From: "Daniel C. Sobral"
Date: Tue, 10 Sep 2002 15:54:22 -0300
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 vs. ipfw1 and 4.7

Luigi Rizzo wrote:
> People,
> now that the release of 4.7 is approaching, i would really appreciate
> if you could give ipfw2 a try and see whether it breaks anything
> in your rulesets. Also have a look at the manpage highlighting the
> differences between ipfw1 and ipfw2 to see if your rulesets can be
> simplified/made more efficient.

I love ipfw2, even though the breakage of fwd caused me a huge headache.
Just the set feature would be enough to endear me to it. Now I have a
reasonably resilient system for firewall rule changes, at last. And just
being able to type sh /etc/rc.firewall... :-)

As a side note, the man page mentions that 32 sets are available, but
set 31 is illegal when I try to use it (and sometimes produces very weird
results indeed).

--
Daniel C. Sobral                   (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Phones: 55-61-313-7654/Mobile: 55-61-9618-0904
E-mail: Daniel.Capo@tco.net.br
        Daniel.Sobral@tcoip.com.br
        dcs@tcoip.com.br

Other:
        dcs@newsguy.com
        dcs@freebsd.org
        capo@notorious.bsdconspiracy.net

Never, ever lie to someone you love unless you're absolutely sure
they'll never find out the truth.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From: Luigi Rizzo
Date: Tue, 10 Sep 2002 22:30:29 -0700
To: "Daniel C. Sobral"
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 vs. ipfw1 and 4.7

On Tue, Sep 10, 2002 at 03:54:22PM -0300, Daniel C. Sobral wrote:
> Luigi Rizzo wrote:
> > People,
> > now that the release of 4.7 is approaching, i would really appreciate
> > if you could give ipfw2 a try and see whether it breaks anything
> > in your rulesets. Also have a look at the manpage highlighting the
> > differences between ipfw1 and ipfw2 to see if your rulesets can be
> > simplified/made more efficient.
>
> I love ipfw2, even though the breakage of fwd caused me a huge headache.

which reminds me, i have to fix the byte order in port numbers in
fwd actions...

> As a side note, the man page mentions that 32 sets are available, but
> set 31 is illegal when I try to use it (and sometimes produces very weird
> results indeed).

i guess i have to clarify the wording -- the manpage says

     Each rule is associated to a set_number in the range 0..31, with
     the latter reserved for the default rule.  Sets can be individu-

with which i meant to say that you cannot use set 31 for anything else,
nor disable it.

What "weird results" were you seeing ?

        cheers
        luigi


From: "Daniel C. Sobral"
Date: Wed, 11 Sep 2002 08:29:00 -0300
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 vs. ipfw1 and 4.7

Luigi Rizzo wrote:
> On Tue, Sep 10, 2002 at 03:54:22PM -0300, Daniel C. Sobral wrote:
>
>>Luigi Rizzo wrote:
>>
>>>People,
>>>now that the release of 4.7 is approaching, i would really appreciate
>>>if you could give ipfw2 a try and see whether it breaks anything
>>>in your rulesets. Also have a look at the manpage highlighting the
>>>differences between ipfw1 and ipfw2 to see if your rulesets can be
>>>simplified/made more efficient.
>>
>>I love ipfw2, even though the breakage of fwd caused me a huge headache.
>
>
> which reminds me, i have to fix the byte order in port numbers in
> fwd actions...
>
>
>>As a side note, the man page mentions that 32 sets are available, but
>>set 31 is illegal when I try to use it (and sometimes produces very weird
>>results indeed).
>
>
> i guess i have to clarify the wording -- the manpage says
>
>      Each rule is associated to a set_number in the range 0..31, with
>      the latter reserved for the default rule.  Sets can be individu-
>
> with which i meant to say that you cannot use set 31 for anything else,
> nor disable it.
>
> What "weird results" were you seeing ?

I printed a funny error message, I didn't try to track it down, though.
I use a complex set of shell functions to simplify my rules-writing (in
fact, the conversion to or-rules was easily done, with no modifications
required of the rules themselves).

What I recall clearly was a weird number (16-something -- five or six
digits long). That was produced at the beginning of my rules, in which I
disabled and deleted set 31 (my script now adds all rules in a disabled
set, and swaps it with the main set only if all rules are added
successfully).

>
>       cheers
>       luigi

--
Daniel C. Sobral                   (8-DCS)

Money can't buy love, but it improves your bargaining position.
        -- Christopher Marlowe


From: "Daniel C. Sobral"
Date: Fri, 13 Sep 2002 08:47:06 -0300
To: ipfw@FreeBSD.ORG
Subject: ipfw2 and rc.firewall

rc.firewall, atm, has the following:

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

What *I* am using, post-ipfw2, is the following:

if [ -z "${IPFWSET}" ]
then
         # Clear and disable
         ipfw delete set 30
         IPFWSET="set 30"
         ipfw set disable 30
fi

then ${IPFWSET} in each rule, and then:

ipfw set swap 0 `echo ${IPFWSET} | cut -d ' ' -f 2`

at the end. This inserts all rules on set 30, disabled, and then swaps all
of them at once, _if_ rc.firewall is successfully executed to the end. It
also makes it easy to roll back if you need.

Switching between the two forms depending on whether you have ipfw2 or
not is relatively simple. The rules themselves, if IPFWSET is unset, will
work fine under ipfw1. All we would need is some way to tell ipfw2 and
ipfw1 apart so that we can select between flush and the disabled set at
the beginning/end of rc.firewall.

What do you people think?

--
Daniel C. Sobral                   (8-DCS)

It's not enough to be Hungarian; you must have talent too.
        -- Alexander Korda


From: Luigi Rizzo
Date: Fri, 13 Sep 2002 11:11:01 -0700
To: "Daniel C. Sobral"
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 and rc.firewall

On Fri, Sep 13, 2002 at 08:47:06AM -0300, Daniel C. Sobral wrote:
...
> work fine under ipfw1. All we would need is some way to tell ipfw2 and
> ipfw1 apart so that we can select between flush and the disabled set at
> the beginning/end of rc.firewall.

you can use some ipfw2-only feature e.g.

    firewall=ipfw2; ipfw set show 2> /dev/null || firewall=ipfw1
    echo "You are using $firewall"

        cheers
        luigi


From: "Daniel C. Sobral"
Date: Fri, 13 Sep 2002 15:16:15 -0300
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 and rc.firewall

Luigi Rizzo wrote:
> On Fri, Sep 13, 2002 at 08:47:06AM -0300, Daniel C. Sobral wrote:
> ...
>
>>work fine under ipfw1. All we would need is some way to tell ipfw2 and
>>ipfw1 apart so that we can select between flush and the disabled set at
>>the beginning/end of rc.firewall.
>
>
> you can use some ipfw2-only feature e.g.
>
>     firewall=ipfw2; ipfw set show 2> /dev/null || firewall=ipfw1
>     echo "You are using $firewall"

Yes, as much as I hate this kind of test, it's one we could do. :-)
Except for redirecting stdio also to /dev/null, just in case it _is_
ipfw2. :-)

At any rate, I'd love *some* feedback on the subject from the community
at large before making such a change! :-) If nothing else, it kind of
appropriates set 30 for its own use.

--
Daniel C. Sobral                   (8-DCS)

Television has proved that people will look at anything rather than
each other.
        -- Ann Landers


From: Luigi Rizzo
Date: Fri, 13 Sep 2002 11:18:32 -0700
To: "Daniel C. Sobral"
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw2 and rc.firewall

On Fri, Sep 13, 2002 at 03:16:15PM -0300, Daniel C. Sobral wrote:
...
> At any rate, I'd love *some* feedback on the subject from the community
> at large before making such a change! :-) If nothing else, it kind of
> appropriates set 30 for its own use.

no big deal, we have 29 sets left, plus those who care will certainly
have their own version of rc.firewall, and those who don't care
don't care...

        cheers
        luigi


From: "Scott M. Nolde"
Date: Fri, 13 Sep 2002 16:04:08 -0400
To: freebsd-ipfw@freebsd.org
Subject: queues and firewalling

I'm trying to set up a firewall which has (at this moment) eight queues.
Four are input and four are output queues. Each queue has an associated
pipe and bandwidth limitation.

This is, for the most part, scripted so I can add a tcp or udp port and
rerun the script quickly to move things around.

The generic structure is this:

1. read in defaults
2. deny certain traffic (RFC 1918) at the external nic
3. divert for NAT
4. do some custom allow and deny stuff
5. begin adding rules for queuing (include tcp, udp, and esp)
6. define pipes for the queues
7. define bandwidth for the pipes
8. pass established
9. allow tcp from my LAN to any keep state
10. allow tcp from my ext nic to LAN keep-state
11. allow tcp from any to LAN keep-state
12. allow tcp from any to ext nic keep-state
13. allow tcp from ext nic to any keep-state
14. do udp and icmp filtering...

For some odd reason (pebcak?) irc, www, and other services originating
from the LAN or the firewall/nat box don't ever get connected.

The firewall can be found here:
http://www.smnolde.com:7080/ipfw/rc.ipfw.error

Pipe and queue output can be found here (near the end):
http://www.smnolde.com:7080/ipfw/rc.ipfw-test.show

If anyone can offer assistance I'd be most grateful.

--
Scott Nolde
vGPG Key 0xD869AB48
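
The reload scheme from the "ipfw2 and rc.firewall" messages above, written out as one script: stage the rules in disabled set 30, swap with set 0 only if every rule loads, and choose between flush and sets by probing `ipfw set show`. This is an added example, not code posted by anyone in the thread; `load_rules`, its three sample rules and the `STAGE_SET` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: fwcmd as in
# rc.firewall, set 30 as the staging set, load_rules as a hypothetical hook.
fwcmd=${fwcmd:-/sbin/ipfw}
STAGE_SET=${STAGE_SET:-30}

# "ipfw set show" is an ipfw2-only command, so its exit status tells the two
# apart. stdout is discarded too, because under ipfw2 it prints the set list.
detect_ipfw() {
    if ${fwcmd} set show >/dev/null 2>&1; then
        echo ipfw2
    else
        echo ipfw1
    fi
}

# Constructed sample ruleset. ${IPFWSET} is "set 30" under ipfw2 and empty
# under ipfw1, so the same rule lines serve both. Stops at the first failure.
load_rules() {
    ${fwcmd} add 100 ${IPFWSET} allow ip from any to any via lo0 &&
    ${fwcmd} add 200 ${IPFWSET} deny ip from any to 127.0.0.0/8 &&
    ${fwcmd} add 300 ${IPFWSET} allow tcp from any to any established
}

reload_firewall() {
    if [ "$(detect_ipfw)" = ipfw1 ]; then
        # No sets: fall back to the stock flush-then-load sequence.
        IPFWSET=""
        ${fwcmd} -f flush && load_rules
        return
    fi

    IPFWSET="set ${STAGE_SET}"
    # Empty the staging set (status ignored: it may already be empty) and
    # disable it, so half-loaded rules never match traffic.
    ${fwcmd} delete set "${STAGE_SET}" 2>/dev/null || true
    ${fwcmd} set disable "${STAGE_SET}" || return 1

    if load_rules; then
        # A single command exchanges the staged rules with the live set 0.
        # The previous rules now sit, disabled, in the staging set; running
        # the same swap again rolls back.
        ${fwcmd} set swap 0 "${STAGE_SET}"
        return
    fi

    # A rule was rejected: drop the partial set; set 0 was never touched.
    ${fwcmd} delete set "${STAGE_SET}" 2>/dev/null || true
    return 1
}

# On a FreeBSD host with ipfw loaded, run as root:  reload_firewall
```

Because the next reload starts by deleting set 30, the rollback copy of the old rules only survives until then.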