From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 20 03:25:51 2003
From: Luigi Rizzo
To: Bill Fumerola
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 20 Apr 2003 03:25:48 -0700
Subject: Re: skipto doesn't jump backwards
Message-ID: <20030420032548.A6689@xorpc.icir.org>
In-Reply-To: <20030419222712.GA92365@elvis.mu.org>

On Sat, Apr 19, 2003 at 03:27:12PM -0700, Bill Fumerola wrote:
> On Sat, Apr 19, 2003 at 11:36:02PM +0200, Sten Daniel Sørsdal wrote:
> >
> > Are there any reasons to why skipto can't jump backwards?
>
> 10 print "no good reason"
> 20 goto 10

the reason is that you cannot create loops in this way.
In order to create loops you need some external help such as a
misconfigured divert client.

cheers
luigi

> yes you could detect this - for a cost. are there any reasons why you'd
> want skipto to jump backwards? what problem are you trying to solve?
>
> --
> - bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org


From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 21 09:07:09 2003
From: vlad <vlad@sas.nsk.su>
To: freebsd-ipfw@freebsd.org
Date: Mon, 21 Apr 2003 23:03:03 +0700
Subject: ipfw in freebsd 4.7
Message-ID: <7354444376.20030421230303@sas.nsk.su>

Hello!

I have FreeBSD 4.7 installed.
I need to add this rule to the firewall:

    ipfw add divert 10000 ip from {not a.b.c.d/nn or not e.f.g.h/yy} to i.j.k.l/zz via ed0

but ipfw answers me:

    host '{' is unknown.

I read the man page section about grouping carefully, but I cannot add this
rule to the firewall table.

Can anyone explain this ipfw behaviour?
I cannot split this rule into two separate ones...
Waiting for your solution.

Please send a copy of your answer to my email.
--
Best regards,
vlad                          mailto:vlad@sas.nsk.su


From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 21 09:14:45 2003
From: Luigi Rizzo
To: vlad
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 21 Apr 2003 09:14:44 -0700
Subject: Re: ipfw in freebsd 4.7
Message-ID: <20030421091444.A23150@xorpc.icir.org>
In-Reply-To: <7354444376.20030421230303@sas.nsk.su>

you are trying to use an IPFW2 option. You need to put "options IPFW2"
in your kernel config file, and rebuild /sbin/ipfw with "make -DIPFW2"
(and also upgrade kernel and sources to a recent RELENG_4 because there
were several bugfixes since 4.7)

cheers
luigi

On Mon, Apr 21, 2003 at 11:03:03PM +0700, vlad wrote:
> I have FreeBSD 4.7 installed.
> I need to add this rule into firewall:
> ipfw add divert 10000 ip from {not a.b.c.d/nn or not e.f.g.h/yy} to
> i.j.k.l/zz via ed0
>
> but ipfw answers me:
> host '{' is unknown.


From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 21 09:17:31 2003
From: "Simon L. Nielsen"
To: vlad
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 21 Apr 2003 18:17:29 +0200
Subject: Re: ipfw in freebsd 4.7
Message-ID: <20030421161728.GB1230@nitro.dk>
In-Reply-To: <7354444376.20030421230303@sas.nsk.su>

On 2003.04.21 23:03:03 +0700, vlad wrote:
> I have FreeBSD 4.7 installed.
> I need to add this rule into firewall:
> ipfw add divert 10000 ip from {not a.b.c.d/nn or not e.f.g.h/yy} to
> i.j.k.l/zz via ed0

Are you sure that you are using ipfw2?  See the manpage for information
about ipfw2 on FreeBSD 4.

Other than that you should also add spaces before/after the brackets.
E.g.:

    { not a.b.c.d/nn or not e.f.g.h/yy }

--
Simon L. Nielsen


From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 21 11:01:34 2003
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 21 Apr 2003 11:01:30 -0700 (PDT)
Subject: Current problem reports assigned to you
Message-ID: <200304211801.h3LI1Ue3033389@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues

1 problem total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2003/01/05] bin/46785   ipfw   [patch] add sets information to ipfw2 -h
o [2003/01/15] bin/47120   ipfw   [patch] Sanity check in ipfw(8)
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r

4 problems total.


From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 22 02:55:26 2003
From: Luigi Rizzo
To: yossman
Cc: freebsd-ipfw@freebsd.org
Cc: yossman@waterloo.yossman.net
Date: Tue, 22 Apr 2003 02:55:25 -0700
Subject: Re: ipfw dummynet: limiting packets per second (limit pps)?
Message-ID: <20030422025525.A33894@xorpc.icir.org>
In-Reply-To: <1107.66.46.224.251.1050689830.squirrel@ssl.yossman.net>

On Fri, Apr 18, 2003 at 02:17:10PM -0400, yossman wrote:
...
> good day, i've been searching for the last while for a way to use
> FreeBSD's ipfw and dummynet implementations to limit the number of packets
> per second destined for any matching network traffic pipe. oddly, i can't
> find very much information on doing this at all, save for a patch written
...
> is there some reason limiting packets per second is not an option at the
> moment? or does the capability already exist, and i'm just looking in the
> wrong places? any hints would be appreciated, thanks!

the original motivation for dummynet was to work as a traffic shaper,
i.e. release data from the network interface at most at the programmed
rate. The natural way to express this type of behaviour is in terms of
bandwidth, and a queue to store the input traffic that is to be released
at the desired rate.

Limiting traffic to X pps generally means picking an interval of T
seconds and making sure that in each of those intervals the first T*X
packets are let out without delay, and the excess is simply thrown away.

Besides the differences in terms of operations (shaping almost always
introduces some delay, whereas limiting never delays traffic), the
implementation of traffic shaping is also more expensive than traffic
limiting -- you need queues and timers for the former, whereas the
latter can be simply implemented with a counter and a timestamp for
each flow.

For a simple implementation of a "pps X" option i would suggest simply
defining a new "ipfw2" opcode O_PPS which would match only up to X
packets in each 1-second interval.
The implementation would be something like this:

    typedef struct _ipfw_insn_pps {
        ipfw_insn o;
        uint32_t ts;      /* start of measuring period (time_second) */
        uint32_t limit;   /* packets allowed per period */
        uint32_t count;   /* packets matched so far in this period */
    } ipfw_insn_pps;

and the action would be

    case O_PPS: {
        ipfw_insn_pps *x = (ipfw_insn_pps *)cmd;

        if (x->ts != time_second) {
            /* new 1-second period: this packet is the first one in it,
             * so the count starts at 1 and exactly `limit` packets
             * match per period (starting at 0 would admit limit+1) */
            x->ts = time_second;
            x->count = 1;
            match = 1;
        } else if (x->count < x->limit) {
            x->count++;
            match = 1;
        }
        /* otherwise the option does not match and the next rule is tried */
        break;
    }

its use would be something like this:

    ipfw add 1000 accept ip from A to B pps 50
    ipfw add 1000 deny ip from A to B

A slightly more complex implementation that handles masks etc. is
probably best done by extending dummynet pipes to handle counts and
limits as shown above.

cheers
luigi

-----------------------------------+-------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
 TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56122 PISA (Italy)
 Mobile   +39-347-0373137
-----------------------------------+-------------------------------------


From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 22 13:06:12 2003
From: "The Jetman" <jetman516@hotmail.com>
To: "FBSD IPFW"
Date: Tue, 22 Apr 2003 12:48:29 -0400
Subject: [Q2-4.8-R] Can Anyone Help With Questions About MAC Filtering and IPFW2 ?

I'm using 4.8-RELEASE to implement a MAC-filtering bridge for my wireless
network. Although I am relatively new w/ FBSD (since Apr '02), I've been
getting the desired results writing my own rules for IPFW. My 1st attempt
w/ IPFW2 was successful, but I can't figure out why!

dc0 is the incoming (the anonymous one, w/o an IP addr) interface.

    00100 allow ip from any to any MAC any a:b:c:d:e:f in via dc0
    00200 allow ip from any to any MAC a:b:c:d:e:f any out via dc0
    00300 allow ip from any to any MAC b:c:d:e:f:g any in via dc0
    00400 allow ip from any to any MAC any b:c:d:e:f:g out via dc0
    00500 deny log ip from any to any MAC any any in via dc0
    00600 allow ip from any to any
    65535 allow ip from any to any

Only rules 100, 200, 500, and 600 fire. Rules 100 and 200 fire for obvious
reasons (because they match the patterns I've anticipated.) Because of how
IP-based IPFW1 rules work, I *thought* one would have to have matching
inbound/outbound rules WRT MAC filtering. What's most baffling is that
non-approved MAC addrs are blocked as desired [at rule 500] as hoped, but
legal traffic is permitted back thru the bridge to its sender [via rule
600.] WHY ????
I'm only showing the simplest example of the scripts I've been experimenting
with. I've got other scripts that do permit other MACs thru the bridge
(either wireless or Ethernet) while blocking everyone else, so I'm very
close to what I want. My principal concern is that I don't rely on bogus
(i.e. broken) behavior of IPFW2, only to discover at some unspecified time
in the future that this was never really working and my LAN was never
really protected. Or worse still, after I start making the script more
complex, something unrelated goes wrong.

The only help I've been able to find is a single site, where a guy showed
his 1st effort at an IPFW2 script, intending to do the same thing I'm
trying to do. I used his 1st script as a starting place for my efforts.
Beyond this, I haven't been able to find any other instructive refs to
IPFW2 on the web or in the FBSD mail list archives.

TIA....Jet

=============== From the desk of Jethro Wright, III ================
+ Never attribute to malice that which is adequately explained by  +
+ incompetence.                                                    +
=== jetman516@hotmail.com ===================== Hanlon's Razor ===
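Editor's note on the "ipfw in freebsd 4.7" thread above. The following is an added example, not code from the thread or from ipfw(8) itself. It models two things the replies point at: ipfw(8) sees the rule as shell-split argv tokens, so "{not" is one token and is rejected where "{" and "not" as separate tokens parse (Simon's point about spaces around the brackets), and an ipfw2 or-block matches when any one of its terms matches. It is deliberately simplified: terms are IPv4 CIDR literals only (no hostnames, "me", or port lists), and the function names, the error convention (-1 for a syntax error) and the sample networks 10.0.0.0/24 and 10.0.1.0/24 are all constructed for the example. Running it also shows the caveat a practitioner should check before diverting on such a rule: "{ not A or not B }" with two disjoint networks matches every source address, since no packet can be inside both; only overlapping networks give it a restrictive meaning.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One term of an ipfw2 or-block:  [not] a.b.c.d/nn */
struct or_term {
    int negated;
    uint32_t net;
    uint32_t mask;
};

/* Parse dotted-quad "a.b.c.d" into a host-order uint32_t. 0 on success. */
static int parse_ipv4(const char *s, uint32_t *ip)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *ip = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Parse "a.b.c.d/nn" into network and mask. 0 on success. */
static int parse_cidr(const char *s, uint32_t *net, uint32_t *mask)
{
    char buf[32];
    const char *slash = strchr(s, '/');
    unsigned n;
    char tail;
    if (slash == NULL || (size_t)(slash - s) >= sizeof buf)
        return -1;
    memcpy(buf, s, slash - s);
    buf[slash - s] = '\0';
    if (parse_ipv4(buf, net) != 0)
        return -1;
    if (sscanf(slash + 1, "%u%c", &n, &tail) != 1 || n > 32)
        return -1;
    *mask = (n == 0) ? 0 : 0xffffffffu << (32 - n);
    *net &= *mask;
    return 0;
}

/*
 * Parse an or-block from argv-style tokens, i.e. what ipfw(8) receives
 * after the shell has split the command line on whitespace.  Grammar:
 *     "{" [ "not" ] cidr { "or" [ "not" ] cidr } "}"
 * Returns the number of terms, or -1 on a syntax error.  A glued token
 * such as "{not" is not "{" and is rejected, which is why the braces
 * need surrounding whitespace on the real command line.
 */
static int parse_or_block(int argc, char **argv, struct or_term *out, int max)
{
    int i = 0, n = 0;
    if (argc < 3 || strcmp(argv[i++], "{") != 0)
        return -1;
    for (;;) {
        struct or_term t = { 0, 0, 0 };
        if (i < argc && strcmp(argv[i], "not") == 0) { t.negated = 1; i++; }
        if (i >= argc || parse_cidr(argv[i], &t.net, &t.mask) != 0)
            return -1;                        /* "host '...' is unknown" */
        i++;
        if (n >= max)
            return -1;
        out[n++] = t;
        if (i >= argc)
            return -1;                        /* missing closing brace */
        if (strcmp(argv[i], "}") == 0) { i++; break; }
        if (strcmp(argv[i], "or") != 0)
            return -1;
        i++;
    }
    return (i == argc) ? n : -1;
}

/* ipfw2 or-block semantics: the block matches if ANY term matches. */
static int or_block_matches(const struct or_term *t, int n, uint32_t ip)
{
    for (int k = 0; k < n; k++) {
        int in_net = ((ip & t[k].mask) == t[k].net);
        if (in_net != t[k].negated)
            return 1;
    }
    return 0;
}

/*
 * Split `text` on whitespace the way a shell would, parse it as an
 * or-block and test source address `src` against it.
 * Returns 1 (match), 0 (no match) or -1 (syntax error).
 */
int rule_src_matches(const char *text, const char *src)
{
    char buf[256], *argv[32];
    int argc = 0;
    struct or_term terms[16];
    uint32_t ip;

    if (strlen(text) >= sizeof buf || parse_ipv4(src, &ip) != 0)
        return -1;
    strcpy(buf, text);
    for (char *tok = strtok(buf, " \t"); tok && argc < 32; tok = strtok(NULL, " \t"))
        argv[argc++] = tok;
    int n = parse_or_block(argc, argv, terms, 16);
    if (n < 0)
        return -1;
    return or_block_matches(terms, n, ip);
}

int main(void)
{
    /* constructed sample block: two disjoint /24s, both negated */
    const char *block = "{ not 10.0.0.0/24 or not 10.0.1.0/24 }";
    const char *hosts[] = { "10.0.0.5", "10.0.1.5", "192.0.2.1" };
    for (size_t k = 0; k < 3; k++)
        printf("%-10s -> %d\n", hosts[k], rule_src_matches(block, hosts[k]));
    printf("glued brace -> %d\n",
           rule_src_matches("{not 10.0.0.0/24 or not 10.0.1.0/24}", "10.0.0.5"));
    return 0;
}
```

With the sample block every host, including one on 192.0.2.0/24, returns 1, so "divert 10000 ip from { not A or not B } to ..." would hand the divert socket all traffic towards the destination when A and B do not overlap; swapping A for a supernet of B (10.0.0.0/16 over 10.0.1.0/24) makes the block exclude 10.0.1.0/24 only. The glued form returns -1, mirroring the "host '{' is unknown" failure mode.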
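Editor's note on the "limiting packets per second" thread above. This is an added, user-space model of the O_PPS option Luigi Rizzo sketches there; it is not his code and not part of ipfw. It keeps his three fields (timestamp, limit, count) but drops the ipfw_insn header, and `now` is passed in explicitly in place of the kernel's time_second. The function names pps_match, pps_burst and pps_flood and the packet timings are constructed for the example. Two things it lets you check that the sketch alone does not: whether the first packet of a new second is counted (if it is not, limit+1 packets match per second), and that the 1-second window is a calendar second rather than a sliding one, so two full budgets can be spent back to back across a second boundary.

```c
#include <stdint.h>
#include <stdio.h>

/* Per-rule state for a "pps LIMIT" match option: the same three fields
 * as the ipfw_insn_pps sketch in the thread, without the ipfw_insn header. */
typedef struct pps_state {
    uint32_t ts;     /* second in which the current count was started */
    uint32_t limit;  /* packets allowed per 1-second interval */
    uint32_t count;  /* packets already matched in that interval */
} pps_state;

/*
 * Match at most `limit` packets per calendar second.  `now` stands in for
 * the kernel's time_second (an assumption of this stand-alone version).
 * The first packet of a fresh second is counted as packet number one.
 */
int pps_match(pps_state *x, uint32_t now)
{
    if (x->ts != now) {          /* new interval: restart the count */
        x->ts = now;
        x->count = 1;
        return 1;
    }
    if (x->count < x->limit) {   /* still under budget for this second */
        x->count++;
        return 1;
    }
    return 0;                    /* over budget: the option does not match */
}

/* Same logic, but the first packet of a new second resets the count to 0
 * without being counted; kept only to show the extra packet this admits. */
int pps_match_uncounted_first(pps_state *x, uint32_t now)
{
    if (x->ts != now || x->count < x->limit) {
        if (x->ts != now) {
            x->ts = now;
            x->count = 0;
        } else {
            x->count++;
        }
        return 1;
    }
    return 0;
}

/* Offer `n` packets at time `now` to one match function; return how many
 * of them the option matched (i.e. would reach the rule's action). */
uint32_t pps_burst(pps_state *x, uint32_t now, uint32_t n,
                   int (*match)(pps_state *, uint32_t))
{
    uint32_t accepted = 0;
    for (uint32_t i = 0; i < n; i++)
        accepted += (uint32_t)match(x, now);
    return accepted;
}

/*
 * Constructed flood: from fresh state at second `t0`, send `per_burst`
 * packets in each of `seconds` consecutive seconds and return the total
 * matched.  `uncounted_first` selects the reset-to-zero variant above.
 */
uint32_t pps_flood(uint32_t limit, uint32_t t0, uint32_t seconds,
                   uint32_t per_burst, int uncounted_first)
{
    pps_state st = { 0, limit, 0 };
    int (*match)(pps_state *, uint32_t) =
        uncounted_first ? pps_match_uncounted_first : pps_match;
    uint32_t total = 0;
    for (uint32_t s = 0; s < seconds; s++)
        total += pps_burst(&st, t0 + s, per_burst, match);
    return total;
}

int main(void)
{
    printf("200 pkts in one second, pps 50:        %u matched\n",
           pps_flood(50, 100, 1, 200, 0));
    printf("same, first packet left uncounted:     %u matched\n",
           pps_flood(50, 100, 1, 200, 1));
    /* Not a sliding window: 50 at the end of second N plus 50 at the start
     * of second N+1 all pass, however close together they actually arrive. */
    printf("100 pkts straddling a second boundary: %u matched\n",
           pps_flood(50, 100, 2, 100, 0));
    return 0;
}
```

The third case is the one to keep in mind when "pps 50" is meant as a DoS ceiling: an attacker timing a burst around the second boundary gets up to 2*limit packets through in a very short interval, which is the price of the counter-and-timestamp design being so much cheaper than a dummynet queue.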