From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 4 00:30:02 2003
From: Ari Suutari
Organization: Syncron Tech Oy
To: Christian Kratzer, Christian Kratzer, Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.org
Date: Mon, 4 Aug 2003 10:29:45 +0300
Message-Id: <200308041029.45598.ari.suutari@syncrontech.com>
In-Reply-To: <20030710110751.L84774@majakka.cksoft.de>
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering

Hi,

On Thursday 10 July 2003 12:12, Christian Kratzer wrote:
> Hi,
>
> We applied the patch to a RELENG_4 system but can't seem to be able to
> catch packets based on them having ipsec history or not.
>
> We have "options IPSEC_FILTERGIF" and "options IPFW2" in our kernel config.
>
> We currently have an ipsec esp tunnel running between two locations without
> any gif tunnels. IPSEC_FILTERGIF seems to be working fine as packets are
> now being filtered by our ipfw ruleset.
>
> We can't match any packets based on the ipsec or not ipsec flags in ipfw2.
>
> I just wanted to ask if somebody knows the obvious before I start digging
> my head in the code.

I did my quick testing on a 5.1-RELEASE system, but I cannot really
understand why the change wouldn't work on RELENG_4 also.
It uses only one call which works on RELENG_4 (otherwise a system
*without* IPSEC_FILTERGIF wouldn't work as expected).

I have really tested with KAME ipsec. Are you using FAST_IPSEC?

	Ari S.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 4 11:01:28 2003
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 4 Aug 2003 11:01:20 -0700 (PDT)
Message-Id: <200308041801.h74I1K0d066051@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/09/02]  bin/42318   ipfw   NATD redirect limitations

1 problem total.
Non-critical problems

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 4 11:01:45 2003
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 4 Aug 2003 11:01:40 -0700 (PDT)
Message-Id: <200308041801.h74I1eoa066428@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/01/26]  kern/47529  ipfw   natd/ipfw lose TCP packets for firewalled
o [2003/03/23]  kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

2 problems total.

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27]  kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22]  kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/03/12]  bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09]  bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
a [2001/04/13]  kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07]  kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10]  kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27]  kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11]  kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw   [patch] Make ipfw2 log to different syslo

8 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 5 03:41:55 2003
From: Luigi Rizzo
To: Ari Suutari
Cc: Christian Kratzer, Christian Kratzer, sam@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Tue, 5 Aug 2003 03:41:45 -0700
Message-ID: <20030805034145.B49439@xorpc.icir.org>
In-Reply-To: <200308041029.45598.ari.suutari@syncrontech.com>
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering

Ari,
maybe the problem was with FAST_IPSEC, I seem to remember a related
MFC recently...

[Sam, this is about the 'ipsec' dummynet option which was reported
as not working with RELENG_4...]

	cheers
	luigi

On Mon, Aug 04, 2003 at 10:29:45AM +0300, Ari Suutari wrote:
> Hi,
>
> On Thursday 10 July 2003 12:12, Christian Kratzer wrote:
> > Hi,
> >
> > We applied the patch to a RELENG_4 system but can't seem to be able to
> > catch packets based on them having ipsec history or not.
> >
> > We have "options IPSEC_FILTERGIF" and "options IPFW2" in our kernel config.
> >
> > We currently have an ipsec esp tunnel running between two locations without
> > any gif tunnels. IPSEC_FILTERGIF seems to be working fine as packets are
> > now being filtered by our ipfw ruleset.
> >
> > We can't match any packets based on the ipsec or not ipsec flags in ipfw2.
> >
> > I just wanted to ask if somebody knows the obvious before I start digging
> > my head in the code.
>
> I did my quick testing on a 5.1-RELEASE system, but I cannot really
> understand why the change wouldn't work on RELENG_4 also.
> It uses only one call which works on RELENG_4 (otherwise a system
> *without* IPSEC_FILTERGIF wouldn't work as expected).
>
> I have really tested with KAME ipsec. Are you using FAST_IPSEC?
>
> Ari S.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 5 04:22:27 2003
From: Christian Kratzer
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.org, Christian Kratzer, sam@FreeBSD.org, Ari Suutari
Date: Tue, 5 Aug 2003 13:22:19 +0200 (CEST)
Message-ID: <20030805125910.Y22923@majakka.cksoft.de>
In-Reply-To: <20030805034145.B49439@xorpc.icir.org>
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering

Hi,

On Tue, 5 Aug 2003, Luigi Rizzo wrote:
> Ari,
> maybe the problem was with FAST_IPSEC, i seem to remember a related
> MFC recently...
>
> [Sam, this is about the 'ipsec' dummynet option which was reported
> as not working with RELENG_4...]

ok looks like problem solved for me.

The problem we had seemed to be the ipsec option not working. We have
since been able to build a case where this works for us. We have also
discovered in which cases ipsec_filtergif does not work, in which cases
the ipsec flag can of course not be checked either.

I feel comfortable with the facts now so here's the situation.

Case 1 (this is working)
------------------------

We have set up ipsec/racoon on a FreeBSD box and W2K and XP clients
using the Microsoft l2tp/ipsec client to connect to it. The Windows
clients do transport mode ipsec to the FreeBSD 4.8 box and then build
a ppptp connection to the l2tpd daemon on the FreeBSD box. The l2tp
traffic to udp/1701 on the FreeBSD box is protected by ipsec.

We now needed to ensure that udp/1701 on the vpn gateway is only
available to the Windows clients that are connecting over the ipsec
connection. This is working fine with

	# l2tpd
	${fwcmd} add pass log udp from any to me 1701 ipsec

This allows udp/1701 packets coming in from the external interface if
ipsec has been properly set up.

This also means that my initial diagnosis was not correct.
IPSEC_FILTERGIF and the ipsec patch work fine on FreeBSD stable and
also on 5.1-RELEASE. I have tested the setup with both boxes.

Sorry for stirring everything up. We are also not using FAST_IPSEC.

Case 2:
-------

In my original rules I was trying to build the nat rules on a box so
that only packets not destined for the ipsec vpn would be natted.
This would have simplified our nat configuration to just

	${fwcmd} add divert natd all from any to any via ${oif} ipsec

The problem with this seemed to be that outgoing packets would pass
through the divert rules before having ipsec applied if originating
from the local host. Also returning packets did not always get tagged
early enough.

There were also other issues with the ways we had set up our ipfw
rules, like filtering some things with "${oif} in" and "${oif} out".
I will have to do more thinking about that.

I still do not fully understand at which point the kernel encrypts and
decrypts ipsec packets in relation to when ipfw rules are handled and
if the current setup causes problems with filtering outgoing packets ...

Thanks for the help and again sorry for stirring up everything.

Greetings
Christian

-- 
CK Software GmbH
Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de
Phone: +49 7452 889-135
Open Software Solutions, Network Security
Fax: +49 7452 889-136
FreeBSD spoken here!
From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 5 04:56:22 2003
From: Ari Suutari
Organization: Syncron Tech Oy
To: Christian Kratzer, Christian Kratzer, Luigi Rizzo
Cc: Christian Kratzer, sam@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Tue, 5 Aug 2003 14:56:11 +0300
Message-Id: <200308051456.11854.ari.suutari@syncrontech.com>
In-Reply-To: <20030805125910.Y22923@majakka.cksoft.de>
Subject: Re: kern/53624: patches for ipfw2 to support ipsec packet filtering

Hi,

On Tuesday 05 August 2003 14:22, Christian Kratzer wrote:
>
> Case1 (this is working)
> -----------------------
> This is working fine with

Good.

> Case2:
> ------
>
> The problem with this seemed to be that outgoing packets would pass through
> the divert rules before having ipsec applied if originating from the local
> host. Also returning packets did not alway get tagged early enough.
>

Since the packets pass through ipfw both encrypted and unencrypted,
I think the flow is something like:

outgoing packets:

  ipfw -> natd (does NAT) -> ipfw -> ipsec (encrypts) -> ipfw ->
  natd (does nothing) -> ipfw -> network

incoming packets:

  network -> ipfw -> natd (does nothing) -> ipfw -> ipsec (decrypts) ->
  ipfw -> natd (does NAT) -> ipfw -> to rest of network stack

This is how I *think* it works. I'm not very, very sure.
I have one test box running which does nat before ipsec tunnel
and it works correctly.

	Ari S.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 6 04:26:42 2003
From: Roderick van Domburg
Organization: University of Twente
To: freebsd-ipfw@freebsd.org
Date: Wed, 06 Aug 2003 13:26:38 +0200
Message-ID: <3F30E5EE.2060105@student.utwente.nl>
Subject: PR regarding ipfw2 on sparc64

Hello there,

Could you please take a look at PR/54712 regarding the currently broken
ipfw2 on sparc64? Thomas Moestl has submitted a fix, but it hasn't been
committed yet.

Thanks in advance!

Regards,

Roderick

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 6 05:11:49 2003
From: "Andrew White"
Date: Wed, 6 Aug 2003 13:11:54 +0100
Message-ID: <000001c35c13$ed1d24b0$3201a8c0@deskgx>
Subject: NEWBIE: Help with Dual ISP load balance IPFW/NATD CPU optimization

Hi,

Firstly apologies if this is to the wrong list.
I am trying to load balance two ISPs as below with FreeBSD 5.1.

Using the firewall rule list below, the CPU gets maxed out at 1.2mb. I
suspect that my ruleset needs to be optimized; when running natd -v, I
see packets go to both NAT daemons but only out one per flow.

Natd is run as below:

	natd -p 8868 -dynamic -interface aue0
	natd -p 8869 -dynamic -interface tun0

There are some duplicate rules here, but I use this for accounting to
try and analyse traffic flows to work out the order of events.

It does seem to work well otherwise, despite 1 kernel panic so far.

Any help or comments appreciated.

/Andrew

       ISP1                         ISP2
       Cable Modem                  ADSL
       600kbs/128kbs                1mb/256kbs
       172.16.1.1/23                10.0.0.1/23
            |                            |
            |                            |
            |                            |
            |                            |
          DHCP                         PPPOE
       172.16.1.5                    10.0.1.15
       *aue0************************tun0*
       *            FreeBSD             *
       **************ep0****************
                 192.168.1.254
                       |
                       |
                     *****
          Private LAN 192.168.1.0/24

	# allow local traffic
	00100 allow ip from 192.168.1.0/24 to 192.168.1.0/24
	00125 allow ip from 127.0.0.0/24 to 192.168.1.0/24
	00130 allow ip from 192.168.1.0/24 to 127.0.0.0/24
	00150 allow ip from 127.0.0.0/24 to 127.0.0.0/24 via lo0
	# stop simple incoming attempts from internet
	00200 deny tcp from any to any setup in via tun0
	00250 deny tcp from any to any setup in via aue0
	# send incoming traffic to natd
	00400 divert 8869 ip from any to any in via tun0
	00450 divert 8868 ip from any to any in via aue0
	# if flow is already going via NATD, send it back to same NATD
	00500 check-state
	# send 38% of traffic to isp 1 as 600k = 38% of 1mb + 600k
	00600 prob 0.380000 skipto 700 ip from 192.168.1.0/24 to any out keep-state
	# remaining 62% of traffic send to isp2
	00650 skipto 900 ip from 192.168.1.0/24 to any out keep-state
	# nat everything that gets here, should be ok as local allowed in first lines to go direct
	00700 divert 8868 ip from 192.168.1.0/24 to any in
	00750 divert 8868 ip from 192.168.1.0/24 to any out
	00900 divert 8869 ip from 192.168.1.0/24 to any out
	00950 divert 8869 ip from 192.168.1.0/24 to any in
	# policy route to send traffic to correct isp
	02000 fwd 172.16.1.1 ip from 172.16.1.5 to any
	02500 fwd 10.0.0.1 ip from 10.0.1.5 to any
	# break out traffic to allow accounting to show me what's going where
	30000 allow ip from any to 192.168.1.0/24
	30100 allow ip from any to any in via tun0
	30200 allow ip from any to any in via aue0
	30300 allow ip from any to any out via tun0
	30400 allow ip from any to any out via aue0
	65000 allow ip from any to any
	65535 deny ip from any to any

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 6 10:32:29 2003
From: Luigi Rizzo
To: Roderick van Domburg
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 6 Aug 2003 10:32:28 -0700
Message-ID: <20030806103228.A22458@xorpc.icir.org>
In-Reply-To: <3F30E5EE.2060105@student.utwente.nl>
Subject: Re: PR regarding ipfw2 on sparc64

On Wed, Aug 06, 2003 at 01:26:38PM
+0200, Roderick van Domburg wrote:
> Hello there,
>
> Could you please take a look at PR/54712 regarding the currently broken
> ipfw2 on sparc64? Thomas Moestl has submitted a fix, but it hasn't been
> committed yet.

I will commit this and another bugfix before the weekend, thanks for
reminding.

	cheers
	luigi

> Thanks in advance!
>
> Regards,
>
> Roderick

From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 9 23:02:55 2003
From: mybsd
To: freebsd-ipfw
Date: Sun, 10 Aug 2003 03:02:52 -0300
Subject: fixing ip address

I'm trying to set a rule to fix an IP address with a MAC. Something like:

	ipfw add 400 allow log tcp from 192.168.1.1 to any mac any a:b:c:d:e:f

This rule doesn't work. Firewall logs: deny mac out

What am I missing?

Thanks
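Andrew White's dual-ISP ruleset earlier in this digest ends with `65000 allow ip from any to any` ahead of `65535 deny ip from any to any`, so the list is effectively default-allow and the final deny is never consulted; that is worth catching before tuning anything for CPU. The Python below is an added example, not code from the thread or from FreeBSD: it parses that ruleset (retyped from the message without its comments) and reports the real catch-all rule and every rule that can never be reached, following ipfw's documented semantics that skipto jumps forward to the first rule numbered at or above its target and that divert reinjects the packet at the following rule.

```python
"""Static checks over an ipfw ruleset: which rule really sets the default policy
and which rules can never be consulted. Added example, not code from the thread."""
from typing import NamedTuple, Optional

# Andrew White's dual-ISP ruleset from this digest, retyped without its comments.
RULESET = """\
00100 allow ip from 192.168.1.0/24 to 192.168.1.0/24
00125 allow ip from 127.0.0.0/24 to 192.168.1.0/24
00130 allow ip from 192.168.1.0/24 to 127.0.0.0/24
00150 allow ip from 127.0.0.0/24 to 127.0.0.0/24 via lo0
00200 deny tcp from any to any setup in via tun0
00250 deny tcp from any to any setup in via aue0
00400 divert 8869 ip from any to any in via tun0
00450 divert 8868 ip from any to any in via aue0
00500 check-state
00600 prob 0.380000 skipto 700 ip from 192.168.1.0/24 to any out keep-state
00650 skipto 900 ip from 192.168.1.0/24 to any out keep-state
00700 divert 8868 ip from 192.168.1.0/24 to any in
00750 divert 8868 ip from 192.168.1.0/24 to any out
00900 divert 8869 ip from 192.168.1.0/24 to any out
00950 divert 8869 ip from 192.168.1.0/24 to any in
02000 fwd 172.16.1.1 ip from 172.16.1.5 to any
02500 fwd 10.0.0.1 ip from 10.0.1.5 to any
30000 allow ip from any to 192.168.1.0/24
30100 allow ip from any to any in via tun0
30200 allow ip from any to any in via aue0
30300 allow ip from any to any out via tun0
30400 allow ip from any to any out via aue0
65000 allow ip from any to any
65535 deny ip from any to any
"""

# Actions that end the search. divert/tee reinject at the next rule, so they fall through.
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop", "reject",
            "unreach", "reset", "fwd", "forward", "skipto"}

class Rule(NamedTuple):
    num: int
    action: str
    target: Optional[int]   # skipto target, else None
    unconditional: bool     # "ip from any to any" with no options: matches everything

def parse_rules(text: str):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        num, tok = int(tok[0]), tok[1:]
        has_prob = tok[0] == "prob"
        tok = tok[2:] if has_prob else tok
        # Pattern starts at the protocol token before "from"; check-state has none (conditional).
        body = tok[tok.index("from") - 1:] if "from" in tok else []
        uncond = not has_prob and body == ["ip", "from", "any", "to", "any"]
        target = int(tok[1]) if tok[0] == "skipto" else None
        rules.append(Rule(num, tok[0], target, uncond))
    return sorted(rules, key=lambda r: r.num)

def skipto_index(rules, target: int):
    """ipfw jumps to the first rule numbered >= target (None if there is none)."""
    return next((i for i, r in enumerate(rules) if r.num >= target), None)

def reachable(rules):
    """Walk forward as ipfw does: only an unconditional terminal rule stops the flow."""
    reach = [i == 0 for i in range(len(rules))]
    for i, r in enumerate(rules):
        if not reach[i]:
            continue
        if r.target is not None:
            j = skipto_index(rules, r.target)
            if j is not None and j > i:  # skipto only jumps forward
                reach[j] = True
        if not (r.unconditional and r.action in TERMINAL) and i + 1 < len(rules):
            reach[i + 1] = True
    return reach

def unreachable_rules(rules):
    return [r.num for r, ok in zip(rules, reachable(rules)) if not ok]

def catch_all(rules):
    """(action, number) of the first reachable rule that matches every packet."""
    for r, ok in zip(rules, reachable(rules)):
        if ok and r.unconditional and r.action in TERMINAL:
            return r.action, r.num
```

Dropping rule 65000 from the constant makes `catch_all` report the 65535 deny and empties the unreachable list, which is the shape a default-deny ruleset should have.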