From: itojun@iijlab.net
To: Gunther Schadow
Cc: snap-users@kame.net, users@ipv6.org, net@freebsd.org, ipfw@freebsd.org
Date: Sun, 08 Apr 2001 18:10:52 +0900
Subject: Re: Consolidating KAME SPD rules and IPFW / IPfilter.
Message-ID: <24338.986721052@coconut.itojun.org>
In-Reply-To: <3ACFF2D6.13219EAB@aurora.regenstrief.org>

>To which I can only say that in IPv4 world and VPN, NAT is almost
>mandatory. For me, using NAT allows me to set up VPN specific
>routing for my special project within a corporate network without
>bothering the network administrator with using FreeBSD instead of
>their Cisco stuff for routing. FreeBSD/KAME needs NAT for allowing
>it to be used in production environments today. NAT comes with
>IPFW, which is where the circle closes.

as mentioned before, there was a discussion on one of the freebsd
mailing lists.  there was a proposed patch just like below (the
following patch works only for the latest KAME tree, not for the
FreeBSD tree).
http://www.kame.net/dev/cvsweb.cgi/kame/freebsd4/sys/netinet/ip_input.c.diff?r1=1.16&r2=1.17
the patch tries to do the following, i have no environment to test.
http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From: itojun@iijlab.net
To: Gunther Schadow
Cc: snap-users@kame.net, users@ipv6.org, net@freebsd.org, ipfw@freebsd.org
Date: Mon, 09 Apr 2001 08:57:25 +0900
Subject: Re: Consolidating KAME SPD rules and IPFW / IPfilter.
Message-ID: <2683.986774245@coconut.itojun.org>
In-Reply-To: <3ACFF2D6.13219EAB@aurora.regenstrief.org>

>I am tempted to "outsource" the IPsec functionality away from the
>kernel using a daemon on a divert socket, just like NATD. This would
>be more modular and keeps the kernel from panicking because of bugs
>in IPsec -- I did have embarrassing kernel crashes, just when I bragged
>about FreeBSD running rock solid :0(.

checking - did you have kernel panics in kernel IPsec code (then pls
send-pr), or are you just talking about an example?
itojun

From: das@mbox.com.au
To: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Date: Mon, 09 Apr 2001 20:52:53 +1000
Subject: multi-subnet windows file sharing?
Message-ID: <35811835be84.35be84358118@mbox.com.au>

Hi guys, sorry about this question on this board, but I haven't met a
microsloth person capable of answering my question.

I have a freebsd box with 5 interfaces. 1 is used to connect to a
cable modem. The other 4 cards connect to internal networks.

--- ed0 --- freebsd4.2 box --- fxp0 = 10.0.255.254/16
                           --- fxp1 = 10.1.255.254/16
                           --- fxp2 = 10.2.255.254/16
                           --- ex0  = 10.3.255.254/16

On the 10.0/16 network exists a Windows 2000 professional/workstation
machine with a printer. Can I use ipfw forwarding rules, or some other
method, to allow clients on the other subnets to print to this server?

I guess this means forwarding all sort of broadcast crap as well, but I
haven't done any sniffing yet. I'm kind of hoping that somebody else
out there has already done this. Do people think the MS box will cope,
or will NAT be the go?
Thanks,
Dave Seddon

From: Mike Nowlin
To: das@mbox.com.au
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 10 Apr 2001 01:21:28 -0400
Subject: Re: multi-subnet windows file sharing?
Message-ID: <20010410012128.A21387@argos.org>
In-Reply-To: <35811835be84.35be84358118@mbox.com.au>

On 0, das@mbox.com.au wrote:
> Hi guys, sorry about this question on this board, but I haven't met a
> microsloth person capable of answering my question.
>
> I have a freebsd box with 5 interfaces. 1 is used to connect to a
> cable modem. The other 4 cards connect to internal networks.
>
> --- ed0 --- freebsd4.2 box --- fxp0 = 10.0.255.254/16
>                            --- fxp1 = 10.1.255.254/16
>                            --- fxp2 = 10.2.255.254/16
>                            --- ex0  = 10.3.255.254/16
>
> On the 10.0/16 network exists a Windows 2000 professional/workstation
> machine with a printer. Can I use ipfw forwarding rules, or some other
> method, to allow clients on the other subnets to print to this server?
>
> I guess this means forwarding all sort of broadcast crap as well, but I
> haven't done any sniffing yet. I'm kind of hoping that somebody else
> out there has already done this. Do people think the MS box will cope,
> or will NAT be the go?

Just did this not too long ago...  Best way I've found is to run Samba (in
the ports) on the router - it doesn't need to offer any services, but it's
a much cleaner way (and friendlier to Windeath) of doing this kind of
thing.  Basically, Samba can act as a domain master browser and "spread
the word" about shares offered on other subnets.

There's a big section on doing this in the Samba docs...

mike

From: Marko Cuk
Organization: Pcx computers d.o.o., Tehnika
To: freebsd-stable@freebsd.org, freebsd-ipfw@freebsd.org
Date: Tue, 10 Apr 2001 12:07:34 +0200
Subject: NATd & high internal load - help
Message-ID: <3AD2DB66.FA4A4F75@cuk.nu>
Hello !!

I have problems with high load on a FBSD box. First I had 4.2-STABLE,
then I cvsuped to 4.3-RC. Same thing.

When high traffic occurs on the 100mbit hub to which fxp0 is connected,
load and processor usage of the natd process is very high and after a
while it won't pass packets to the outside world anymore.

The configuration:
- Celeron 400 and BX motherboard, 512Mb RAM PC100.
- fxp Intel 10/100 cards
  fxp0 - connected to hub and interface has routable IP, because it has
         a network behind
  fxp1 - connected to outside world

Routing is working, everything was ok. Then I want to set an alias to
fxp0 with a 192.168.x.x unregistered class and make NATd working, to hide
most of the client computers and leave the routable IPs for servers, etc.

It's very strange. I have NATd at home and it is working without any
problems.

The MAXUSERS variable is set to 196 and netstat -m:

261/944/14336 mbufs in use (current/peak/max):
        236 mbufs allocated to data
        25 mbufs allocated to packet headers
206/438/3584 mbuf clusters in use (current/peak/max)
1112 Kbytes allocated to network (10% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

Top:

last pid:  9475;  load averages:  0.97,  0.51,  0.35   up 8+09:49:40  11:47:42
48 processes:  4 running, 44 sleeping
CPU states: 14.0% user,  0.0% nice, 71.3% system,  9.3% interrupt,  5.4% idle
Mem: 170M Active, 246M Inact, 58M Wired, 20M Cache, 61M Buf, 6752K Free
Swap: 2000M Total, 48K Used, 2000M Free

  PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
 9475 root      36   0   448K   228K RUN      0:12 28.87% 24.56% ping

/etc/rc.conf

firewall_enable="YES"
firewall_type="/etc/rc.pcx"
firewall_script="/etc/rc.firewall"
firewall_quiet="YES"
natd_program="/sbin/natd"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"

/etc/natd.conf

interface fxp1          <----- if I put an IP here, it's the same problem
#log yes
log_denied yes
unregistered_only yes
#use_sockets yes
#same_ports yes
#dynamic yes

I also commented those things out as Blaz Zupan told me.

ipfw natd rule:

add 80 divert natd ip from any to any via fxp1

Now I don't have any idea what to do. Did I miss something? What did I
do wrong?

I have also 84 ipfw rules for the firewall (most of them reset and deny
and a few dummynet pipes). Is the processor too slow for that?

Cuk
From: Bill Fumerola
To: Marko Cuk
Cc: freebsd-stable@freebsd.org, freebsd-ipfw@freebsd.org
Date: Tue, 10 Apr 2001 18:31:54 -0500
Subject: Re: NATd & high internal load - help
Message-ID: <20010410183154.H75584@elvis.mu.org>
In-Reply-To: <3AD2DB66.FA4A4F75@cuk.nu>

On Tue, Apr 10, 2001 at 12:07:34PM +0200, Marko Cuk wrote:

> I have also 84 ipfw rules for firewall ( most of them reset and deny and
> a few dummynet pipes ).
> Is the processor too slow for that ?

Depending on the order of these rules: possibly.

-- 
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

From: Martin Hasenbein
Organization: SpaceNet AG, Muenchen, Germany
To: freebsd-ipfw@freebsd.org
Date: Wed, 11 Apr 2001 15:31:58 +0200
Subject: ipfw rules
Message-ID: <20010411153157.K75756@Space.Net>

Hi,

I'm trying to build a firewall with ipfw, but still have some problems with
the rules. Does anyone have good links on how to configure ipfw or maybe
example rulesets? I'm using static IP addresses, no NAT.
\thx\martin
-- 
--------------------------------------------------------------------
Martin Hasenbein           Phone (Fax): (+49) 89 1216376-1 (3)   \|/
Weiglstr.9                 mailto:martin@hasenbein.com           @ @
D-80636 München            http://martin.hasenbein.com
-oOO-(_)-OOo--------------------------------------------------------
On the 8th day, god created Unix ;-)

From: Bill Fumerola
To: Martin Hasenbein
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 11 Apr 2001 15:09:31 -0500
Subject: Re: ipfw rules
Message-ID: <20010411150931.O75584@elvis.mu.org>
In-Reply-To: <20010411153157.K75756@Space.Net>

On Wed, Apr 11, 2001 at 03:31:58PM +0200, Martin Hasenbein wrote:
> I'm trying to build a firewall with ipfw, but still have some problems with
> the rules. Does anyone have good links on how to configure ipfw or maybe
> example rulesets? I'm using static IP addresses, no NAT.

man ipfw and /etc/rc.firewall

-- 
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

From: Gregory Neil Shapiro
To: freebsd-ipfw@freebsd.org
Date: Wed, 11 Apr 2001 23:31:16 -0700
Subject: ipfw dynamic rulesets broken for me
Message-ID: <15061.19380.659608.578985@horsey.gshapiro.net>

I tried switching from using the established check to keeping state and
it isn't working as expected. Dynamic rules time out on open connections
(e.g., ssh connections that I haven't used for about 10 minutes but are
still open). Also, by the time a TCP connection goes from CLOSE_WAIT to
LAST_ACK, the dynamic rule is gone and the LAST_ACK is denied (and
therefore the connection lingers).

I've included my fairly simple ipfw ruleset below. Any help is
appreciated.
# Clear the list
-f flush

# localhost
add 01000 allow ip from any to any via lo0

# Check state table
add 02000 check-state
add 02000 deny log tcp from any to any established

# Stop RFC1918 nets
add 10010 deny log ip from 10.0.0.0/8 to any
add 10010 deny log ip from any to 10.0.0.0/8
add 10127 deny log ip from 127.0.0.0/8 to any
add 10127 deny log ip from any to 127.0.0.0/8
add 10172 deny log ip from 172.16.0.0/12 to any
add 10172 deny log ip from any to 172.16.0.0/12
add 10192 deny log ip from 192.168.0.0/16 to any
add 10192 deny log ip from any to 192.168.0.0/16

# Open for services we want to offer
# ssh, smtp, identd
add 20000 allow tcp from any to me 22,25,113 setup in keep-state

# Allow DHCP to work
add 20068 allow udp from any 67 to me 68 in

# Allow outgoing connections
add 30000 allow tcp from me to any setup out keep-state
add 30010 allow udp from me to any out keep-state
add 30020 allow icmp from me to any out keep-state

# Denies we don't care to log
add 40000 deny udp from any 138 to any 138 in

# Never assume the kernel default
add 65534 deny log ip from any to any

From: Martin Hasenbein
Organization: SpaceNet AG, Muenchen, Germany
To: freebsd-ipfw@freebsd.org
Date: Thu, 12 Apr 2001 09:31:25 +0200
Subject: what about this ruleset?
Message-ID: <20010412093125.A60060@Space.Net>

Hi everybody,

what do you think about this ruleset? This is the ruleset of my server.
I need the following services available:

SSH incoming and outgoing
SMTP incoming and outgoing
FTP outgoing
Ping incoming and outgoing
POP3 incoming
Samba
NFS

I have official IP addresses and don't do NAT.

work = my server
home = my workstation
router = my router
tupac = my girlfriend's windows-box

### Setup ######
fwcmd="/sbin/ipfw"

${fwcmd} -f flush

# 00100 & 00200 loopback
# 00300 tcp
# 00400 udp
# 00500 kiddie logging (netbus etc)
# 00600 icmp logging

${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 205 deny log all from any to 10.0.0.0/8 via fxp0
${fwcmd} add 206 deny log all from any to 172.16.0.0/12 via fxp0
${fwcmd} add 207 deny log all from any to 192.168.0.0/16 via fxp0
${fwcmd} add 208 deny log all from 10.0.0.0/8 to any via fxp0
${fwcmd} add 209 deny log all from 172.16.0.0/12 to any via fxp0
${fwcmd} add 210 deny log all from 192.168.0.0/16 to any via fxp0
${fwcmd} add 211 deny log all from any to 0.0.0.0/8 via fxp0
${fwcmd} add 212 deny log all from any to 169.254.0.0/16 via fxp0
${fwcmd} add 213 deny log all from any to 192.0.2.0/24 via fxp0
${fwcmd} add 214 deny log all from any to 224.0.0.0/4 via fxp0
${fwcmd} add 215 deny log all from any to 240.0.0.0/4 via fxp0
${fwcmd} add 216 deny log all from 0.0.0.0/8 to any via fxp0
${fwcmd} add 217 deny log all from 169.254.0.0/16 to any via fxp0
${fwcmd} add 218 deny log all from 192.0.2.0/24 to any via fxp0
${fwcmd} add 219 deny log all from 224.0.0.0/4 to any via fxp0
${fwcmd} add 220 deny log all from 240.0.0.0/4 to any via fxp0

${fwcmd} add 300 pass tcp from work to any out xmit fxp0 setup
${fwcmd} add 301 pass tcp from any to any established
${fwcmd} add 302 pass tcp from any to work 22 in recv fxp0 setup
${fwcmd} add 303 pass tcp from any to work 25 in recv fxp0 setup
${fwcmd} add 304 pass tcp from any to work 110 in recv fxp0 setup
${fwcmd} add 305 pass tcp from any 20 to work 1024-65535 in recv fxp0 setup
${fwcmd} add 306 reset tcp from any to work 113 in recv fxp0 setup
${fwcmd} add 307 reset log tcp from any to any in recv fxp0 setup

${fwcmd} add 400 pass log udp from home to work in recv fxp0
${fwcmd} add 402 pass udp from any 53 to work in recv fxp0
${fwcmd} add 403 pass udp from work to any 53 out xmit fxp0
${fwcmd} add 404 pass log udp from tupac to work 137-139 via fxp0
${fwcmd} add 405 pass log udp from work to any 33434-33534
${fwcmd} add 406 unreach port log udp from any to any in recv fxp0

${fwcmd} add 600 pass icmp from work to any icmptypes 0,3,4,8,11,12 out xmit fxp0
${fwcmd} add 601 pass icmp from any to work icmptypes 0,3,4,8,11,12 in recv fxp0
${fwcmd} add 602 deny icmp from any to any in recv fxp0

${fwcmd} add 700 deny all from any to 255.255.255.255
${fwcmd} add 701 deny log all from any to any

Any suggestions, comments, tips, tricks ........
\thx\martin
-- 
--------------------------------------------------------------------
Martin Hasenbein           Phone (Fax): (+49) 89 1216376-1 (3)   \|/
Weiglstr.9                 mailto:martin@hasenbein.com           @ @
D-80636 München            http://martin.hasenbein.com
-oOO-(_)-OOo--------------------------------------------------------
On the 8th day, god created Unix ;-)

From: "Blair Sutton/Odey"
To: das@mbox.com.au
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Date: Thu, 12 Apr 2001 17:53:21 +0100
Subject: Re: multi-subnet windows file sharing?

You can also create a WINS server. This doesn't have to run on the router
but must have a routable IP address within your network system.

Another solution is to configure your router to forward ethernet packets.
I don't know how to do this, but you can read the bridge(4) manpage and
the BRIDGE option in your kernel conf.
Hope this helps in addition.

Blair
From: Lyndon Nerenberg
Organization: The Frobozz Magic Homing Pigeon Company
To: Gregory Neil Shapiro
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 12 Apr 2001 10:56:38 -0600
Subject: Re: ipfw dynamic rulesets broken for me
Message-ID: <200104121656.f3CGuci23431@orthanc.ab.ca>
In-Reply-To: <15061.19380.659608.578985@horsey.gshapiro.net>

>>>>> "Gregory" == Gregory Neil Shapiro writes:

    Gregory> I tried switching from using the established check to
    Gregory> keeping state and it isn't working as expected. Dynamic
    Gregory> rules time out on open connections (e.g., ssh connections
    Gregory> that I haven't used for about 10 minutes but are still
    Gregory> open).

ipfw has insanely short timeouts for the keep-state engine. Add this to
/etc/sysctl.conf (adjusted to a suitable value for your network):

# TCP connections time out after eight hours.
net.inet.ip.fw.dyn_ack_lifetime=28800

--lyndon

From: Gregory Neil Shapiro
To: Lyndon Nerenberg
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Thu, 12 Apr 2001 10:01:44 -0700
Subject: Re: ipfw dynamic rulesets broken for me
Message-ID: <15061.57208.578708.358266@horsey.gshapiro.net>
In-Reply-To: <200104121656.f3CGuci23431@orthanc.ab.ca>

lyndon> ipfw has insanely short timeouts for the keep-state engine.

A note to the ipfw maintainers, this should work out of the box so it's
less of a support hassle.

lyndon> Add this to /etc/sysctl.conf (adjusted to a suitable value
lyndon> for your network):

lyndon> # TCP connections time out after eight hours.
lyndon> net.inet.ip.fw.dyn_ack_lifetime=28800

Thanks, I'll give it a try and see if it solves all of the problems.
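The expiry behaviour behind this exchange, as an added example that is not code from the thread or from FreeBSD: a simplified Python model of the dynamic-rule table that check-state/keep-state maintain, run over a constructed packet trace through the relevant rules of Gregory's ruleset. It assumes the lifetimes ipfw(8) lists as defaults (dyn_syn 20 s, dyn_ack 300 s, dyn_fin 1 s), ignores RST handling, and shows why an idle ssh session and a late FIN out of CLOSE_WAIT hit the "deny established" rule, and why setting dyn_ack_lifetime to 28800 as Lyndon suggests avoids that.

```python
"""Toy model of ipfw's check-state/keep-state dynamic rules and lifetimes."""
from dataclasses import dataclass, field

# Assumed default lifetimes (seconds) for dynamic rules, as listed in ipfw(8).
DEFAULTS = {
    "net.inet.ip.fw.dyn_syn_lifetime": 20,
    "net.inet.ip.fw.dyn_ack_lifetime": 300,
    "net.inet.ip.fw.dyn_fin_lifetime": 1,
}


@dataclass
class Packet:
    t: float        # arrival time in seconds since the trace started
    direction: str  # "out" = from me, "in" = to me
    flags: str      # any of S (SYN), A (ACK), F (FIN)


@dataclass
class DynRule:
    expires: float
    fin_seen: set = field(default_factory=set)  # directions that have sent FIN


class Firewall:
    """One TCP flow through the relevant rules of Gregory's ruleset:
    02000 check-state, 02000 deny established, 30000 allow setup out
    keep-state, and the final deny.  Simplified: no RST handling."""

    def __init__(self, sysctl=None):
        self.sysctl = {**DEFAULTS, **(sysctl or {})}
        self.rule = None  # the flow's dynamic rule while it is alive

    def _refresh(self, pkt):
        """Re-arm the rule's expiry the way ipfw does on each matching packet."""
        s = self.sysctl
        if "F" in pkt.flags:
            self.rule.fin_seen.add(pkt.direction)
        if len(self.rule.fin_seen) == 2:   # both sides closed: short timer
            life = s["net.inet.ip.fw.dyn_fin_lifetime"]
        elif pkt.flags == "S":             # still in the handshake
            life = s["net.inet.ip.fw.dyn_syn_lifetime"]
        else:                              # established traffic
            life = s["net.inet.ip.fw.dyn_ack_lifetime"]
        self.rule.expires = pkt.t + life

    def filter(self, pkt):
        # Expired dynamic rules are reaped before the lookup.
        if self.rule is not None and self.rule.expires <= pkt.t:
            self.rule = None
        # add 02000 check-state
        if self.rule is not None:
            self._refresh(pkt)
            return "allow: dynamic rule"
        # add 02000 deny log tcp from any to any established
        if "A" in pkt.flags:
            return "deny: established but no state"
        # add 30000 allow tcp from me to any setup out keep-state
        if pkt.direction == "out" and pkt.flags == "S":
            self.rule = DynRule(pkt.t + self.sysctl["net.inet.ip.fw.dyn_syn_lifetime"])
            return "allow: setup, state created"
        # add 65534 deny log ip from any to any
        return "deny: default"


def verdicts(trace, sysctl=None):
    """Run a packet trace through a fresh firewall; one verdict per packet."""
    fw = Firewall(sysctl)
    return [fw.filter(p) for p in trace]


# Constructed traces (not captured traffic).
HANDSHAKE = [Packet(0.0, "out", "S"), Packet(0.1, "in", "SA"), Packet(0.2, "out", "A")]

# An outbound ssh session idle for about 11 minutes, then a keystroke.
IDLE_SSH = HANDSHAKE + [Packet(5.0, "out", "A"), Packet(705.0, "out", "A")]

# The peer closes first (me in CLOSE_WAIT); the application holds the socket
# for 400 s before closing, so my FIN (moving to LAST_ACK) and its ACK come late.
CLOSE_WAIT = HANDSHAKE + [Packet(10.0, "in", "FA"),
                          Packet(410.0, "out", "FA"), Packet(410.1, "in", "A")]

# Lyndon's suggestion: net.inet.ip.fw.dyn_ack_lifetime=28800
LONG_ACK = {"net.inet.ip.fw.dyn_ack_lifetime": 28800}

if __name__ == "__main__":
    for name, trace in (("idle ssh", IDLE_SSH), ("close_wait", CLOSE_WAIT)):
        for label, cfg in (("defaults", None), ("ack_lifetime=28800", LONG_ACK)):
            print(f"{name:10s} {label:19s} last verdicts: {verdicts(trace, cfg)[-2:]}")
```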
From owner-freebsd-ipfw Thu Apr 12 12:13:27 2001
From: Kirk Strauser
To: freebsd-ipfw@freebsd.org
Subject: Beating a dead horse - ipfw and FTP
Date: 12 Apr 2001 14:13:14 -0500
Message-ID: <87puei53ud.fsf@pooh.honeypot>

I've read a lot of the mailing list archives regarding ipfw and FTP. The
basic consensus seems to be that FTP Is Bad and that it shouldn't be used.
OK, on a technical level, I agree. Unfortunately, it's still somewhat hard
to get away from. In particular, look at the FreeBSD ports system which
relies heavily on using FTP to fetch source tarballs - that alone is reason
enough for me to maintain usability for this antiquated protocol. Add in
the fact that I have several user workstations that periodically fetch files
(darn those Debian users :) ) and I'm pretty well stuck.

So, has anyone agreed on a best-practices method of allowing outgoing FTP
connections through ipfw? It seems like the ideal would be for someone to
add an FTP method to ipfw's keep-state mechanism, but that doesn't seem to
exist right now.
The next best solution, to me, would be an ipfw-aware FTP
proxy that can dynamically open and close ports. Does such a thing exist?
If so, and there are more than one, are any of them recommended?

I'm thinking that a final last-ditch-effort solution would be to write a
two-part FTP proxy server so half of the server lives outside the firewall
and the other half is inside, and the two halves communicate via a secure
link. This might actually be a Good Thing, but darned if I'd even know
where to begin such a project.
-- 
Kirk Strauser

From owner-freebsd-ipfw Thu Apr 12 12:17:43 2001
From: Luigi Rizzo
To: Kirk Strauser
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Beating a dead horse - ipfw and FTP
In-Reply-To: <87puei53ud.fsf@pooh.honeypot> from Kirk Strauser at "Apr 12, 2001 02:13:14 pm"
Date: Thu, 12 Apr 2001 21:16:23 +0200 (CEST)
Message-Id: <200104121916.VAA74511@info.iet.unipi.it>

we have stateful ipfw and passive ftp -- the combination of the two
should give you the protection that you want. Am i wrong ?

	cheers
	luigi

> I've read a lot of the mailing list archives regarding ipfw and FTP. The
> basic consensus seems to be that FTP Is Bad and that it shouldn't be used.
> OK, on a technical level, I agree. Unfortunately, it's still somewhat hard
> to get away from.
> In particular, look at the FreeBSD ports system which
> relies heavily on using FTP to fetch source tarballs - that alone is reason
> enough for me to maintain usability for this antiquated protocol. Add in
> the fact that I have several user workstations that periodically fetch files
> (darn those Debian users :) ) and I'm pretty well stuck.
>
> So, has anyone agreed on a best-practices method of allowing outgoing FTP
> connections through ipfw? It seems like the ideal would be for someone to
> add an FTP method to ipfw's keep-state mechanism, but that doesn't seem to
> exist right now. The next best solution, to me, would be an ipfw-aware FTP
> proxy that can dynamically open and close ports. Does such a thing exist?
> If so, and there are more than one, are any of them recommended?
>
> I'm thinking that a final last-ditch-effort solution would be to write a
> two-part FTP proxy server so half of the server lives outside the firewall
> and the other half is inside, and the two halves communicate via a secure
> link. This might actually be a Good Thing, but darned if I'd even know
> where to begin such a project.
> -- 
> Kirk Strauser

From owner-freebsd-ipfw Thu Apr 12 14:57:51 2001
From: Kirk Strauser
To: freebsd-ipfw@freebsd.org
Subject: Re: Beating a dead horse - ipfw and FTP
References: <200104121916.VAA74511@info.iet.unipi.it>
In-Reply-To: <200104121916.VAA74511@info.iet.unipi.it>
Date: 12 Apr 2001 16:57:46 -0500
Message-ID: <87bsq1hjc5.fsf@pooh.honeypot>

At 2001-04-12T19:16:23Z, Luigi Rizzo writes:

> we have stateful ipfw and passive ftp -- the combination of the two should
> give you the protection that you want. Am i wrong ?

Unfortunately, yes. The annoying part is that there is no way to tell what
port the FTP server will want you to connect to ahead of time:

1. Connect from client to server port 21
2. Ask the server what port to connect to for data transmission
3. Connect from client port 20 to the specified port on the server

The old style was even worse:

1. Connect from client to server port 21
2. Connect from server to client port 20

So, there's no way to know what port to open (for step 3 of the first
listing) in advance.
-- 
Kirk Strauser

From owner-freebsd-ipfw Thu Apr 12 15:01:59 2001
From: Luigi Rizzo
To: Kirk Strauser
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Beating a dead horse - ipfw and FTP
In-Reply-To: <87bsq1hjc5.fsf@pooh.honeypot> from Kirk Strauser at "Apr 12, 2001 04:57:46 pm"
Date: Fri, 13 Apr 2001 00:00:40 +0200 (CEST)
Message-Id: <200104122200.AAA75489@info.iet.unipi.it>

> At 2001-04-12T19:16:23Z, Luigi Rizzo writes:
>
> > we have stateful ipfw and passive ftp -- the combination of the two should
> > give you the protection that you want. Am i wrong ?
>
> Unfortunately, yes. The annoying part is that there is no way to tell what
> port the FTP server will want you to connect to ahead of time:
>
> 1. Connect from client to server port 21
> 2. Ask the server what port to connect to for data transmission
> 3. Connect from client port 20 to the specified port on the server

so set a dynamic rule on the server which lets in connections from
port 20 on the client side.

	cheers
	luigi

> The old style was even worse:
>
> 1. Connect from client to server port 21
> 2. Connect from server to client port 20
>
> So, there's no way to know what port to open (for step 3 of the first
> listing) in advance.
> -- 
> Kirk Strauser

From owner-freebsd-ipfw Thu Apr 12 15:03:15 2001
From: Kirk Strauser
To: freebsd-ipfw@freebsd.org
Subject: Using recv and xmit together?
Date: 12 Apr 2001 17:03:12 -0500
Message-ID: <8766g9hj33.fsf@pooh.honeypot>

I want to allow connections from internal clients to external servers. I
had originally thought that:

    ipfw add allow tcp from to \
        keep-state out recv xmit

or some close variation would work. Instead, I'm finding that I seem to
need to split this into two rules:

    ipfw add allow tcp from to \
        keep-state in recv

    ipfw add allow tcp from to \
        keep-state out xmit

Is this correct? I really hope that I'm misreading the situation (you can
only look at firewall rules for so many hours before things get fuzzy).
-- 
Kirk Strauser

From owner-freebsd-ipfw Thu Apr 12 15:13:23 2001
From: Kirk Strauser
To: freebsd-ipfw@freebsd.org
Subject: Re: Beating a dead horse - ipfw and FTP
References: <200104122200.AAA75489@info.iet.unipi.it>
In-Reply-To: <200104122200.AAA75489@info.iet.unipi.it>
Date: 12 Apr 2001 17:13:19 -0500
Message-ID: <87eluxsr5s.fsf@pooh.honeypot>

At 2001-04-12T22:00:40Z, Luigi Rizzo writes:

> Kirk Strauser wrote:
> > 1. Connect from client to server port 21
> > 2. Ask the server what port to connect to for data transmission
> > 3. Connect from client port 20 to the specified port on the server
>
> so set a dynamic rule on the server which lets in connections from
> port 20 on the client side.

I think that I botched that explanation. Could someone better at
explaining these things than I am jump in?
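The two data-connection setups this thread is arguing about, as an added example that is not part of any of the posts: per RFC 959 the client and server exchange the data endpoint in-band on the port-21 control connection, either as a PORT command (active mode: the server then connects from its port 20 to the client's advertised address and port) or as a 227 reply to PASV (passive mode: the client then connects from an ephemeral port to the server's advertised address and port). A firewall can only learn the data port by reading those lines, which is exactly what the FTP-aware keep-state engine Kirk wishes for would have to do. The parser below derives the single extra flow ("pinhole") each line implies; the addresses, the transcript, the refusal of privileged data ports and the check that the advertised address equals the control-channel peer are my assumptions and policy choices, not anything ipfw does.

```python
import re
from dataclasses import dataclass

# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 in both directions.
PORT_CMD = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_REPLY = re.compile(r"^227\s.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


@dataclass(frozen=True)
class Pinhole:
    """The one extra flow a firewall must admit for a single data transfer."""
    proto: str
    src: str      # side that will open the data connection
    sport: str    # "20" in active mode, "any" (ephemeral) in passive mode
    dst: str
    dport: int


def _decode_hp(spec, expected_ip):
    """Decode h1,h2,h3,h4,p1,p2 and apply the checks an FTP-aware engine should make."""
    parts = [int(x) for x in spec.split(",")]
    if any(x > 255 for x in parts):
        raise ValueError("octet out of range in " + spec)
    ip = ".".join(str(x) for x in parts[:4])
    port = parts[4] * 256 + parts[5]
    # Policy choice (assumption): never open a hole to a privileged port.
    if port < 1024:
        raise ValueError("refusing privileged data port %d" % port)
    # The advertised address must be the control-channel peer itself, so a
    # control session can never open a hole towards some third host.
    if ip != expected_ip:
        raise ValueError("advertised %s is not the control-channel peer %s" % (ip, expected_ip))
    return ip, port


def pinhole_for(line, client_ip, server_ip):
    """Return the Pinhole implied by one control-channel line, or None if it carries none."""
    m = PORT_CMD.match(line)
    if m:                                   # active mode: server dials the client from port 20
        ip, port = _decode_hp(m.group(1), client_ip)
        return Pinhole("tcp", server_ip, "20", ip, port)
    m = PASV_REPLY.match(line)
    if m:                                   # passive mode: client dials the server's chosen port
        ip, port = _decode_hp(m.group(1), server_ip)
        return Pinhole("tcp", client_ip, "any", ip, port)
    return None


def walk_session(lines, client_ip, server_ip):
    """Run a control-channel transcript through pinhole_for, recording opens and rejections."""
    events = []
    for line in lines:
        try:
            hole = pinhole_for(line, client_ip, server_ip)
        except ValueError as err:
            events.append(("reject", str(err)))
            continue
        if hole is not None:
            events.append(("open", hole))
    return events


# Constructed transcript (not captured traffic); client 192.168.1.10, server 203.0.113.5.
SAMPLE_SESSION = [
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,19,137)",   # data port 19*256+137 = 5001
    "PORT 192,168,1,10,156,65",                          # data port 156*256+65 = 40001
    "PORT 10,0,0,1,4,0",                                 # third-party address: not the client
    "227 Entering Passive Mode (203,0,113,5,0,80)",      # privileged port
]

if __name__ == "__main__":
    for event in walk_session(SAMPLE_SESSION, "192.168.1.10", "203.0.113.5"):
        print(*event)
```

The asymmetry the thread keeps circling is visible in the two Pinhole values: with passive mode the hole is an outbound flow from the client network, which an ordinary `keep-state` outbound rule already covers, whereas active mode needs an inbound hole towards the client that only a parser like this (or a proxy) can open just in time.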
-- 
Kirk Strauser

From owner-freebsd-ipfw Sat Apr 14 8:58:46 2001
From: Johnny Dang
Organization: JOHNNYDANG.NET
To: FreeBSD IpFW
Subject: Question about DSL and Cable Modem at the same time
Date: Sat, 14 Apr 2001 12:01:25 -0400 (EDT)

Hello all,

Happy Easter to all and I really enjoy reading this mailing list. I have a
question about IPFW. Let's say I have a FreeBSD box with two NICs (as normal
people do): xl0 is with @HOME and xl1 is for the LAN (192.168.1.x). Since
Cable is just for speed, I plan to have a DSL line as a backup and running
other services while it is not backup for the Cable. Can I just add another
NIC as xl2? Here is my plan:

    xl0=DHCP from Cable
    xl1=192.168.1.1 (DHCPD)
    xl2=DSL.DSL.DSL.DSL

In rc.conf, comment out the xl2 default router, and have NATD and rc.firewall
use xl0 as their interface. Then when cable is down, comment out the entry
for xl0, uncomment the xl2 default router, and change the interface for NATD
and rc.firewall to xl2; reboot the router. Will it work? However, in this
way, I cannot use the DSL line (since I have to comment out the default
router).. Any other idea? I do not want to add another box?
I just want to add the DSL line as the backup (I love the Cable Modem speed,
3M for downloading)....

Thanks for your input

++++++++++++++++++++++++++++++++++++++++++++++++++
"The instructions said to use Windows 98 or better, so I installed
FreeBSD...It is working now!..."
++++++++++++++++++++++++++++++++++++++++++++++++++
Johnny Dang
Senior Network Engineer/MCSE + Internet

From owner-freebsd-ipfw Sat Apr 14 12:12:18 2001
From: "Voutah"
Subject: ipfw/natd and MAC addresses
Date: Sat, 14 Apr 2001 21:09:30 +0200

Hi,

My cable provider doesn't allow me to connect more than one computer to the
modem and they check this using various methods, like portscanning and
checking MAC addresses. My inside computers (win2k, slackware and win98)
need to be totally invisible to the outside. Does natd/ipfw hide the inside
MAC and IP address ? Do I need to take any special precautions ?
thanks,
Voutah

From owner-freebsd-ipfw Sat Apr 14 14:03:46 2001
From: Nick Rogness
To: Voutah
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw/natd and MAC addresses
Date: Sat, 14 Apr 2001 17:09:27 -0500 (CDT)

On Sat, 14 Apr 2001, Voutah wrote:

> Hi,
>
> My cable provider doesn't allow me to connect more than one computer to the
> modem and they check this using various methods, like portscanning and
> checking MAC addresses. My inside computers (win2k, slackware and win98)
> need to be totally invisible to the outside. Does natd/ipfw hide the inside
> MAC and IP address ? Do I need to take any special precautions ?

Yes. Those machines on the inside of your network will not be visible
from the outside cable network.

Nick Rogness - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"
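Why Nick's answer holds, as an added example that is neither natd's code nor part of either post: a toy port-overloading NAT in the style of natd, wrapped in a two-interface gateway. Two separate mechanisms do the hiding. Ethernet MAC addresses are per-segment, so a frame forwarded from xl1 to xl0 is rebuilt with xl0's own MAC and the inside host's MAC never reaches the cable segment; and the translation table rewrites the inside address and port to the gateway's public address, so only that address appears on the wire and an inbound packet with no matching table entry reaches nothing inside. All addresses, MACs and ports here are constructed. One caveat the model simplifies: the toy drops an unmapped inbound packet outright, whereas a real natd passes it untranslated to the gateway's own stack unless started with `-deny_incoming`, so the gateway itself still needs a sensible ipfw ruleset.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Frame:
    """An Ethernet frame: MACs are per-segment and rebuilt at every router hop."""
    src_mac: str
    dst_mac: str
    packet: Packet


class Natd:
    """Toy port-overloading NAT in the style of natd (added example, not natd's code)."""

    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (proto, inside_ip, inside_port, dst, dport) -> public port
        self.in_map = {}    # (proto, public_port, remote_ip, remote_port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Rewrite an inside host's packet so only the gateway's address is visible."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt):
        """Map a packet from the cable side back to the inside host, or None to drop it."""
        if pkt.dst != self.public_ip:
            return None
        inside = self.in_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None     # no mapping: an unsolicited probe reaches nothing inside
        return replace(pkt, dst=inside[0], dport=inside[1])


class Gateway:
    """FreeBSD box with xl1 on the LAN and xl0 on the cable segment."""

    def __init__(self, nat, xl0_mac, cable_next_hop_mac):
        self.nat = nat
        self.xl0_mac = xl0_mac
        self.cable_next_hop_mac = cable_next_hop_mac

    def forward_out(self, lan_frame):
        """Forward a frame received on xl1: fresh MACs for xl0, NAT on the IP header."""
        return Frame(self.xl0_mac, self.cable_next_hop_mac,
                     self.nat.outbound(lan_frame.packet))


def scenario():
    """Constructed addresses throughout; returns what the cable side sees and what gets back in."""
    nat = Natd("198.51.100.7")
    gw = Gateway(nat, xl0_mac="00:10:4b:aa:aa:aa", cable_next_hop_mac="00:00:0c:bb:bb:bb")
    # win2k box (its own MAC) sends a web request to xl1's MAC
    lan_frame = Frame("00:50:56:11:11:11", "00:10:4b:cc:cc:cc",
                      Packet("192.168.1.20", 3456, "203.0.113.5", 80))
    wire = gw.forward_out(lan_frame)                       # what the cable modem sees
    reply = nat.inbound(Packet("203.0.113.5", 80, "198.51.100.7", wire.packet.sport))
    probe = nat.inbound(Packet("203.0.113.9", 61000, "198.51.100.7", 139))   # unsolicited
    return wire, reply, probe


if __name__ == "__main__":
    wire, reply, probe = scenario()
    print("on the cable:", wire)            # gateway MAC and 198.51.100.7 only
    print("reply mapped to:", reply)        # back to 192.168.1.20:3456
    print("probe result:", probe)           # None
```

The frame printed for the cable side carries neither 192.168.1.20 nor the win2k host's MAC, which is the whole of the answer to the question; the probe to port 139 returns None because nothing in the table claims it, so the inside Windows hosts are not reachable by scanning the public address.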