From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 7 06:59:52 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id A170FE2A for ; Mon, 7 Jan 2013 06:59:52 +0000 (UTC) (envelope-from sodynet1@gmail.com) Received: from mail-ie0-f179.google.com (mail-ie0-f179.google.com [209.85.223.179]) by mx1.freebsd.org (Postfix) with ESMTP id 731EBDF0 for ; Mon, 7 Jan 2013 06:59:52 +0000 (UTC) Received: by mail-ie0-f179.google.com with SMTP id k14so22682473iea.38 for ; Sun, 06 Jan 2013 22:59:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=/QxR0rSMWYvJVJhKuC3y6kLvUfnTdDA+ZY/floBE+RA=; b=M+hcEXf38XTwIs17LU8KPOf5FE7R1cnCqVHChYQN75UQnugzKPUOGJPeJ80AcOCBaa NW9RRBQ0wMzKtYg30EMjnPwP6Ww0iwFD+D2O7p02WRIBAtgvTjUOh+h7skE2BE/gTxh9 od4Vw6Zw+D4rJHM84fTeG/uQ+vvodrjI/M5u7X3rW93AWIzr36mv3Dup5EYv1VJdlgth +v5Opoo+yMulup8eVi9l1iYsnA1CnsEKUeyT1SvLTSaF2ZOvM+TmQnVRk4BHlvjVTo0e e0jaN+YNUzQuUiokqLz9CJnbtyZUm2Xu8jzezhR+dW3AH6pln4cZzrjSWePy0CUlrAaC XUOg== MIME-Version: 1.0 X-Received: by 10.50.156.196 with SMTP id wg4mr4996792igb.25.1357541986274; Sun, 06 Jan 2013 22:59:46 -0800 (PST) Received: by 10.64.51.98 with HTTP; Sun, 6 Jan 2013 22:59:46 -0800 (PST) In-Reply-To: <20130105233743.GA94797@onelab2.iet.unipi.it> References: <20130103082937.GB54360@onelab2.iet.unipi.it> <20130105233743.GA94797@onelab2.iet.unipi.it> Date: Mon, 7 Jan 2013 08:59:46 +0200 Message-ID: Subject: Re: Limit Session Bandwidth From: Sami Halabi To: Luigi Rizzo Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Jan 
2013 06:59:52 -0000 Hi, Thank you for the help. sysctl net.inet.ip.fw.one_pass=0 introduces some issues to my configuration limits in my current configuration, because limits aren't applied correctly since we continue after the pipe, eg: i had: 1900 pipe 1000 all from x.y.z.1 to any 2000 pipe 1001 all from any to x.y.z.1 2100 pipe 2000 all from x.y.z.0/24 to any 2100 pipe 2001 all from any to x.y.z.0/24 . . more pipes . .. 6500 allow all from any to any so the I had special limit(large) for x.y.z.1 IP but another limit in the whole /24 that i didn't want it to affect. any ideas how to solve it? i thought about skipto but I'm not sure how to use. Sami On Sun, Jan 6, 2013 at 1:37 AM, Luigi Rizzo wrote: > On Sat, Jan 05, 2013 at 02:51:07PM +0200, Sami Halabi wrote: > > Hi Luigi & Ozkan, > > > > Thanks for the response. > > > > Luigi i saw you said in some list never trust italians :), so i went step > > by step. > > first i put: > > me out from a pipe > > > > sysctl net.inet.ip.fw.one_pass=0 > > ipfw pipe 123 config bw 1Mbit/s mask all > > ipfw add 100 pipe 123 out > > > > ipfw add 120 allow ip from any to any > > > > Works like a charm. > > > > Next Step wil be: > > ipfw pipe 456 config bw 10Mbit/s > > > > ipfw sched 789 config mask all pipe 123 > > or it should be: > > ipfw sched 789 config mask all pipe 456 > > the latter. > > > ipfw add 110 queue 789 out > > > > > > whats is the correct configuration ? > > > > the mask options isn't well documented, in the handbook its not even > > mentiond. > > the manpage is slightly more up to date. > The handbook is probably years behind. > > cheers > luigi > > > same goes for scheduler... > > I got the feeling that only few here know the options very welll... maybe > > I'm wrong? > > > > Sami > > > > > > > > On Thu, Jan 3, 2013 at 12:46 PM, ?zkan KIRIK > wrote: > > > > > I think there is a mistake at the sched config line. 
it should be as > > > ipfw sched 789 config mask all pipe 456 > > > > > > > > > On Thu, Jan 3, 2013 at 10:29 AM, Luigi Rizzo > wrote: > > > > > >> ipfw sched 789 config mask all pipe 123 > > > > > > > > > > > > > > > -- > > Sami Halabi > > Information Systems Engineer > > NMS Projects Expert > > FreeBSD SysAdmin Expert > -- Sami Halabi Information Systems Engineer NMS Projects Expert FreeBSD SysAdmin Expert From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 7 09:15:36 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 869C6A83 for ; Mon, 7 Jan 2013 09:15:36 +0000 (UTC) (envelope-from luigi@onelab2.iet.unipi.it) Received: from onelab2.iet.unipi.it (onelab2.iet.unipi.it [131.114.59.238]) by mx1.freebsd.org (Postfix) with ESMTP id 4A479384 for ; Mon, 7 Jan 2013 09:15:35 +0000 (UTC) Received: by onelab2.iet.unipi.it (Postfix, from userid 275) id 2E6C773027; Mon, 7 Jan 2013 10:14:39 +0100 (CET) Date: Mon, 7 Jan 2013 10:14:39 +0100 From: Luigi Rizzo To: Sami Halabi Subject: Re: Limit Session Bandwidth Message-ID: <20130107091439.GA15263@onelab2.iet.unipi.it> References: <20130103082937.GB54360@onelab2.iet.unipi.it> <20130105233743.GA94797@onelab2.iet.unipi.it> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i Cc: freebsd-ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Jan 2013 09:15:36 -0000 On Mon, Jan 07, 2013 at 08:59:46AM +0200, Sami Halabi wrote: > Hi, > Thank you for the help. 
> > sysctl net.inet.ip.fw.one_pass=0 > introduces some issues to my configuration limits in my current > configuration, because limits aren't applied correctly since we continue > after the pipe, eg: > i had: > 1900 pipe 1000 all from x.y.z.1 to any > 2000 pipe 1001 all from any to x.y.z.1 > 2100 pipe 2000 all from x.y.z.0/24 to any > 2100 pipe 2001 all from any to x.y.z.0/24 > . > . > more pipes > . > .. > 6500 allow all from any to any > > so the I had special limit(large) for x.y.z.1 IP but another limit in the > whole /24 that i didn't want it to affect. > any ideas how to solve it? i thought about skipto but I'm not sure how to > use. > Sami one_pass = 0 essentially requires an accept rule after each pipe to behave similarly to the other case. How to do it depends on the configuration. Probably it would be good to make "one_pass" a per-pipe option. cheers luigi > On Sun, Jan 6, 2013 at 1:37 AM, Luigi Rizzo wrote: > > > On Sat, Jan 05, 2013 at 02:51:07PM +0200, Sami Halabi wrote: > > > Hi Luigi & Ozkan, > > > > > > Thanks for the response. > > > > > > Luigi i saw you said in some list never trust italians :), so i went step > > > by step. > > > first i put: > > > me out from a pipe > > > > > > sysctl net.inet.ip.fw.one_pass=0 > > > ipfw pipe 123 config bw 1Mbit/s mask all > > > ipfw add 100 pipe 123 out > > > > > > ipfw add 120 allow ip from any to any > > > > > > Works like a charm. > > > > > > Next Step wil be: > > > ipfw pipe 456 config bw 10Mbit/s > > > > > > ipfw sched 789 config mask all pipe 123 > > > or it should be: > > > ipfw sched 789 config mask all pipe 456 > > > > the latter. > > > > > ipfw add 110 queue 789 out > > > > > > > > > whats is the correct configuration ? > > > > > > the mask options isn't well documented, in the handbook its not even > > > mentiond. > > > > the manpage is slightly more up to date. > > The handbook is probably years behind. > > > > cheers > > luigi > > > > > same goes for scheduler... 
> > > I got the feeling that only few here know the options very welll... maybe > > > I'm wrong? > > > > > > Sami > > > > > > > > > > > > On Thu, Jan 3, 2013 at 12:46 PM, ?zkan KIRIK > > wrote: > > > > > > > I think there is a mistake at the sched config line. it should be as > > > > ipfw sched 789 config mask all pipe 456 > > > > > > > > > > > > On Thu, Jan 3, 2013 at 10:29 AM, Luigi Rizzo > > wrote: > > > > > > > >> ipfw sched 789 config mask all pipe 123 > > > > > > > > > > > > > > > > > > > > > -- > > > Sami Halabi > > > Information Systems Engineer > > > NMS Projects Expert > > > FreeBSD SysAdmin Expert > > > > > > -- > Sami Halabi > Information Systems Engineer > NMS Projects Expert > FreeBSD SysAdmin Expert From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 7 09:42:36 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 7B8C04D5 for ; Mon, 7 Jan 2013 09:42:36 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) by mx1.freebsd.org (Postfix) with ESMTP id 47C796E4 for ; Mon, 7 Jan 2013 09:42:35 +0000 (UTC) Received: from JRE-MBP-2.local (c-50-143-148-105.hsd1.ca.comcast.net [50.143.148.105]) (authenticated bits=0) by vps1.elischer.org (8.14.5/8.14.5) with ESMTP id r079FFim066923 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 7 Jan 2013 01:15:15 -0800 (PST) (envelope-from julian@freebsd.org) Message-ID: <50EA921D.2090902@freebsd.org> Date: Mon, 07 Jan 2013 01:15:09 -0800 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/17.0 Thunderbird/17.0 MIME-Version: 1.0 To: Sami Halabi Subject: Re: Limit Session Bandwidth References: <20130103082937.GB54360@onelab2.iet.unipi.it> <20130105233743.GA94797@onelab2.iet.unipi.it> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: 
freebsd-ipfw , Luigi Rizzo X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Jan 2013 09:42:36 -0000 On 1/6/13 10:59 PM, Sami Halabi wrote: > Hi, > Thank you for the help. > > sysctl net.inet.ip.fw.one_pass=0 > introduces some issues to my configuration limits in my current > configuration, because limits aren't applied correctly since we continue > after the pipe, eg: > i had: > 1900 pipe 1000 all from x.y.z.1 to any > 2000 pipe 1001 all from any to x.y.z.1 > 2100 pipe 2000 all from x.y.z.0/24 to any > 2100 pipe 2001 all from any to x.y.z.0/24 look at using the tablearg option with the pipe command. 1900 pipe tablearg all from table(1) to any 1902 pipe tablearg all from any to table(2) should allow you to do it all in 2 rules if you set up the table correctly. Tablearg in not mentioned in the 'pipe' command help entry but pipe IS mentioned in the tablearg section. let me know if it works! Julian > . > . > more pipes > . > .. > 6500 allow all from any to any > > so the I had special limit(large) for x.y.z.1 IP but another limit in the > whole /24 that i didn't want it to affect. > any ideas how to solve it? i thought about skipto but I'm not sure how to > use. > Sami > > > On Sun, Jan 6, 2013 at 1:37 AM, Luigi Rizzo wrote: > >> On Sat, Jan 05, 2013 at 02:51:07PM +0200, Sami Halabi wrote: >>> Hi Luigi & Ozkan, >>> >>> Thanks for the response. >>> >>> Luigi i saw you said in some list never trust italians :), so i went step >>> by step. >>> first i put: >>> me out from a pipe >>> >>> sysctl net.inet.ip.fw.one_pass=0 >>> ipfw pipe 123 config bw 1Mbit/s mask all >>> ipfw add 100 pipe 123 out >>> >>> ipfw add 120 allow ip from any to any >>> >>> Works like a charm. 
>>> >>> Next Step wil be: >>> ipfw pipe 456 config bw 10Mbit/s >>> >>> ipfw sched 789 config mask all pipe 123 >>> or it should be: >>> ipfw sched 789 config mask all pipe 456 >> the latter. >> >>> ipfw add 110 queue 789 out >>> >>> >>> whats is the correct configuration ? >>> >>> the mask options isn't well documented, in the handbook its not even >>> mentiond. >> the manpage is slightly more up to date. >> The handbook is probably years behind. >> >> cheers >> luigi >> >>> same goes for scheduler... >>> I got the feeling that only few here know the options very welll... maybe >>> I'm wrong? >>> >>> Sami >>> >>> >>> >>> On Thu, Jan 3, 2013 at 12:46 PM, ?zkan KIRIK >> wrote: >>>> I think there is a mistake at the sched config line. it should be as >>>> ipfw sched 789 config mask all pipe 456 >>>> >>>> >>>> On Thu, Jan 3, 2013 at 10:29 AM, Luigi Rizzo >> wrote: >>>>> ipfw sched 789 config mask all pipe 123 >>>> >>>> >>> >>> -- >>> Sami Halabi >>> Information Systems Engineer >>> NMS Projects Expert >>> FreeBSD SysAdmin Expert > > From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 7 11:06:47 2013 Return-Path: Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id BFE0A6E for ; Mon, 7 Jan 2013 11:06:47 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id A8E62F92 for ; Mon, 7 Jan 2013 11:06:47 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.6/8.14.6) with ESMTP id r07B6lml087904 for ; Mon, 7 Jan 2013 11:06:47 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.6/8.14.6/Submit) id r07B6l70087902 for freebsd-ipfw@FreeBSD.org; Mon, 7 Jan 2013 11:06:47 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 7 Jan 2013 11:06:47 GMT 
Message-Id: <201301071106.r07B6l70087902@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-ipfw@FreeBSD.org Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Jan 2013 11:06:47 -0000 Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/174749 ipfw Unexpected change of default route o kern/169206 ipfw [ipfw] ipfw does not flush entries in table o conf/167822 ipfw [ipfw] [patch] start script doesn't load firewall_type o kern/166406 ipfw [ipfw] ipfw does not set ALTQ identifier for ipv6 traf o kern/165939 ipfw [ipw] bug: incomplete firewall rules loaded if tables o kern/165190 ipfw [ipfw] [lo] [patch] loopback interface is not marking o kern/158066 ipfw [ipfw] ipfw + netgraph + multicast = multicast packets o kern/157796 ipfw [ipfw] IPFW in-kernel NAT nat loopback / Default Route o kern/157689 ipfw [ipfw] ipfw nat config does not accept nonexistent int f kern/155927 ipfw [ipfw] ipfw stops to check packets for compliance with o bin/153252 ipfw [ipfw][patch] ipfw lockdown system in subsequent call o kern/153161 ipfw [ipfw] does not support specifying rules with ICMP cod o kern/152113 ipfw [ipfw] page fault on 8.1-RELEASE caused by certain amo o kern/148827 ipfw [ipfw] divert broken with in-kernel ipfw o kern/148430 ipfw [ipfw] IPFW schedule delete broken. 
o kern/148091 ipfw [ipfw] ipfw ipv6 handling broken. f kern/143973 ipfw [ipfw] [panic] ipfw forward option causes kernel reboo o kern/143621 ipfw [ipfw] [dummynet] [patch] dummynet and vnet use result o kern/137346 ipfw [ipfw] ipfw nat redirect_proto is broken o kern/137232 ipfw [ipfw] parser troubles o kern/135476 ipfw [ipfw] IPFW table breaks after adding a large number o o kern/129036 ipfw [ipfw] 'ipfw fwd' does not change outgoing interface n o kern/127230 ipfw [ipfw] [patch] Feature request to add UID and/or GID l f kern/122963 ipfw [ipfw] tcpdump does not show packets redirected by 'ip s kern/121807 ipfw [request] TCP and UDP port_table in ipfw o kern/121122 ipfw [ipfw] [patch] add support to ToS IP PRECEDENCE fields o kern/116009 ipfw [ipfw] [patch] Ignore errors when loading ruleset from o bin/104921 ipfw [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a o kern/104682 ipfw [ipfw] [patch] Some minor language consistency fixes a o kern/103454 ipfw [ipfw] [patch] [request] add a facility to modify DF b o kern/103328 ipfw [ipfw] [request] sugestions about ipfw table o kern/102471 ipfw [ipfw] [patch] add tos and dscp support o kern/97951 ipfw [ipfw] [patch] ipfw does not tie interface details to o kern/95084 ipfw [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v o kern/86957 ipfw [ipfw] [patch] ipfw mac logging o bin/83046 ipfw [ipfw] ipfw2 error: "setup" is allowed for icmp, but s o kern/82724 ipfw [ipfw] [patch] [request] Add setnexthop and defaultrou o bin/78785 ipfw [patch] ipfw(8) verbosity locks machine if /etc/rc.fir o bin/65961 ipfw [ipfw] ipfw2 memory corruption inside add() o kern/60719 ipfw [ipfw] Headerless fragments generate cryptic error mes s kern/55984 ipfw [ipfw] [patch] time based firewalling support for ipfw o kern/48172 ipfw [ipfw] [patch] ipfw does not log size and flags o kern/46159 ipfw [ipfw] [patch] [request] ipfw dynamic rules lifetime f a kern/26534 ipfw [ipfw] Add an option to ipfw to log gid/uid of who cau 44 problems 
total. From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 7 16:09:18 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id AC11D549 for ; Mon, 7 Jan 2013 16:09:18 +0000 (UTC) (envelope-from sodynet1@gmail.com) Received: from mail-ie0-f175.google.com (mail-ie0-f175.google.com [209.85.223.175]) by mx1.freebsd.org (Postfix) with ESMTP id 8694E31A for ; Mon, 7 Jan 2013 16:09:18 +0000 (UTC) Received: by mail-ie0-f175.google.com with SMTP id qd14so23402772ieb.20 for ; Mon, 07 Jan 2013 08:09:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to :content-type; bh=NpPczywoYt+AqnjcI5fFrGJS+lTVNeK0T++iDjt5Lvo=; b=s72ZRx3rQh9U3/Ijr4UHu+oRmiPohR5J9idN7I8x+US6WaSRRSqnnRRq5esoRuSmGg +59AT9RrzmV2J9qvNp7sjjI94aA71EoSF+utJZSLG1C0QUmtgw9v3daZZS58Idsew7Oh GHrsdeSSxH398R2vhI3bfDPLUdc7Ji5Xe4ukrnCGuLyxxMAcsrS4SA2wipbBfYFGBuH3 wx9OibBYL4AD+JsU9niBC2VaQmqH/sBluGxP8npGfndBrKxNAj9KTDogPFmBWNSw/8eE ZR59TnDoC/yyJ0iYmRhCBIXFiDoyJreTzmTkgJBjlrunNndVVAmZaB+Lm7PHFKsUNj7A HJNg== MIME-Version: 1.0 X-Received: by 10.50.156.196 with SMTP id wg4mr6127358igb.25.1357574951942; Mon, 07 Jan 2013 08:09:11 -0800 (PST) Received: by 10.64.51.98 with HTTP; Mon, 7 Jan 2013 08:09:11 -0800 (PST) Date: Mon, 7 Jan 2013 18:09:11 +0200 Message-ID: Subject: rules fore core router From: Sami Halabi To: freebsd-ipfw Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Jan 2013 16:09:18 -0000 Hi, i have a core router that i want to enable firewall on it. 
is these enough for a start: ipfw add 100 allow all from any to any via lo0 ipfw add 25000 allow all from me to any ipfw add 25100 allow ip from "table(7)" to me dst-port 179 #ipfw add 25150 allow ip from "table(7)" to me ipfw add 25200 allow ip from "table(8)" to me dst-port 161 #ipfw add 25250 allow ip from "table(8)" to me ipfw add 25300 allow all from any to me dst-port 22 ipfw add 25400 allow icmp from any to any ipfw add 25500 deny all from any to me ipfw add 230000 allow all from any to any while table-7 are my BGP peers, table-8 my NMS. do i need to open anything more? any routing protocol/forwarding plan issues? another thing: i plan to add the following rule ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any will this work?, does my peer (ISP, with Cisco/Juniper equipment) needs to do anything else? Thanks in advance, -- Sami Halabi Information Systems Engineer NMS Projects Expert FreeBSD SysAdmin Expert From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 8 14:45:02 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 62118C51; Tue, 8 Jan 2013 14:45:02 +0000 (UTC) (envelope-from sodynet1@gmail.com) Received: from mail-ie0-f180.google.com (mail-ie0-f180.google.com [209.85.223.180]) by mx1.freebsd.org (Postfix) with ESMTP id 2F9CE686; Tue, 8 Jan 2013 14:45:02 +0000 (UTC) Received: by mail-ie0-f180.google.com with SMTP id c10so554502ieb.25 for ; Tue, 08 Jan 2013 06:44:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=2mE4DGCuWJd5YLeI5VG6lmZKM0mm6grd5LcQmBfj+Gw=; b=OasCVaHoGTk8DMD6NWkOoy17vqIO86jP3tIUoDvOt7ikvoL6AxaH1uzsUW07f4uRPb aQDlf+t8WW+Yn+2KbYOkEXRgMNJIg1hcrQg1YZLfYwqFYlvbgF3pJ4HowygZd3Fuh8aQ GH+AoRXzzlJIBmO1EqAVdIqxtYz1/3rQEZuqc/C/QPMrVIBPDJ4T8C2PncgfGtqduEQ2 
AqWZk7192cTe/cGDB0Z0LWQS4I/xXSqQ0MbrRBDmMqdmCCHxt4Bm7qtVynuHqQgLz/h2 tNPpow91ELBBSvfsf/CGbPOx9XTEI4tVf5y4qDofpzs37qSHEJY1IXu324pDZff56fYX D0zA== MIME-Version: 1.0 Received: by 10.50.222.226 with SMTP id qp2mr9328671igc.103.1357656295255; Tue, 08 Jan 2013 06:44:55 -0800 (PST) Received: by 10.64.51.98 with HTTP; Tue, 8 Jan 2013 06:44:55 -0800 (PST) Received: by 10.64.51.98 with HTTP; Tue, 8 Jan 2013 06:44:55 -0800 (PST) Date: Tue, 8 Jan 2013 16:44:55 +0200 Message-ID: Subject: firewall rules for core router From: Sami Halabi To: freebsd-ipfw , freebsd-net@freebsd.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.14 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Jan 2013 14:45:02 -0000 Anh one? =D7=91=D7=AA=D7=90=D7=A8=D7=99=D7=9A 7 =D7=91=D7=99=D7=A0=D7=95 2013 18:09,= =D7=9E=D7=90=D7=AA "Sami Halabi" : > Hi, > i have a core router that i want to enable firewall on it. > is these enough for a start: > > ipfw add 100 allow all from any to any via lo0 > ipfw add 25000 allow all from me to any > ipfw add 25100 allow ip from "table(7)" to me dst-port 179 > #ipfw add 25150 allow ip from "table(7)" to me > ipfw add 25200 allow ip from "table(8)" to me dst-port 161 > #ipfw add 25250 allow ip from "table(8)" to me > ipfw add 25300 allow all from any to me dst-port 22 > ipfw add 25400 allow icmp from any to any > ipfw add 25500 deny all from any to me > ipfw add 230000 allow all from any to any > > while table-7 are my BGP peers, table-8 my NMS. > > do i need to open anything more? any routing protocol/forwarding plan > issues? 
> > > another thing: > i plan to add the following rule > ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any > > will this work?, does my peer (ISP, with Cisco/Juniper equipment) needs t= o > do anything else? > Thanks in advance, > > -- > Sami Halabi > Information Systems Engineer > NMS Projects Expert > FreeBSD SysAdmin Expert > From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 8 17:02:11 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 295AB18E for ; Tue, 8 Jan 2013 17:02:11 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) by mx1.freebsd.org (Postfix) with ESMTP id D27D2D86 for ; Tue, 8 Jan 2013 17:02:10 +0000 (UTC) Received: from JRE-MBP-2.local (c-50-143-148-105.hsd1.ca.comcast.net [50.143.148.105]) (authenticated bits=0) by vps1.elischer.org (8.14.5/8.14.5) with ESMTP id r08H22hc074468 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Tue, 8 Jan 2013 09:02:03 -0800 (PST) (envelope-from julian@freebsd.org) Message-ID: <50EC5105.8050007@freebsd.org> Date: Tue, 08 Jan 2013 09:01:57 -0800 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/17.0 Thunderbird/17.0 MIME-Version: 1.0 To: Sami Halabi Subject: Re: firewall rules for core router References: In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-ipfw@freebsd.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Jan 2013 17:02:11 -0000 On 1/8/13 6:44 AM, Sami Halabi wrote: > Anh one? > בתאריך 7 בינו 2013 18:09, מאת "Sami Halabi" : > >> Hi, >> i have a core router that i want to enable firewall on it. 
>> is these enough for a start: >> >> ipfw add 100 allow all from any to any via lo0 >> ipfw add 25000 allow all from me to any >> ipfw add 25100 allow ip from "table(7)" to me dst-port 179 >> #ipfw add 25150 allow ip from "table(7)" to me >> ipfw add 25200 allow ip from "table(8)" to me dst-port 161 >> #ipfw add 25250 allow ip from "table(8)" to me >> ipfw add 25300 allow all from any to me dst-port 22 >> ipfw add 25400 allow icmp from any to any >> ipfw add 25500 deny all from any to me >> ipfw add 230000 allow all from any to any >> >> while table-7 are my BGP peers, table-8 my NMS. >> >> do i need to open anything more? any routing protocol/forwarding plan >> issues? I see nothing wrong.. it'll do what you want it that's what you want :-) you trust yourself and you allow ssh and BGP and NMS incoming and icmp everywhere but you won't be able to start outgoing ssh sessions because the return packets will be coming back to ephemeral ports. several ways to get around htat , like using keep-state, or just blocking INIT packets differently (see "established") >> >> >> another thing: >> i plan to add the following rule >> ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any >> >> will this work?, does my peer (ISP, with Cisco/Juniper equipment) needs to >> do anything else? w.x.y.z needs to know to accept those packets as they will still be aimed at w.x.y.z. (dest addr) if this machine is w.x.y.z then this command will achieve that. otherwise you will need to either have a 'fwd' rule on w.x.y.z. (if it's freebsd) or to change the packet, which will require you run it through natd. 
(or use a nat rule) >> Thanks in advance, >> >> -- >> Sami Halabi >> Information Systems Engineer >> NMS Projects Expert >> FreeBSD SysAdmin Expert >> > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > > From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 8 18:36:01 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id F0F1229E; Tue, 8 Jan 2013 18:36:01 +0000 (UTC) (envelope-from sodynet1@gmail.com) Received: from mail-ia0-f179.google.com (mail-ia0-f179.google.com [209.85.210.179]) by mx1.freebsd.org (Postfix) with ESMTP id 974812AB; Tue, 8 Jan 2013 18:36:01 +0000 (UTC) Received: by mail-ia0-f179.google.com with SMTP id o25so645043iad.24 for ; Tue, 08 Jan 2013 10:35:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=PTtyXYZXiTLv0MMOYEsvVVJdYImDrXg6pPu0dYCKjF4=; b=H4m7cquLH6pQ1LqS8/EaerBGNSwGAWCVv90plWpqHAcGqd3KPCzBX3ylmYHRVMKTY/ R4fv6E+tGrkjpjHKaoTDOvwolG7z7ixjwiMmruJrETKoPWJ0tjuhldNohgOmjds21oTZ rmHdo7UFafVFUt6mIW6FOlBpw0kNJ6w8mSIKBjA2G2eB95McVcAXDPvEfULDoesoCUNu Wve08xPPelp3aTx6OorimIOLkCiC4ggyEEJUc3P20RzG9pxiblpsj81Scz8h3cIlDFRR ZB5uiT2LfS4kVgy0POn/7Y40oL/1mF14OaMZ3eqBR1zzvCRbcDTyQ3mM/e8CnPM0HH76 5j5g== MIME-Version: 1.0 X-Received: by 10.50.156.196 with SMTP id wg4mr10145520igb.25.1357670155242; Tue, 08 Jan 2013 10:35:55 -0800 (PST) Received: by 10.64.51.98 with HTTP; Tue, 8 Jan 2013 10:35:55 -0800 (PST) Received: by 10.64.51.98 with HTTP; Tue, 8 Jan 2013 10:35:55 -0800 (PST) In-Reply-To: <50EC5105.8050007@freebsd.org> References: <50EC5105.8050007@freebsd.org> Date: Tue, 8 Jan 2013 20:35:55 +0200 Message-ID: Subject: Re: firewall 
rules for core router From: Sami Halabi To: Julian Elischer Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Jan 2013 18:36:02 -0000 Thank you for your response. about fwd: w.x.y.z is a router.. do i still need something? will it forward the packet correctly? =D7=91=D7=AA=D7=90=D7=A8=D7=99=D7=9A 8 =D7=91=D7=99=D7=A0=D7=95 2013 19:02,= =D7=9E=D7=90=D7=AA "Julian Elischer" : > On 1/8/13 6:44 AM, Sami Halabi wrote: > >> Anh one? >> =D7=91=D7=AA=D7=90=D7=A8=D7=99=D7=9A 7 =D7=91=D7=99=D7=A0=D7=95 2013 18:= 09, =D7=9E=D7=90=D7=AA "Sami Halabi" : >> >> Hi, >>> i have a core router that i want to enable firewall on it. >>> is these enough for a start: >>> >>> ipfw add 100 allow all from any to any via lo0 >>> ipfw add 25000 allow all from me to any >>> ipfw add 25100 allow ip from "table(7)" to me dst-port 179 >>> #ipfw add 25150 allow ip from "table(7)" to me >>> ipfw add 25200 allow ip from "table(8)" to me dst-port 161 >>> #ipfw add 25250 allow ip from "table(8)" to me >>> ipfw add 25300 allow all from any to me dst-port 22 >>> ipfw add 25400 allow icmp from any to any >>> ipfw add 25500 deny all from any to me >>> ipfw add 230000 allow all from any to any >>> >>> while table-7 are my BGP peers, table-8 my NMS. >>> >>> do i need to open anything more? any routing protocol/forwarding plan >>> issues? >>> >> I see nothing wrong.. it'll do what you want it that's what you want :-) > > you trust yourself > and you allow ssh and BGP and NMS incoming > and icmp everywhere > but you won't be able to start outgoing ssh sessions because the return > packets will be coming back to ephemeral ports. 
> > several ways to get around htat , like using keep-state, or just blocking > INIT packets differently (see "established") > > >>> >>> another thing: >>> i plan to add the following rule >>> ipfw add 26000 fwd w.x.y.z all from a.b.c.0/24 to any >>> >>> will this work?, does my peer (ISP, with Cisco/Juniper equipment) needs >>> to >>> do anything else? >>> >> > w.x.y.z needs to know to accept those packets as they will still be aimed > at w.x.y.z. (dest addr) > if this machine is w.x.y.z then this command will achieve that. > otherwise you will need to either have a 'fwd' rule on w.x.y.z. (if it's > freebsd) or to change the packet, > which will require you run it through natd. (or use a nat rule) > > > Thanks in advance, >>> >>> -- >>> Sami Halabi >>> Information Systems Engineer >>> NMS Projects Expert >>> FreeBSD SysAdmin Expert >>> >>> ______________________________**_________________ >> freebsd-ipfw@freebsd.org mailing list >> http://lists.freebsd.org/**mailman/listinfo/freebsd-ipfw >> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@**freebsd.org= >> " >> >> >> > From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 8 19:11:47 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 1B118F51 for ; Tue, 8 Jan 2013 19:11:47 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) by mx1.freebsd.org (Postfix) with ESMTP id CC5166A8 for ; Tue, 8 Jan 2013 19:11:46 +0000 (UTC) Received: from JRE-MBP-2.local (c-50-143-148-105.hsd1.ca.comcast.net [50.143.148.105]) (authenticated bits=0) by vps1.elischer.org (8.14.5/8.14.5) with ESMTP id r08JBfVg074902 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Tue, 8 Jan 2013 11:11:42 -0800 (PST) (envelope-from julian@freebsd.org) Message-ID: <50EC6F68.6080202@freebsd.org> Date: Tue, 08 Jan 2013 11:11:36 -0800 From: Julian Elischer 
To: Sami Halabi
Cc: freebsd-ipfw
Subject: Re: firewall rules for core router

On 1/8/13 10:35 AM, Sami Halabi wrote:
>
> Thank you for your response.
> about fwd:
> w.x.y.z is a router.. do I still need something? will it forward the
> packet correctly?
>
It will send them to wherever it thinks they were originally sent to.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 8 19:22:55 2013
Date: Tue, 8 Jan 2013 21:22:53 +0200
Subject: Re: firewall rules for core router
From: Sami Halabi
To: Julian Elischer
Cc: freebsd-ipfw

That's exactly what I need, all address space in use is public.
Thanks again,
Sami

On 8 Jan 2013 at 21:11, "Julian Elischer" wrote:

> On 1/8/13 10:35 AM, Sami Halabi wrote:
>>
>> Thank you for your response.
>> about fwd:
>> w.x.y.z is a router.. do I still need something? will it forward the packet correctly?
>
> It will send them to wherever it thinks they were originally sent to.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 10 10:40:02 2013
Date: Thu, 10 Jan 2013 10:40:01 GMT
From: Krzysztof Barcikowski
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/174749: Unexpected change of default route

The following reply was made to PR kern/174749; it has been noted by GNATS.

From: Krzysztof Barcikowski
To: bug-followup@FreeBSD.org, radek.krejca@starnet.cz
Cc:
Subject: Re: kern/174749: Unexpected change of default route
Date: Thu, 10 Jan 2013 11:26:28 +0100

Hello,
Kindly please take a look at the following threads, a similar problem appears:
http://lists.freebsd.org/pipermail/freebsd-net/2012-March/031879.html
http://lists.freebsd.org/pipermail/freebsd-net/2012-September/033209.html
http://lists.freebsd.org/pipermail/freebsd-net/2012-September/033394.html

I've also received an email from another user reporting this problem:

"Hello fellow.
I found a thread in the FreeBSD-net mailing list, where you were told
about unexpectedly changed (to some kind of junk address) static routes
http://lists.freebsd.org/pipermail/freebsd-net/2012-March/031879.html.
I have a similar problem, but with the default gateway.
I think I found one more likeness in our systems, I am using a renamed
vlan interface. It was made in rc.conf by ifconfig_vlan3400_name="comstar_w".
Do you have something like that in your rc.conf?
Or maybe you already found a solution for this trouble? Thanks."

Best regards!
Chris

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 10 11:40:01 2013
Date: Thu, 10 Jan 2013 11:40:01 GMT
From: Radek Krejča
To: freebsd-ipfw@FreeBSD.org
Subject: RE: kern/174749: Unexpected change of default route

The following reply was made to PR kern/174749; it has been noted by GNATS.

From: Radek Krejča
To: 'Krzysztof Barcikowski', "bug-followup@FreeBSD.org"
Cc:
Subject: RE: kern/174749: Unexpected change of default route
Date: Thu, 10 Jan 2013 12:29:15 +0100

Hi, thank you for the response, because the problem is very bad for us, because our customers are leaving us. I have a script which checks the default route and switches it back and sends an e-mail to me, so the situation is better.

To the problem - in your text:

> From: Krzysztof Barcikowski [mailto:krzysiek@airnet.opole.pl]
> Sent: Thursday, January 10, 2013 11:26 AM
> To: bug-followup@FreeBSD.org; Radek Krejča
> Subject: Re: kern/174749: Unexpected change of default route
>
> Hello,
> Kindly please take a look at the following threads, a similar problem appears:
> http://lists.freebsd.org/pipermail/freebsd-net/2012-March/031879.html
> http://lists.freebsd.org/pipermail/freebsd-net/2012-September/033209.html
> http://lists.freebsd.org/pipermail/freebsd-net/2012-September/033394.html
>
> I've also received an email from another user reporting this problem:
>
> "Hello fellow.
> I found a thread in the FreeBSD-net mailing list, where you were told
> about unexpectedly changed (to some kind of junk address) static routes
> http://lists.freebsd.org/pipermail/freebsd-net/2012-March/031879.html.
> I have a similar problem, but with the default gateway.
> I think I found one more likeness in our systems, I am using a renamed
> vlan interface. It was made in rc.conf
> by ifconfig_vlan3400_name="comstar_w".
> Do you have something like that in your rc.conf?
> Or maybe you already found a solution for this trouble?

I have some points to the above:
- route monitor is useless - it only tells that the default route is changed and the pid of the process - but the process doesn't exist at watching time....
- I have a clean system, only with PF nat (it could be interesting)
- the situation is the same on 8.2 and 9.0 (9.1 not tested)
- the change is in reaction to traffic - at the time of the change, there is a lot of garbage on the network

I found out that the ip of the bad default route was used for traffic a long time before the change - udp traffic, I think that it is torrent (or something similar) traffic.
There could be 10 changes per minute (like yesterday).

I wrote a script which stores all traffic (collected over tcpdump) in 10 second files and in case of a change stops collecting and deleting old logs - but I haven't had time to analyze it yet (I have about 200 vlans and 500 Mbit of traffic on this router). My knowledge of internet protocols is at a bad level also....

Here are a few commands on the machine (mpd is new and wasn't installed during monitoring, snmpd too):

root@nat-62 /root# cat /etc/rc.conf
nat_number="62"
ipv6_defaultrouter="2a02:768:0:4000::4000"
ifconfig_em0_ipv6="inet6 2a02:768:0:4000::${nat_number}"
keymap="us.iso"
# enable routing
gateway_enable="YES"
# enable ssh
sshd_enable="YES"
# enable packet filter
pf_enable="YES"                   # Enable PF (load module if required)
pf_rules="/etc/pf.conf"           # rules definition file for pf
pf_flags=""                       # additional flags for pfctl startup
pflog_enable="NO"                 # start pflogd(8)
pflog_logfile="/var/log/pflog"    # where pflogd should store the logfile
pflog_flags=""                    # additional flags for pflogd startup
pfsync_enable="NO"                # Expose pf state to other hosts for syncing
# enable snmp
snmpd_enable="YES"
snmpd_flags="-a"
snmpd_pidfile="/var/run/snmpd.pid"
fprobe_enable="YES"
fprobe_server="some_server"
ifconfig_em1="up"
ipv6_activate_all_interfaces="YES"    # Set to YES to set up for IPv6.
ipv6_gateway_enable="YES"             # Set to YES if this host will be a gateway.
radvd_enable="YES"
ntpdate_enable="YES"                  # Run ntpdate to sync time on boot (or NO).
ntpd_enable="YES"
mpd_enable="YES"
init_nat_enable="YES"

root@nat-62 /root# ifconfig -l
em0 em1 lo0 vlan1208 vlan1210 vlan1212 vlan1214 vlan1216 vlan1218 vlan1220 vlan1222 vlan1224 vlan1226 vlan1228 vlan1230 vlan1232 vlan1234 vlan1236 vlan1238 vlan1240 vlan1248 vlan1246 vlan1244 vlan1242 vlan1207 vlan100 vlan106 vlan107 vlan1001 vlan1003 vlan1005 vlan1007 vlan1009 vlan1011 vlan1013 vlan1015 vlan1017 vlan1019 vlan1021 vlan453 vlan1206 vlan1023 vlan1025 vlan1027 vlan1029 vlan1031 vlan1033 vlan1035 vlan1037 vlan332 vlan345 vlan341 vlan327 vlan333 vlan335 vlan336 vlan334 vlan337 vlan338 vlan339 vlan340 vlan342 vlan343 vlan449 vlan329 vlan448 vlan401 vlan402 vlan403 vlan1051 vlan801 vlan297 vlan299

Important point - I have this machine diskless, readonly, dhclient isn't running:

root@nat-62 /root# ps -uax
USER       PID  %CPU %MEM   VSZ   RSS  TT  STAT STARTED          TIME COMMAND
root        11 371.5  0.0     0    64  ??  RL   19Dec12 111079:00.52 [idle]
root         0  11.1  0.0     0   192  ??  DLs  19Dec12   4491:00.35 [kernel]
root        12  10.4  0.0     0   288  ??  WL   19Dec12   3404:19.05 [intr]
root      1159   1.3  0.1 22332  3428  ??  Ss   19Dec12    615:51.38 /usr/sbin/ntpd -c /etc/ntp.conf -p /var/run/ntpd.pid -f /var/db/ntpd.drift
root     70422   0.4  0.0 14636  1604  1-  S     9:07PM      5:59.16 sh ./reset_gw
root         1   0.0  0.0  6280   424  ??  ILs  19Dec12      0:01.22 /sbin/init --
root         2   0.0  0.0     0    16  ??  DL   19Dec12      0:00.00 [sctp_iterator]
root         3   0.0  0.0     0    16  ??  DL   19Dec12      0:00.00 [xpt_thrd]
root         4   0.0  0.0     0    16  ??  DL   19Dec12      0:01.22 [pagedaemon]
root         5   0.0  0.0     0    16  ??  DL   19Dec12      0:00.00 [vmdaemon]
root         6   0.0  0.0     0    16  ??  DL   19Dec12      0:00.02 [pagezero]
root         7   0.0  0.0     0    16  ??  DL   19Dec12      0:30.66 [bufdaemon]
root         8   0.0  0.0     0    16  ??  DL   19Dec12      0:09.11 [vnlru]
root         9   0.0  0.0     0    16  ??  DL   19Dec12      3:37.36 [syncer]
root        10   0.0  0.0     0    16  ??  DL   19Dec12      0:00.00 [audit]
root        13   0.0  0.0     0    48  ??  DL   19Dec12      0:02.22 [geom]
root        14   0.0  0.0     0    16  ??  DL   19Dec12     58:39.99 [yarrow]
root        15   0.0  0.0     0   128  ??  DL   19Dec12      1:19.63 [usb]
root        16   0.0  0.0     0    16  ??  DL   19Dec12      0:20.35 [acpi_thermal]
root        17   0.0  0.0     0    16  ??  DL   19Dec12      0:04.53 [acpi_cooling1]
root        18   0.0  0.0     0    16  ??  DL   19Dec12      0:11.27 [softdepflush]
root        33   0.0  0.0     0    16  ??  DL   19Dec12      0:01.36 [md0]
root       107   0.0  0.0     0    16  ??  DL   19Dec12      0:00.15 [md1]
root       112   0.0  0.0     0    16  ??  DL   19Dec12      0:00.00 [md2]
root       117   0.0  0.0     0    16  ??  DL   19Dec12      0:00.00 [md3]
root       122   0.0  0.0     0    16  ??  DL   19Dec12      0:00.32 [md4]
root       127   0.0  0.0     0    16  ??  DL   19Dec12      0:00.00 [md5]
root       139   0.0  0.0     0    16  ??  DL   19Dec12      0:01.77 [md6]
root       712   0.0  0.1 10372  3280  ??  Is   19Dec12      0:00.02 /sbin/devd
root       731   0.0  0.0     0    16  ??  DL   19Dec12      5:55.99 [pfpurge]
root       927   0.0  0.0 12184  1448  ??  Ss   19Dec12      0:15.95 /usr/sbin/syslogd -s
root      1052   0.0  0.0     0    64  ??  DL   19Dec12      0:00.00 [ng_queue]
root      1062   0.0  0.1 33532  6128  ??  S    19Dec12     29:38.98 /usr/local/sbin/snmpd -p /var/run/snmpd.pid -a
root      1075   0.0  0.4 35504 16400  ??  Ss   19Dec12    178:17.51 /usr/local/sbin/fprobe -iem1 -fvlan&&ip -B4096 -r2 -q10000 -t10000:10000000 -K18 something
root      1197   0.0  0.1 46876  3808  ??  Is   19Dec12      0:02.02 /usr/sbin/sshd
root      1204   0.0  0.1 20384  3432  ??  Ss   19Dec12      0:20.92 sendmail: accepting connections (sendmail)
smmsp     1208   0.0  0.1 20384  3224  ??  Is   19Dec12      0:00.22 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
root      1214   0.0  0.0 14260  1440  ??  Is   19Dec12      0:04.18 /usr/sbin/cron -s
root     57633   0.0  0.1 68016  4728  ??  Is   12:21PM      0:00.02 sshd: darius [priv] (sshd)
darius   58105   0.0  0.1 68016  4740  ??  S    12:21PM      0:00.01 sshd: darius@pts/0 (sshd)
root     86691   0.0  0.0 14636  1604  ??  S    12:24PM      0:00.00 sh ./reset_gw
root     86692   0.0  0.0 10052  1136  ??  S    12:24PM      0:00.00 /sbin/route get default
root     86693   0.0  0.0 16424  1272  ??  S    12:24PM      0:00.00 grep gateway
root     86694   0.0  0.0 10056   920  ??  S    12:24PM      0:00.00 cut -d: -f2
root     86695   0.0  0.0 10056   968  ??  S    12:24PM      0:00.00 tr -d
root      1281   0.0  0.0 41300  1904  v0  Is   19Dec12      0:00.01 login [pam] (login)
jvelisek  8423   0.0  0.1 17668  2468  v0  I    19Dec12      0:00.01 -csh (csh)
root      8426   0.0  0.1 44572  2652  v0  I    19Dec12      0:00.01 sudo su -l
root      8427   0.0  0.0 41296  1796  v0  I    19Dec12      0:00.00 su -l
root      8428   0.0  0.1 17668  2464  v0  I+   19Dec12      0:00.01 -su (csh)
root      1282   0.0  0.0 12184  1100  v1  Is+  19Dec12      0:00.00 /usr/libexec/getty Pc ttyv1
root      1283   0.0  0.0 12184  1100  v2  Is+  19Dec12      0:00.00 /usr/libexec/getty Pc ttyv2
root      1284   0.0  0.0 12184  1100  v3  Is+  19Dec12      0:00.00 /usr/libexec/getty Pc ttyv3
root      1285   0.0  0.0 12184  1100  v4  Is+  19Dec12      0:00.00 /usr/libexec/getty Pc ttyv4
root      1286   0.0  0.0 12184  1100  v5  Is+  19Dec12      0:00.00 /usr/libexec/getty Pc ttyv5
root      1287   0.0  0.0 12184  1100  v6  Is+  19Dec12      0:00.00 /usr/libexec/getty Pc ttyv6
root      1288   0.0  0.0 12184  1100  v7  Is+  19Dec12      0:00.00 /usr/libexec/getty Pc ttyv7
darius   58106   0.0  0.1 17668  2540   0  Is   12:21PM      0:00.01 -csh (csh)
root     58889   0.0  0.0 41304  1888   0  I    12:21PM      0:00.00 su -l
root     59480   0.0  0.1 17668  2856   0  S    12:21PM      0:00.02 -su (csh)
root     86696   0.0  0.0 14328  1272   0  R+   12:24PM      0:00.00 ps -uax

If you need any more information please let me know.

Radek

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 10 19:41:50 2013
Date: Thu, 10 Jan 2013 21:41:48 +0200
Subject: Re: kern/174749: Unexpected change of default route
From: Vadim Urazaev
To: Radek Krejča
Cc: freebsd-ipfw@freebsd.org

Do you have net-snmp installed on your system?

I did two things and the problem has disappeared for now (I have lived without
a changing default route longer than ever now)

1. I disabled snmpd
2. I installed and started to use the "bird" routing daemon,
with a configuration like this:

protocol kernel world {
        persist;                # Don't remove routes on bird shutdown
        scan time 20;           # Scan kernel routing table every 20 seconds
        import none;            # Default is import all
        export filter {
                if (net = 0.0.0.0/0) then {
                        if proto = "def" then accept;
                }
                reject;
        };
}

protocol device {
}

protocol static def {
        preference 1000;                # Default preference of routes
        route 0.0.0.0/0 via x.x.x.x;    # My default gateway
}

I don't know if it helps or not at all, but you should try it if you are in
a desperate situation, as you said.

2013/1/10 Radek Krejča

> The following reply was made to PR kern/174749; it has been noted by GNATS.
>
> From: Radek Krejča
> To: 'Krzysztof Barcikowski', "bug-followup@FreeBSD.org"
> Cc:
> Subject: RE: kern/174749: Unexpected change of default route
> Date: Thu, 10 Jan 2013 12:29:15 +0100
>
> Hi, thank you for the response, because the problem is very bad for us,
> because our customers are leaving us. I have a script which checks the
> default route and switches it back and sends an e-mail to me, so the
> situation is better.
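Radek's reset_gw script is only described in this thread (its pipeline, route get default | grep gateway | cut -d: -f2 | tr -d, shows in his ps output). As an added example that is neither his script nor part of the thread, here is a Python watchdog doing the same detect-and-revert, with the stray gateway recorded so it can be matched against the tcpdump files he mentions; FreeBSD route(8) output format is assumed and all addresses are constructed.

```python
"""Default-route watchdog in the spirit of the reset_gw script in the PR.

Added example, not Radek's script. It does not touch the kernel-side cause; it
detects the symptom (a default gateway that is no longer the configured one),
records the stray address so it can be matched against the tcpdump files kept
around the event, and puts the route back. The route(8) output format is
FreeBSD's; the gateway addresses below are constructed.
"""
import re
import subprocess
import sys
import time

GATEWAY_RE = re.compile(r"^\s*gateway:\s*(\S+)\s*$", re.MULTILINE)

def gateway_from_route_get(output):
    """Gateway named in `route -n get default` output, or None when there is
    no 'gateway:' line (no default route installed at all)."""
    m = GATEWAY_RE.search(output)
    return m.group(1) if m else None

def check_default_route(expected, output, now=None):
    """Compare the observed gateway with the configured one.

    Returns ("ok", None), or (status, record) with status "changed" or
    "missing"; the record is what gets logged for later correlation.
    """
    observed = gateway_from_route_get(output)
    if observed == expected:
        return "ok", None
    status = "missing" if observed is None else "changed"
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return status, {"time": stamp, "status": status,
                    "expected": expected, "observed": observed}

def restore_command(expected, observed):
    """route(8) invocation that puts the configured gateway back: 'add' when
    the default route vanished, 'change' when it points somewhere else."""
    verb = "add" if observed is None else "change"
    return ["route", "-n", verb, "default", expected]

def watch(expected, interval=1.0, log=sys.stderr):
    """Poll the routing table and revert unexpected changes (needs root)."""
    while True:
        proc = subprocess.run(["route", "-n", "get", "default"],
                              capture_output=True, text=True)
        status, record = check_default_route(expected, proc.stdout)
        if status != "ok":
            print(record, file=log)
            subprocess.run(restore_command(expected, record["observed"]),
                           check=False)
        time.sleep(interval)

# Constructed samples of route(8) output: the healthy case and the symptom
# from the PR, where the gateway has silently become an unrelated address.
SAMPLE_OK = """\
   route to: default
destination: default
       mask: default
    gateway: 192.0.2.254
        fib: 0
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>
"""
SAMPLE_CHANGED = SAMPLE_OK.replace("192.0.2.254", "198.51.100.77")

if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.254")
```

Run as root with the configured gateway as the argument; the logged records give the timestamps and stray addresses to look up in the capture files.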
From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 10 19:46:59 2013
From: Radek Krejča
To: 'Vadim Urazaev'
Cc: "freebsd-ipfw@freebsd.org"
Date: Thu, 10 Jan 2013 20:46:56 +0100
Subject: RE: kern/174749: Unexpected change of default route

Hi,

> Do you have net-snmp installed on your system?

Currently yes, but during the experiments I have a really clean image, without any port and without any running service except PF.

> I did two things and the problem has disappeared for now (I have lived without a changing default route longer than ever now)
>
> 1. I disabled snmpd
> 2. I installed and started to use the "bird" routing daemon,
> with a configuration like this:

I have a script which checks the default route many times per second and if there is a change, the script puts it back.

I think that it is important to find this bug – I think that it is a very big and dangerous bug, because there is a way to change routing only with traffic on a clean system.

Radek

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jan 11 05:46:07 2013
Date: Fri, 11 Jan 2013 07:46:05 +0200
Subject: RE: kern/174749: Unexpected change of default route
From: Vadim Urazaev
To: Radek Krejča
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org, freebsd-hackers@freebsd.org

Does somebody know how we can debug kernel memory corruption on a live system?
We need to find out which function/subsystem is the cause of this mess.
Or maybe is there some way to lock the particular memory area where the default gateway lies and watch which subsystem will cause a system crash?
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 12 08:10:01 2013
Date: Sat, 12 Jan 2013 08:10:01 GMT
From: Mark Linimon
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/174749: Unexpected change of default route

The following reply was made to PR kern/174749; it has been noted by GNATS.

From: Mark Linimon
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/174749: Unexpected change of default route
Date: Sat, 12 Jan 2013 02:01:07 -0600

----- Forwarded message from Vadim Urazaev -----

Date: Fri, 11 Jan 2013 07:46:05 +0200
From: Vadim Urazaev
To: Radek Krejča
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org, freebsd-hackers@freebsd.org
Subject: RE: kern/174749: Unexpected change of default route

Does somebody know how we can debug kernel memory corruption on a live system?
We need to find out which function/subsystem is the cause of this mess.
Or maybe is there some way to lock the particular memory area where the default gateway lies and watch which subsystem will cause a system crash?

----- End forwarded message -----
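Returning to the firewall thread at the top of this digest: Julian's warning that the return packets of outgoing ssh sessions come back to ephemeral ports and fall through to "deny all from any to me", and his two remedies (keep-state, or letting "established" segments through), as an added Python model that is not code from the thread or from ipfw(8). It implements only the rule semantics the posted ruleset needs, and the router, peer and table addresses are constructed.

```python
"""Toy first-match evaluator for the ipfw ruleset posted in the thread.

Added example, not code from the thread or from ipfw(8). It models just enough
of ipfw to show Julian's point: the reply half of an ssh session the router
itself opens returns to an ephemeral port, misses rule 25300 (dst-port 22) and
falls through to 'deny all from any to me'. The 'established' and 'keep-state'
fixes he names are then shown admitting that reply while still refusing
unsolicited connections. Addresses and table contents are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

ME = {"192.0.2.1"}                                # the router's own addresses
TABLES = {7: {"192.0.2.2"}, 8: {"198.51.100.10"}}  # table(7) BGP peers, table(8) NMS

@dataclass
class Packet:
    proto: str                                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"SYN"}
    iface: str = "em0"

@dataclass
class Rule:
    num: int
    action: str                               # "allow", "deny", "check-state"
    proto: str = "all"                        # "all", "ip", "tcp", "udp", "icmp"
    src: str = "any"                          # "any", "me", "table(N)", address
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None
    established: bool = False                 # ipfw: TCP with ACK or RST set
    keep_state: bool = False

def addr_match(spec, addr):
    if spec.startswith("table("):
        return addr in TABLES[int(spec[6:-1])]
    return spec == "any" or (spec == "me" and addr in ME) or spec == addr

def rule_match(r, p):
    return (r.proto in ("all", "ip", p.proto)
            and addr_match(r.src, p.src) and addr_match(r.dst, p.dst)
            and (r.dport is None or p.dport == r.dport)
            and (r.via is None or p.iface == r.via)
            and (not r.established
                 or (p.proto == "tcp" and bool(p.flags & {"ACK", "RST"}))))

def flow_key(p):
    """Direction-independent key so the reply matches the same flow."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def evaluate(rules, p, state):
    """Return (rule number, verdict) of the first matching rule. 'state' is the
    dynamic table: keep-state records a flow, check-state admits its packets."""
    for r in sorted(rules, key=lambda r: r.num):
        if r.action == "check-state":
            if flow_key(p) in state:
                return r.num, "allow"
            continue
        if rule_match(r, p):
            if r.keep_state and r.action == "allow":
                state.add(flow_key(p))
            return r.num, r.action
    return 65535, "deny"                      # ipfw's default rule

# The posted ruleset; rule numbers are 1..65535, so 65000 stands in for 230000.
POSTED = [
    Rule(100, "allow", via="lo0"),
    Rule(25000, "allow", src="me"),
    Rule(25100, "allow", "ip", "table(7)", "me", dport=179),
    Rule(25200, "allow", "ip", "table(8)", "me", dport=161),
    Rule(25300, "allow", dst="me", dport=22),
    Rule(25400, "allow", "icmp"),
    Rule(25500, "deny", dst="me"),
    Rule(65000, "allow"),
]

def ssh_reply():
    """Reply segment of an ssh session the router opened to 203.0.113.5."""
    return Packet("tcp", "203.0.113.5", "192.0.2.1", 22, 51234, {"ACK"})

def demo():
    out = {"posted_reply": evaluate(POSTED, ssh_reply(), set())}
    # Fix 1: 'established' ahead of the deny admits ACK/RST segments to me;
    # a bare SYN aimed at the same ephemeral port still hits 25500.
    est = POSTED + [Rule(25050, "allow", "tcp", dst="me", established=True)]
    syn = Packet("tcp", "203.0.113.5", "192.0.2.1", 40000, 51234, {"SYN"})
    out["established_reply"] = evaluate(est, ssh_reply(), set())
    out["established_syn"] = evaluate(est, syn, set())
    # Fix 2: keep-state on the 'from me' rule plus check-state up front; the
    # outgoing SYN creates the dynamic entry that the reply then matches.
    ks = [Rule(10, "check-state")] + [
        Rule(25000, "allow", src="me", keep_state=True) if r.num == 25000 else r
        for r in POSTED]
    state = set()
    out["keep_state_out"] = evaluate(ks, Packet("tcp", "192.0.2.1", "203.0.113.5", 51234, 22, {"SYN"}), state)
    out["keep_state_reply"] = evaluate(ks, ssh_reply(), state)
    out["keep_state_syn"] = evaluate(ks, syn, state)
    return out
```

Each entry of demo() is the (rule number, verdict) pair the packet stopped at, so the posted set's 25500 deny for the reply and the two fixes' allows can be read directly.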