel message "em0: RX overrun" and the system has to be rebooted. This is the same error I got using Dummynet. I also tried John Nielsen's configuration (cf. this mailing list 4/7/06) to no avail.

Does anyone have a fix?

Thanks for your time and comment.

Sincerely,
--
John Wood
Code 5551
U.S. Naval Research Lab
4555 Overlook Avenue, SW
Washington, DC 20375-5337
(202) 767-2608
(202) 767-3377 (FAX)
e-mail: wood@itd.nrl.navy.mil
WWW: http://server5550.itd.nrl.navy.mil

If you work on your mind with your mind, how can you avoid immense confusion?
- Seng-Ts'an

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 12 09:20:19 2006
From: "Andrey V. Elsukov"
To: "John B. Wood"
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 12 Apr 2006 13:20:10 +0400
Message-ID: <443CC64A.2000403@yandex.ru>
In-Reply-To: <443C1AA3.9090705@nrl.navy.mil>
Subject: Re: FreeBSD 6.0 Buffer Overrrun System Crash

John B. Wood wrote:
> After several minutes of operating as expected the system crashes with
> the kernel message "em0: RX overrun" and the system has to be rebooted.

You can try updating your 6.0 system to the latest RELENG_6 branch. The em(4) driver now has more changes; maybe this would help you.

--
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 12 21:46:20 2006
From: Bill Fumerola
To: Gilberto Villani Brito
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 12 Apr 2006 14:46:19 -0700
Message-ID: <20060412214619.GT9364@elvis.mu.org>
In-Reply-To: <20060411092932.42148fd8@giboia>
Subject: Re: Load-balancing

On Tue, Apr 11, 2006 at 09:29:32AM -0300, Gilberto Villani Brito wrote:
> I would make load-balancing using ipfw, but I have 2 routers in the same interface:
>
> FreeBSD (200.xxx.xxx.3) -------> GW1 (200.xxx.xxx.1) (63%)
>                              |--> GW2 (200.xxx.xxx.2) (33%)
>
> How can I make load-balancing using ipfw???
>
> I'm using pf (pass out on em0 route-to (em0 200.xxx.xxx.2) round-robin from any to any keep state probability 33%), but I would like use just one firewall.

the same concept you're using applies to ipfw:

# ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any

or if you have multiple interfaces:

# ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any xmit em0

any laziness-induced syntax errors i've made notwithstanding those should
work fine. remember to compile IPFIREWALL_FORWARD and enable ip forwarding.

-- bill

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 12 22:16:28 2006
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: Bill Fumerola
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 12 Apr 2006 19:13:05 -0300
Message-ID: <443D7B71.5070004@freebsdbrasil.com.br>
In-Reply-To: <20060412214619.GT9364@elvis.mu.org>
Subject: Re: Load-balancing

Bill Fumerola wrote:
> On Tue, Apr 11, 2006 at 09:29:32AM -0300, Gilberto Villani Brito wrote:
>
>> I would make load-balancing using ipfw, but I have 2 routers in the same interface:
>>
>> FreeBSD (200.xxx.xxx.3) -------> GW1 (200.xxx.xxx.1) (63%)
>>                              |--> GW2 (200.xxx.xxx.2) (33%)
>>
>> How can I make load-balancing using ipfw???
>>
>> I'm using pf (pass out on em0 route-to (em0 200.xxx.xxx.2) round-robin from any to any keep state probability 33%), but I would like use just one firewall.
>
> the same concept you're using applies to ipfw:
>
> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any
>
> or if you have multiple interfaces:
>
> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any xmit em0
>
> any laziness-induced syntax errors i've made notwithstanding those should
> work fine. remember to compile IPFIREWALL_FORWARD and enable ip forwarding.
>
> -- bill

Very nice.

How hard would it be to have "keep-state" working with "fwd" action?

Also, what about some sort of algorithm more similar to "plr" for "prob" action? As I understand it, prob is really a probability, which does not mean, say, 33% of the packets will match (while plr says it will match - and drop the packet); it means 33% probability, right? This would be different from a 33% matching rate. Let's think of a "rate" option for "matching rate", a

ipfw add rate 0.33 fwd tcp from to any xmit em0 setup keep-state

keep-state in this case would make all other packets from the given source IP to the given destination IP always get forwarded...

Because as I see it (I may be wrong) the above example may break sessions, right? Thinking of an https session, for example. Some packets would match the prob, some others would not. So what do we get? Some packets going out via link #1 and some others via link #2. The other end will not know about the incoming packets from the other link.

The mentioned two features (which I have no idea how hard it would be to add), a plr-like sort of "prob" and keeping FWD state, would solve the problem, wouldn't it?

Also, I don't know what "probability" really means on PF. If it is really probability or a "rate match" spec. Try to figure it out correctly, or you might be doing the wrong thing...

--
Patrick Tracanelli

FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
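The session-splitting worry in the message above (a per-packet `prob 0.33 fwd` sends some packets of one TCP session via GW1 and others via GW2, while a keep-state-style forward decided once per flow would not) can be checked with a small simulation. The Python below is an added example, not code from the thread, from ipfw or from FreeBSD. It models the kernel's `random() < threshold` match with a 31-bit random value and assumes ipfw(8) scales the probability to 0x7fffffff; the flows, the address ranges and the gateway names GW1/GW2 (taken from Gilberto's diagram) are constructed.

```python
"""Per-packet `prob` matching versus a per-flow (keep-state-like) decision.

Constructed simulation; it is not ipfw code.  It shows why a bare
`prob 0.33 fwd GW2` splits most sessions across both gateways even though
the overall packet share still comes out close to 33%.
"""
import random
from collections import defaultdict

# Assumption: ipfw(8) stores `prob p` as p * 0x7fffffff and the kernel tests
# random() < d[0], where random() yields a 31-bit value.  Only the
# resulting match probability p matters for what follows.
RAND_MAX = 0x7fffffff


def prob_matches(rng, p):
    """One evaluation of an ipfw `prob p` rule; True means the action fires."""
    threshold = int(p * RAND_MAX)
    return rng.getrandbits(31) < threshold


def make_flows(n_flows, packets_per_flow, seed=1):
    """Constructed traffic: n_flows distinct 5-tuples, each sending
    packets_per_flow packets in order (the first one is the TCP setup)."""
    rng = random.Random(seed)
    flows = []
    for i in range(n_flows):
        src = f"10.0.{i // 256}.{i % 256}"          # unique per flow
        key = (src, rng.randrange(1024, 65535), "203.0.113.10", 443, "tcp")
        flows.append([key] * packets_per_flow)
    return flows


def route_per_packet(flows, p, seed=2):
    """`prob p fwd GW2` as written: every packet rolls the dice."""
    rng = random.Random(seed)
    decisions = defaultdict(list)   # flow key -> gateway chosen per packet
    for pkts in flows:
        for key in pkts:
            decisions[key].append("GW2" if prob_matches(rng, p) else "GW1")
    return decisions


def route_per_flow(flows, p, seed=2):
    """What a `fwd ... setup keep-state` would do: roll the dice only on the
    setup packet, remember the gateway in a state table, reuse it after."""
    rng = random.Random(seed)
    state = {}                      # flow key -> gateway fixed at setup
    decisions = defaultdict(list)
    for pkts in flows:
        for key in pkts:
            if key not in state:    # first packet of the flow creates state
                state[key] = "GW2" if prob_matches(rng, p) else "GW1"
            decisions[key].append(state[key])
    return decisions


def split_flows(decisions):
    """Number of flows whose packets left through more than one gateway."""
    return sum(1 for gws in decisions.values() if len(set(gws)) > 1)


def gw2_share(decisions):
    """Fraction of all packets that were forwarded via GW2."""
    total = sum(len(g) for g in decisions.values())
    return sum(g.count("GW2") for g in decisions.values()) / total


if __name__ == "__main__":
    flows = make_flows(1000, 10)
    for name, fn in (("per-packet prob", route_per_packet),
                     ("per-flow state ", route_per_flow)):
        d = fn(flows, 0.33)
        print(f"{name}: GW2 share {gw2_share(d):.2f}, "
              f"split sessions {split_flows(d)}/{len(flows)}")
```

With 1000 ten-packet flows both policies send about a third of the packets to GW2, but the per-packet policy splits nearly every session (a flow stays whole only if all ten rolls agree, probability 0.33^10 + 0.67^10), whereas the per-flow policy splits none. The packet share is the same in both cases; what the state table buys is consistency per session, which is what the other end of an https connection needs.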
From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 12 22:24:11 2006
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: freebsd-ipfw@freebsd.org
Cc: Bill Fumerola
Date: Wed, 12 Apr 2006 19:23:55 -0300
Message-ID: <443D7DFB.1090800@freebsdbrasil.com.br>
In-Reply-To: <443D7B71.5070004@freebsdbrasil.com.br>
Subject: Re: Load-balancing

Patrick Tracanelli wrote:
> Bill Fumerola wrote:
>
>> On Tue, Apr 11, 2006 at 09:29:32AM -0300, Gilberto Villani Brito wrote:
>>
>>> I would make load-balancing using ipfw, but I have 2 routers in the
>>> same interface:
>>>
>>> FreeBSD (200.xxx.xxx.3) -------> GW1 (200.xxx.xxx.1) (63%)
>>>                              |--> GW2 (200.xxx.xxx.2) (33%)
>>>
>>> How can I make load-balancing using ipfw???
>>>
>>> I'm using pf (pass out on em0 route-to (em0 200.xxx.xxx.2)
>>> round-robin from any to any keep state probability 33%), but I would
>>> like use just one firewall.
>>
>> the same concept you're using applies to ipfw:
>>
>> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any
>>
>> or if you have multiple interfaces:
>>
>> # ipfw add prob 0.33 fwd 200.x.x.2 ip from any to any xmit em0
>>
>> any laziness-induced syntax errors i've made notwithstanding those should
>> work fine. remember to compile IPFIREWALL_FORWARD and enable ip
>> forwarding.
>>
>> -- bill
>
> Very nice.
>
> How hard would it be to have "keep-state" working with "fwd" action?
>
> Also, what about some sort of algorith more similar to "plr" for "prob"
> action? As my understanding prob is really a probability, which does not
> mean say 33% of the packets will match (while plr says it will match -
> and drop the packet), it means 33% of probability, right? This would be
> different of 33% of matching rate. Lets think of a "rate" option for
> "matching rate", a
>
> ipfw add rate 0.33 fwd tcp from to any xmit em0 setup keep-state
>
> keep-state in this case would make all other packets from the given
> source IP to the given destination IP always get forwarded...
>
> Because as I see (I may be wrong) the above example may break sessions,
> right? Thinking on an https session, for example. Some packets would
> match the prob, some other would not. So what do we get? Some packets
> going out via link #1 and some other via link #2. The other end will not
> know about the incoming packets from the other link.
>
> The mentioned two features (which I have no idea how hard it would be to
> add), a plr-like sort of "prob" and keeping FWD state, would solve the
> problem, wouldnt it?
>
> Also, I dont know what "probability" really means on PF. If it is really
> probability or a "rate match" spec. Try to figure it out correctly, or
> you might be doing the wrong thing...

Well, I am sorry to read the code only after hitting the "send" button. The code for prob and plr seems to be the same...

ip_dummynet.c:

    if ( fs->plr && random() < fs->plr )
        goto dropit ;   /* random pkt drop */

ip_fw2.c:

    case O_PROB:
        match = (random()<((ipfw_insn_u32 *)cmd)->d[0]);
        break;

so again the question, is it really probability? I have no guarantee that, say, "prob 0.33" or "plr 0.33" will really mean 33%, right? (hope wrong..)

--
Patrick Tracanelli

FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 12 22:42:33 2006
From: AT Matik
Organization: Infomatik
To: freebsd-ipfw@freebsd.org
Date: Wed, 12 Apr 2006 19:42:25 -0300
Message-Id: <200604121942.25737.asstec@matik.com.br>
In-Reply-To: <443D7B71.5070004@freebsdbrasil.com.br>
Subject: Re: Load-balancing

On Wednesday 12 April 2006 19:13, Patrick Tracanelli wrote:
> Also, what about some sort of algorith more similar to "plr" for "prob"
> action? As my understanding prob is really a probability, which does not
> mean say 33% of the packets will match (while plr says it will match -
> and drop the packet), it means 33% of probability, right? This would be
> different of 33% of matching rate. Lets think of a "rate" option for
> "matching rate", a
>

"probably" not a good choice to generate packet-loss when trying kind of load balance

prob generates random rate (fwd in this case)
plr generates random packet _loss_ rate

I think the latter option creates an artificial kind of bw limit

João

The message was scanned by the e-mail system and can be considered safe.
Service provided by Datacenter Matik https://datacenter.matik.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 12 23:07:01 2006
From: Bill Fumerola
To: AT Matik
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 12 Apr 2006 16:07:01 -0700
Message-ID: <20060412230701.GV9364@elvis.mu.org>
In-Reply-To: <200604121942.25737.asstec@matik.com.br>
Subject: Re: Load-balancing

On Wed, Apr 12, 2006 at 07:42:25PM -0300, AT Matik wrote:
> On Wednesday 12 April 2006 19:13, Patrick Tracanelli wrote:
> > Also, what about some sort of algorith more similar to "plr" for "prob"
> > action? As my understanding prob is really a probability, which does not
> > mean say 33% of the packets will match (while plr says it will match -
> > and drop the packet), it means 33% of probability, right? This would be
> > different of 33% of matching rate. Lets think of a "rate" option for
> > "matching rate", a
> >
>
> "probably" not a good choice to generate packet-loss when trying kind of load
> balance
>
> prob generates random rate (fwd in this case)
> plr generates random packet _loss_ rate
>
> I think the latter option create artificial kind of bw limit

yes the two share only a math equation. even if they behaved the same (match
v. drop), the two wouldn't be equivalent because you get all of dummynet's
queueing/dropping characteristics.

-- bill

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 13 00:07:14 2006
Message-ID: <443D9624.4010407@freebsdbrasil.com.br>
Date: Wed, 12 Apr 2006 21:07:00 -0300
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
To: AT Matik
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <200604121942.25737.asstec@matik.com.br>
Subject: Re: Load-balancing

AT Matik wrote:
> On Wednesday 12 April 2006 19:13, Patrick Tracanelli wrote:
>
>> Also, what about some sort of algorithm more similar to "plr" for "prob"
>> action? As my understanding prob is really a probability, which does not
>> mean say 33% of the packets will match (while plr says it will match -
>> and drop the packet), it means 33% of probability, right? This would be
>> different of 33% of matching rate. Let's think of a "rate" option for
>> "matching rate", a
>>
>
> "probably" not a good choice to generate packet-loss when trying kind of load
> balance
>
> prob generates random rate (fwd in this case)
> plr generates random packet _loss_ rate
>
> I think the latter option creates artificial kind of bw limit
>
> João

It is certainly the deal, according to the code as I mentioned in the later message. This is why a "rate" option would do this job better than prob, which makes use of random().

Anyway, according to my tests this random() approach gets very close to a percentage.
From more elaborated to simple tests such as:

# ipfw add 1 prob 0.33 deny icmp from me to any out icmptypes 8
# ping 10.69.69.1
[.. and there ping(1) goes...]
--- 10.69.69.1 ping statistics ---
28 packets transmitted, 18 packets received, 35% packet loss
round-trip min/avg/max/stddev = 0.229/0.280/0.359/0.036 ms

One can easily find out we get really close to the desired behaviour, except that the order it happens in is really random (which means that with a small amount of tests, say, fewer packets, one might have distorted results).

So I believe the lack of a "fwd keep-state"-like behavior is more significant than the rate-with-precision stuff, when the matter is balancing...

-- 
Patrick Tracanelli

FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 13 01:17:05 2006
From: AT Matik
Organization: Infomatik
To: freebsd-ipfw@freebsd.org
Date: Wed, 12 Apr 2006 22:16:56 -0300
In-Reply-To: <443D9624.4010407@freebsdbrasil.com.br>
Message-Id: <200604122216.57305.asstec@matik.com.br>
Subject: Re: Load-balancing

On Wednesday 12 April 2006 21:07, Patrick Tracanelli wrote:
>
> It is certainly the deal, according to the code as I mentioned in the
> later message. This is why a "rate" option would do this job better than
> prob which makes use of random().
>
> Anyway according to my tests this random() approach gets very close to a
> percentage. From more elaborated to simple tests such as:
>
> # ipfw add 1 prob 0.33 deny icmp from me to any out icmptypes 8
> # ping 10.69.69.1
> [.. and there ping(1) goes...]
> --- 10.69.69.1 ping statistics ---
> 28 packets transmitted, 18 packets received, 35% packet loss
> round-trip min/avg/max/stddev = 0.229/0.280/0.359/0.036 ms
>

I am not sure what you try to prove here. Random means that the packets are randomly processed, and not in any sequence, to get as close as possible to the defined rate.

Probably exactly 33% if you define .33, since 0=0 and 1=100%, but since ipfw does not split packets, when only 5 are sent you get something close to 33%, which is then 1 or 2 packets (based on 5), and this one or two packets can be ANY of the 5.

But repeat your ping with -c 99 and you will probably always see 33 packets.

> > So I believe the lack of a "fwd keep-state"-like behavior is more
> > significant than the rate-with-precision stuff, when the matter is
> > balancing...

??
In your first message you said:

>> keep-state in this case would make all other packets from the given
>> source IP to the given destination IP always get forwarded...
>> Because as I see (I may be wrong) the above example may break sessions,

In this case the keep-state rules will probably be broken, since "prob" is processed before keep-state.

I believe you could use keep-state in case of policy-routing but not together with prob, but policy-routing is not load-balancing, which makes out of both a "one-or-the-other" option.

I guess with keep-state you can not get any balance and may break balance, since you can not know how much traffic the source IP might demand; overall, keep-state catches only tcp and perhaps udp.

You said also:

>> right? Thinking on an https session, for example. Some packets would
>> match the prob, some other would not. So what do we get? Some packets
>> going out via link #1 and some other via link #2. The other end will not
>> know about the incoming packets from the other link.

Since we are talking load-balancing we suppose we have a route to our IP(s) from both links.

The dst-ip does not know which route the packet went from, only its default gateway, and does not check it either; the dst-ip cares if it comes from the original IP and eventually if it has the correct sequence, so it does not matter which route it comes from, since it comes in on the right interface from which it goes back to the GW, and this is where the further route decision is made then.

João

This message was scanned by the e-mail system and can be considered safe.
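As an added illustration of the two points argued in the exchange above (that `prob` decides each packet by an independent random draw, so an observed rate only settles near 0.33 as the packet count grows, and that a per-packet decision scatters one session over both links unless something keeps per-flow state), here is a small Python model. It is not ipfw code and comes from none of the posters; `prob p` is modelled as `random() < p` per packet as the thread describes, and the flow-sticky table is a hypothetical keep-state-like behaviour, not an existing ipfw option. The sample session is constructed.

```python
"""Model of ipfw's per-packet `prob` matching versus a flow-sticky decision.

Added illustration for this thread, not ipfw code. `prob p` is modelled as
an independent draw `random() < p` per packet; the flow-sticky table is a
hypothetical keep-state-like behaviour, not an existing ipfw option.
"""
import math
import random


def binomial_pmf(n, p):
    """Exact distribution of the number of matching packets out of n when
    each packet matches independently with probability p."""
    return [math.comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(n + 1)]


def prob_within(n, p, tol):
    """Probability that the observed match rate k/n lands within +/- tol of p.
    This is what a ping test with n packets can be expected to show."""
    return sum(pk for k, pk in enumerate(binomial_pmf(n, p)) if abs(k / n - p) <= tol)


def per_packet_fwd(flows, p, rng):
    """`prob p fwd` as the thread describes it: every packet, whatever flow
    it belongs to, gets its own random draw."""
    return ["link1" if rng.random() < p else "link2" for _ in flows]


def flow_sticky_fwd(flows, p, rng, table=None):
    """Hypothetical keep-state-like balancing: the first packet of a flow is
    decided with probability p, later packets of that flow reuse the decision."""
    table = {} if table is None else table
    decisions = []
    for flow in flows:
        if flow not in table:
            table[flow] = "link1" if rng.random() < p else "link2"
        decisions.append(table[flow])
    return decisions


def links_used(decisions):
    """Distinct links a flow's packets went out on; more than one means a split session."""
    return sorted(set(decisions))


# Constructed sample: 40 packets of one TCP session (src ip, src port, dst ip, dst port).
HTTPS_SESSION = [("192.0.2.10", 51234, "203.0.113.5", 443)] * 40


def demo(seed=2006):
    """Run both balancers over the sample session with a seeded RNG."""
    rng = random.Random(seed)
    return {
        "per_packet": links_used(per_packet_fwd(HTTPS_SESSION, 0.5, rng)),
        "flow_sticky": links_used(flow_sticky_fwd(HTTPS_SESSION, 0.5, rng)),
    }


if __name__ == "__main__":
    for n in (5, 28, 99, 1000):
        print(f"{n:5d} packets: P(rate within 5% of 0.33) = {prob_within(n, 0.33, 0.05):.3f}")
    result = demo()
    print("per-packet prob fwd uses:", result["per_packet"])
    print("flow-sticky fwd uses:    ", result["flow_sticky"])
```

With 5 packets no outcome can land within five points of 0.33 at all (only multiples of 20% are reachable), with 99 packets the chance is well below one, and only around a thousand packets does it become near-certain; that is the "distorted results with few packets" effect. The second half shows why precision is the smaller problem: the per-packet balancer sends the single session out over both links almost every run, while the flow-sticky variant keeps it on one.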
Service provided by Datacenter Matik https://datacenter.matik.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 13 11:50:34 2006
Message-ID: <9b6b59500604130444q3e4032cai907919aa77780c52@mail.gmail.com>
Date: Thu, 13 Apr 2006 19:44:09 +0800
From: hshh
To: freebsd-ipfw@freebsd.org
Subject: Still ARP Spoof question.

I have some FreeBSD boxes, including 4.11, 6.0, 6.1-PRERELEASE. They are in the same network, and all compiled with IPFW2 support. In that network there are other servers, and not mine.
I can't control them either.

One day, maybe one computer was hacked, and sent my server fake ARP packets. That's ARP spoofing, but it makes a fake gateway to attack my server. dmesg can show a message like:

arp: x.x.x.254 moved from 00:02:b3:52:5d:25 to 02:e0:52:14:37:4a on fxp0

x.x.x.254 is the gateway of that network, and 02:e0:52:14:37:4a is the MAC of the real gateway. 00:02:b3:52:5d:25 is a fake MAC; 00:11:22:33:44:55 was seen too.

I tried to use ``arp -S x.x.x.254 02:e0:52:14:37:4a'', and it did not work. After some seconds, my server can't communicate with the gateway.

I tried to use ipfw2 to deny these packets, ``deny ip from any to any MAC any 00:02:b3:52:5d:25 layer2'', which did not work either. Although I tuned ``net.link.ether.ipfw'' from 0 to 1, it still did not work.

What can I do? I can't touch the switch, and can't touch the gateway either. Any good idea to help me?

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 13 16:25:01 2006
Date: Thu, 13 Apr 2006 19:24:56 +0300
From: vladone
Message-ID: <742376878.20060413192456@spaingsm.com>
To: freebsd-ipfw@freebsd.org
In-Reply-To: <9b6b59500604130444q3e4032cai907919aa77780c52@mail.gmail.com>
Subject: Re: Still ARP Spoof question.
Reply-To: vladone

Hello hshh,

Thursday, April 13, 2006, 2:44:09 PM, you wrote:

> I have some FreeBSD box, include 4.11, 6.0, 6.1-PRERELEASE.
> They are in the same network, and all compiled with IPFW2 support.
> In that network, there are another server, and not mine. I can't control
> them either.
> One day, maybe one computer was hacked, and sent my server by fake ARP
> packet.
> That's ARP Spoof, but it make a fake gateway to attack my server.
> dmesg can show this message like:
> arp: x.x.x.254 moved from 00:02:b3:52:5d:25 to 02:e0:52:14:37:4a on fxp0
> x.x.x.254 is gateway of that network, and 02:e0:52:14:37:4a is MAC of real
> gateway.
> 00:02:b3:52:5d:25 is fake MAC, 00:11:22:33:44:55 was seen too.
> I tried to use ``arp -S x.x.x.254 02:e0:52:14:37:4a'', and not work. After
> some seconds,
> my server can't communication with gateway.
> I tried to use ipfw2 to deny these packet, ``deny ip from any to any MAC any
> 00:02:b3:52:5d:25 layer2'',
> not work either. Although I tune ``net.link.ether.ipfw'' from 0 to 1, still
> not work.
> What can I do? I can't touch the switch, can't touch the gateway either. Any
> good idea to help me?
I think that you receive this from the kernel anyway, because it is an error that is processed by the kernel. With a firewall you can block packets passing through an interface. This is my opinion.

-- 
Best regards,
vladone
mailto:vladone@spaingsm.com

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 13 21:10:16 2006
Date: Thu, 13 Apr 2006 21:10:15 GMT
Message-Id: <200604132110.k3DLAFeh081709@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Maxim Konovalov
Subject: kern/63724

The following reply was made to PR kern/63724; it has been noted by GNATS.
From: Maxim Konovalov
To: Alex de Kruijff
Cc: bug-followup@freebsd.org
Subject: kern/63724
Date: Fri, 14 Apr 2006 01:05:01 +0400 (MSD)

Alex,

ipfw rule #31600 counters show packets just do not reach it and all subsequent rules. We need the whole ipfw ruleset. Can you check whether the problem persists in recent FreeBSD releases?

-- 
Maxim Konovalov

From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 15 11:18:52 2006
Message-ID: <9b6b59500604150418t3d41ebfdw6ada6d8040499ea7@mail.gmail.com>
Date: Sat, 15 Apr 2006 19:18:50 +0800
From: hshh
To: freebsd-ipfw@freebsd.org
Subject: Re: Still ARP Spoof question.
So, is there no way to defend against ARP spoof attacks with FreeBSD?

From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 15 12:46:43 2006
Date: Sat, 15 Apr 2006 15:46:29 +0300 (EEST)
From: Dmitry Pryanishnikov
To: hshh
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <9b6b59500604150418t3d41ebfdw6ada6d8040499ea7@mail.gmail.com>
Message-ID: <20060415151040.P28900@atlantis.atlantis.dp.ua>
Subject: Re: Still ARP Spoof question.

Hello!

On Sat, 15 Apr 2006, hshh wrote:
> So, is there no way to defend against ARP spoof attacks with FreeBSD?
It has always worked for me to simply set up static ARP entries using

arp -S hostname ether_addr

At least, under RELENG_4 this prevents the IP <=> MAC pair from being overwritten. I believe that it isn't broken in newer branches. So ipfw isn't needed to solve this particular task.

However, you shouldn't forget that your FreeBSD host doesn't control ARP tables in other computers and switches on your LAN. So this static ARP can only guarantee that _your_ computer will always send IP packets to the hardware with the proper MAC. It's not sufficient to guard against ARP spoofing just on one communication endpoint. Suppose you have the following LAN:

          +--------+
COMP1-----I Switch I-----COMP2
          I        I-----COMP3
          +--------+

Your computer is COMP1; you've set a static ARP entry for COMP2 in its ARP table. However, COMP2 still asks for your (COMP1) MAC address. If malicious COMP3 sends an ARP reply with its own MAC address, COMP2 will send packets for COMP1 to COMP3's MAC. The switch also has its own MAC forwarding table, and it can also be spoofed by COMP3's ARP replies (if the switch isn't intelligent enough to drop such replies, like 3COM SuperStacks with the port security feature). Your task can't be solved by just COMP1, whatever OS it's running.

Sincerely, Dmitry

-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
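As an added example (code from none of the posters, and not FreeBSD's own) of the monitoring side of the point made above: a static entry keeps only this host's table honest, but the "arp: ... moved from ... to ..." kernel message quoted earlier in the thread is the one signal this host still receives, and watching it tells you when the rest of the LAN is being fed a fake gateway MAC. The log lines below are constructed samples modelled on that message, using the MACs quoted in the thread and 192.0.2.254 as a stand-in for the x.x.x.254 gateway.

```python
"""Flag ARP table changes reported by the FreeBSD kernel.

Added illustration for this thread, not code from any poster or from FreeBSD.
It parses the "arp: <ip> moved from <mac> to <mac> on <if>" message quoted
in the thread and compares each move with a table of the MACs we expect.
"""
import re

# Kernel message for an ARP entry changing hardware address, as quoted in the thread.
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) to "
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\S+)",
    re.IGNORECASE,
)


def parse_arp_moved(line):
    """Return {ip, old, new, ifname} for a 'moved from' line, else None."""
    m = ARP_MOVED.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["old"], ev["new"] = ev["old"].lower(), ev["new"].lower()
    return ev


def classify(ev, expected):
    """'poisoned'  : a guarded IP now resolves to a MAC we do not expect
       'recovered' : it moved back to the expected MAC (so it had been poisoned)
       'unguarded' : the IP is not in the expected table; still worth a look"""
    want = expected.get(ev["ip"])
    if want is None:
        return "unguarded"
    return "recovered" if ev["new"] == want.lower() else "poisoned"


def scan(lines, expected):
    """Every ARP move becomes an alert tuple; the last field is the verdict."""
    alerts = []
    for line in lines:
        ev = parse_arp_moved(line)
        if ev is not None:
            alerts.append((ev["ip"], ev["old"], ev["new"], ev["ifname"], classify(ev, expected)))
    return alerts


def suspect_macs(alerts, expected):
    """MACs that a guarded IP was ever mapped to other than its expected one."""
    macs = set()
    for ip, old, new, _ifname, _verdict in alerts:
        want = expected.get(ip)
        if want is None:
            continue
        macs.update(m for m in (old, new) if m != want.lower())
    return macs


# Constructed sample log, modelled on the message quoted in the thread.
SAMPLE_LOG = [
    "Apr 13 19:40:01 srv kernel: arp: 192.0.2.254 moved from 02:e0:52:14:37:4a to 00:02:b3:52:5d:25 on fxp0",
    "Apr 13 19:40:07 srv kernel: arp: 192.0.2.254 moved from 00:02:b3:52:5d:25 to 02:e0:52:14:37:4a on fxp0",
    "Apr 13 19:41:12 srv kernel: arp: 192.0.2.254 moved from 02:e0:52:14:37:4a to 00:11:22:33:44:55 on fxp0",
    "Apr 13 19:41:30 srv kernel: arp: 192.0.2.77 moved from 00:0c:29:aa:bb:cc to 00:0c:29:aa:bb:cd on fxp0",
    "Apr 13 19:42:00 srv sshd[4711]: Accepted publickey for admin from 192.0.2.20 port 40122 ssh2",
]

# Expected table: the real gateway MAC from the thread, keyed by the constructed gateway IP.
EXPECTED = {"192.0.2.254": "02:e0:52:14:37:4a"}

if __name__ == "__main__":
    alerts = scan(SAMPLE_LOG, EXPECTED)
    for alert in alerts:
        print("%-10s %s: %s -> %s on %s" % (alert[4], *alert[:4]))
    print("suspect MACs:", sorted(suspect_macs(alerts, EXPECTED)))
```

Once `arp -S` is in place the local table stops flapping and these lines stop appearing on this host, so the useful moment to run this is before pinning, or on a host that is deliberately left dynamic as a sensor. A "recovered" verdict is as telling as a "poisoned" one: the entry only moves back to the real gateway because something else had pushed it away, which is exactly the situation where the other hosts and the switch may still hold the fake mapping.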