From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 26 11:01:51 2004
Date: Mon, 26 Apr 2004 11:01:50 -0700 (PDT)
Message-Id: <200404261801.i3QI1oiT045766@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2004/03/03] misc/63724  ipfw   IPFW2 Queues don't work
o [2004/03/13] kern/64240  ipfw   IPFW tee terminates rule processing

5 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/29] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/01/12] kern/61259  ipfw   [patch] make "ipfw tee" work as intended
o [2004/02/09] kern/62598  ipfw   no logging on ipfw loadable module
o [2004/03/08] kern/63961  ipfw   ipfw2 uid matching doesn't work correctly

13 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 27 01:19:04 2004
Date: Tue, 27 Apr 2004 12:19:02 +0400 (MSD)
From: Oleg Bulyzhin
To: ipfw@freebsd.org
Message-ID: <20040427113659.J44815@lath.rinet.ru>
cc: noc@rinet.ru
Subject: ipfw: install_state: entry already present, done

Hi!

install_state() (in ip_fw2.c/RELENG_4) has the following code:

    if (q != NULL) { /* should never occur */
        if (last_log != time_second) {
            last_log = time_second;
            printf("ipfw: install_state: entry already present, done \n");
        }
        return 0;
    }

(similar code is in ip_fw.c and in CURRENT)

You can get such messages using these rules:

    ipfw add 10 skipto 20 tcp from any to any setup keep-state
    ipfw add 20 allow tcp from any to any setup keep-state

This example is quite useless but there are _valid_ situations when you get
your logs spammed with this error.
For example I want to pass tcp connections to a limited set of destination
hosts and the total number of a client's tcp sessions should be limited.
The ruleset might be like this (10.0.0.0/24 - client's network):

    10 check-state
    20 skipto 100 tcp from 10.0.0.0/24 to 192.168.0.1 setup keep-state
    20 skipto 100 tcp from 10.0.0.0/24 to 192.168.0.2 setup keep-state
    20 skipto 100 tcp from 10.0.0.0/24 to 192.168.0.3 setup keep-state
    50 reset tcp from 10.0.0.0/24 to any
    100 allow tcp from 10.0.0.0/24 to any setup limit src-addr 16

As a result you will get the error for every client's tcp SYN packet to an
allowed host (well, the highest rate possible is 1 message/sec).

I think install_state() should store cmd->o.opcode in a static variable and
the error message should be printed only if the current opcode or the
previous opcode equals O_KEEP_STATE (cause chained keep-state rules are
useless but, I think, chained limit rules may be useful).

Any comments?

--
Oleg.
================================================================
=== Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg@rinet.ru ===
================================================================

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 29 13:00:27 2004
Message-ID: <40917B46.7020308@ae4u.de>
Date: Thu, 29 Apr 2004 22:01:42 +0000
From: "Andrea E."
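A user-space model of the install_state() path from Oleg's report above, added here as an example (it is neither FreeBSD's ip_fw2.c nor a patch from Oleg): it replays one flow through two stateful rules, once with the unconditional RELENG_4 check and once with the proposed previous-opcode check. The flow, the dynamic table and the clock are constructed; note that, as the proposal is stated, a keep-state rule followed by a limit rule still logs, and only a limit-after-limit chain is silenced.

```c
/* Added example, not FreeBSD's ip_fw2.c: a user-space model of the
 * install_state() "entry already present" path.  It compares the
 * rate-limited but otherwise unconditional log of RELENG_4 with Oleg's
 * proposal: keep the previous opcode in a static and log only when the
 * current or the previous opcode is O_KEEP_STATE.  Flows, the dynamic
 * table and the clock are constructed; the opcode names mirror ipfw2. */
#include <stdio.h>

enum { O_KEEP_STATE = 1, O_LIMIT = 2 };
struct flow { unsigned src, dst; unsigned short sport, dport; };

#define MAX_DYN 64
static struct flow dyn[MAX_DYN];     /* constructed dynamic-rule table */
static int ndyn;
static unsigned time_second = 1000;  /* constructed clock, seconds */
static unsigned last_log;
static int prev_opcode;              /* the static Oleg proposes to add */

static struct flow *lookup_dyn(const struct flow *f)
{
    for (int i = 0; i < ndyn; i++)
        if (dyn[i].src == f->src && dyn[i].dst == f->dst &&
            dyn[i].sport == f->sport && dyn[i].dport == f->dport)
            return &dyn[i];
    return NULL;
}

/* Returns 1 if the "already present" message was printed, else 0.
 * oleg_check selects the proposed condition instead of RELENG_4's. */
static int install_state(const struct flow *f, int opcode, int oleg_check)
{
    struct flow *q = lookup_dyn(f);
    int logged = 0;
    if (q != NULL) {                 /* "should never occur", but does */
        int keep = opcode == O_KEEP_STATE || prev_opcode == O_KEEP_STATE;
        if ((!oleg_check || keep) && last_log != time_second) {
            last_log = time_second;  /* at most one message per second */
            printf("ipfw: install_state: entry already present, done\n");
            logged = 1;
        }
    } else if (ndyn < MAX_DYN) {
        dyn[ndyn++] = *f;
    }
    prev_opcode = opcode;
    return logged;
}

/* Run one flow through two stateful rules in sequence on a fresh table,
 * e.g. Oleg's rule 20 keep-state followed by rule 100 limit, and report
 * whether the second install logged. */
int chained_install(int first, int second, int oleg_check)
{
    struct flow f = { 0x0a000005, 0xc0a80001, 40000, 80 }; /* 10.0.0.5 -> 192.168.0.1:80 */
    ndyn = 0; last_log = 0; prev_opcode = 0;
    install_state(&f, first, oleg_check);
    return install_state(&f, second, oleg_check);
}

int main(void)
{
    printf("keep-state then limit, RELENG_4: %d\n", chained_install(O_KEEP_STATE, O_LIMIT, 0));
    printf("keep-state then limit, proposal: %d\n", chained_install(O_KEEP_STATE, O_LIMIT, 1));
    printf("limit then limit, proposal:      %d\n", chained_install(O_LIMIT, O_LIMIT, 1));
    return 0;
}
```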
To: freebsd-ipfw@FreeBSD.org
Subject: ipfw with NAT and ARP

Hi,

I am a newbie and my question is very easy perhaps. I work with FreeBSD 5.2.1.

I would like to configure a firewall with two interfaces (xl0 = LAN,
xl1 = External).

For NAT I have configured like described in the manual page of natd:

ipfw -f flush
ipfw add divert natd all from any to any via xl1
ipfw add allow all from any to any

-> all is fine.

But I want a simple firewall and for this reason, first I want to
configure the ICMP protocol:

ip_ext => External IP address

ipfw -f flush
ipfw add divert natd all from any to any via xl1
ipfw add allow icmp from $ip_ext to any icmptypes 8 out via xl1
ipfw add allow icmp from any to $ip_ext icmptypes 0 in via xl1

-> It's not ok. With "ethereal" no packets are going out (test from
another system, connected with a hub.)

When testing "ping" from external to the external IP address of my
firewall, the ARP request:

to broadcast Who has xxx.xxx.xxx.xxx? Tell xxx.xxx.xxx.xxx

fails -> seems to have a problem letting ARP through the firewall.

Above -> "ipfw add allow all from any to any" lets ARP through the
firewall. So I think that the configuration of the rest of my computer
(like kernel, rc.conf, etc.) is ok.

And there is no ARP protocol in /etc/protocols, so I don't know what I
can do now.

There is a bug:
After restarting the system with the above configuration of the ICMP
protocol no ping request is going out. After a flush of all rules and
configuring "ipfw add allow all from any to any" ping requests get an
answer. Very interesting is to flush all rules and to configure the
firewall like the first configuration (to allow special rules for the
ICMP protocol) -> all works very fine, ping requests get an answer. When
restarting the system the ping request gets no answer again, I mean, the
ping request is not sent out.

Can anybody help me? Hope to get an answer.

I hope you can understand me, my English isn't very good.

Greetings from Berlin,

Andrea E.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 30 00:20:30 2004
Message-ID: <20040430072030.36886.qmail@web41210.mail.yahoo.com>
Date: Fri, 30 Apr 2004 08:20:30 +0100 (BST)
From: Aris Dwi Rahmana
To: freebsd-ipfw@FreeBSD.org
Subject: compiling problem

Hi,

I am a newbie, I have a problem when trying to compile the FreeBSD kernel.
I have followed the instructions that Luigi Rizzo told about ipfw2/dummynet
installation. There is an error message:

"lp_dummynet.h:147:field 'ip6opt' has incomplete type"

I use FreeBSD 4.9 stable. Can anybody help me?

I am sorry if my English is not very good.

Jakarta

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 30 09:14:16 2004
Date: Fri, 30 Apr 2004 19:15:12 +0300
From: Gregory Edigarov
To: ipfw@freebsd.org
Message-ID: <20040430161512.GA97449@profi.kharkov.ua>
Subject: help me

Hello,

The following is my rc.firewall. If I turn on rules no. 600-800, everything
works just fine, but compromising the whole system security, because of
rule 800. But without it, nothing works. What should I do?

Yet another thing: soon I will need to allow access to natd for the IP
192.168.7.70 when it is passed from any of the ppp interfaces. How can I
do this?
#!/bin/sh

ipfw -f flush
ipfw add 100 check-state
ipfw add 200 allow all from any to any via lo0
ipfw add 300 deny all from 10.0.0.0/8 to any in via tun0
ipfw add 400 deny all from 172.16.0.0/12 to any in via tun0
ipfw add 500 deny all from 192.168.0.0/16 to any in via tun0
#ipfw add 600 divert natd all from 192.168.5.220 to any out xmit tun0
#ipfw add 700 divert natd all from any to any in recv tun0
#ipfw add 800 allow all from any to any
ipfw add 900 allow icmp from me to any keep-state
ipfw add 950 allow icmp from 192.168.5.0/24 to me
ipfw add 1000 deny all from any to any frag
ipfw add 1100 deny all from 192.168.5.0/24 to any xmit tun0
ipfw add 1200 deny all from 192.168.7.0/24 to any xmit tun0
ipfw add 1300 allow gre from 192.168.5.0/24 to me
ipfw add 1400 allow gre from me to any
ipfw add 1500 allow udp from me to any keep-state
ipfw add 1600 allow tcp from me to any keep-state
ipfw add 1700 allow tcp from any to any established
ipfw add 1800 allow tcp from any to me 25 setup
ipfw add 1900 allow tcp from any to me ssh setup
ipfw add 2000 allow tcp from 192.168.7.0/24 to me 3128 setup
ipfw add 2100 allow tcp from 192.168.7.0/24 to me 2080 setup via ppp\*
ipfw add 2200 allow tcp from 192.168.7.0/24 to me pop3 setup via ppp\*
ipfw add 2300 allow tcp from any to me http setup via tun0
ipfw add 2400 allow tcp from 192.168.7.0/24 to me setup via ppp\*
ipfw add 2500 allow tcp from 192.168.5.0/24 to me pptp setup
ipfw add 2600 allow tcp from 192.168.5.0/24 to me ftp\\-data-ftp setup via sk0
ipfw add 2700 allow udp from 192.168.7.0/24 to me 53
ipfw add 2800 allow udp from 192.168.5.0/24 to me 53
ipfw add 2900 allow tcp from any to me 53 setup
ipfw add 3000 deny log all from any to any

--
With best regards,
Gregory Edigarov
------------------------------------------------------------------------------
profi.kharkov.ua Systems Administrator
------------------------------------------------------------------------------

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 1 01:47:40 2004
From: "DrVince"
To: freebsd-ipfw@freebsd.org
Date: Sat, 1 May 2004 03:47:56 -0500
Message-Id: <20040501081016.M31613@anonymnet.net>
Subject: UID help

Hi,

I would like IPFW to account the bandwidth used by users transferring their
files using sftp. Can it be done?
DrVince
DrVince@anonymnet.net

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 1 22:18:06 2004
Message-ID: <20040502051806.68324.qmail@web40602.mail.yahoo.com>
Date: Sun, 2 May 2004 06:18:06 +0100 (BST)
From: Supote Leelasupphakorn
To: freebsd-ipfw@FreeBSD.org
In-Reply-To: <20040502051621.92149.qmail@web40614.mail.yahoo.com>
cc: andrea@ae4u.de
Subject: Re: ipfw with NAT and ARP

Hi Andrea E.

From my understanding, if you'd like to ping from EXTERNAL ip to EXTERNAL
ip, the firewall is not involved because they will reach each other
directly.

Could you confirm that you'd like to "ping from EXTERNAL ip to EXTERNAL ip"
so someone can find out the solution?

Cheers,
pjn

--- Supote Leelasupphakorn wrote:
> Hi,
>
> I am a newbie and my question is very easy perhaps. I work with FreeBSD
> 5.2.1
>
> I would like to configure a firewall with two interfaces (xl0 = LAN,
> xl1 = External)
>
> For NAT I have configured like described in the manual page of natd:
>
> ipfw -f flush
> ipfw add divert natd all from any to any via xl1
> ipfw add allow all from any to any
>
> -> all is fine.
>
> But I want a simple firewall and for this reason, first I want to
> configure the ICMP protocol:
>
> ip_ext => External IP address
>
> ipfw -f flush
> ipfw add divert natd all from any to any via xl1
> ipfw add allow icmp from $ip_ext to any icmptypes 8 out via xl1
> ipfw add allow icmp from any to $ip_ext icmptypes 0 in via xl1
>
> -> It's not ok. With "ethereal" no packets are going out (test from
> another system, connected with a hub.)
>
> When testing "ping" from external to the external IP address of my
> firewall, the ARP request: to broadcast Who has xxx.xxx.xxx.xxx? Tell
> xxx.xxx.xxx.xxx fails
>
> -> seems to have a problem letting ARP through the firewall.
>
> Above -> "ipfw add allow all from any to any" lets ARP through the
> firewall. So I think that the configuration of the rest of my computer
> (like kernel, rc.conf, etc.) is ok.
>
> And there is no ARP protocol in /etc/protocols, so I don't know what I
> can do now.
>
> There is a bug:
> After restarting the system with the above configuration of the ICMP
> protocol no ping request is going out. After a flush of all rules and
> configuring "ipfw add allow all from any to any" ping requests get an
> answer.
> Very interesting is to flush all rules and to configure the firewall
> like the first configuration (to allow special rules for the ICMP
> protocol) -> all works very fine, ping requests get an answer. When
> restarting the system the ping request gets no answer again, I mean,
> the ping request is not sent out.
>
> Can anybody help me? Hope to get an answer.
>
> I hope you can understand me, my English isn't very good.
>
> Greetings from Berlin,
>
> Andrea E.