From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 27 03:59:04 2003
From: Antoine Jacoutot
To: freebsd-ipfw@freebsd.org
Date: Sun, 27 Apr 2003 12:59:02 +0200
Message-Id: <200304271259.02025.ajacoutot@lphp.org>
Subject: ipfw dynamic rule timeout

Hi!

I hope this is the right list for this, I couldn't get any answer from -questions.
I'm having a problem with ipfw and dynamic rules timeout.
For example, when I ssh to a distant machine, if I don't type anything for like 10 or 20 seconds, the connection is dropped.

I read this in the ipfw man page:

"Dynamic rules expire after some time, which depends on the status of the flow and the setting of some sysctl variables. See Section SYSCTL VARIABLES for more details. For TCP sessions, dynamic rules can be instructed to periodically send keepalive packets to refresh the state of the rule when it is about to expire."

So I tried the following command and got this output:

# sysctl -a | grep net.inet.ip.fw
net.inet.ip.fw.enable: 1
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 500
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 168
net.inet.ip.fw.dyn_max: 4096
net.inet.ip.fw.static_count: 27
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_keepalive: 1

So, obviously, keepalive should work. Is there anything I should do besides setting net.inet.ip.fw.dyn_keepalive to 1 (which is the default value)?
I'm running FreeBSD-4.8-RELEASE with IPFW2.

Thanks in advance.

Antoine

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 27 17:15:35 2003
From: SKU
To: ipfw@freebsd.org
Date: Sun, 27 Apr 2003 20:15:33 -0400
Message-ID: <20030428001533.GA20138@palomine.net>
Subject: Traffic Shaper Question

Greetings,

I am trying to use the following script to shape my incoming/outgoing traffic but keep running into some issues. Can anyone hit me with a clue bat to show me what I am doing wrong???

net.inet.ip.fw.one_pass: 1 -> 1
/sbin/ipfw pipe 1 config bw 250Kbits/s
/sbin/ipfw pipe 2 config bw 155Kbytes/s
/sbin/ipfw queue 1 config pipe 2 weight 1
ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument
/sbin/ipfw queue 2 config pipe 2 weight 1
/sbin/ipfw queue 3 config pipe 1 weight 1
/sbin/ipfw queue 4 config pipe 1 weight 1
ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument
/sbin/ipfw queue 5 config pipe 1 weight 10
/sbin/ipfw queue 6 config pipe 2 weight 10
/sbin/ipfw queue 7 config pipe 2 weight 1
ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument
/sbin/ipfw queue 8 config pipe 1 weight 1
/sbin/ipfw queue 9 config pipe 1 weight 10
ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument
/sbin/ipfw queue 10 config pipe 2 weight 10
ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument
/sbin/ipfw add 105 queue 7 tcp from any 6800-6900 to any in
/sbin/ipfw add 105 queue 7 udp from any 6800-6900 to any in
/sbin/ipfw add 105 queue 8 tcp from any to any 6800-6900 out
/sbin/ipfw add 105 queue 8 udp from any to any 6800-6900 out
/sbin/ipfw add 105 queue 9 tcp from any to any 80 out
/sbin/ipfw add 105 queue 10 tcp from any 80 to any in
/sbin/ipfw add 105 queue 7 tcp from any to any 22 out
/sbin/ipfw add 105 queue 8 tcp from any 22 to any in
/sbin/ipfw add 105 queue 9 tcp from any to any 3389 out
/sbin/ipfw add 105 queue 10 tcp from any 3389 to any in

TIA,
SKU

From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 27 18:11:50 2003
From: Robert Johannes
To: freebsd-ipfw@freebsd.org
Date: Sun, 27 Apr 2003 20:08:11 -0500 (CDT)
Subject: nfs and ipfw

I recently built a 4.8-stable system, with firewalling. It is not a gateway/router, just an nfs and samba server, but I built in the firewall so I can prohibit potential traffic from the router/gateway in case it was broken into. I'm using normal ipfw, with the following rules:

allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
allow tcp from any to any established
allow ip from any to any frag
allow tcp from any to any setup
allow ip from $nfsclient to $fileserver keep-state
allow ip from xx.xx.xx.1 to $fileserver keep-state
deny ip from any to any

The router/gateway is at xx.xx.xx.254.
I'm able to mount the filesystems from the $fileserver, but I'm not able to write a substantial amount of data to the filesystems; I can create a file by 'touching' one on the nfs filesystem, but I can't copy a big file onto the filesystem. I have successfully copied a file as big as the /etc/hosts file (a few bytes).

From watching tcpdump, it seems that any time there's significant i/o on the nfs filesystem, the fileserver stops responding, and I note the following lines repeated perhaps a hundred or more times:

15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)

At this point I get an "nfs: server $nfsserver not responding, timed out" message logged on the nfsclient.

I'm pretty sure it has to do with my ipfw configuration, but I can't pinpoint the problem. Any ideas?

robert

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 28 01:06:36 2003
From: Simon L. Nielsen
To: SKU
cc: ipfw@freebsd.org
Date: Mon, 28 Apr 2003 10:06:33 +0200
Message-ID: <20030428080632.GH398@nitro.dk>
In-Reply-To: <20030428001533.GA20138@palomine.net>
Subject: Re: Traffic Shaper Question

On 2003.04.27 20:15:33 -0400, SKU wrote:
> Greetings,
>
> I am trying to use the following script to shape my incoming/outgoing
> traffic but keep running into some issues. Can anyone hit me with a
> clue bat to show me what I am doing wrong???

> /sbin/ipfw queue 1 config pipe 2 weight 1
> ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument

You don't have dummynet in your kernel. Either load it as a module with kldload or add the DUMMYNET option to your kernel.

--
Simon L. Nielsen

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 28 03:28:20 2003
From: Philip Reynolds
To: freebsd-ipfw@freebsd.org
Date: Mon, 28 Apr 2003 10:28:17 +0000
Message-ID: <20030428102817.GA44721@rfc-networks.ie>
In-Reply-To: <20030428001533.GA20138@palomine.net>
Subject: Re: Traffic Shaper Question

SKU 41 lines of wisdom included:
> I am trying to use the following script to shape my
> incoming/outgoing traffic but keep running into some issues.
> Can anyone hit me with a clue bat to show me what I am doing wrong???
>
> ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument
...
> ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument
...
> ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument
...
> ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument
...
> ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument

This immediately sounds (to me anyway) as if DUMMYNET isn't compiled into your kernel.

If you read ``dummynet(4)'' you'll see a ``KERNEL OPTIONS'' section. For information on how to compile a custom kernel, read the handbook.

Phil.
--
Philip Reynolds                      | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie      | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil  | www.rfc-networks.ie

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 28 05:13:29 2003
From: SKU
To: Simon L. Nielsen
cc: ipfw@freebsd.org
Date: Mon, 28 Apr 2003 08:13:28 -0400
Message-ID: <20030428121328.GA50735@palomine.net>
In-Reply-To: <20030428080632.GH398@nitro.dk>
Subject: Re: Traffic Shaper Question

On Mon, Apr 28, 2003 at 10:06:33AM +0200, Simon L. Nielsen wrote:
> You don't have dummynet in your kernel. Either load it as a module with
> kldload or add the DUMMYNET option to your kernel.

Actually I do have Dummynet in the kernel:

pfw pipe show
00001: 250.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002:   1.280 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 1 pipe 1   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

Only certain weights refuse to work and I have no idea why.

Thanks,
SKU

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 28 07:39:55 2003
From: Simon L. Nielsen
To: SKU
cc: ipfw@freebsd.org
Date: Mon, 28 Apr 2003 16:39:54 +0200
Message-ID: <20030428143954.GL398@nitro.dk>
In-Reply-To: <20030428121328.GA50735@palomine.net>
Subject: Re: Traffic Shaper Question

On 2003.04.28 08:13:28 -0400, SKU wrote:
>
> Actually I do have Dummynet in the kernel:
>
> pfw pipe show
> 00001: 250.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00002:   1.280 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> q00001: weight 1 pipe 1   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
>
> Only certain weights refuse to work and I have no idea why.

Strange.. works fine here :

[root@arthur:simon] /sbin/ipfw pipe 1 config bw 250Kbits/s
[root@arthur:simon] /sbin/ipfw pipe 2 config bw 155Kbytes/s
[root@arthur:simon] /sbin/ipfw queue 1 config pipe 2 weight 1
[root@arthur:simon] /sbin/ipfw queue 2 config pipe 2 weight 1
[root@arthur:simon] /sbin/ipfw queue 3 config pipe 1 weight 1
[root@arthur:simon] ipfw pipe show
00001: 250.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002:   1.240 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 1 pipe 2   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00002: weight 1 pipe 2   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00003: weight 1 pipe 1   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
[root@arthur:simon] uname -a
FreeBSD arthur.nitro.dk 4.8-STABLE FreeBSD 4.8-STABLE #0: Thu Apr 24 12:53:37 CEST 2003     simon@arthur.nitro.dk:/usr/obj/usr/src/sys/ARTHUR  i386

I'm using IPFW2 but I don't know if that matters. Which FreeBSD version are you using?

--
Simon L. Nielsen

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 28 09:14:17 2003
From: SKU
To: Simon L. Nielsen
cc: ipfw@freebsd.org
Date: Mon, 28 Apr 2003 12:14:16 -0400
Message-ID: <20030428161416.GA60455@palomine.net>
In-Reply-To: <20030428143954.GL398@nitro.dk>
Subject: Re: Traffic Shaper Question

On Mon, Apr 28, 2003 at 04:39:54PM +0200, Simon L. Nielsen wrote:
> On 2003.04.28 08:13:28 -0400, SKU wrote:
> Strange.. works fine here :

Bummer...

> I'm using IPFW2 but I don't know if that matters. Which FreeBSD version
> are you using ?

4.8 Stable as of 2 days ago, using IPFW2.

-SKU

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 28 09:41:20 2003
From: Bruno Afonso
To: ipfw@freebsd.org
Date: Mon, 28 Apr 2003 17:43:56 +0100
Message-ID: <3EAD5A4C.5000506@dequim.ist.utl.pt>
In-Reply-To: <20030428161416.GA60455@palomine.net>
Subject: Re: Traffic Shaper Question

SKU wrote:
>> I'm using IPFW2 but I don't know if that matters. Which FreeBSD version
>> are you using ?
>
> 4.8 Stable as of 2 days ago, using IPFW2.

Do you get the same with ipfw? You may have found an ipfw2 bug :-)

--
Bruno Miguel Afonso
Biological Eng. student.
D.E.Q. @ I.S.T. - Portugal

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 28 11:01:34 2003
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 28 Apr 2003 11:01:32 -0700 (PDT)
Message-Id: <200304281801.h3SI1WXr073137@freefall.freebsd.org>
Subject: Current problem reports assigned to you
Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues

1 problem total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2003/01/05] bin/46785   ipfw   [patch] add sets information to ipfw2 -h
o [2003/01/15] bin/47120   ipfw   [patch] Sanity check in ipfw(8)
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r

4 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 28 14:16:52 2003
From: Crist J. Clark
To: Robert Johannes
cc: freebsd-ipfw@freebsd.org
Date: Mon, 28 Apr 2003 14:16:43 -0700
Message-ID: <20030428211643.GA41761@blossom.cjclark.org>
Subject: Re: nfs and ipfw

On Sun, Apr 27, 2003 at 08:08:11PM -0500, Robert Johannes wrote:
[snip]
> I'm using normal ipfw, with the following rules:
>
> allow ip from any to any via lo0
> deny ip from any to 127.0.0.0/8
> deny ip from 127.0.0.0/8 to any
> allow tcp from any to any established
> allow ip from any to any frag
> allow tcp from any to any setup
> allow ip from $nfsclient to $fileserver keep-state
> allow ip from xx.xx.xx.1 to $fileserver keep-state
> deny ip from any to any
>
>
> The router/gateway is at xx.xx.xx.254. I'm able to mount the filesystems
> from the $fileserver, but I'm not able to write a substantial amount of
> data to the filesystems; I can create a file by 'touching' one on the nfs
> filesystem, but I can't copy a big file onto the filesystem. I have
> successfully copied a file as big as the /etc/hosts file (a few bytes).
> From watching tcpdump, it seems that any time there's significant i/o on
> the nfs filesystem, the fileserver stops responding, and I note the
> following lines repeated perhaps a hundred or more times:
>
> 15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
> 15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
> 15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
> 15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
> 15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
> 15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
> 15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
> 15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
> 15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)
>
> At this point I get an "nfs: server $nfsserver not responding, timed out"
> message logged on the nfsclient.
>
> I'm pretty sure it has to do with my ipfw configuration, but I can't
> pinpoint the problem. Any ideas?

It looks like those fragments should be passing the 'frag' rule. Check if those fragments are really being dropped. Turn on logging in the last 'deny' rule to see for sure. If that's not it, the log might give you a clue as to what the problem really is anyway.

The possible way around this is to do NFS over TCP which won't generate the hella-huge UDP packets.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
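As an added illustration (not part of the thread), a small parser for the tcpdump fragment lines Robert quoted: it maps which byte ranges of IP datagram 7506 the excerpt covers and separates the pieces an ipfw 'frag' rule can match from the one it cannot, since per ipfw(8) 'frag' matches only non-first fragments and the offset-0 fragment, the only one carrying the UDP header, is judged by the ordinary rules (here the keep-state rule). The sample input is the quoted capture embedded as a constructed string; nothing else is assumed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the tcpdump lines quoted in Robert's message, verbatim.
SAMPLE_TCPDUMP = """\
15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)
"""

# tcpdump renders fragments as "(frag ID:LENGTH@OFFSET[+])"; the trailing "+"
# means More-Fragments is set. The offset-0 fragment carries a protocol decode
# in front of the same "(frag ...)" suffix, which is why the regex is searched.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")


@dataclass
class Datagram:
    ip_id: int
    pieces: list = field(default_factory=list)   # (offset, length, more_fragments)

    @property
    def total_length(self):
        """Payload length implied by the last fragment (MF clear); None if not captured."""
        for off, length, more in self.pieces:
            if not more:
                return off + length
        return None

    @property
    def first_fragment_seen(self):
        return any(off == 0 for off, _, _ in self.pieces)

    def missing_ranges(self):
        """Half-open [start, stop) byte ranges that no captured fragment covers."""
        end = self.total_length
        if end is None:
            return None
        gaps, cursor = [], 0
        for start, stop in sorted((off, off + length) for off, length, _ in self.pieces):
            if start > cursor:
                gaps.append((cursor, start))
            cursor = max(cursor, stop)
        if cursor < end:
            gaps.append((cursor, end))
        return gaps


def parse_fragments(text):
    """Group tcpdump fragment lines by IP id. Duplicates are kept on purpose, so a
    retransmission storm like the one Robert saw shows up as repeated pieces."""
    datagrams = {}
    for line in text.splitlines():
        m = FRAG_RE.search(line)
        if not m:
            continue
        ip_id, length, offset, more = int(m[1]), int(m[2]), int(m[3]), m[4] == "+"
        datagrams.setdefault(ip_id, Datagram(ip_id)).pieces.append((offset, length, more))
    return datagrams


def ipfw_frag_option_matches(offset):
    """ipfw(8): 'frag' matches only a fragment that is NOT the first one (offset != 0).
    The first fragment is the only one with a UDP header, so it is judged by the
    ordinary rules (here the keep-state rule), not by 'allow ip from any to any frag'."""
    return offset != 0


def report(datagrams):
    lines = []
    for d in sorted(datagrams.values(), key=lambda x: x.ip_id):
        lines.append(f"IP id {d.ip_id}: {len(d.pieces)} fragment(s) captured, "
                     f"datagram payload {d.total_length} bytes")
        lines.append(f"  offset-0 fragment present in capture: {d.first_fragment_seen}")
        for start, stop in d.missing_ranges() or []:
            lines.append(f"  not in capture: bytes {start}-{stop - 1}")
        via_frag = sum(ipfw_frag_option_matches(off) for off, _, _ in d.pieces)
        lines.append(f"  pieces an ipfw 'frag' rule can match: {via_frag} of {len(d.pieces)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_fragments(SAMPLE_TCPDUMP)))
```

For 7506 the last fragment ends at byte 32900, which fits a 32 KiB NFS write plus RPC headers, and the excerpt has no offset-0 fragment, so by itself it cannot show whether the first fragment or the 'frag'-matched ones are being dropped; that is exactly what logging on the final 'deny' rule would settle.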
From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 28 14:18:41 2003
From: Crist J. Clark
To: Antoine Jacoutot
cc: freebsd-ipfw@freebsd.org
Date: Mon, 28 Apr 2003 14:18:37 -0700
Message-ID: <20030428211837.GB41761@blossom.cjclark.org>
In-Reply-To: <200304271259.02025.ajacoutot@lphp.org>
Subject: Re: ipfw dynamic rule timeout

On Sun, Apr 27, 2003 at 12:59:02PM +0200, Antoine Jacoutot wrote:
> Hi!
>
> I hope this is the right list for this, I couldn't get any answer from
> -questions.
> I'm having a problem with ipfw and dynamic rules timeout.
> For example, when I ssh to a distant machine, if I don't type anything for
> like 10 or 20 seconds, the connection is dropped.

Are you using natd(8)? If so, check the archives for one of the bazillion times 'keep-state'-natd(8) issues have been discussed.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
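Added here as an illustration (not from the thread and not ipfw's own code): a model of how ipfw2 picks a dynamic rule's expiry from the TCP flags it has seen in each direction, using the sysctl values from Antoine's listing. An entry that has seen SYNs both ways lives dyn_ack_lifetime (300 s) and is refreshed by keepalives; an entry whose reply packets never match it (the keep-state/natd(8) interaction Crist points at, where replies reach the state check with translated addresses that differ from what the entry recorded) never leaves the dyn_syn_lifetime (20 s) state and gets no keepalives, which is the idle window Antoine describes. dyn_keepalive_interval and dyn_keepalive_period are not in the listing and are assumed to be the stock defaults 20 and 5.

```python
# Values from Antoine's "sysctl -a | grep net.inet.ip.fw" listing above.
LIFETIMES = {
    "dyn_ack_lifetime": 300,    # TCP, SYN seen in both directions
    "dyn_syn_lifetime": 20,     # TCP, only our own SYN seen so far
    "dyn_fin_lifetime": 1,      # TCP, FIN seen in both directions
    "dyn_rst_lifetime": 1,      # TCP, RST or an inconsistent flag combination
    "dyn_udp_lifetime": 10,
    "dyn_short_lifetime": 5,    # other IP protocols
}
DYN_KEEPALIVE = 1
# Not in Antoine's listing; assumed to be the stock defaults.
DYN_KEEPALIVE_INTERVAL = 20     # send keepalives when this close to expiry
DYN_KEEPALIVE_PERIOD = 5        # how often the expiry scan runs

TH_FIN, TH_SYN, TH_RST = 0x01, 0x02, 0x04
FLAG_MASK = TH_FIN | TH_SYN | TH_RST
FORWARD, REVERSE = "forward", "reverse"
BOTH_SYN = TH_SYN | (TH_SYN << 8)
BOTH_FIN = TH_FIN | (TH_FIN << 8)


class DynRule:
    """One keep-state entry. Flags seen in the rule's forward direction accumulate
    in the low byte, flags seen in the reverse direction in the high byte; the
    combined value decides which *_lifetime applies after each matching packet."""

    def __init__(self, proto, now):
        self.proto = proto
        self.state = 0
        self.expire = now
        self.keepalives_sent = 0
        self.alive = True

    def packet(self, now, direction, tcp_flags=0):
        """A packet matched this entry: fold in its flags and reset the timer."""
        if not self.alive:
            raise RuntimeError("state expired: the packet falls through to the static rules")
        if self.proto != "tcp":
            key = "dyn_udp_lifetime" if self.proto == "udp" else "dyn_short_lifetime"
            self.expire = now + LIFETIMES[key]
            return key
        flags = tcp_flags & FLAG_MASK
        self.state |= flags if direction == FORWARD else flags << 8
        if self.state == TH_SYN:
            key = "dyn_syn_lifetime"
        elif self.state in (BOTH_SYN, BOTH_SYN | TH_FIN, BOTH_SYN | (TH_FIN << 8)):
            key = "dyn_ack_lifetime"
        elif self.state == BOTH_SYN | BOTH_FIN:
            key = "dyn_fin_lifetime"
        else:
            key = "dyn_rst_lifetime"
        self.expire = now + LIFETIMES[key]
        return key

    def tick(self, now):
        """Periodic scan: drop expired entries; for TCP entries that saw SYNs both
        ways and are close to expiry, emit keepalives. Simplification: the refresh
        the peer's reply to the keepalive would cause is applied immediately."""
        if not self.alive:
            return
        if now >= self.expire:
            self.alive = False
            return
        if (DYN_KEEPALIVE and self.proto == "tcp"
                and (self.state & BOTH_SYN) == BOTH_SYN
                and now + DYN_KEEPALIVE_INTERVAL > self.expire):
            self.keepalives_sent += 1
            self.expire = now + LIFETIMES["dyn_ack_lifetime"]


def idle_survival(reply_matches_state, idle_seconds):
    """Open an ssh-like session at t=0, then leave it idle. Returns (state still
    present, keepalives generated). reply_matches_state=False models the case where
    the server's SYN/ACK never matches the entry our own SYN created."""
    r = DynRule("tcp", now=0)
    r.packet(0, FORWARD, TH_SYN)
    if reply_matches_state:
        r.packet(0, REVERSE, TH_SYN)            # SYN/ACK: only the SYN bit is tracked
    r.packet(0, FORWARD)                        # handshake ACK, no tracked flags
    for t in range(1, idle_seconds + 1):
        if t % DYN_KEEPALIVE_PERIOD == 0:
            r.tick(t)
    return r.alive, r.keepalives_sent


if __name__ == "__main__":
    for label, ok in (("replies match the state", True),
                      ("replies never match the state", False)):
        for idle in (15, 30, 300):
            alive, ka = idle_survival(ok, idle)
            print(f"{label}, idle {idle:3d}s: state {'kept' if alive else 'expired'},"
                  f" keepalives {ka}")
```

Each keystroke refreshes the 20 s timer, so the session dies only after a pause, matching the symptom; whether the replies really miss the entry on the live box is what 'ipfw -d show' (which lists the dynamic rules and their remaining lifetime) would confirm.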
Clark" Date: Tue, 29 Apr 2003 00:38:59 +0200 User-Agent: KMail/1.5.1 References: <200304271259.02025.ajacoutot@lphp.org> <20030428211837.GB41761@blossom.cjclark.org> In-Reply-To: <20030428211837.GB41761@blossom.cjclark.org> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200304290038.59573.ajacoutot@lphp.org> cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw dynamic rule timeout X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Apr 2003 22:39:07 -0000 On Monday 28 April 2003 23:18, Crist J. Clark wrote: > > I hope this is the right list for this, I couldn't get any answer from > > -questions. > > I'm having a problem with ipfw and dynamic rules timeout. > > For exemple, when I ssh to a distant machine, if I don't type anything > > for like 10 or 20 seconds, the connexion is dropped. > > Are you using natd(8)? If so, check the archives for one of the > bazillion times 'keep-state'-natd(8) issues have been discussed. Yes I am. I already did search the archives. Unfortunately, the archives go back to... March 2003. I asked this question in a lot of places, including forums but no one could give me an answer, so I guess I hasn't been discussed a bazillion times. But thanks anyway. 
Antoine

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 29 03:38:49 2003
From: Bruno Afonso
To: freebsd-ipfw@freebsd.org
Date: Tue, 29 Apr 2003 11:41:41 +0100
Subject: Re: ipfw dynamic rule timeout
Message-ID: <3EAE56E5.50208@dequim.ist.utl.pt>
In-Reply-To: <200304290038.59573.ajacoutot@lphp.org>

Antoine Jacoutot wrote:
> On Monday 28 April 2003 23:18, Crist J. Clark wrote:
>
>>> I hope this is the right list for this, I couldn't get any answer from
>>> -questions.
>>> I'm having a problem with ipfw and dynamic rules timeout.
>>> For example, when I ssh to a distant machine, if I don't type anything
>>> for like 10 or 20 seconds, the connection is dropped.
>>
>> Are you using natd(8)? If so, check the archives for one of the
>> bazillion times 'keep-state'-natd(8) issues have been discussed.
>
>
> Yes I am.
> I already did search the archives. Unfortunately, the archives go back to...
> March 2003.
> I asked this question in a lot of places, including forums but no one could
> give me an answer, so I guess it hasn't been discussed a bazillion times.
> But thanks anyway.
>
> Antoine

http://marc.theaimsgroup.com/?l=freebsd-ipfw&r=1&w=2

enjoy
--
Bruno Miguel Afonso
Biological Eng. student.
D.E.Q. @ I.S.T. - Portugal

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 29 04:29:08 2003
From: Antoine Jacoutot
To: Bruno Afonso
cc: freebsd-ipfw@freebsd.org
Date: Tue, 29 Apr 2003 13:29:01 +0200
Subject: Re: ipfw dynamic rule timeout
Message-ID: <1051615741.3eae61fd690ec@webmail.lphp.org>
According to Bruno Afonso:
> http://marc.theaimsgroup.com/?l=freebsd-ipfw&r=1&w=2
> enjoy

Well, thanks a lot... I'm happy I have nothing to do this afternoon... ;-)

--
Antoine Jacoutot
ajacoutot@lphp.org
http://www.lphp.org
"Unix is user friendly... It's just selective about who his friends are..."

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 29 06:43:56 2003
From: Antoine Jacoutot
To: Bruno Afonso, freebsd-ipfw@freebsd.org
Date: Tue, 29 Apr 2003 15:43:47 +0200
Subject: Re: ipfw dynamic rule timeout
Message-Id: <200304291543.47991.ajacoutot@lphp.org>
In-Reply-To: <3EAE56E5.50208@dequim.ist.utl.pt>

On Tuesday 29 April 2003 12:41, Bruno Afonso wrote:
> http://marc.theaimsgroup.com/?l=freebsd-ipfw&r=1&w=2
> enjoy

OK, so after reading the archives, I saw that there was no solution to my
problem, so what I did is:

sysctl net.inet.ip.fw.dyn_syn_lifetime=300

The default is 20, so it gives a little more time. But I still have problems
from time to time (clients behind the firewall get disconnected from an
internet news server after a while reading an article, web clients from the
internet to the web server get disconnected while reading mail from
webmail...).
Should I go like:

sysctl net.inet.ip.fw.dyn_syn_lifetime=100000000000000000

or is it just stupid ? (I'm sure this is stupid, but I can't find any
solution).
Thanks a lot for your help.

Antoine

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 29 06:49:29 2003
From: Michael Sierchio
To: Antoine Jacoutot
cc: freebsd-ipfw@freebsd.org
cc: Bruno Afonso
Date: Tue, 29 Apr 2003 06:49:23 -0700
Subject: Re: ipfw dynamic rule timeout
Message-ID: <3EAE82E3.1080704@tenebras.com>
In-Reply-To: <200304291543.47991.ajacoutot@lphp.org>

Antoine Jacoutot wrote:

> sysctl net.inet.ip.fw.dyn_syn_lifetime=300
> The default is 20, so it gives a little more time. But I still have problems
> from time to time (clients behind the firewall get disconnected from an
> internet news server after a while reading an article, web clients from the
> internet to the web server get disconnected while reading mail from
> webmail...).

You're diddling the wrong MIB value. dyn_syn_lifetime is for
half-open connections (three-way handshake not complete).
It's dyn_ack_lifetime that you want to set. But if the problem
is lack of keepalives, you could try

net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.tcp.always_keepalive=1
net.inet.tcp.keepidle=60000
net.inet.tcp.keepintvl=60000
net.inet.tcp.keepinit=60000

and make sure the firewall keepalive options are on.
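The comparison behind the suggestion above, written out as a check. This is an added example, not code from the thread or from FreeBSD: it parses lines in the "name: value" form that sysctl(8) prints and compares the TCP keepalive timers with the ipfw dynamic-rule lifetime in the units the kernel uses (net.inet.tcp.keep* are milliseconds, net.inet.ip.fw.dyn_*_lifetime are seconds), which is the detail that makes the two sets of values in this thread hard to compare by eye. The sample sysctl lines are constructed from values quoted in the thread.

```python
"""Check that TCP keepalives can refresh an ipfw dynamic rule before it
expires. Added example (not code from the thread): it parses sysctl(8)
'name: value' lines and applies the comparison made in the thread, using
the kernel's units (net.inet.tcp.keep* in ms, net.inet.ip.fw.dyn_* in s).
"""

# Constructed sample: the defaults Antoine lists further down the thread.
DEFAULTS = """\
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_keepalive: 1
net.inet.tcp.always_keepalive: 1
net.inet.tcp.keepidle: 7200000
net.inet.tcp.keepintvl: 75000
net.inet.tcp.keepinit: 75000
"""

# Constructed sample: the same box after applying the values suggested above.
SUGGESTED = DEFAULTS.replace("keepidle: 7200000", "keepidle: 60000") \
                    .replace("keepintvl: 75000", "keepintvl: 60000") \
                    .replace("keepinit: 75000", "keepinit: 60000")

EXPLANATIONS = {
    "dyn_keepalive_off":
        "net.inet.ip.fw.dyn_keepalive=0: ipfw sends no keepalives for keep-state rules",
    "always_keepalive_off":
        "net.inet.tcp.always_keepalive=0: idle sockets send no TCP keepalives",
    "keepidle_exceeds_ack_lifetime":
        "net.inet.tcp.keepidle is longer than net.inet.ip.fw.dyn_ack_lifetime: "
        "the first TCP keepalive would come after the dynamic rule has expired",
}


def parse_sysctl(text):
    """Turn sysctl(8) 'name: value' lines into a dict of ints; other lines are skipped."""
    values = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip().lstrip("-").isdigit():
            values[name.strip()] = int(value)
    return values


def keepalive_findings(values):
    """Return the codes of every setting that stops keepalives from keeping an
    idle, established TCP session's dynamic rule alive (empty list = consistent)."""
    findings = []
    if values.get("net.inet.ip.fw.dyn_keepalive") != 1:
        findings.append("dyn_keepalive_off")
    if values.get("net.inet.tcp.always_keepalive") != 1:
        findings.append("always_keepalive_off")
    keepidle_s = values["net.inet.tcp.keepidle"] / 1000      # ms -> s
    if keepidle_s >= values["net.inet.ip.fw.dyn_ack_lifetime"]:
        findings.append("keepidle_exceeds_ack_lifetime")
    return findings


if __name__ == "__main__":
    for label, text in (("defaults", DEFAULTS), ("suggested", SUGGESTED)):
        codes = keepalive_findings(parse_sysctl(text))
        print("%s: %s" % (label, "ok" if not codes else ""))
        for code in codes:
            print("  " + EXPLANATIONS[code])
```

With the defaults the only finding is the keepidle one: 7200000 ms is two hours, against a 300 s rule lifetime. Note that this check only covers an established session; a rule that never reaches the established state is a different problem, which the rest of the thread gets to.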
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 29 07:17:10 2003
From: Antoine Jacoutot
To: Michael Sierchio
cc: freebsd-ipfw@freebsd.org
cc: Bruno Afonso
Date: Tue, 29 Apr 2003 16:16:52 +0200
Subject: Re: ipfw dynamic rule timeout
Message-Id: <200304291616.52730.ajacoutot@lphp.org>
In-Reply-To: <3EAE82E3.1080704@tenebras.com>

On Tuesday 29 April 2003 15:49, Michael Sierchio wrote:
> Antoine Jacoutot wrote:
> > sysctl net.inet.ip.fw.dyn_syn_lifetime=300
> > The default is 20, so it gives a little more time. But I still have
> > problems from time to time (clients behind the firewall get disconnected
> > from an internet news server after a while reading an article, web
> > clients from the internet to the web server get disconnected while
> > reading mail from webmail...).
>
> You're diddling the wrong MIB value. dyn_syn_lifetime is for
> half-open connections (three-way handshake not complete).
> It's dyn_ack_lifetime that you want to set. But if the problem
> is lack of keepalives, you could try

Yes, but strangely, it works.
The dyn_ack_lifetime is at 300 by default, so I don't think I need to change
that.
Here are the default values on my system (I didn't touch any value, and it
looks similar to the ones you suggested except some values are even bigger):

net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.tcp.always_keepalive: 1
net.inet.tcp.keepidle: 7200000
net.inet.tcp.keepintvl: 75000
net.inet.tcp.keepinit: 75000

> and make sure the firewall keepalive options are on.

You mean:
net.inet.ip.fw.dyn_keepalive: 1

Antoine

ps: do you need more information, like my IPFW ruleset or so ?

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 29 07:28:37 2003
From: Michael Sierchio
To: Antoine Jacoutot
Date: Tue, 29 Apr 2003 07:28:35 -0700
Message-ID: <3EAE8C13.8080009@tenebras.com>
In-Reply-To: <200304291616.52730.ajacoutot@lphp.org>
cc: freebsd-ipfw@freebsd.org
cc: Bruno Afonso
Subject: Re: ipfw dynamic rule timeout

Antoine Jacoutot wrote:

> net.inet.tcp.keepidle: 7200000

That's a very long time, longer than the five minutes
you keep rules alive for.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 29 07:34:40 2003
From: Antoine Jacoutot
To: Michael Sierchio
cc: freebsd-ipfw@freebsd.org
cc: Bruno Afonso
Date: Tue, 29 Apr 2003 16:34:28 +0200
Subject: Re: ipfw dynamic rule timeout
Message-Id: <200304291634.28223.ajacoutot@lphp.org>
In-Reply-To: <3EAE8C13.8080009@tenebras.com>

On Tuesday 29 April 2003 16:28, Michael Sierchio wrote:
> Antoine Jacoutot wrote:
> > net.inet.tcp.keepidle: 7200000
>
> That's a very long time, longer than the five minutes
> you keep rules alive for.

OK, so should I lower it ?
I'm sorry to seem so newbie about it, but I never had this problem on other
platforms so I'm cautious.
The thing I don't understand is this:

IPFW2 ENHANCEMENTS
[...]
keepalives
    ipfw1 does not generate keepalives for stateful sessions. As a
    consequence, it might cause idle sessions to drop because the
    lifetime of the dynamic rules expires.
[...]
net.inet.ip.fw.dyn_keepalive: 1
    Enables generation of keepalive packets for keep-state rules on TCP
    sessions. A keepalive is generated to both sides of the connection
    every 5 seconds for the last 20 seconds of the lifetime of the rule.

So, since I have this sysctl set to 1, why is my connection reset ?
Doesn't it keep generating keepalives or what ?
Basically, I would like keepalives generated forever, until I (or a client)
close the connection to a server.

Antoine

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 29 13:38:46 2003
From: "Crist J. Clark"
To: Antoine Jacoutot
cc: freebsd-ipfw@freebsd.org
Reply-To: cjclark@alum.mit.edu
Date: Tue, 29 Apr 2003 13:38:42 -0700
Subject: Re: ipfw dynamic rule timeout
Message-ID: <20030429203842.GB22678@blossom.cjclark.org>
In-Reply-To: <200304290038.59573.ajacoutot@lphp.org>

On Tue, Apr 29, 2003 at 12:38:59AM +0200, Antoine Jacoutot wrote:
> On Monday 28 April 2003 23:18, Crist J. Clark wrote:
> > > I hope this is the right list for this, I couldn't get any answer from
> > > -questions.
> > > I'm having a problem with ipfw and dynamic rules timeout.
> > > For example, when I ssh to a distant machine, if I don't type anything
> > > for like 10 or 20 seconds, the connection is dropped.
> >
> > Are you using natd(8)? If so, check the archives for one of the
> > bazillion times 'keep-state'-natd(8) issues have been discussed.
>
> Yes I am.
> I already did search the archives. Unfortunately, the archives go back to...
> March 2003.

Not sure where you're looking there, but when I BSD Google for "ipfw
natd keep-state" the first link is,

http://docs.freebsd.org/mail/archive/2002/freebsd-ipfw/20020804.freebsd-ipfw.html

And in my mail in that thread, I link further back to,

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=13412+0+archive/2002/freebsd-net/20020217.freebsd-net
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 29 16:00:51 2003
From: Antoine Jacoutot
To: cjclark@alum.mit.edu, freebsd-ipfw@freebsd.org
Date: Wed, 30 Apr 2003 01:00:42 +0200
Subject: Re: ipfw dynamic rule timeout
Message-Id: <200304300100.42983.ajacoutot@lphp.org>
In-Reply-To: <20030429203842.GB22678@blossom.cjclark.org>

On Tuesday 29 April 2003 22:38, Crist J. Clark wrote:
> Not sure where you're looking there, but when I BSD Google for "ipfw
> natd keep-state" the first link is,
>
> http://docs.freebsd.org/mail/archive/2002/freebsd-ipfw/20020804.freebsd-ipfw.html

Thanks, I guess I put in the wrong keywords.
I read all of this and came to the conclusion that there was no solution to
this problem, at least I can't see one.
I guess I'll have to build my firewall with something else.

But thanks.

Antoine

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 29 21:59:01 2003
From: "Crist J. Clark"
To: Antoine Jacoutot
cc: freebsd-ipfw@freebsd.org
Reply-To: cjclark@alum.mit.edu
Date: Tue, 29 Apr 2003 21:58:56 -0700
Subject: Re: ipfw dynamic rule timeout
Message-ID: <20030430045856.GA23926@blossom.cjclark.org>
In-Reply-To: <200304300100.42983.ajacoutot@lphp.org>

On Wed, Apr 30, 2003 at 01:00:42AM +0200, Antoine Jacoutot wrote:
> On Tuesday 29 April 2003 22:38, Crist J. Clark wrote:
> > Not sure where you're looking there, but when I BSD Google for "ipfw
> > natd keep-state" the first link is,
> >
> > http://docs.freebsd.org/mail/archive/2002/freebsd-ipfw/20020804.freebsd-ipfw.html
>
> Thanks, I guess I put in the wrong keywords.
> I read all of this and came to the conclusion that there was no solution to
> this problem, at least I can't see one.
> I guess I'll have to build my firewall with something else.
>
> But thanks.

I think several of the articles point to the easiest solution: Don't
use keep-state rules in conjunction with natd(8). Keep-state doesn't
offer you anything more than using natd(8) with stateless rules for
the vast majority of policies.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 30 00:14:28 2003
From: Antoine Jacoutot
To: cjclark@alum.mit.edu, "Crist J. Clark"
cc: freebsd-ipfw@freebsd.org
Date: Wed, 30 Apr 2003 09:14:18 +0200
Subject: Re: ipfw dynamic rule timeout
Message-Id: <200304300914.18382.ajacoutot@lphp.org>
In-Reply-To: <20030430045856.GA23926@blossom.cjclark.org>

On Wednesday 30 April 2003 06:58, Crist J. Clark wrote:
> I think several of the articles point to the easiest solution: Don't
> use keep-state rules in conjunction with natd(8). Keep-state doesn't
> offer you anything more than using natd(8) with stateless rules for
> the vast majority of policies.

Yes, thanks, that's what I thought too.
I guess I'll just have to write a new "stateless" ruleset (I always used
keep-state).

Regards.

Antoine

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 30 05:24:28 2003
From: Antoine Jacoutot
To: freebsd-ipfw@freebsd.org
Date: Wed, 30 Apr 2003 14:24:24 +0200
Subject: Re: ipfw dynamic rule timeout --> find a solution, but need confirmation
Message-Id: <200304301424.24536.ajacoutot@lphp.org>

Hi !

In my problem with keep-state+ipfw2+natd, I came to the following solution
which seems to work well.
Now, I would like to be sure that there's no security issue with that
(especially with the sysctl variable), so if you feel like it, please comment
the following configuration.

Thanks in advance.
Antoine

### Configuration ###

sysctl variables:

net.inet.ip.fw.dyn_syn_lifetime=300 # same as net.inet.ip.fw.dyn_ack_lifetime

rc.conf:

natd_flags="-log_denied -log_facility LOG_WARNING -use_sockets -same_ports -unregistered_only -dynamic"

firewall ruleset (tun0 being the outside interface):

# Firewall Command - quiet mode (suppress rule display)
fwcmd="/sbin/ipfw -q add"

# Flush out the list before we begin.
/sbin/ipfw -q -f flush

# Setup Loopback
${fwcmd} 100 pass all from any to any via lo0
${fwcmd} 200 deny log all from any to 127.0.0.0/8
${fwcmd} 300 deny log ip from 127.0.0.0/8 to any

# Stop spoofing
${fwcmd} 400 deny all from 192.168.0.0/24 to any in via tun0
### The following rule is disabled since we have a dynamic @ip ###
# ${fwcmd} 500 deny all from ${outside_net}:${outside_mask} to any in via vr0

# Stop RFC1918 nets on the outside interface
${fwcmd} 600 deny all from any to 10.0.0.0/8 via tun0
${fwcmd} 700 deny all from any to 172.16.0.0/12 via tun0
${fwcmd} 800 deny all from any to 192.168.0.0/16 via tun0

# Stop draft-manning-dsua-03.txt nets
${fwcmd} 900 deny all from any to 0.0.0.0/8 via tun0
${fwcmd} 1000 deny all from any to 169.254.0.0/16 via tun0
${fwcmd} 1100 deny all from any to 192.0.2.0/24 via tun0
${fwcmd} 1200 deny all from any to 224.0.0.0/4 via tun0
${fwcmd} 1300 deny all from any to 240.0.0.0/4 via tun0

# Network address Translation
# This rule is placed here deliberately so that it does not interfere with
# the surrounding address-checking rules
${fwcmd} 1400 divert natd all from any to any via tun0

# Stop RFC1918 nets on the outside interface (continuation of rules 600, 700
# and 800, because NAT is now on)
${fwcmd} 1500 deny all from 10.0.0.0/8 to any via tun0
${fwcmd} 1600 deny all from 172.16.0.0/12 to any via tun0
${fwcmd} 1700 deny all from 192.168.0.0/16 to any via tun0

# From man 8 ipfw: use of dynamic rules
${fwcmd} 1800 check-state
${fwcmd} 1900 deny log tcp from any to any established
${fwcmd} 2000 allow tcp from 192.168.0.0/24 to any setup keep-state
${fwcmd} 2100 allow tcp from me to any setup keep-state
${fwcmd} 2200 allow udp from 192.168.0.0/24 to any keep-state
${fwcmd} 2300 allow udp from me to any keep-state
${fwcmd} 2400 deny log udp from any to any

# Reset ident incoming connections
${fwcmd} 2500 reset log tcp from any to me 113 in recv tun0 setup

# Deny & log suspicious packets (like nmap scans)
${fwcmd} 2600 deny log tcp from any to any in tcpflags syn,fin

# Allow some icmp
# echo reply (0), destination unreachable (3), source quench (4),
# echo request (8), time-to-live exceeded (11), IP header bad (12)
${fwcmd} 2700 pass icmp from any to any icmptype 0,3,4,8,11,12

# Allow IP fragments to pass through
${fwcmd} 2800 pass all from any to any frag

# Allow access to our FTP, SSH, SMTP, DNS, WWW, POP3
# find a way to allow FTP inbound
${fwcmd} 2900 pass tcp from any to me 22,25,53,80,110 in recv tun0 setup keep-state
${fwcmd} 3000 pass udp from any to me 53 in recv tun0 keep-state

# Reject & log everything else
${fwcmd} 65000 deny log all from any to any

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 30 09:53:55 2003
From: "C_Ahlers"
To: "'Antoine Jacoutot'"
Date: Wed, 30 Apr 2003 09:53:49 -0700
Organization: code-space.com
Message-ID: <000401c30f39$136f0020$0501a8c0@neptune>
In-Reply-To: <200304301424.24536.ajacoutot@lphp.org>
Subject: RE: ipfw dynamic rule timeout --> find a solution, but need confirmation

I realize that the following info is not exactly what you have been looking for - but it is in the spirit of building that perfect firewall...

I would just like to point out that rules 200 and 300 that deal with traffic to and from 127.0.0.0/8 are NOT necessary. The reason for this is simple: FreeBSD doesn't allow that traffic, regardless of the presence of a firewall or not.

If you take a look at some source code, specifically:

    \src\sys\netinet\ip_input.c (~ line 357)
    \src\sys\netinet\ip_output.c (~ line 807)

you will see code like the following:

    /* 127/8 must not appear on wire - RFC1122 */
    if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
        (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
            if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
                    ipstat.ips_badaddr++;
                    goto bad;
            }
    }

The packets are simply dropped... So this means you have two fewer rules to worry about that just clutter your ruleset.

C_Ahlers
freebsd@code-space.com

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Antoine Jacoutot
Sent: Wednesday, April 30, 2003 5:24 AM
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw dynamic rule timeout --> find a solution, but need confirmation

Hi !

In my problem with keep-state+ipfw2+natd, I came to the following solution which seems to work well. Now, I would like to be sure that there's no security issue with that (especially with the sysctl variable), so if you feel like it, please comment on the following configuration.

Thanks in advance.

Antoine

### Configuration ###
[...]

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 30 10:04:02 2003
From: Antoine Jacoutot
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 30 Apr 2003 19:03:54 +0200
Message-ID: <1051722234.3eb001fabde38@webmail.lphp.org>
In-Reply-To: <000401c30f39$136f0020$0501a8c0@neptune>
Subject: RE: ipfw dynamic rule timeout --> find a solution, but need confirmation

According to C_Ahlers:
> I realize that the following info is not exactly what you have been
> looking for - but it is in the spirit of building that perfect
> firewall...

:-))

> I would just like to point out that rules 200 and 300 that deal with
> traffic to and from 127.0.0.0/8 are NOT necessary.
> The reason for this is simple: FreeBSD doesn't allow that traffic,
> regardless of the presence of a firewall or not.
> If you take a look at some source code, specifically:
> \src\sys\netinet\ip_input.c (~ line 357)
> \src\sys\netinet\ip_output.c (~ line 807)
> you will see code like the following:
[...]
> The packets are simply dropped...
> So this means you have two fewer rules to worry about that just clutter
> your ruleset.

Great advice, thanks.

So you think setting:

net.inet.ip.fw.dyn_syn_lifetime=300
net.inet.ip.fw.dyn_ack_lifetime=300

is OK, right ?

Thanks a lot for all the help !

--
Antoine Jacoutot
ajacoutot@lphp.org
http://www.lphp.org
"Unix is user friendly... It's just selective about who his friends are..."

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 1 10:41:58 2003
Date: Thu, 1 May 2003 12:38:12 -0500 (CDT)
From: Robert Johannes
To: "Crist J. Clark"
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <20030428211643.GA41761@blossom.cjclark.org>
Subject: Re: nfs and ipfw

I've tried your suggestion, and even added a log option to the frag rule below, but I don't see anything being denied or dropped from the nfsclient. Instead, the frags are accepted, but it is as if the server doesn't have anything to say back, and so it never says anything back. Meanwhile, the nfsclient keeps sending the frag traffic to the server.

I've not tried the tcp option for nfs yet, my main concern being performance. I read that performance for tcp nfs is not on par with udp nfs.

Any other suggestions?

thanks
robert

On Mon, 28 Apr 2003, Crist J. Clark wrote:

> On Sun, Apr 27, 2003 at 08:08:11PM -0500, Robert Johannes wrote:
> [snip]
> > I'm using normal ipfw, with the following rules:
> >
> >   allow ip from any to any via lo0
> >   deny ip from any to 127.0.0.0/8
> >   deny ip from 127.0.0.0/8 to any
> >   allow tcp from any to any established
> >   allow ip from any to any frag
> >   allow tcp from any to any setup
> >   allow ip from $nfsclient to $fileserver keep-state
> >   allow ip from xx.xx.xx.1 to $fileserver keep-state
> >   deny ip from any to any
> >
> > The router/gateway is at xx.xx.xx.254. I'm able to mount the filesystems
> > from the $fileserver, but I'm not able to write a substantial amount of
> > data to the filesystems; I can create a file by 'touching' one on the nfs
> > filesystem, but I can't copy a big file onto the filesystem. I have
> > successfully copied a file as big as the /etc/hosts file (a few bytes).
> > From watching tcpdump, it seems that any time there's significant i/o on
> > the nfs filesystem, the fileserver stops responding, and I note the
> > following lines repeated perhaps a hundred or more times:
> >
> > 15:04:32.619887 $nfsclient > $nfsserver: (frag 7506:340@32560)
> > 15:04:32.619906 $nfsclient > $nfsserver: (frag 7506:1480@31080+)
> > 15:04:32.619934 $nfsclient > $nfsserver: (frag 7506:1480@29600+)
> > 15:04:32.619949 $nfsclient > $nfsserver: (frag 7506:1480@28120+)
> > 15:04:32.619962 $nfsclient > $nfsserver: (frag 7506:1480@26640+)
> > 15:04:32.619975 $nfsclient > $nfsserver: (frag 7506:1480@25160+)
> > 15:04:32.619987 $nfsclient > $nfsserver: (frag 7506:1480@23680+)
> > 15:04:32.619998 $nfsclient > $nfsserver: (frag 7506:1480@22200+)
> > 15:04:32.620009 $nfsclient > $nfsserver: (frag 7506:1480@20720+)
> >
> > At this point I get an "nfs: server $nfsserver not responding, timed out"
> > message logged on the nfsclient.
> >
> > I'm pretty sure it has to do with my ipfw configuration, but I can't
> > pinpoint the problem. Any ideas?
>
> It looks like those fragments should be passing the 'frag' rule. Check
> if those fragments are really being dropped. Turn on logging in the
> last 'deny' rule to see for sure. If that's not it, the log might give
> you a clue as to what the problem really is anyway.
>
> The possible way around this is to do NFS over TCP which won't
> generate the hella-huge UDP packets.
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 1 11:32:08 2003
From: "Martins Dzelde"
Date: Thu, 1 May 2003 21:34:57 +0300
Message-ID: <001f01c31010$5da8ca90$0a00a8c0@dzelde>
Subject: ipfw + http : apache

Hi,

Earlier I installed Apache 2.0, which worked fine; then I added natd and ipfw for internet connection sharing on the same FreeBSD box and the web server stopped working properly. That is, the server is running and listening on the address X:80, but I can't access the web content on my server.

Now, if I turn off the firewall by

    sysctl net.inet.ip.fw.enable=0

then it works fine... from an outside computer I can access my web documents but cannot access them when I turn on the firewall.
I have the following rules set:

    ipfw add 00100 divert natd all from any to any
    ipfw add 00200 allow ip from any to any

The firewall default configuration is to deny all from any to any, hence there is the final rule

    ... 65535 deny ip from any to any

When checking the ipfw counters with ipfw -a list, I get that only the first two are used and there is no use of rule 65535, i.e.:

    00100 xxx xxx divert 8668 ip from any to any
    00200 xxx xxx allow ip from any to any
    65535   0   0 deny ip from any to any

Please, help me to allow the outside world access to my http documents.

Thanks in advance,
Martins.

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 1 12:13:44 2003
From: "C_Ahlers"
To: "'Antoine Jacoutot'"
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 1 May 2003 12:13:40 -0700
Message-ID: <000001c31015$c6c73ed0$0501a8c0@neptune>
In-Reply-To: <1051722234.3eb001fabde38@webmail.lphp.org>
Subject: RE: ipfw dynamic rule timeout --> find a solution, but need confirmation
Here are my settings for one of my firewalls that is nearly identical to your situation:

1) FreeBSD 4.7-RELEASE + IPFW2 + Dynamic rules + natd
2) net.inet.ip.fw.dyn_syn_lifetime=20
3) net.inet.ip.fw.dyn_ack_lifetime=300
4) net.inet.ip.fw.dyn_keepalive=1

These settings are working just fine for me.

I am curious as to how you are determining that the dynamic rules are timing out prematurely. Remember, just because keep-alive type packets are going back and forth does not prevent a server application (that you are connected to) from using some other mechanism to decide if the client is inactive, causing the server to disconnect.

For example:

1) From my PC behind the firewall, I ftp'd to ftp.freebsd.org, connected, logged in, and did "ls -l"; then I just sat there.
2) Then at my firewall console I repeatedly typed:

       ipfw -Sad list | grep "192.168.1.2"

   (192.168.1.2 is the IP of the PC)
3) This allowed me to observe the dynamic rules along with the timeout value for the rule. And what I found was that after 300 seconds, the timeout value started counting down again with a fresh 300 seconds.

Yet, after 90 seconds of being connected without typing any commands to the ftp server, it disconnected. Why? Because no keep-alives were being sent? Or the dynamic rules timed out and were torn down? No, the server got tired of waiting for commands.

C_Ahlers
freebsd@code-space.com

-----Original Message-----
From: Antoine Jacoutot [mailto:ajacoutot@lphp.org]
Sent: Wednesday, April 30, 2003 10:04 AM
To: freebsd@code-space.com
Cc: freebsd-ipfw@freebsd.org
Subject: RE: ipfw dynamic rule timeout --> find a solution, but need confirmation

[...]

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 1 12:48:17 2003
From: Philip Reynolds
To: freebsd-ipfw@freebsd.org
Date: Thu, 1 May 2003 19:48:13 +0000
Message-ID: <20030501194813.GB62220@rfc-networks.ie>
In-Reply-To: <001f01c31010$5da8ca90$0a00a8c0@dzelde>
Subject: Re: ipfw + http : apache

Martins Dzelde 43 lines of wisdom included:
[...]
> I have the following rules set:
>
> ipfw add 00100 divert natd all from any to any
> ipfw add 00200 allow ip from any to any
[...]

is NATD running?

    ps auxwww | grep natd

Phil.
--
Philip Reynolds | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil | www.rfc-networks.ie

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 1 15:15:48 2003
Date: Thu, 1 May 2003 15:15:43 -0700
From: "Crist J. Clark"
To: Robert Johannes
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20030501221543.GA85403@blossom.cjclark.org>
References: <20030428211643.GA41761@blossom.cjclark.org>
Subject: Re: nfs and ipfw

On Thu, May 01, 2003 at 12:38:12PM -0500, Robert Johannes wrote:
> I've tried your suggestion, and even added a log option to the frag rule
> below, but I don't see anything being denied or dropped from the
> nfsclient. Instead, the frags are accepted, but it is as if the server
> doesn't have anything to say back, and so it never says anything back.
> Meanwhile, the nfsclient keeps sending the frag traffic to the
> server.

Is the server sending back any ICMP type 11 code 1?

> I've not tried the tcp option for nfs yet, my main concern being
> performance. I read that performance for tcp nfs is not on par with udp
> nfs.

That depends on who you ask. Many people insist TCP performance is better. It depends a lot on how you use it and whether you tune NFS appropriately for each type of transport. And tuning NFS is much more an art than a science.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
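An added example, not from the thread: a small Python tool that parses tcpdump fragment lines like Robert's and reports, per datagram, how many fragments an ipfw 'frag' rule can match (ipfw(8) matches only non-first fragments with it), whether the offset-0 fragment that carries the UDP header was seen, and the reassembled size. The sample lines are constructed copies of the ones quoted above with placeholder host names.

```python
"""Summarise fragmented IP datagrams seen in tcpdump output (added example).
tcpdump prints a fragment as "(frag ID:LEN@OFF[+])": IP id, payload length,
byte offset, and "+" when the More-Fragments bit is set.  ipfw(8)'s "frag"
option matches only fragments with a non-zero offset, so the first fragment,
the one carrying the UDP/TCP header and ports, needs an ordinary rule.
The sample at the bottom is a constructed copy of the thread's lines."""
import math
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FRAG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"\(frag\s+(?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<mf>\+?)\)"
)


@dataclass
class Fragment:
    offset: int
    length: int
    more: bool  # More-Fragments bit ("+" in tcpdump)

    @property
    def end(self) -> int:
        return self.offset + self.length

    @property
    def matches_ipfw_frag(self) -> bool:
        # ipfw(8): "frag" matches fragments that are not the first fragment.
        return self.offset != 0


@dataclass
class Datagram:
    src: str
    dst: str
    ident: int
    fragments: List[Fragment] = field(default_factory=list)

    @property
    def first_seen(self) -> bool:
        return any(f.offset == 0 for f in self.fragments)

    @property
    def total_length(self) -> Optional[int]:
        # Known only once the fragment without More-Fragments has been seen.
        last = [f for f in self.fragments if not f.more]
        return last[0].end if last else None

    @property
    def expected_fragments(self) -> Optional[int]:
        # Assumes every non-final fragment carries the largest payload seen.
        if self.total_length is None:
            return None
        return math.ceil(self.total_length / max(f.length for f in self.fragments))


def parse_fragments(lines) -> Dict[Tuple[str, str, int], Datagram]:
    """Group tcpdump fragment lines by (src, dst, IP id); other lines are skipped."""
    datagrams: Dict[Tuple[str, str, int], Datagram] = {}
    for line in lines:
        m = FRAG_RE.match(line.strip())
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["id"]))
        dg = datagrams.setdefault(key, Datagram(*key))
        dg.fragments.append(Fragment(int(m["off"]), int(m["len"]), m["mf"] == "+"))
    return datagrams


def report(dg: Datagram) -> str:
    """One-line diagnosis of a datagram from the fragments captured so far."""
    via_frag = sum(f.matches_ipfw_frag for f in dg.fragments)
    parts = [f"{dg.src} > {dg.dst} id {dg.ident}: {len(dg.fragments)} fragments seen",
             f"{via_frag} match an ipfw 'frag' rule",
             "offset-0 fragment (carries the UDP header) "
             + ("seen" if dg.first_seen else "NOT seen, needs a port-aware rule")]
    if dg.total_length is not None:
        parts.append(f"datagram is {dg.total_length} bytes in ~{dg.expected_fragments} fragments")
    return "; ".join(parts)


# Constructed sample: the thread's tcpdump lines with placeholder host names.
SAMPLE = """\
15:04:32.619887 nfsclient > nfsserver: (frag 7506:340@32560)
15:04:32.619906 nfsclient > nfsserver: (frag 7506:1480@31080+)
15:04:32.619934 nfsclient > nfsserver: (frag 7506:1480@29600+)
15:04:32.619949 nfsclient > nfsserver: (frag 7506:1480@28120+)
15:04:32.619962 nfsclient > nfsserver: (frag 7506:1480@26640+)
15:04:32.619975 nfsclient > nfsserver: (frag 7506:1480@25160+)
15:04:32.619987 nfsclient > nfsserver: (frag 7506:1480@23680+)
15:04:32.619998 nfsclient > nfsserver: (frag 7506:1480@22200+)
15:04:32.620009 nfsclient > nfsserver: (frag 7506:1480@20720+)
""".splitlines()

if __name__ == "__main__":
    for dg in parse_fragments(SAMPLE).values():
        print(report(dg))
```

On the sample this reports a 32900-byte datagram (about 23 fragments of 1480 bytes), of which the nine captured fragments would all pass a 'frag' rule while the offset-0 fragment carrying the UDP header is not among them.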
From owner-freebsd-ipfw@FreeBSD.ORG Thu May 1 15:30:49 2003
From: Antoine Jacoutot
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 2 May 2003 00:30:40 +0200
Message-ID: <1051828240.3eb1a0107e282@webmail.lphp.org>
In-Reply-To: <000001c31015$c6c73ed0$0501a8c0@neptune>
Subject: RE: ipfw dynamic rule timeout --> find a solution, but need confirmation

According to C_Ahlers:
> Here are my settings for one of my firewalls that is nearly identical to
> your situation:
> 1) FreeBSD 4.7-RELEASE + IPFW2 + Dynamic rules + natd
> 2) net.inet.ip.fw.dyn_syn_lifetime=20
> 3) net.inet.ip.fw.dyn_ack_lifetime=300
> 4) net.inet.ip.fw.dyn_keepalive=1
> These settings are working just fine for me.
> I am curious as to how you are determining that the dynamic rules are
> timing out prematurely.
> Remember, just because keep-alive type packets are going back and forth
> does not prevent a server application (that you are connected to) from
> using some other mechanism to decide if the client is inactive, causing
> the server to disconnect.

Yes, I understand that. Still, it is kind of annoying because every 20 seconds I get disconnected from ssh and newsgroups, and I can't stay connected to MSN Messenger for more than those 20 seconds. If I set net.inet.ip.fw.dyn_syn_lifetime=300, it gets reset to 300 sec, 20 seconds before the end, at the same moment net.inet.ip.fw.dyn_ack_lifetime gets reset... and everything works fine (MSN Messenger too).

My concern was about setting net.inet.ip.fw.dyn_syn_lifetime: is it insecure or so? I am not expert enough to tell if it would be a bad idea or not.

Thanks for your help.

--
Antoine Jacoutot
ajacoutot@lphp.org
http://www.lphp.org
"Unix is user friendly... It's just selective about who his friends are..."
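An added example, not from the thread, that does in code what C_Ahlers did by hand with "ipfw -Sad list | grep" and what Antoine describes watching: it parses two snapshots of the dynamic-rule listing taken a known number of seconds apart and labels each flow as counting down, refreshed (the timer jumped back up, which is what a renewal by traffic or keepalives looks like) or gone. The line format is the one ipfw2 prints for dynamic rules, "RULE PKTS BYTES (Ns) STATE proto src sport <-> dst dport", taken here as an assumption to check against your own output; the snapshots are constructed, using 192.0.2.x and 198.51.100.x documentation addresses.

```python
"""Compare two snapshots of "ipfw -d list" dynamic rules (added example).

Assumed line format (ipfw2 on FreeBSD 4.x; verify against your own output):
    RULE  PKTS  BYTES (Ns) STATE proto src sport <-> dst dport
where N is the number of seconds left before the entry expires.  Lines that
do not match (the "## Dynamic rules" banner, static rules) are ignored.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DYN_RE = re.compile(
    r"^\s*(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<expire>\d+)s\)\s+"
    r"(?P<kind>STATE|LIMIT|PARENT(?:\s+\d+)?)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)

FlowKey = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


@dataclass
class DynRule:
    rule: int
    pkts: int
    bytes: int
    expire: int  # seconds left when the snapshot was taken
    kind: str


def parse_dyn_rules(text: str, host: Optional[str] = None) -> Dict[FlowKey, DynRule]:
    """Parse a listing; optionally keep only flows involving one host
    (the grep "192.168.1.2" step of the thread)."""
    flows: Dict[FlowKey, DynRule] = {}
    for line in text.splitlines():
        m = DYN_RE.match(line)
        if not m:
            continue
        if host and host not in (m["src"], m["dst"]):
            continue
        key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        flows[key] = DynRule(int(m["rule"]), int(m["pkts"]), int(m["bytes"]),
                             int(m["expire"]), m["kind"])
    return flows


def classify(before: Dict[FlowKey, DynRule], after: Dict[FlowKey, DynRule],
             elapsed: int, slack: int = 2) -> Dict[FlowKey, str]:
    """Label each flow by comparing the two snapshots.

    counting-down : expire dropped by about `elapsed` seconds (no refresh)
    refreshed     : expire is higher than a pure countdown allows, i.e. the
                    entry was renewed (traffic or keepalive hit the rule)
    gone          : the entry is no longer listed (expired or torn down)
    new           : the entry only exists in the second snapshot
    """
    result: Dict[FlowKey, str] = {}
    for key, old in before.items():
        new = after.get(key)
        if new is None:
            result[key] = "gone"
        elif new.expire > old.expire - elapsed + slack:
            result[key] = "refreshed"
        else:
            result[key] = "counting-down"
    for key in after.keys() - before.keys():
        result[key] = "new"
    return result


# Constructed snapshots, 10 seconds apart, as "ipfw -d list" might print them.
SNAP_T0 = """\
## Dynamic rules (3):
02000        12       3456 (296s) STATE tcp 192.168.1.2 1032 <-> 192.0.2.10 21
02000         1         60 (17s) STATE tcp 192.168.1.2 1033 <-> 198.51.100.7 22
02200         4        310 (8s) STATE udp 192.168.1.2 1034 <-> 198.51.100.9 53
"""
SNAP_T1 = """\
## Dynamic rules (2):
02000        14       3600 (299s) STATE tcp 192.168.1.2 1032 <-> 192.0.2.10 21
02000         1         60 (7s) STATE tcp 192.168.1.2 1033 <-> 198.51.100.7 22
"""

if __name__ == "__main__":
    t0 = parse_dyn_rules(SNAP_T0, host="192.168.1.2")
    t1 = parse_dyn_rules(SNAP_T1, host="192.168.1.2")
    for key, label in classify(t0, t1, elapsed=10).items():
        proto, src, sport, dst, dport = key
        print(f"{proto} {src}:{sport} <-> {dst}:{dport}: {label}")
```

In the constructed snapshots the ftp flow is refreshed (its timer went back up near 300), the ssh flow is simply counting down, and the udp entry has expired.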
From owner-freebsd-ipfw@FreeBSD.ORG Thu May 1 16:04:38 2003
Date: Thu, 1 May 2003 16:04:35 -0700
From: "Crist J. Clark"
To: Martins Dzelde
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20030501230435.GB85493@blossom.cjclark.org>
In-Reply-To: <001f01c31010$5da8ca90$0a00a8c0@dzelde>
Subject: Re: ipfw + http : apache
On Thu, May 01, 2003 at 09:34:57PM +0300, Martins Dzelde wrote:
[snip]
> when checking the ipfw counters with ipfw -a list, I get that only
> the first two are used and there is no use of rule 65535, i.e.:
>
> 00100 xxx xxx divert 8668 ip from any to any
> 00200 xxx xxx allow ip from any to any
> 65535   0   0 deny ip from any to any

Does natd(8) have the "deny_incoming" switch set?
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 1 20:59:15 2003
From: "Ben Pfountz"
Date: Thu, 1 May 2003 23:59:11 -0400
Message-ID: <001a01c3105f$3073d160$6511a8c0@benspiece>
Subject: ipfw2 on 4.8-stable accepts broadcast dhcp requests?

I am running 4.8-stable updated a few days ago. I am using a firewall that filters clients based on their MAC address, and I noticed a new client could acquire a DHCP lease from the server. After staring at my ruleset for a few hours, I decided to try removing all rules, except for the default deny rule. I tried to renew a DHCP lease from the client and immediately dhcpd complained about not having permission to send a response back to the client.

I assume the dhcp request that was sent to the server (a broadcast packet) passed through the firewall, and the response from dhcpd (a directed packet) was blocked by the firewall as it tried to leave the system.

I am using IPFW2, with:

    net.link.ether.ipfw: 1
    net.inet.ip.fw.enable: 1
    net.inet.ip.fw.one_pass: 0
    net.inet.ip.fw.debug: 1
    net.inet.ip.fw.verbose: 1

Is this the correct behavior for IPFW2?
----- Ben Pfountz Computer Science Undergraduate, Virginia Tech Computer Systems Engineer, Center for Power Electronic Systems From owner-freebsd-ipfw@FreeBSD.ORG Thu May 1 23:28:51 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 04F7837B401 for ; Thu, 1 May 2003 23:28:51 -0700 (PDT) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8212D43FA3 for ; Thu, 1 May 2003 23:28:50 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.8p1/8.12.3) with ESMTP id h426SoKF015523; Thu, 1 May 2003 23:28:50 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.8p1/8.12.3/Submit) id h426SoN0015522; Thu, 1 May 2003 23:28:50 -0700 (PDT) (envelope-from rizzo) Date: Thu, 1 May 2003 23:28:50 -0700 From: Luigi Rizzo To: Ben Pfountz Message-ID: <20030501232850.A15489@xorpc.icir.org> References: <001a01c3105f$3073d160$6511a8c0@benspiece> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <001a01c3105f$3073d160$6511a8c0@benspiece>; from netprince@vt.edu on Thu, May 01, 2003 at 11:59:11PM -0400 cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw2 on 4.8-stable accepts broadcast dhcp requests? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2003 06:28:51 -0000 could it be that dhcp uses bpf to send the packet ? In that case, it will bypass the firewall, even if you have ether.ipfw set cheers luigi On Thu, May 01, 2003 at 11:59:11PM -0400, Ben Pfountz wrote: > I am running 4.8-stable updated a few days ago. 
I am using a firewall that > filters clients based on their MAC address, and I noticed a new client could > acquire a DHCP lease from the server. After staring at my ruleset for a few > hours, I decided to try removing all rules, except for the default to deny > rule. I tried to renew a DHCP lease from the client and immediately dhcpd > complained about not having permission to send a response back to the > client. > > I assume the dhcp request that was sent to the server (a broadcast packet) > passed through the firewall, and the response from dhcpd (a directed packet) > was blocked by the firewall as it tried to leave the system. > > I am using IPFW2, with: > net.link.ether.ipfw: 1 > net.inet.ip.fw.enable: 1 > net.inet.ip.fw.one_pass: 0 > net.inet.ip.fw.debug: 1 > net.inet.ip.fw.verbose: 1 > > Is this the correct behavior for IPFW2? > > ----- > Ben Pfountz > Computer Science Undergraduate, Virginia Tech > Computer Systems Engineer, Center for Power Electronic Systems > > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Fri May 2 05:28:58 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 79FFB37B404 for ; Fri, 2 May 2003 05:28:58 -0700 (PDT) Received: from lennier.cc.vt.edu (lennier.cc.vt.edu [198.82.162.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id A3F3F43F93 for ; Fri, 2 May 2003 05:28:57 -0700 (PDT) (envelope-from netprince@vt.edu) Received: from vivi.cc.vt.edu (IDENT:mirapoint@vivi-lb.cc.vt.edu [10.1.1.12]) by lennier.cc.vt.edu (8.12.8/8.12.8) with ESMTP id h42CSvnP485868 for ; Fri, 2 May 2003 08:28:57 -0400 (EDT) Received: from ben.pfountz.com (Snell.vpec.vt.edu [128.173.89.238]) by vivi.cc.vt.edu (Mirapoint Messaging Server MOS 
3.3.2-CR) with ESMTP id BCQ63026; Fri, 2 May 2003 08:28:55 -0400 (EDT) Received: (qmail 15074 invoked from network); 2 May 2003 12:29:34 -0000 Received: from bpfountz.princenet (HELO benspiece) (192.168.17.101) by digitalpimp.princenet with SMTP; 2 May 2003 12:29:34 -0000 Message-ID: <000801c310a6$65dcca90$6511a8c0@benspiece> From: "Ben Pfountz" To: "Luigi Rizzo" References: <001a01c3105f$3073d160$6511a8c0@benspiece> <20030501232850.A15489@xorpc.icir.org> Date: Fri, 2 May 2003 08:28:55 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw2 on 4.8-stable accepts broadcast dhcp requests? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2003 12:28:58 -0000 Yes, I think thats it, thank you for the clarification. Ben ----- Original Message ----- From: "Luigi Rizzo" To: "Ben Pfountz" Cc: Sent: Friday, May 02, 2003 2:28 AM Subject: Re: ipfw2 on 4.8-stable accepts broadcast dhcp requests? > could it be that dhcp uses bpf to send the packet ? In that > case, it will bypass the firewall, even if you have ether.ipfw set > > cheers > luigi > > On Thu, May 01, 2003 at 11:59:11PM -0400, Ben Pfountz wrote: > > I am running 4.8-stable updated a few days ago. I am using a firewall that > > filters clients based on their MAC address, and I noticed a new client could > > acquire a DHCP lease from the server. After staring at my ruleset for a few > > hours, I decided to try removing all rules, except for the default to deny > > rule. 
I tried to renew a DHCP lease from the client and immediately dhcpd > > complained about not having permission to send a response back to the > > client. > > > > I assume the dhcp request that was sent to the server (a broadcast packet) > > passed through the firewall, and the response from dhcpd (a directed packet) > > was blocked by the firewall as it tried to leave the system. > > > > I am using IPFW2, with: > > net.link.ether.ipfw: 1 > > net.inet.ip.fw.enable: 1 > > net.inet.ip.fw.one_pass: 0 > > net.inet.ip.fw.debug: 1 > > net.inet.ip.fw.verbose: 1 > > > > Is this the correct behavior for IPFW2? > > > > ----- > > Ben Pfountz > > Computer Science Undergraduate, Virginia Tech > > Computer Systems Engineer, Center for Power Electronic Systems > > > > > > _______________________________________________ > > freebsd-ipfw@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > > From owner-freebsd-ipfw@FreeBSD.ORG Fri May 2 05:35:12 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E04BC37B404 for ; Fri, 2 May 2003 05:35:12 -0700 (PDT) Received: from dns.balticom.lv (dns.balticom.lv [217.199.104.32]) by mx1.FreeBSD.org (Postfix) with SMTP id E5A0D43F75 for ; Fri, 2 May 2003 05:35:10 -0700 (PDT) (envelope-from dzelde@parks.lv) Received: (qmail 1223 invoked from network); 2 May 2003 12:30:43 -0000 Received: from unknown (HELO dzelde) (213.180.111.146) by dns.balticom.lv with SMTP; 2 May 2003 12:30:43 -0000 Message-ID: <000801c310a7$ae021220$0a00a8c0@dzelde> From: "Martins Dzelde" To: Date: Fri, 2 May 2003 15:38:05 +0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE 
V6.00.2800.1106 Subject: ipfw + http : apache X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2003 12:35:13 -0000 Probably, my description of the situation was ambiguous. On my little network I have three computers A, B, and C : A - FreeBSD box, where I have installed the daemons like natd, ipfw and apache2, etc. This computer is connected to internet and is supposed to share the connection for computers B & C B,C - Windows boxes, uses the shared internet connection from the computer A. Then, if the ipfw is turned OFF, the boxes B & C cannot access Internet, whereas from the box A I can access Internet as well as my apache2 web pages. These web pages on box A I can access also from any other computer connected to the Internet; whereas, when I turn ON ipfw, Internet sharing works fine (meaning I can browse the web from boxes A & B) but I cannot access those apache2 documents on box A. I have tried to test, where does those packets go if I try access the web page but all I get from 'ipfw -a list' is > 00100 xxx xxx divert 8668 ip from any to any > 00200 xxx xxx allow ip from any to any > 65535 0 0 deny ip from any to any which I understand as that those packets heading to my apache2 server on port 80 are allowed to go and no traffic is denied... but I still cannot access my web pages on the box A. > Does natd(8) have the "deny_incoming" switch set? > > -- > Crist J. Clark | cjclark at alum.mit.edu > | cjclark at jhu.edu> > http://people.freebsd.org/~cjc/ | cjc at freebsd.org It doesn't have the switch set. And I suppose it shouldn't be, should it? > is NATD running? > > ps auxwww | grep natd > > Phil. Yes, natd is running correctly. Thank you for suggestions and, please, I would really appreaciate some more. Martins. 
From owner-freebsd-ipfw@FreeBSD.ORG Fri May 2 09:33:12 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 494B237B401 for ; Fri, 2 May 2003 09:33:12 -0700 (PDT) Received: from schurli.wu-wien.ac.at (schurli.wu-wien.ac.at [137.208.16.32]) by mx1.FreeBSD.org (Postfix) with SMTP id 7322A43F3F for ; Fri, 2 May 2003 09:33:10 -0700 (PDT) (envelope-from georg-ipfw@graf.priv.at) Received: (qmail 80215 invoked by uid 1001); 2 May 2003 16:33:09 -0000 Date: Fri, 2 May 2003 18:33:09 +0200 From: Georg Graf To: freebsd-ipfw@freebsd.org Message-ID: <20030502163309.GB76931@graf.priv.at> Mail-Followup-To: freebsd-ipfw@freebsd.org References: <000801c310a7$ae021220$0a00a8c0@dzelde> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <000801c310a7$ae021220$0a00a8c0@dzelde> User-Agent: Mutt/1.4i Subject: Re: ipfw + http : apache X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2003 16:33:12 -0000 On Fri, May 02, 2003 at 03:38:05PM +0300, Martins Dzelde wrote: [...] > > 00100 xxx xxx divert 8668 ip from any to any > > 00200 xxx xxx allow ip from any to any > > 65535 0 0 deny ip from any to any I'm missing the interface of the internet connection of box A in rule 100. You should also check that natd is running with the "-interface xxxy" option. Search for "RUNNING NATD" in man natd. 
hth, -- Georg Graf http://georg.graf.priv.at/ PGP Key ID: 0xA5232AD5 Gobergasse 43/2 A-1130 Wien Tel: +43 1 8796723 From owner-freebsd-ipfw@FreeBSD.ORG Fri May 2 10:44:27 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C394B37B401 for ; Fri, 2 May 2003 10:44:27 -0700 (PDT) Received: from holmes.peterlink.ru (holmes.peterlink.ru [195.242.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 36C4643FBD for ; Fri, 2 May 2003 10:44:26 -0700 (PDT) (envelope-from maxes@peterlink.ru) Received: from stapleton.peterlink.ru (stapleton.peterlink.ru [195.242.2.5]) by holmes.peterlink.ru (8.12.6/8.12.6) with ESMTP id h42HiNpu021651 for ; Fri, 2 May 2003 21:44:24 +0400 (MSD) Received: from buratino.peterlink.ru (madmax@buratino.peterlink.ru [195.242.2.70])h42HiKOu056537 for ; Fri, 2 May 2003 21:44:20 +0400 (MSD) Received: from localhost (madmax@localhost) by buratino.peterlink.ru (8.9.1/8.9.1) with ESMTP id VAA22428 for ; Fri, 2 May 2003 21:44:20 +0400 (MSD) Date: Fri, 2 May 2003 21:44:19 +0400 (MSD) From: maxes@peterlink.ru X-X-Sender: madmax@buratino.peterlink.ru To: freebsd-ipfw@freebsd.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: src-limit trouble X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 May 2003 17:44:28 -0000 I use ipfw2 with dynamic rule like this: ipdw add 50 count tcp from any to me dst-port 8000-8005,80 setup limit src-addr 20 1) In my case, command "ipfw -d sh" can show some "LIMIT" rule without corresponding "PARENT" rule, for example: ipfw -d sh | grep remote.ip 00050 9 861 (62s) LIMIT tcp remote.ip 19098 <-> me.ip 80 It's full output, I repeat - no corresponding PARENT rule. 
2) If net.inet.ip.fw.dyn_keepalive=1, then on host accumulated FIN_WAIT_2 connections. For example: netstat -an | grep WAIT_2 | wc -l 2178 This FIN_WAIT_2 connection live very long period - 1-1.5 month. But if set "sysctl -w net.inet.ip.fw.dyn_keepalive=0 " then after (as minimum 5 min = dyn_ack_lifetime ) number of FIN_WAIT_2 connections decrease to "normal" - 20-40. I set MSL to 7500. Question is: Why live single LIMIT rule whithout PARENT ? Why this connection not closed ? In FreeBSD FIN_WAIT_2 has timer - after 2*MSL (30 sec in my case) this connection would be closed, isn't ? But with keep-alive this connection's show in netstat, show in ipfw rules. b.r. Kozin Maxim From owner-freebsd-ipfw@FreeBSD.ORG Sat May 3 23:28:26 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 817AB37B401 for ; Sat, 3 May 2003 23:28:26 -0700 (PDT) Received: from ns1.interbgc.com (mail.interbgc.com [217.9.224.3]) by mx1.FreeBSD.org (Postfix) with SMTP id 9BFFB43FBD for ; Sat, 3 May 2003 23:28:23 -0700 (PDT) (envelope-from misho@interbgc.com) Received: (qmail 94430 invoked from network); 4 May 2003 06:28:19 -0000 Received: from misho.cablebg.net (HELO misho) (217.18.242.155) by mail.interbgc.com with SMTP; 4 May 2003 06:28:19 -0000 Message-ID: <002601c31206$5ab1a080$9bf212d9@interbgc.com> From: "Mihail Balikov" To: References: Date: Sun, 4 May 2003 09:28:19 +0300 Organization: Inter-Bg-Com Ltd. 
MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Subject: Re: src-limit trouble X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Mihail Balikov List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 04 May 2003 06:28:26 -0000 this happens when you have more than one rule with "limit" . I have small patch for 4.7 regards, Mihail Balikov ----- Original Message ----- From: To: Sent: Friday, May 02, 2003 8:44 PM Subject: src-limit trouble > > I use ipfw2 with dynamic rule like this: > ipdw add 50 count tcp from any to me dst-port 8000-8005,80 setup limit src-addr 20 > > 1) > In my case, command "ipfw -d sh" can show some "LIMIT" rule without > corresponding "PARENT" rule, for example: > ipfw -d sh | grep remote.ip > 00050 9 861 (62s) LIMIT tcp remote.ip 19098 <-> me.ip 80 > > It's full output, I repeat - no corresponding PARENT rule. > > 2) > If net.inet.ip.fw.dyn_keepalive=1, then > on host accumulated FIN_WAIT_2 connections. > For example: > netstat -an | grep WAIT_2 | wc -l > 2178 > > This FIN_WAIT_2 connection live very long period - 1-1.5 month. > But if set "sysctl -w net.inet.ip.fw.dyn_keepalive=0 " > then after (as minimum 5 min = dyn_ack_lifetime ) number of FIN_WAIT_2 > connections decrease to "normal" - 20-40. I set MSL to 7500. > > Question is: > Why live single LIMIT rule whithout PARENT ? > Why this connection not closed ? > In FreeBSD FIN_WAIT_2 has timer - after 2*MSL (30 sec in > my case) this connection would be closed, isn't ? But with keep-alive > this connection's show in netstat, show in ipfw rules. > > b.r. 
> Kozin Maxim > > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >
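The "LIMIT without PARENT" check that Maxim did by hand in the src-limit thread above, as an added example that is not part of the thread and not ipfw's own code: a small Python parser over constructed "ipfw -d show" output that lists LIMIT states whose (rule, source address) key has no PARENT entry, and PARENT entries whose printed child count disagrees with the LIMIT lines actually seen. The LIMIT line layout follows the one Maxim quoted; the PARENT line layout (keyword, then the child count, then the key address with the non-key fields printed as 0), the "limit src-addr" keying, and every address in the sample are assumptions.

```python
"""Sanity-check ipfw2 dynamic-rule listings for LIMIT states without a PARENT.

Added example (not from the thread or from ipfw). Assumptions, labelled:
 - the rule uses `limit src-addr`, so a PARENT is keyed by (rule, src addr);
 - the PARENT line shares the LIMIT layout, with the child count right after
   the keyword and the non-key address fields printed as 0.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Tuple


class DynEntry(NamedTuple):
    rule: int
    pkts: int
    nbytes: int
    ttl: int      # seconds left before the state expires
    kind: str     # "STATE", "LIMIT" or "PARENT"
    count: int    # child count printed on PARENT lines, 0 otherwise
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Layout taken from the LIMIT line quoted in the thread:
#   00050 9 861 (62s) LIMIT tcp remote.ip 19098 <-> me.ip 80
_DYN_LINE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<nbytes>\d+)\s+\((?P<ttl>\d+)s\)\s+"
    r"(?P<kind>STATE|LIMIT|PARENT)(?:\s+(?P<count>\d+))?\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)


def parse_dyn_rules(text: str) -> List[DynEntry]:
    """Return the dynamic-rule entries found in `ipfw -d show` output.

    Static rules and the "## Dynamic rules" banner do not match and are skipped.
    """
    entries: List[DynEntry] = []
    for raw in text.splitlines():
        m = _DYN_LINE.match(raw.strip())
        if not m:
            continue
        if m["kind"] == "PARENT" and m["count"] is None:
            raise ValueError(f"PARENT line without a child count: {raw!r}")
        entries.append(DynEntry(
            rule=int(m["rule"]), pkts=int(m["pkts"]), nbytes=int(m["nbytes"]),
            ttl=int(m["ttl"]), kind=m["kind"], count=int(m["count"] or 0),
            proto=m["proto"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"])))
    return entries


def orphan_limits(entries: List[DynEntry]) -> List[DynEntry]:
    """LIMIT states whose (rule, src addr) key has no PARENT entry."""
    parents = {(e.rule, e.src) for e in entries if e.kind == "PARENT"}
    return [e for e in entries
            if e.kind == "LIMIT" and (e.rule, e.src) not in parents]


def parent_count_mismatches(entries: List[DynEntry]) -> List[Tuple[DynEntry, int]]:
    """PARENT entries whose printed child count differs from the LIMIT lines seen."""
    children = Counter((e.rule, e.src) for e in entries if e.kind == "LIMIT")
    return [(e, children[(e.rule, e.src)]) for e in entries
            if e.kind == "PARENT" and children[(e.rule, e.src)] != e.count]


# Constructed sample: 203.0.113.5 has a PARENT with two children, while
# 198.51.100.7 has a LIMIT state and no PARENT, the symptom from the thread.
SAMPLE_OUTPUT = """\
00050 24 1881 count tcp from any to me dst-port 8000-8005,80 setup limit src-addr 20
65535 0 0 deny ip from any to any
## Dynamic rules (4):
00050 9 861 (62s) LIMIT tcp 198.51.100.7 19098 <-> 192.0.2.10 80
00050 0 0 (5s) PARENT 2 tcp 203.0.113.5 0 <-> 0.0.0.0 0
00050 3 120 (30s) LIMIT tcp 203.0.113.5 40001 <-> 192.0.2.10 80
00050 12 900 (290s) LIMIT tcp 203.0.113.5 40002 <-> 192.0.2.10 8000
"""


def report(text: str) -> List[str]:
    """Human-readable findings for one listing; an empty list means nothing odd."""
    entries = parse_dyn_rules(text)
    lines = [f"rule {e.rule:05d}: LIMIT {e.src}:{e.sport} -> {e.dst}:{e.dport} "
             f"has no PARENT (ttl {e.ttl}s)" for e in orphan_limits(entries)]
    lines += [f"rule {e.rule:05d}: PARENT {e.src} claims {e.count} children, "
              f"{seen} LIMIT lines seen"
              for e, seen in parent_count_mismatches(entries)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT) or ["no anomalies"]:
        print(line)
```

On a live box the listing would come from "ipfw -d show" piped into the script instead of SAMPLE_OUTPUT; the check is keyed on the source address only because that is what "limit src-addr" groups on, so a rule limited on a different field needs the key in orphan_limits and parent_count_mismatches changed to match.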