From owner-freebsd-ipfw Sun Sep 22 18:30:50 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 30B1B37B401 for ; Sun, 22 Sep 2002 18:30:49 -0700 (PDT)
Received: from forrie.ne.client2.attbi.com (forrie.ne.client2.attbi.com [24.147.156.140]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6872243E3B for ; Sun, 22 Sep 2002 18:30:48 -0700 (PDT) (envelope-from forrie@forrie.com)
Received: from workstation.forrie.com (internal-21.forrie.net. [192.168.1.21]) by forrie.ne.client2.attbi.com with id g8N1Ul032712 for ; Sun, 22 Sep 2002 21:30:47 -0400 (EDT)
Message-Id: <5.1.1.6.2.20020922212833.00b4b7b0@192.168.1.1>
X-Sender: forrie@192.168.1.1
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1
Date: Sun, 22 Sep 2002 21:30:45 -0400
To: freebsd-ipfw@freebsd.org
From: Forrest Aldrich
Subject: Forwarding/proxying of IM services
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-RAVMilter-Version: 8.3.0(snapshot 20010925) (forrie.ne.client2.attbi.com)
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I've not found a FAQ on this, as it applies to ipfw.

I use a popular IM client called Trillian (http://www.trillian.cc). For the longest time (with IM generally), I've not been able to perform file transfers; this is because I'm behind a FreeBSD-4.7 NAT (ipfw + nat) firewall, with an internal RFC network.

What I want to know is if there are rules I can implement with ipfw that will permit these file transfer services to work properly - or if I'd otherwise have to install some proxying program.

Any pointers would be appreciated, and I will forward that info to the Trillian Forum for future users to see.

Thanks!
Forrest

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Sep 23 0:12: 3 2002
Received: from mail1.ing.nl (mail1.ing.nl [145.221.93.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B52F43E3B for ; Mon, 23 Sep 2002 00:11:59 -0700 (PDT) (envelope-from Danny.Carroll@mail.ing.nl)
Subject: RE: Forwarding/proxying of IM services
Date: Mon, 23 Sep 2002 09:09:21 +0200
From:
To: ,

Not *really* being familiar with Trillian, I'll try and answer this as it applies to ICQ. It's been a while since I looked into this but I doubt much has changed. I will also assume your firewall is completely open since it really is a NAT problem.

This is actually really similar to the passive/active FTP problem for firewalls. It basically centers around the fact that application developers, when choosing protocols for their net apps, need to take into consideration clients being on opposite sides of firewalls.

NAT works by watching the outgoing connections a client makes and redirecting them on the way back in.
Unfortunately, it is not god, therefore when it comes across something it has no idea about it really has no option but to drop the packet (or forward to some default host, very unwise).

Here is what happens when your ICQ wants to receive a file:

1. Your client (Trillian or ICQ) is told to expect a file from the sender's client.
2. Your client then says "OK, send it to me on port AAAA".
3. The sender's client opens up a connection to your IP address on port AAAA and the file is transferred.

Now, if you have NAT, then the NAT software is used to seeing packets from the recipient on port BBBB (for the chat transfers), or worse, you have not even been communicating with the client directly, but via an ICQ server. So the natd software sees this new connection, on port AAAA, and it has NO idea who it is meant for.

NAT gets around this in the case of active FTP transfers by actually watching the FTP protocol for the handshaking (steps 1 and 2), and redirects accordingly... But you can't expect natd to implement every different IM protocol out there, can you? At least not until the IM developers get their act together and integrate their protocols. (Yeah right!)

Sometimes, IM clients give the option to skip the server and send directly to the client for all transfers, but chances are you will get firewalled at the recipient's end anyway, so it's kind of a useless workaround.

The only thing you can do is watch what the software is *trying* to do and see if you can get IPFW/natd to open up enough to allow what you need. For example, if you watch ICQ attempts and see that most of the time they are coming in on ports 8000 - 9000 (this is a guess), you *could* tell natd to forward all these ports to one machine, and do all your IM'ing from there. It's not really an elegant solution though, is it?
-D

-----Original Message-----
From: Forrest Aldrich [mailto:forrie@forrie.com]
Sent: 23 September 2002 03:31
To: freebsd-ipfw@freebsd.org
Subject: Forwarding/proxying of IM services

I've not found a FAQ on this, as it applies to ipfw.

I use a popular IM client called Trillian (http://www.trillian.cc). For the longest time (with IM generally), I've not been able to perform file transfers; this is because I'm behind a FreeBSD-4.7 NAT (ipfw + nat) firewall, with an internal RFC network.

What I want to know is if there are rules I can implement with ipfw that will permit these file transfer services to work properly - or if I'd otherwise have to install some proxying program.

Any pointers would be appreciated, and I will forward that info to the Trillian Forum for future users to see.

Thanks!

Forrest
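As an added illustration of the NAT behaviour Danny describes above (editor-added example code, not from the thread, natd or ipnat), the following Python model keeps a translation table the way a stateful NAT does: an entry exists only for connections the inside client opened itself, so the chat session's replies are translated back, but the sender's new connection to port AAAA in step 3 finds no entry and is dropped. A configured redirect for that port, the equivalent of Danny's suggestion to forward a port range to one machine (natd's -redirect_port, or an ipnat rdr rule), is what makes step 3 succeed. All addresses and port numbers are constructed.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # assumed public address of the NAT box (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    """Stateful port-translating NAT, reduced to what the explanation needs."""
    public_ip: str
    # external port -> (inside ip, inside port), learned from outbound traffic
    dynamic: dict = field(default_factory=dict)
    # external port -> (inside ip, inside port), configured by the admin
    static: dict = field(default_factory=dict)
    next_port: int = 40000                       # next external port to hand out

    def redirect(self, ext_port, inside_ip, inside_port):
        """Configured redirect: the equivalent of an ipnat 'rdr' or natd -redirect_port."""
        self.static[ext_port] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Inside -> outside: record (or reuse) a translation and rewrite the source."""
        for ext_port, inside in self.dynamic.items():
            if inside == (pkt.src_ip, pkt.src_port):
                break
        else:
            ext_port = self.next_port
            self.next_port += 1
            self.dynamic[ext_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside: translate through a known entry, otherwise drop (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.dynamic.get(pkt.dst_port) or self.static.get(pkt.dst_port)
        if inside is None:
            return None  # nothing learned for this port: the NAT has no idea who it is for
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def file_transfer(nat, inside_ip="192.168.1.21", peer_ip="198.51.100.7",
                  chat_port=5190, file_port=2000):
    """Replay the three steps through the NAT.
    Returns (chat reply delivered inside?, file connection delivered inside?)."""
    # The chat session the inside client opened itself: the NAT learns it.
    chat = nat.outbound(Packet(inside_ip, 1025, peer_ip, chat_port))
    reply = nat.inbound(Packet(peer_ip, chat_port, chat.src_ip, chat.src_port))
    # Steps 1-2 happen inside the chat: "OK, send it to me on port AAAA" (file_port).
    # Step 3: the sender opens a NEW connection to that port. The NAT never saw an
    # outbound packet from it, so only a configured (static) entry can match.
    transfer = nat.inbound(Packet(peer_ip, 3000, nat.public_ip, file_port))
    return (reply is not None and reply.dst_ip == inside_ip,
            transfer is not None and transfer.dst_ip == inside_ip)


def forward_range(nat, first, last, inside_ip):
    """Danny's workaround: hand a whole port range to one inside machine."""
    for port in range(first, last + 1):
        nat.redirect(port, inside_ip, port)


if __name__ == "__main__":
    plain = Nat(PUBLIC_IP)
    print("no redirect  :", file_transfer(plain))     # (True, False)
    fixed = Nat(PUBLIC_IP)
    forward_range(fixed, 2000, 2010, "192.168.1.21")
    print("with redirect:", file_transfer(fixed))     # (True, True)
```

The second run shows the price of the workaround as well: the redirect is unconditional, so any outside host can reach that port range on the chosen machine whether or not a transfer was negotiated, which is why the range should be as small as the client allows and the receiving machine treated as exposed.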
From owner-freebsd-ipfw Wed Sep 25 0:43:19 2002
From: "Juraj Petrik"
To:
Cc:
Subject: IPNAT + IPFILTER + DUMMYNET + FreeBSD 4.7prerelease
Date: Wed, 25 Sep 2002 09:41:44 +0200
Message-ID: <002201c26467$1fdf9270$7a01a8c0@pcjuro>

hello,

can you help me, please. I'm trying to run a firewall using IPFilter, IPNAT and Dummynet on FreeBSD. I've read so many HOWTOs, but I can't do redirection to another server in the internal network:

rl0 - WAN (194.x.x.0/24) 194.x.x.22 if FreeBSD box
rl1 - LAN (192.168.1.0/24) 192.168.1.22 if FreeBSD box
rl2 - DMZ (10.0.0.0/24) 10.0.0.22 if FreeBSD box

my server is now on LAN, not on DMZ.

I'm using FreeBSD 4.7 prerelease from CVS.
In kernel config I have added:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=30
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
options RANDOM_IP_ID

in /etc/rc.conf I have:

tcp_extensions="YES"
gateway_enable="YES"
portmap_enable="NO"

#firewall_enable="YES"
#firewall_type="/etc/dummynet.conf"
#firewall_logging="NO"

ipfilter_enable="YES"
ipfilter_flags=""
ipfilter_rules="/etc/ipf.conf"

ipnat_enable="YES"
ipnat_flags=""
ipnat_rules="/etc/ipnat.conf"

ipmon_enable="YES"
ipmon_flags="-Dns -l block"

in /etc/ipf.conf:

pass in log all
pass out log all

in /etc/ipnat.conf:

map rl0 192.168.1.0/24 -> 194.x.x.22/32
map rl0 0/0 -> 194.x.x.22/32 proxy port ftp ftp/tcp

map rl0 192.168.1.0/24 -> 194.x.x.22/32 portmap tcp/udp 12500:60000
map rl0 192.168.1.0/24 -> 194.x.x.22/32

rdr rl0 194.x.x.22/32 port 80 -> 192.168.1.35 port 80
rdr rl0 194.x.x.22/32 port 22 -> 192.168.1.35 port 22

NAT from LAN to internet works OK, but from the Internet I can't redirect connections to the server on LAN (192.168.1.35).

Please help me ANYBODY!!!!
-jp-

From owner-freebsd-ipfw Wed Sep 25 13:44:29 2002
Date: Wed, 25 Sep 2002 13:43:23 -0700 (PDT)
From: billy
To: Juraj Petrik
Cc: freebsd-security@FreeBSD.ORG,
Subject: Re: IPNAT + IPFILTER + DUMMYNET + FreeBSD 4.7prerelease
In-Reply-To: <002201c26467$1fdf9270$7a01a8c0@pcjuro>
Message-ID: <20020925134258.P75126-100000@mouse.isilon.com>

On Wed, 25 Sep 2002, Juraj Petrik wrote:
> [snip]
From owner-freebsd-ipfw Wed Sep 25 13:54:55 2002
Date: Wed, 25 Sep 2002 13:53:50 -0700 (PDT)
From: billy
To: Juraj Petrik
Cc: freebsd-security@FreeBSD.ORG,
Subject: Re: IPNAT + IPFILTER + DUMMYNET + FreeBSD 4.7prerelease
In-Reply-To: <002201c26467$1fdf9270$7a01a8c0@pcjuro>
Message-ID: <20020925134615.V75126-100000@mouse.isilon.com>

Sorry for the previous empty post.

You don't seem to be using dummynet, ipfw, or ipdivert, so you should probably not have them turned on in the kernel.

Are you sure that you don't have a rule that's blocking the redirect or the response from the relevant interfaces?

I know that ipnat will not redirect packets out the same interface they came in on, but that doesn't seem to be a problem here.

If you do an ipnat -l, do you see your rdrs in the listing, and do you see any active connections after you attempt to connect from the WAN side?
-billy

On Wed, 25 Sep 2002, Juraj Petrik wrote:
> [snip]
From owner-freebsd-ipfw Thu Sep 26 3:28:48 2002
Message-ID: <056a01c26547$72e0be50$0200a8c0@darthvader>
From: "jeremie le-hen"
To: "billy", "Juraj Petrik"
Cc: ,
References: <20020925134615.V75126-100000@mouse.isilon.com>
Subject: Re: IPNAT + IPFILTER + DUMMYNET + FreeBSD 4.7prerelease
Date: Thu, 26 Sep 2002 12:28:25 +0200

> I know that ipnat will not redirect packets out the same interface they
> came, but that doesn't seem to be a problem here.

That's not true. I've succeeded in using the same interface for incoming and outgoing packets through ipnat, using ip aliasing.
Here is the configuration:

# outgoing ip address
ifconfig rl0 inet 10.251.21.32 netmask 0xFFFF0000 up
# incoming one
ifconfig rl0 inet 192.168.0.1 netmask 0xFFFFFF00 alias
# ipnat rule
map rl0 192.168.0.0/24 -> 10.251.21.32/32

I don't know if it works if the outgoing ip address is on the same subnet as the incoming one, but I think yes. It would be useful if your network uses authentication to be allowed to go through your default router, and you don't have the relevant client software on some machines. This rule

map rl0 10.251.21.41/32 -> 10.251.21.41/32

should work in my opinion.

Regards,
-- 
Jeremie Le Hen aka TataZ/TtZ
le-hen_j@epita.fr

From owner-freebsd-ipfw Thu Sep 26 9:46:43 2002
Date: Thu, 26 Sep 2002 18:33:18 +0200
Subject: Forwarding selected broadcasts with ipfw
To: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Cc: dominik.brettnacher@zimmer-medienhaus.de
From: "David Zimmer"

Hello,

we are using ipfw on FreeBSD 4.7 PRERELEASE as our main firewall.
The box has 5 ethernet segments connected to it that serve
- DMZ
- DMZ Cisco CallManager
- private LAN, Workstations
- private LAN, Cisco IP Phones
- public LAN, Internet

Due to a new application that we are introducing we need to forward broadcasts from the private LAN, Workstations into the DMZ. This is necessary for the clients to autoconnect to the server. I thought the forward action in the ipfw rule body could do this but I cannot get it to work.

Here is what I did

1. I introduced a rule that should forward the packets, this rule looks like

   fwd 212.88.130.135 udp from any to 255.255.255.255 19813

2. The incoming packets match this rule according to the output of ipfw show

3. The forwarded packet never gets out onto any interface though, according to tcpdump

My questions now are:
a) What happens to the disappearing packets
b) is there a way to debug what happens to the packet after the above rule (#1) matches
c) what other configuration might solve our problem

Before we installed ipfw we just had a Cisco 3640 with several VLANs and appropriate access lists. Cisco offers the option of a so called "ip helper address" to forward selected broadcasts.

Thanks for any help,

David Zimmer

================================================================
David A. Zimmer                    Zimmer Medienhaus AG
mailto: dz@zimmer-medienhaus.de    Trierer Strasse 223-225
http://www.zimmer-medienhaus.de    66663 Merzig, Germany
Phone: +49 6861 9312-0             Fax: +49 6861 9312-13
-- all kind of spam to this email address forbidden/keine Werbemails --
================================================================

From owner-freebsd-ipfw Thu Sep 26 9:49:15 2002
Message-ID: <3D933A80.7070208@isi.edu>
Date: Thu, 26 Sep 2002 09:49:04 -0700
From: Lars Eggert
To: David Zimmer
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org, dominik.brettnacher@zimmer-medienhaus.de
Subject: Re: Forwarding selected broadcasts with ipfw

David Zimmer wrote:
> 1. I introduced a rule that should forward the packets, this rule looks
> like
>
> fwd 212.88.130.135 udp from any to 255.255.255.255 19813
>
> 2. The incoming packets match this rule according to the output of ipfw
> show
>
> 3. The forwarded packet never gets out onto any interface though,
> according to tcpdump

What's the TTL on the broadcast packets?

Lars
-- 
Lars Eggert                  USC Information Sciences Institute

From owner-freebsd-ipfw Thu Sep 26 12:38:51 2002
 (envelope-from laa@orion.ipt.pt)
Date: Thu, 26 Sep 2002 20:21:26 +0100 (WEST)
From: Luis Almeida
To: freebsd-ipfw@freebsd.org
Cc: laa@ipt.pt
Subject: dummynet traffic shaping + nat + rc.firewall ?
Message-ID: <20020926201014.Q4135-100000@orion.ipt.pt>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

Hello

Sorry if this mailing list is just for developer people!

Can anyone suggest the cause (or solution) for the following problem?

I have set up a FreeBSD 4.6.2 box to act as a gateway (NAT + IPFW with 2 NICs). I tried to use dummynet to shape the traffic and created two pipes to control the upload and the download traffic (both pipes with the same bandwidth). I am using the rc.firewall file ("simple") to set up the ipfw rules:

    ${fwcmd} add pipe 10 all from 192.168.1.0/24 to any out via ${oif}
    ${fwcmd} add pipe 20 all from any to 192.168.1.0/24 in via ${oif}
    ${fwcmd} pipe 10 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
    ${fwcmd} pipe 20 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes

The firewall and NAT run OK.

The problem is that I can limit the download traffic, but the upload traffic is higher and not the same (it seems that the upload traffic does not pass through pipe 10):

----------------------------------------------------------------------
calypso# ipfw pipe show
00010: 200.000 Kbit/s    0 ms   20 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00020: 200.000 Kbit/s    0 ms   20 KB 1 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x000000ff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 51 ip           0.0.0.0/0            0.0.0.51/0     8564 1122119    0    0  43
----------------------------------------------------------------------

Is there any right place to put those pipes in rc.firewall (i.e. after or before the divert rule)? Is there any conflict between the nat divert rule and (mask src-ip 0x000000ff)?

Thank you for your help,

Bye
Luis
email: laa@ipt.pt

------------------------ My rc.firewall ------------------------

firewall_type="simple"

[Ss][Ii][Mm][Pp][Ll][Ee])
    ############
    # This is a prototype setup for a simple firewall.  Configure this
    # machine as a named server and ntp server, and point all the machines
    # on the inside at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="fxp0"
    onet="193.137.5.0"
    omask="255.255.255.0"
    oip="193.137.5.9"

    # set these to your inside interface network and netmask and ip
    iif="fxp1"
    inet="192.168.1.0"
    imask="255.255.255.0"
    iip="192.168.1.1"

    setup_loopback

    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

    # Network Address Translation.  This rule is placed here deliberately
    # so that it does not interfere with the surrounding address-checking
    # rules.  If for example one of your internal LAN machines had its IP
    # address set to 192.0.2.1 then an incoming packet for it after being
    # translated by natd(8) would match the `deny' rule above.
    # Similarly
    # an outgoing packet originated from it before being translated would
    # match the `deny' rule below.
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

    # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
    # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
    # on the outside interface
    ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

    ${fwcmd} add pipe 10 all from 192.168.1.0/24 to any out via ${oif}
    ${fwcmd} add pipe 20 all from any to 192.168.1.0/24 in via ${oif}
    ${fwcmd} pipe 10 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
    ${fwcmd} pipe 20 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    # Allow setup of incoming email
    ${fwcmd} add pass tcp from any to ${oip} 25 setup

    # Allow access to our DNS
    ${fwcmd} add pass tcp from any to ${oip} 53 setup
    ${fwcmd} add pass udp from any to ${oip} 53
    ${fwcmd} add pass udp from ${oip} 53 to any

    # Allow access to our WWW
    ${fwcmd} add pass tcp from any to ${oip} 80 setup

    # Reject&Log all setup of incoming connections from the outside
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup

    # Allow setup of any other TCP connection
    ${fwcmd} add pass tcp from any to any setup

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from ${oip} to any 53 keep-state

    # Allow NTP queries out in the world
    ${fwcmd} add pass udp from ${oip} to any 123 keep-state

    # Everything else is denied by default, unless the
    # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
    # config file.
    ;;

---------------------------- My rc.conf ----------------------------

defaultrouter="193.137.5.1"
gateway_enable="YES"
hostname="calypso.ipt.pt"
ifconfig_fxp0="inet 193.137.5.9 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.1.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
keymap="pt.iso.acc"
linux_enable="YES"
nfs_reserved_port_only="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="NO"
inetd_enable="NO"
firewall_enable="YES"
firewall_type="simple"
firewall_quiet="NO"
firewall_logging="NO"
firewall_flags=""
natd_enable="YES"
natd_interface="fxp0"
natd_flags=""
named_enable="YES"
# --- laa secure stuff
portmap_enable="NO"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
tcp_drop_synfin="YES"
--------------------------

thanks

From owner-freebsd-ipfw Thu Sep 26 15:18:20 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3963537B401 for ; Thu, 26 Sep 2002 15:18:20 -0700 (PDT)
Received: from mailbox.cwa.co.nz (mailbox.cwa.co.nz [203.96.63.227]) by mx1.FreeBSD.org (Postfix) with SMTP id 06A5443E4A for ; Thu, 26 Sep 2002 15:18:14 -0700 (PDT) (envelope-from drew@corrupt.co.nz)
Received: (qmail 24006 invoked by uid 1005); 26 Sep 2002 22:19:24 -0000
Received: from drew@corrupt.co.nz by mailbox by uid 1002 with qmail-scanner-1.11 (F-PROT: 3.12. Clear:. Processed in 0.207603 secs); 26 Sep 2002 22:19:24 -0000
Received: from cwa.co.nz (HELO drew) (203.96.59.39) by 0 with SMTP; 26 Sep 2002 22:19:23 -0000
From: "Drew Broadley"
Subject: subscribe
Date: Fri, 27 Sep 2002 10:24:40 +1200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

subscribe

From owner-freebsd-ipfw Thu Sep 26 15:25:07 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E594C37B401 for ; Thu, 26 Sep 2002 15:25:05 -0700 (PDT)
Received: from garple.migus.org (pcp243391pcs.howard01.md.comcast.net [68.55.83.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3724D43E75 for ; Thu, 26 Sep 2002 15:25:05 -0700 (PDT) (envelope-from adam@migus.org)
Received: from ganyopa (ganyopa.migus.org [192.168.4.2]) by garple.migus.org (8.12.2/8.12.2) with SMTP id g8QMXTlv014210; Thu, 26 Sep 2002 18:33:30 -0400 (EDT)
From: "Adam Migus"
To: "Luis Almeida"
Subject: RE: dummynet traffic shaping + nat + rc.firewall ?
Date: Thu, 26 Sep 2002 18:24:32 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
In-Reply-To: <20020926201014.Q4135-100000@orion.ipt.pt>
Importance: Normal
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

I believe your problem might be caused by nat. The packet has already run through nat by the time it reaches your rule. Thus the source address is that of ${oif}. Try moving the pipe 10 above the divert rule.

Adam

> -----Original Message-----
> From: owner-freebsd-ipfw@FreeBSD.ORG
> [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Luis Almeida
> Sent: Thursday, September 26, 2002 3:21 PM
> To: freebsd-ipfw@FreeBSD.ORG
> Cc: laa@ipt.pt
> Subject: dummynet traffic shaping + nat + rc.firewall ?
>
>
> Hello
>
> Sorry if this mailing-list is just for developer people!
>
> Can anyone suggest the cause (or solution) for the following problem?
>
> I have setup a FreeBSD4.6.2 box to act as a gateway (NAT + IPFW with 2
> NIC).
> I tried to use dummynet to shape the traffic and i created two pipes to
> control the upload and the download traffic (both pipes with same
> bandwith)(i am using rc.firewall file (simple) to setup the ipfw rules):
>
> ${fwcmd} add pipe 10 all from 192.168.1.0/24 to any out via ${oif}
> ${fwcmd} add pipe 20 all from any to 192.168.1.0/24 in via ${oif}
> ${fwcmd} pipe 10 config mask src-ip 0x000000ff bw 200Kbit/s queue
> 20Kbytes
> ${fwcmd} pipe 20 config mask dst-ip 0x000000ff bw 200Kbit/s queue
> 20Kbytes
>
> The firewall and NAT runs is OK
>
> The problem is that i can limit the download traffic
> but the upload traffic is higher and not the same (it seems that the
> upload traffic do not pass by pipe 10)
>
> Is there any right place to put those pipes on rc.firewall?
> (i.e. after or before the divert rule)?
> Is there any conflict with nat divert rule and (mask src-ip 0x000000ff) ?
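Editor's note on the archived thread above. The ordering problem Adam points out, and Luis's second question about the src-ip mask, can be seen in a small Python model of how ipfw walks its rule list. This is an added example, not code from either poster or from FreeBSD: the addresses, rule numbers and masks are the ones in Luis's rc.firewall, the traffic is constructed, and the natd model is a deliberate simplification (one remote peer per LAN host). It also models the net.inet.ip.fw.one_pass sysctl, which the thread does not mention: with one_pass=1 (the default) a packet that has gone through a dummynet pipe leaves the firewall immediately, so a pipe 10 rule placed above the divert rule shapes the traffic but natd never translates it; with one_pass=0 the packet re-enters the rule list at the next rule and still reaches the divert.

```python
"""Model of ipfw walking its rule list past 'divert natd'.
Added example, not code from the thread or from FreeBSD. Addresses come from the
posted rc.firewall; the traffic below is constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

OIP = ipaddress.ip_address("193.137.5.9")      # fxp0 address: natd rewrites outbound sources to it
LAN = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    direction: str                              # "in" or "out" via the outside interface

@dataclass
class Rule:
    action: str                                 # "divert", "pipe" or "pass"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    direction: str = "any"
    pipe: int = 0
    mask: str = ""                              # "src-ip" or "dst-ip" (the 0x000000ff masks)

    def matches(self, p):
        return p.src in self.src and p.dst in self.dst and self.direction in ("any", p.direction)

class Natd:
    """Minimal natd: outbound LAN source -> OIP; reply -> the LAN host that spoke to that peer."""
    def __init__(self):
        self.peers = {}                         # remote address -> internal address

    def translate(self, p):
        if p.direction == "out" and p.src in LAN:
            self.peers[p.dst] = p.src
            return Packet(OIP, p.dst, "out")
        if p.direction == "in" and p.dst == OIP and p.src in self.peers:
            return Packet(p.src, self.peers[p.src], "in")
        return p

def walk(rules, packets, one_pass=True):
    """Run each packet down the rule list in order, as ipfw does.
    one_pass models sysctl net.inet.ip.fw.one_pass: True means a packet leaves the
    firewall right after a pipe rule, False means it re-enters at the next rule.
    Returns ({pipe: {bucket: packets}}, [source address of each outbound packet as it left])."""
    natd, buckets, egress = Natd(), {}, []
    for p in packets:
        for r in rules:
            if not r.matches(p):
                continue
            if r.action == "divert":
                p = natd.translate(p)           # rewritten packet resumes at the next rule
            elif r.action == "pipe":
                addr = p.src if r.mask == "src-ip" else p.dst
                bucket = int(addr) & 0xFF       # mask 0x000000ff: one queue per low address byte
                per_pipe = buckets.setdefault(r.pipe, {})
                per_pipe[bucket] = per_pipe.get(bucket, 0) + 1
                if one_pass:
                    break
            else:                               # "pass" stands in for the later pass rules
                break
        if p.direction == "out":
            egress.append(str(p.src))
    return buckets, egress

PIPE10 = Rule("pipe", src=LAN, direction="out", pipe=10, mask="src-ip")
PIPE20 = Rule("pipe", dst=LAN, direction="in", pipe=20, mask="dst-ip")
DIVERT, PASS = Rule("divert"), Rule("pass")

def sample_traffic():
    """Constructed traffic: hosts .51 and .52 each send 3 packets to their own peer, 3 replies come back."""
    pkts = []
    for host, peer in (("192.168.1.51", "198.51.100.7"), ("192.168.1.52", "198.51.100.8")):
        h, r = ipaddress.ip_address(host), ipaddress.ip_address(peer)
        pkts += [Packet(h, r, "out")] * 3 + [Packet(r, OIP, "in")] * 3
    return pkts

def posted_order():
    """The posted layout: divert, then both pipes. Pipe 10 never fires, pipe 20 does."""
    return walk([DIVERT, PIPE10, PIPE20, PASS], sample_traffic())

def pipe10_before_divert(one_pass):
    """Pipe 10 moved above divert. With one_pass the shaped packet skips natd and leaves untranslated."""
    return walk([PIPE10, DIVERT, PIPE20, PASS], sample_traffic(), one_pass)

def any_source_after_divert():
    """Pipe 10 widened to 'from any' but left after divert: every host collapses into bucket OIP & 0xff."""
    wide = Rule("pipe", direction="out", pipe=10, mask="src-ip")
    return walk([DIVERT, wide, PIPE20, PASS], sample_traffic())

if __name__ == "__main__":
    for name, fn in (("posted order", posted_order),
                     ("pipe 10 first, one_pass=1", lambda: pipe10_before_divert(True)),
                     ("pipe 10 first, one_pass=0", lambda: pipe10_before_divert(False)),
                     ("any-source after divert", any_source_after_divert)):
        buckets, egress = fn()
        print(f"{name:27} pipes={buckets} egress sources={sorted(set(egress))}")
```

Running it prints the pipe buckets and the source address packets carry as they leave, for each layout. In the posted order pipe 10 gets no buckets while pipe 20 gets one per host, which is what the "ipfw pipe show" output above shows (0 queues on 00010, one queue with bucket 51 on 00020). Widening pipe 10 to "from any" but leaving it after the divert puts every host into the single bucket 9 (193.137.5.9 & 0xff), which is the conflict between the divert rule and a src-ip mask that Luis asks about: a per-host mask can only work on a rule that sees the pre-NAT source. On the real box, check sysctl net.inet.ip.fw.one_pass before reordering, and confirm with ipfw pipe show that pipe 10 now has one queue per internal host.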