From owner-freebsd-ipfw Sun Jun 23 6:40: 5 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailhost.stack.nl (vaak.stack.nl [131.155.140.140]) by hub.freebsd.org (Postfix) with ESMTP id AE2DA37B404 for ; Sun, 23 Jun 2002 06:39:58 -0700 (PDT)
Received: from toad.stack.nl (toad.stack.nl [2001:610:1108:5010:202:b3ff:fe17:9e1a]) by mailhost.stack.nl (Postfix) with ESMTP id B2C873D836 for ; Sun, 23 Jun 2002 15:39:57 +0200 (CEST)
Received: by toad.stack.nl (Postfix, from userid 333) id 7D7449657; Sun, 23 Jun 2002 15:39:57 +0200 (CEST)
Date: Sun, 23 Jun 2002 15:39:57 +0200
From: Marc Olzheim
To: freebsd-ipfw@freebsd.org
Subject: kern/32600
Message-ID: <20020623153957.A71187@stack.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
X-Operating-System: FreeBSD toad.stack.nl 4.5-STABLE FreeBSD 4.5-STABLE
X-URL: http://www.stack.nl/~marcolz/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi.

I was wondering whether
a) the patch provided in the PR still works with 4.6
b) the patch provided in the PR gets merged into the source tree.

I'm trying to limit incoming SMTP connections myself, and having my logs flooded with ipfw messages that don't really matter is not helping... ;-)

Zlo

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Jun 23 7:21:59 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by hub.freebsd.org (Postfix) with ESMTP id CE5D237B400 for ; Sun, 23 Jun 2002 07:21:54 -0700 (PDT)
Received: by elvis.mu.org (Postfix, from userid 1920) id AFAA2AE027; Sun, 23 Jun 2002 07:21:54 -0700 (PDT)
Date: Sun, 23 Jun 2002 07:21:54 -0700
From: Maxime Henrion
To: freebsd-ipfw@FreeBSD.org
Subject: 64 bits platforms warning fixes
Message-ID: <20020623142154.GI85525@elvis.mu.org>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="M/SuVGWktc5uNpra"
Content-Disposition: inline
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

--M/SuVGWktc5uNpra
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi all,

Here is a small patch to fix warnings that occur on 64 bits platforms. Could I have someone to review it so that I can commit it ?

Thanks,
Maxime

--M/SuVGWktc5uNpra
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ip.patch"

Index: ip_input.c
===================================================================
RCS file: /space/ncvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.201
diff -u -r1.201 ip_input.c
--- ip_input.c 22 Jun 2002 11:51:02 -0000 1.201
+++ ip_input.c 23 Jun 2002 14:06:39 -0000
@@ -300,7 +300,7 @@ break; case PACKET_TAG_DIVERT: - args.divert_rule = (int)m->m_hdr.mh_data & 0xffff; + args.divert_rule = (intptr_t)m->m_hdr.mh_data & 0xffff; break; case PACKET_TAG_IPFORWARD:
Index: ip_output.c
===================================================================
RCS file: /space/ncvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.158
diff -u -r1.158 ip_output.c
--- ip_output.c 22 Jun 2002 11:51:02 -0000 1.158
+++ ip_output.c 23 Jun 2002 14:07:09 -0000
@@ -168,7 +168,7 @@ break; case PACKET_TAG_DIVERT: - args.divert_rule = (int)m0->m_data & 0xffff; + args.divert_rule = (intptr_t)m0->m_data & 0xffff; break; case PACKET_TAG_IPFORWARD:

--M/SuVGWktc5uNpra--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Jun 24 7:30:13 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from InterJet.dellroad.org (adsl-63-194-81-26.dsl.snfc21.pacbell.net [63.194.81.26]) by hub.freebsd.org (Postfix) with ESMTP id 83C0B37B401 for ; Mon, 24 Jun 2002 07:30:04 -0700 (PDT)
Received: from arch20m.dellroad.org (arch20m.dellroad.org [10.1.1.20]) by InterJet.dellroad.org (8.9.1a/8.9.1) with ESMTP id HAA41527; Mon, 24 Jun 2002 07:20:02 -0700 (PDT)
Received: (from archie@localhost) by arch20m.dellroad.org (8.11.6/8.11.6) id g5OEJXk65809; Mon, 24 Jun 2002 07:19:33 -0700 (PDT) (envelope-from archie)
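Review bot: in the ip_input.c hunk, the `(intptr_t)` cast is the right type for reading an integer that was stashed in the pointer field `m->m_hdr.mh_data`, and because a cast binds tighter than `&` the value is still masked to 16 bits before the assignment; what the hunk leaves implicit is that `mh_data` carries a divert rule number rather than a pointer here, so a one-line comment above the `case PACKET_TAG_DIVERT:` label (for example `/* mh_data holds the divert rule number, not a pointer */`) would stop the next reader from taking the cast for a bug. The masked value is assigned to `args.divert_rule` without the diff showing that field's width; worth confirming it is at least 16 bits wide, since the `0xffff` mask assumes so.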
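Review bot: the ip_output.c hunk reaches the same field through `m0->m_data` while the ip_input.c hunk uses `m->m_hdr.mh_data`; since these two sites are the same decoding in the input and output paths and must stay in sync, spelling the access the same way in both (the `m_data` form) would keep the pair greppable. On ILP32 the `(int)` to `(intptr_t)` change is a no-op, so the commit message should state that the warning being silenced is the pointer-to-int truncation on 64-bit targets, otherwise the change reads as gratuitous in the log.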
From: Archie Cobbs
Message-Id: <200206241419.g5OEJXk65809@arch20m.dellroad.org>
Subject: Re: a bug in divert handling of fragments
In-Reply-To: <20020621073804.B79754@iguana.icir.org> "from Luigi Rizzo at Jun 21, 2002 07:38:04 am"
To: Luigi Rizzo
Date: Mon, 24 Jun 2002 07:19:33 -0700 (PDT)
Cc: ipfw@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL88 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Luigi Rizzo writes:
> This is in disagreement with the comment, and almost certainly
> not what one wants, so I believe this has to be fixed.
> I see two possible alternatives:
>
> #1: only trust divert info for the fragment with offset 0
> (i.e. the one which should have headers etc.)
>
> #2: keep as good the info from the first incoming fragment with
> a non-zero *divinfo (i.e. one which matched a divert rule).
>
> I would prefer #1 because it is less prone to attacks and easier to
> implement, and also because there is a lot more information that
> the firewall can use to select the packet.

#1 sounds good to me too..

-Archie

__________________________________________________________________________
Archie Cobbs * Packet Design * http://www.packetdesign.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Jun 24 13:59:44 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cleopatra.rubiconproject.com (cleopatra.rubiconproject.com [63.95.167.9]) by hub.freebsd.org (Postfix) with ESMTP id D808037B423 for ; Mon, 24 Jun 2002 13:57:38 -0700 (PDT)
Received: from jmk65.rubiconproject.com. (252-65.rubiconproject.com [10.255.252.65]) by cleopatra.rubiconproject.com (8.11.6/8.9.3) with ESMTP id g5OKvQ603722; Mon, 24 Jun 2002 13:57:26 -0700
Date: Mon, 24 Jun 2002 13:57:21 -0700 (Pacific Daylight Time)
From: Jeff Kletsky
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: Re: New ipfw code available
Message-ID:
X-X-Sender: jkletsky@cleopatra.rubiconproject.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Luigi and Group:

In my searches for a way to clear accounting on ipfw pipes, I came across this thread.

http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=35657+40570+/usr/local/www/db/text/2002/freebsd-ipfw/20020609.freebsd-ipfw

Running a commercial site that relies on the robustness of the ipfw code, I'd like to throw in a few suggestions about the documentation and user-land utilities. First, let me say that this type of flexibility and control has the potential to make my life a lot easier!!!

For firewalls to be reliable, the rules need to be both predictable and easily understandable. Having used pcap for some time now, I cannot say that the filter expressions are either, especially when more than just basic in their complexity.

The original post's example:

    "pipe 10 tcp from 1.2.3.4 or 1.2.3.7 or not 1.2.3.0/28 21-25,1024-4095 \
        to any in recv ed0 or recv fxp1 or recv dc0 uid 35 or uid 50"

can be interpreted in many ways, depending on operator binding and precedence. I'd hate to be wrong....

I need to be able to *easily* look at a rule and understand what it does, both when writing it, and when reading it later as output from the loaded ruleset.

Constructs such as

    1000 skipto 1010 ip from ${safe_src} to ${safe_dst}
    1005 deny log ip from ${generally_unsafe_src} to ${generally_unsafe_dst}
    1010 (do something else here)

are, while inefficient, easy to read and to understand if the appropriate behaviour applies.

I would like to suggest that the syntax and precedence rules for the microcode be very clear and unambiguously documented.
Parentheses or some other construct should be allowed to ensure that the rules are properly interpreted. On output, I would suggest that a similar construct clearly indicate the logic.

Yes, I'd help with the documentation and, as my skills permit, the output formatting...

Jeff

P.S. Implementing 'ipfw pipe [n] zero' to zero the counters (and possibly clean out the inactive flowsets ala expire_queues()) is on my list, though I have a lot more code-comprehension to do. Anyone else who wants to provide suggestions or tackle it is more than welcome!

--
Jeffrey Marc Kletsky
Director Of Product Management
SpotLife Inc.
1950 Leslie St.
San Mateo, CA 94403

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Jun 24 22:47:35 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by hub.freebsd.org (Postfix) with ESMTP id 5EAF137B408 for ; Mon, 24 Jun 2002 22:47:31 -0700 (PDT)
Received: from blossom.cjclark.org ([12.234.91.48]) by sccrmhc02.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020625054730.NQUS10417.sccrmhc02.attbi.com@blossom.cjclark.org>; Tue, 25 Jun 2002 05:47:30 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g5P5lTJK050383; Mon, 24 Jun 2002 22:47:29 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost) by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g5P5lRAY050382; Mon, 24 Jun 2002 22:47:27 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Mon, 24 Jun 2002 22:47:27 -0700
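Added example, following Jeff Kletsky's message above (this is not code from the list or from ipfw): a small evaluator that gives the source-address clause of his example rule an explicit precedence and parentheses, and shows that the two natural readings of `1.2.3.4 or 1.2.3.7 or not 1.2.3.0/28` disagree on exactly the two listed hosts. The precedence used (parentheses, then `not`, `and`, `or`) and the two candidate readings are assumptions chosen to illustrate the ambiguity, not a statement of how ipfw parses that clause.

```python
"""Evaluate an ipfw-style source-address clause under an explicit precedence,
to show why "1.2.3.4 or 1.2.3.7 or not 1.2.3.0/28" needs parentheses before
anyone can say what it matches.  Example code, not ipfw's parser."""
import ipaddress


def tokenize(expr):
    """Split an address expression into tokens; parentheses are their own tokens."""
    return expr.replace("(", " ( ").replace(")", " ) ").split()


class AddressExpr:
    """Recursive-descent evaluator with the precedence most readers expect:
    parentheses > not > and > or.  Atoms are IPv4 hosts or CIDR prefixes."""

    def __init__(self, expr, src):
        self.toks = tokenize(expr)
        self.pos = 0
        self.src = ipaddress.ip_address(src)

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of expression")
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def parse_or(self):
        value = self.parse_and()
        while self.peek() == "or":
            self.take()
            rhs = self.parse_and()      # always evaluated so the tokens are consumed
            value = value or rhs
        return value

    def parse_and(self):
        value = self.parse_not()
        while self.peek() == "and":
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        # a bare host such as 1.2.3.4 becomes a /32 network
        return self.src in ipaddress.ip_network(tok, strict=False)

    def evaluate(self):
        value = self.parse_or()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %s" % self.toks[self.pos:])
        return value


def matches(expr, src):
    """True when source address `src` satisfies the clause `expr`."""
    return AddressExpr(expr, src).evaluate()


# Two readings a human might give the undecorated clause from the post.  Which
# one a given parser implements is exactly the question; the parenthesised
# forms below are unambiguous and evaluate differently.
READINGS = {
    "not binds to one item":     "1.2.3.4 or 1.2.3.7 or (not 1.2.3.0/28)",
    "not covers the whole list": "not (1.2.3.4 or 1.2.3.7 or 1.2.3.0/28)",
}


def compare_readings(src):
    """Return {reading name: matched?} for one source address."""
    return {name: matches(expr, src) for name, expr in READINGS.items()}


def disagreeing_sources(candidates):
    """Sources for which the two readings give different answers."""
    return [s for s in candidates if len(set(compare_readings(s).values())) > 1]


if __name__ == "__main__":
    for src in ("1.2.3.4", "1.2.3.9", "9.9.9.9"):
        print(src, compare_readings(src))
    print("readings disagree for:",
          disagreeing_sources(["1.2.3.4", "1.2.3.7", "1.2.3.9", "9.9.9.9"]))
```

The hosts named explicitly in the rule (1.2.3.4 and 1.2.3.7) both sit inside 1.2.3.0/28, so under one reading they are admitted by name and under the other they are excluded by the negated prefix; the written rule gives no way to tell which the author meant, which is the point Jeff makes about needing parentheses on both input and output.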
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: do we need IPFIREWALL_FORWARD to be optional ?
Message-ID: <20020624224727.A50149@blossom.cjclark.org>
Reply-To: "Crist J. Clark"
References: <20020621104900.C81994@iguana.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020621104900.C81994@iguana.icir.org>; from rizzo@icir.org on Fri, Jun 21, 2002 at 10:49:00AM -0700
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, Jun 21, 2002 at 10:49:00AM -0700, Luigi Rizzo wrote:
> I am fixing that part of the netinet/ stack, and i wonder why
> do we need to make this optional.
>
> Once the global variables holding its state are removed, all the
> code reduces to a small set of short blocks (which are never entered
> if you do not have fwd rules) scattered in ip_input.c ip_output.c
> ip_fw.c and tcp_input.c, and I strongly believe that the pain and
> obfuscation of having it conditionally compiled is a lot worse than
> the modest code size increase.
>
> Unless there are strong objections, I am going to make it
> standard.

If you feel up to it, unconditionalize pfil(9) stuff too.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Jun 25 2:19:44 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id E2D6937B447 for ; Tue, 25 Jun 2002 02:19:08 -0700 (PDT)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g5P9J6C23568; Tue, 25 Jun 2002 02:19:06 -0700 (PDT) (envelope-from rizzo)
Date: Tue, 25 Jun 2002 02:19:06 -0700
From: Luigi Rizzo
To: Archie Cobbs
Cc: ipfw@freebsd.org
Subject: Re: a bug in divert handling of fragments
Message-ID: <20020625021906.B23524@iguana.icir.org>
References: <20020621073804.B79754@iguana.icir.org> <200206241419.g5OEJXk65809@arch20m.dellroad.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <200206241419.g5OEJXk65809@arch20m.dellroad.org>; from archie@dellroad.org on Mon, Jun 24, 2002 at 07:19:33AM -0700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, Jun 24, 2002 at 07:19:33AM -0700, Archie Cobbs wrote:
...
> > #1: only trust divert info for the fragment with offset 0
> > (i.e. the one which should have headers etc.)
>
> #1 sounds good to me too..

...and it is the thing I have committed on Sunday night.

cheers
luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Jun 25 5:55: 8 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id ACAFC37B403 for ; Tue, 25 Jun 2002 05:55:00 -0700 (PDT)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g5PCsv325011; Tue, 25 Jun 2002 05:54:57 -0700 (PDT) (envelope-from rizzo)
Date: Tue, 25 Jun 2002 05:54:57 -0700
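Added example, following the divert-and-fragments exchange above (this is not code from the FreeBSD tree): a Python model of policy #1 as Luigi and Archie agreed it, parsing constructed IPv4 fragment headers and accepting divert information only from the fragment with offset 0, with later fragments of the same datagram inheriting it and a non-first fragment that arrives before its head getting nothing. The header builder, the `DivertTracker` class and its lookup key are this example's own; real reassembly code would also expire the per-datagram entries on the reassembly timeout.

```python
"""Policy #1 from the thread: divert information is trusted only from the
fragment with offset 0; later fragments of the same datagram inherit it.
Example code with constructed packets, not the kernel's implementation."""
import struct

IP_OFFMASK = 0x1fff   # fragment offset, in 8-byte units
IP_MF = 0x2000        # "more fragments" flag
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options


def build_ipv4_header(src, dst, ident, offset_bytes, more_fragments, proto=17):
    """Construct a minimal IPv4 header for the examples (checksum left as 0)."""
    off = (offset_bytes // 8) & IP_OFFMASK
    if more_fragments:
        off |= IP_MF

    def packed(ip):
        return bytes(int(x) for x in ip.split("."))

    return struct.pack(IPV4_FMT, 0x45, 0, 20, ident, off, 64, proto, 0,
                       packed(src), packed(dst))


def parse_ipv4_header(hdr):
    """Return (src, dst, ident, proto, offset_bytes, more_fragments)."""
    (_, _, _, ident, off, _, proto, _, src, dst) = struct.unpack(IPV4_FMT, hdr[:20])

    def dotted(b):
        return ".".join(str(x) for x in b)

    return (dotted(src), dotted(dst), ident, proto,
            (off & IP_OFFMASK) * 8, bool(off & IP_MF))


def trust_divert_info(hdr):
    """Only the first fragment carries the transport header the firewall
    matched on, so only its divert decision is believed."""
    return parse_ipv4_header(hdr)[4] == 0


class DivertTracker:
    """Per-datagram memory of which divert rule the first fragment matched.
    Keyed like reassembly (src, dst, id, proto); entries are never expired
    here, which a real implementation must do."""

    def __init__(self):
        self.rules = {}

    def observe(self, hdr, divert_rule):
        """Feed one fragment with the divert rule attached to it; return the
        rule that should apply, or None when the head has not been seen."""
        src, dst, ident, proto, offset, _more = parse_ipv4_header(hdr)
        key = (src, dst, ident, proto)
        if trust_divert_info(hdr):
            self.rules[key] = divert_rule
            return divert_rule
        # information attached to a non-first fragment is ignored outright
        return self.rules.get(key)


if __name__ == "__main__":
    head = build_ipv4_header("10.0.0.1", "10.0.0.2", 0x1234, 0, True)
    body = build_ipv4_header("10.0.0.1", "10.0.0.2", 0x1234, 1480, True)
    tail = build_ipv4_header("10.0.0.1", "10.0.0.2", 0x1234, 2960, False)
    stray = build_ipv4_header("10.0.0.1", "10.0.0.2", 0x9999, 1480, True)
    t = DivertTracker()
    for name, frag, rule in (("head", head, 100), ("body", body, 0),
                             ("stray", stray, 200), ("tail", tail, 0)):
        print(name, "offset", parse_ipv4_header(frag)[4], "->", t.observe(frag, rule))
```

The `stray` fragment carries a divert rule of its own but has no offset-0 head on record, so it is given no divert decision at all; that is the property Luigi prefers in #1, since a non-first fragment cannot be matched against port or flag criteria and should not be able to steer the datagram.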
From: Luigi Rizzo
To: Suresh Ramasamy
Cc: ipfw@freebsd.org
Subject: Re: Question on Filtered Bridging and ARP takeovers
Message-ID: <20020625055457.B24694@iguana.icir.org>
References: <5.1.0.14.2.20020625120053.02bf64e8@pop.time.net.my> <5.1.0.14.2.20020625120053.02bf64e8@pop.time.net.my> <20020624215809.A21492@iguana.icir.org> <5.1.0.14.2.20020625130437.02cf03f0@pop.time.net.my>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <5.1.0.14.2.20020625130437.02cf03f0@pop.time.net.my>; from sureshdr@time.net.my on Tue, Jun 25, 2002 at 01:24:51PM +0800
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

sounds like it is the "new firewall" that is broken, not FreeBSD!

cheers
luigi

On Tue, Jun 25, 2002 at 01:24:51PM +0800, Suresh Ramasamy wrote:
> Thanks Luigi,
>
> I've installed a filtered bridge running on FreeBSD 4.5 Stable
> with this config
>
> WAN ---------- FB (10.10.68.181) ---- Client (10.10.68.222)
>                 |
>                 +---------- the rest of 10.10.68.x
>
> Recently, a new firewall was introduced and this firewall was using an
> active ARP scanning that "overtakes" IPs that do not respond to ping.
>
> The client 68.222 is ICMP disabled with only a few TCP ports open.
> What I noticed is that when I ping from the WAN segment to the client,
> in the FB, it shows that ARP is taken over by the rogue firewall.
>
> Temporary Workaround
>
> I added a static ARP entry onto FB (arp -S 10.10.68.222 mac_address pub) to
> publish the ARP into the network segment switch.
>
> Or is there a documented workaround?
>
>
> Q: Should the bridge function on FreeBSD address the ARP poisoning issue?
> If so, I would like to recommend an addition of this into the bridge function
> to identify the network at the other end and establish an ARP broadcasting
> function for the segment behind the filtered bridge.
>
> At 12:58 PM 6/25/2002, you wrote:
> >On Tue, Jun 25, 2002 at 12:01:46PM +0800, Suresh Ramasamy wrote:
> > > I have a question on FreeBSD filtered bridging and ARP
> > > takeovers. Could I direct the question to you, or specifically to
> > > a mailing list?
> >
> >just ask both me and ipfw@freebsd.org
> >
> >luigi
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Jun 25 6: 1:54 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 8146437B404; Tue, 25 Jun 2002 06:01:50 -0700 (PDT)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g5PD1of25100; Tue, 25 Jun 2002 06:01:50 -0700 (PDT) (envelope-from rizzo)
Date: Tue, 25 Jun 2002 06:01:50 -0700
From: Luigi Rizzo
To: "Crist J. Clark"
Cc: ipfw@FreeBSD.ORG
Subject: Re: do we need IPFIREWALL_FORWARD to be optional ?
Message-ID: <20020625060150.C24694@iguana.icir.org>
References: <20020621104900.C81994@iguana.icir.org> <20020624224727.A50149@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020624224727.A50149@blossom.cjclark.org>; from crist.clark@attbi.com on Mon, Jun 24, 2002 at 10:47:27PM -0700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, Jun 24, 2002 at 10:47:27PM -0700, Crist J. Clark wrote:
...
> If you feel up to it, unconditionalize pfil(9) stuff too.

speaking of which -- is it a -current only thing ? I was trying to integrate your bridge/ipfilter mods into RELENG_4 but apparently the code there is different...

cheers
luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Jun 25 9:18: 7 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 43E6D37B403 for ; Tue, 25 Jun 2002 09:18:03 -0700 (PDT)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020625161802.BNIE8262.rwcrmhc52.attbi.com@blossom.cjclark.org>; Tue, 25 Jun 2002 16:18:02 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g5PGI2JK052567; Tue, 25 Jun 2002 09:18:02 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost) by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g5PGI03K052566; Tue, 25 Jun 2002 09:18:00 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Tue, 25 Jun 2002 09:18:00 -0700
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: do we need IPFIREWALL_FORWARD to be optional ?
Message-ID: <20020625091800.A52519@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20020621104900.C81994@iguana.icir.org> <20020624224727.A50149@blossom.cjclark.org> <20020625060150.C24694@iguana.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020625060150.C24694@iguana.icir.org>; from rizzo@icir.org on Tue, Jun 25, 2002 at 06:01:50AM -0700
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, Jun 25, 2002 at 06:01:50AM -0700, Luigi Rizzo wrote:
> On Mon, Jun 24, 2002 at 10:47:27PM -0700, Crist J. Clark wrote:
> ...
> > If you feel up to it, unconditionalize pfil(9) stuff too.
>
> speaking of which -- is it a -current only thing ?

Yes.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Jun 25 12: 2:51 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from patriarch.dnsalias.org (adsl-66-140-18-199.dsl.hstntx.swbell.net [66.140.18.199]) by hub.freebsd.org (Postfix) with ESMTP id 1318937B764; Tue, 25 Jun 2002 12:01:46 -0700 (PDT)
Received: from compgeek ([127.0.0.1]) by patriarch.dnsalias.org with Microsoft SMTPSVC(5.0.2195.4905); Tue, 25 Jun 2002 14:01:50 -0500
Reply-To:
From: "Jon Noack"
To: "Alexander" ,
Cc: ,
Subject: RE: ipfw question
Date: Tue, 25 Jun 2002 14:01:50 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <20020625212231.U4383-100000@bugs.elitsat.net>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
X-OriginalArrivalTime: 25 Jun 2002 19:01:50.0817 (UTC) FILETIME=[C34FCD10:01C21C7A]
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Not that I know of (isn't that the point of fw.one_pass -- it only matches one rule). Why don't you want to use fw.one_pass? (If it's because you're using bridging I may be able to help)

Jon

Use the freebsd-ipfw list. I've sent them this message as well.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Alexander
Sent: Tuesday, June 25, 2002 1:39 PM
To: freebsd-questions@freebsd.org
Cc: freebsd-isp@freebsd.org
Subject: ipfw question

Hello,

I have a few clients which should share one channel of 256Kbit/s, and each one of them should have max 64Kbit/s. The idea is for 5-6 clients to share 256Kbit/s.

I do the following pipe configs:

    ipfw pipe 1 config bw 64Kbit/s queue 5
    ...
    ipfw pipe 6 config bw 64Kbit/s queue 5
    ipfw pipe 7 config bw 256Kbit/s queue 5

    ipfw add pipe 1 all from any to any via tun0
    ipfw add pipe 7 all from any to any via tun0
    ...
    ...
    ipfw add pipe 6 all from any to any via tun5
    ipfw add pipe 7 all from any to any via tun5

(Each client has a tunnel)

And what happens is that packets only go to the first rule, and everyone has 64k, but they don't share one 256k/s channel.

Is there a way of doing this without using the sysctl variable net.inet.ip.fw.one_pass ?

thanks

P.S. I'll be glad if someone responds as quickly as possible.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Jun 25 13:59: 1 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from viefep13-int.chello.at (viefep13-int.chello.at [213.46.255.15]) by hub.freebsd.org (Postfix) with ESMTP id B756437B400 for ; Tue, 25 Jun 2002 13:58:55 -0700 (PDT)
Received: from there ([213.47.24.51]) by viefep13-int.chello.at (InterMail vM.5.01.03.06 201-253-122-118-106-20010523) with SMTP id <20020625205854.ZGGS9315.viefep13-int.chello.at@there> for ; Tue, 25 Jun 2002 22:58:54 +0200
Content-Type: text/plain; charset="iso-8859-1"
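Added example, following Jon Noack's reply and Alexander's forwarded question above (this is not code from the list or from ipfw): a Python model of the rule walk Jon refers to, with `net.inet.ip.fw.one_pass` set or cleared, applied to Alexander's six per-client pipes plus one shared pipe. It shows which pipes a packet on each tunnel passes through and what that does to the aggregate rate. The rule numbers, the 100 kbit/s offered load per client and the proportional-sharing approximation for an overloaded pipe are assumptions of the example; dummynet's real scheduler and queueing are not modelled.

```python
"""Model of how ipfw walks a rule list with net.inet.ip.fw.one_pass set or
cleared, applied to per-client pipes plus one shared pipe.  Example code
with a simplified fluid model, not dummynet itself."""
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    action: str    # "pipe" or "allow"
    pipe: int      # pipe number, 0 for "allow"
    via: str       # interface the rule matches, or "any"


# pipe number -> bandwidth in kbit/s, as configured in the question
PIPES_KBIT = {1: 64, 2: 64, 3: 64, 4: 64, 5: 64, 6: 64, 7: 256}

# assumed offered load: every client tries to push 100 kbit/s
DEFAULT_OFFERED = {"tun%d" % i: 100.0 for i in range(6)}


def build_ruleset(clients=6):
    """ipfw add pipe N ... via tun(N-1), then pipe 7 via the same tunnel,
    for each client, followed by the default allow."""
    rules, num = [], 100
    for n in range(1, clients + 1):
        rules.append(Rule(num, "pipe", n, "tun%d" % (n - 1)))
        num += 100
        rules.append(Rule(num, "pipe", 7, "tun%d" % (n - 1)))
        num += 100
    rules.append(Rule(65535, "allow", 0, "any"))
    return rules


def pipes_traversed(rules, iface, one_pass):
    """Rule walk: the first matching rule acts.  A pipe action ends the search
    when one_pass is set; when it is cleared the packet re-enters the firewall
    at the rule after the one that sent it to the pipe."""
    path = []
    for rule in rules:
        if rule.via not in ("any", iface):
            continue
        if rule.action == "allow":
            break
        path.append(rule.pipe)
        if one_pass:
            break
    return path


def delivered_kbit(rules, offered_kbit, one_pass):
    """Fluid approximation: a pipe passes at most its bandwidth, and when the
    flows through it demand more, each is scaled down in proportion to its
    demand (assumption; a real FIFO pipe drops packets at the tail instead)."""
    rate = dict(offered_kbit)
    paths = {ifc: pipes_traversed(rules, ifc, one_pass) for ifc in offered_kbit}
    for stage in range(max(len(p) for p in paths.values())):
        sharing = {}
        for ifc, path in paths.items():
            if stage < len(path):
                sharing.setdefault(path[stage], []).append(ifc)
        for pipe, flows in sharing.items():
            demand = sum(rate[f] for f in flows)
            cap = PIPES_KBIT[pipe]
            if demand > cap:
                for f in flows:
                    rate[f] *= cap / demand
    return rate


def aggregate_kbit(rules, offered_kbit, one_pass):
    """Total rate leaving the box across all clients."""
    return sum(delivered_kbit(rules, offered_kbit, one_pass).values())


if __name__ == "__main__":
    rules = build_ruleset()
    for flag in (True, False):
        print("one_pass=%d  tun0 path=%s  aggregate=%.1f kbit/s" % (
            flag, pipes_traversed(rules, "tun0", flag),
            aggregate_kbit(rules, DEFAULT_OFFERED, flag)))
```

With `one_pass` set each tunnel only ever meets its own 64 kbit/s pipe, so six saturated clients add up to 384 kbit/s; with it cleared the packet continues to the `pipe 7` rule and the six flows are squeezed into the shared 256 kbit/s, which is the behaviour Alexander was after.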
From: Thomas Wolf
To: freebsd-ipfw@freebsd.org
Subject: interface check for packets originating from the local host ?
Date: Tue, 25 Jun 2002 23:02:36 +0200
X-Mailer: KMail [version 1.3.2]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <20020625205854.ZGGS9315.viefep13-int.chello.at@there>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi there,

"packets originating from the local host have no receive interface"

but is it possible/planned/nonsense to filter on exactly this condition, something like:

    'allow all from any to any out recv none xmit xxx0' ?

I am experimenting with a ruleset for several interfaces and I try to design the rules on src/dst - interface and this would help to distinguish 'natted' packets from locally generated ones when they are leaving the system.

Thanks in advance
Thomas

PS (slightly OT): Should the punch_fw option in natd also create rules for outgoing passive ftp ? It does not (at least on my 4.5 Box) but I wonder if it is my fault, a bug or a feature :-)

PPS: would this be the right list to post my ruleset asking for comments when it is finished ?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Jun 25 16:35:37 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from valis.olywa.net (valis.olywa.net [216.173.192.2]) by hub.freebsd.org (Postfix) with ESMTP id 95C3137B400; Tue, 25 Jun 2002 16:35:31 -0700 (PDT)
Received: from intrepid.snowpoint.com ([216.173.213.173]) by valis.olywa.net (Post.Office MTA v3.5.3 release 223 ID# 0-56662U5000L500S0V35) with ESMTP id net; Tue, 25 Jun 2002 16:35:31 -0700
Received: from ([216.173.213.172]) by intrepid.snowpoint.com (Merak 4.10.020) with SMTP id HUB36795; Tue, 25 Jun 2002 16:30:49 -0700
From: "Corey Snow"
To: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Date: Tue, 25 Jun 2002 16:35:40 -0700
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: ipfw, nat and routing
Message-ID: <3D189BDC.28738.2074C888@localhost>
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi-

I'm currently trying to set up a FreeBSD 4.5-RELEASE box as both a router and a NAT system. Basically, it has two NICs, and sits between my DMZ and my private LAN. The DMZ is connected to the Internet via a FreeBSD-based filtering bridge, which works fine. The DMZ is where I keep my routable IPs, for things like my webserver and mail system. On the backside of my NAT firewall, I use RFC1918 addresses. The outer interface of the NAT firewall has a routable address, obviously.

I can get all this to work just fine. However, there's one more thing I'd like to add to this- the ability for the NAT firewall to also do simple routing between interfaces for my RFC1918 addresses.

See, on my DMZ, in addition to my external IP addresses, I have used some RFC1918 addresses for various purposes, mostly for local administration. These RFC 1918 IPs are all in a single Class C. On the inside of the NAT firewall, I have another collection of RFC 1918 addresses, also in their own Class C. The internal interface of the NAT firewall has an address that is within that Class C, as does every other host on the network. The external interface of the NAT firewall has both a public IP and a private one. The private one is set as an alias.

I'd like my firewall to route packets from my internal private Class C to my DMZ one, or if packets are destined for the Internet, to perform NAT and pump them out on the public IP. I can get this working one way, or the other, but not both at once.

I'm still experimenting, but any suggestions would be helpful. Thanks a bunch.

Regards,

Corey Snow

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Jun 25 20:39: 9 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.dev.itouchnet.net (devco.net [196.15.188.2]) by hub.freebsd.org (Postfix) with ESMTP id 68E7437B400 for ; Tue, 25 Jun 2002 20:39:03 -0700 (PDT)
Received: from nobody by mx1.dev.itouchnet.net with scanned_ok (Exim 3.35 #1) id 17N3fW-000C3L-00 for ipfw@freebsd.org; Wed, 26 Jun 2002 05:40:34 +0200
Received: from shell.devco.net ([196.15.188.7]) by mx1.dev.itouchnet.net with esmtp (Exim 3.35 #1) id 17N3fV-000C30-00; Wed, 26 Jun 2002 05:40:33 +0200
Received: from bvi by shell.devco.net with local (Exim 3.33 #4) id 17N3ee-000J1R-00; Wed, 26 Jun 2002 05:39:40 +0200
Date: Wed, 26 Jun 2002 05:39:40 +0200
From: Barry Irwin
To: Luigi Rizzo
Cc: Suresh Ramasamy , ipfw@freebsd.org
Subject: Re: Question on Filtered Bridging and ARP takeovers
Message-ID: <20020626053940.T46303@itouchlabs.com>
References: <5.1.0.14.2.20020625120053.02bf64e8@pop.time.net.my> <5.1.0.14.2.20020625120053.02bf64e8@pop.time.net.my> <20020624215809.A21492@iguana.icir.org> <5.1.0.14.2.20020625130437.02cf03f0@pop.time.net.my> <20020625055457.B24694@iguana.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020625055457.B24694@iguana.icir.org>; from luigi@iet.unipi.it on Tue, Jun 25, 2002 at 05:54:57AM -0700
X-Checked: Scanned for any viruses and unauthorized attachments at mx1.dev.itouchnet.net
X-iScan-ID: 46331-1025062834-61251@mx1.dev.itouchnet.net version $Name: REL_2_0_2 $
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Agreed. Units that I've read about that implement this usually release their ARP as soon as they see a system reply with a valid response to an ARP request, such as when a new system is turned on. I have not heard of one like this that uses ICMP to check the availability, but rather they monitor unanswered ARP requests.

Barry

On Tue 2002-06-25 (05:54), Luigi Rizzo wrote:
>
> sounds like it is the "new firewall" that is broken, not FreeBSD!
>
> cheers
> luigi
>
> On Tue, Jun 25, 2002 at 01:24:51PM +0800, Suresh Ramasamy wrote:
> > Thanks Luigi,
> >
> > I've installed a filtered bridging running on FreeBSD 4.5 Stable
> > with these config
> >
> > WAN ---------- FB (10.10.68.181) ---- Client (10.10.68.222)
> >                 |
> >                 +---------- the rest of 10.10.68.x
> >
> > Recently, a new firewall was introduced and this firewall was using an
> > active ARP
> > scanning that "overtakes" IP that does not respond to ping.
> >
> > The client 68.222 is ICMP disabled with only a few TCP ports open.
> > What i noticed is that when I ping from WAN segment to the client,
> > in the FB, it shows that ARP is taken over by the rogue firewall.
> >
> > Temporary Workaround
> >
> > I added a static ARP entry onto FB (arp -S 10.10.68.222 mac_address pub) to
> > publish the ARP into the network segment switch.
> >
> > Or is there a documented workaround?
> >
> >
> > Q: Should the bridge function on FreeBSD address the ARP poisoning issue?
> > If so, I would like to recommend an addition of this into the bridge function
> > to identify network at the other end and establish an arp broadcasting
> > function for
> > the segment behind the filtered bridging.
> >
> > At 12:58 PM 6/25/2002, you wrote:
> > >On Tue, Jun 25, 2002 at 12:01:46PM +0800, Suresh Ramasamy wrote:
> > > > I have a question on FreeBSD filtered bridging and ARP
> > > > takeovers. Could i direct the question to you, or specifically to
> > > > a mailing list?
> > >
> > >just ask both me and ipfw@freebsd.org
> > >
> > >luigi
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
>

--
Barry Irwin bvi@itouchlabs.com +27214875177
Systems Administrator: Networks And Security
Itouch Labs http://www.itouchlabs.com South Africa

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Jun 26 1: 6:49 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailomat.net (mailomat.net [62.157.203.218]) by hub.freebsd.org (Postfix) with ESMTP id 5F1DC37B400 for ; Wed, 26 Jun 2002 01:06:29 -0700 (PDT)
Received: This mail has hopefully been cleaned of damaging elements.
Received: from gemini.bnc.net (gemini.bnc.net [62.225.99.33]) by mailomat.net (8.12.3/8.12.3) with ESMTP id g5Q86GBQ003250; Wed, 26 Jun 2002 10:06:16 +0200 (CEST) (envelope-from ap@bnc.net)
Received: from entity (entity.bnc.net [62.225.99.68]) by gemini.bnc.net (8.11.3/8.11.3) with SMTP id g5Q86AY21017; Wed, 26 Jun 2002 10:06:10 +0200 (CEST) (envelope-from ap@bnc.net)
From: "Achim Patzner"
To: "Thomas Wolf" ,
Subject: RE: interface check for packets originating from the local host ?
Date: Wed, 26 Jun 2002 10:08:56 +0200
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
In-Reply-To: <20020625205854.ZGGS9315.viefep13-int.chello.at@there>
Disposition-Notification-To: "Achim Patzner"
X-Virus-Scanned: by AMaViS perl-11
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> "packets originating from the local host have no receive interface"
> but is it possible/planned/nonsense to filter on exactly this

Nonsense.

> condition, something like:
> 'allow all from any to any out recv none xmit xxx0' ?

What's wrong with "allow all from me to [...]"?

Achim

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Jun 26 2: 7:22 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id A4B7937B400 for ; Wed, 26 Jun 2002 02:07:19 -0700 (PDT)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g5Q95sO34590; Wed, 26 Jun 2002 02:05:54 -0700 (PDT) (envelope-from rizzo)
Date: Wed, 26 Jun 2002 02:05:54 -0700
From: Luigi Rizzo To: Achim Patzner Cc: Thomas Wolf , freebsd-ipfw@FreeBSD.ORG Subject: Re: interface check for packets originating from the local host ? Message-ID: <20020626020554.A34406@iguana.icir.org> References: <20020625205854.ZGGS9315.viefep13-int.chello.at@there> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from ap@bnc.net on Wed, Jun 26, 2002 at 10:08:56AM +0200 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG
On Wed, Jun 26, 2002 at 10:08:56AM +0200, Achim Patzner wrote:
> > "packets originating from the local host have no receive interface"
> > but is it possible/planned/nonsense to filter on exactly this
>
> Nonsense.

i beg to differ... it is both possible and planned.

> > condition, something like:
> > 'allow all from any to any out recv none xmit xxx0' ?
>
> What's wrong with "allow all from me to [...]"?

"me" is an expensive check when you can simply look at the rcvif field in the mbuf header (not to mention the slightly different behaviour in corner cases such as packet coming from divert sockets).
cheers luigi > > Achim > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Jun 26 13:17:44 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mailgw2a.lmco.com (mailgw2a.lmco.com [192.91.147.7]) by hub.freebsd.org (Postfix) with ESMTP id 3081137C641 for ; Wed, 26 Jun 2002 13:03:45 -0700 (PDT) Received: from emss01g01.ems.lmco.com ([129.197.181.54]) by mailgw2a.lmco.com (8.11.6/8.11.6) with ESMTP id g5QJXDg00697 for ; Wed, 26 Jun 2002 15:33:14 -0400 (EDT) Received: from CONVERSION-DAEMON by lmco.com (PMDF V5.2-33 #38886) id <0GYB00C01VNDQ0@lmco.com> for freebsd-ipfw@freebsd.org; Wed, 26 Jun 2002 12:33:13 -0700 (PDT) Received: from lmco.com ([129.197.20.43]) by lmco.com (PMDF V5.2-33 #38886) with ESMTP id <0GYB00OM7VN8WH@lmco.com> for freebsd-ipfw@freebsd.org; Wed, 26 Jun 2002 12:33:08 -0700 (PDT) Date: Wed, 26 Jun 2002 12:28:58 -0700 
From: rick norman Subject: Re: ipfw and aliases To: freebsd-ipfw@freebsd.org Message-id: <3D1A15F9.7589DCE7@lmco.com> MIME-version: 1.0 X-Mailer: Mozilla 4.79 [en] (WinNT; U) Content-type: multipart/alternative; boundary="Boundary_(ID_nXTxTJCP9ntWnKv3I87DaQ)" X-Accept-Language: en References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org> <3CE1599C.42071126@lmco.com> <20020514131100.A57077@blossom.cjclark.org> <3CE17755.12735706@lmco.com> <20020514152229.B57077@blossom.cjclark.org> <3CE3F5A7.FE02E845@lmco.com> Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG
Did this issue ever get resolved or is there some hope it can be incorporated ?

rick norman wrote:
>
> Here is an example (please view in fix point font)
>
> Src       Hop1       Hop2       Dest
> -+-       -+-        -+-        -+-
>  |         |          |          |
>  +---------+----------+----------+
> 10.0.0.1  10.0.0.2
>           10.0.1.1  10.0.1.2
>           10.0.2.1  10.0.2.2
>           10.0.3.1  10.0.3.2
>                     10.0.4.2    10.0.4.3
>
> Notes:
> Subnet mask=255.255.255.0 for all
> there is only one NIC in each computer
> All the computers are connected to an ethernet switch.
> We are manually manipulating the routing table on hop2 and hop3 for
> the destination.
>
> The topology above allows us to get to destination address
> 10.0.4.3 from src 10.0.0.1 by going through hop1 and hop2.
>
> We would like to be able to setup IPFW rules and Dummynet Pipes
> to vary the link quality between hop1 and hop2
> depending on which of the three routes are taken to the destination.
>
> We need a firewall rule that reads like this
>
> 0100 pipe 1 ip from any to 10.0.4.3 via 10.0.1.1
> 0200 pipe 2 ip from any to 10.0.4.3 via 10.0.2.1
> 0300 pipe 3 ip from any to 10.0.4.3 via 10.0.3.1
>
> The problem is that currently the via 10.0.1.1 and 10.0.2.1 and
> 10.0.3.1 all resolve to the same interface and therefore only pipe 1
> is used. That's why I would like subnets to be used instead of the
> interface to which they resolve. Actually, I think the via qualifier
> would make more sense if it was able to differentiate subnets. If you
> have any way of making this work please let me know.
>
> Thanks,
> Rick Norman
>
> "Crist J. Clark" wrote:
>
>> On Tue, May 14, 2002 at 01:45:10PM -0700, rick norman wrote:
>> > I'm probably giving too little detail. Basically I'm configuring bsd 4.5
>> > as an intermediate node router in a fairly complex topology. The different
>> > aliases on an interface allow me to take different paths through this topology
>> > based on the subnets. What I want to do is apply different characteristics
>> > to multiple data streams based on the subnet they take leaving my router.
>> > The pkt only has src and des ip which says nothing about the path the routing
>> > protocols have picked.
>>
>> What information are the routing protocols using besides the
>> destination IP?
>>
>> > The rules that I see available in the ipfw would catch
>> > all the aliases leaving on an interface with no differentiation.
>>
>> Because there is no difference. The only information available on a
>> packet being forwarded are the interface it came in on, the interface
>> it is going out of, the next hop, and of course the data in the packet
>> itself (the source and destination IPs). I'm not sure what other
>> information you are trying to tap into.
>>
>> > It seems that
>> > another key word, similar to the 'via' qualifier would allow me to individually
>> > grab the outbound aliases. The needed info is available in the routing table
>> > in the form of the next hop router, I just don't see a way to grab a pkt based
>> > on the next hop address or the outbound subnet.
>>
>> Examining the next hop address on outgoing packets is not a big deal.
>> It would be straight forward to add it to ipfw(8). But I'm still not
>> sure what it has to do with local alias addresses.
>> --
>> Crist J. Clark                     |     cjclark@alum.mit.edu
>>                                    |     cjclark@jhu.edu
>> http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

--
One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.

wk: 408 742 1619
rick.norman@lmco.com
hm: 650 726 0677
rnorman@ikaika.com
cell: 650 303 3877
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Jun 26 16:46:32 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from patriarch.dnsalias.org (adsl-66-136-23-175.dsl.hstntx.swbell.net [66.136.23.175]) by hub.freebsd.org (Postfix) with ESMTP id EEEF737C272; Wed, 26 Jun 2002 16:39:01 -0700 (PDT) Received: from compgeek ([127.0.0.1]) by patriarch.dnsalias.org with Microsoft SMTPSVC(5.0.2195.4905); Wed, 26 Jun 2002 15:45:30 -0500 Reply-To: From: "Jon Noack" To: "Jaime" , Cc: Subject: RE: Bridge and proxy? Date: Wed, 26 Jun 2002 15:45:29 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20020626133540.F1925-100000@malkav.snowmoon.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X-OriginalArrivalTime: 26 Jun 2002 20:45:30.0028 (UTC) FILETIME=[68A9D6C0:01C21D52] Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Better list for this is freebsd-ipfw@freebsd.org -- this message sent there as well... What does 'ipfw show' output? Is it not matching all your rules? With a bridge it won't match multiple rules... Jon -----Original Message----- From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jaime Sent: Wednesday, June 26, 2002 12:41 PM To: freebsd-questions@freebsd.org Subject: Bridge and proxy? I'm trying to set up a FreeBSD 4.6 system for bridging and as a transparent HTTP proxy. I have the squid (tcp port 3128) and dansguardian (tcp port 8080) ports installed and running well. I have bridging in the kernel and it is running well. 
The topology is: (ISP) -- (Router) -- (FBSD 4.6) -- (LAN's core switch) I have it working well enough that HTTP requests to port 80 are passing through the FreeBSD box and working correctly. However, they are not going into DansGuardian (which passes the request to Squid). I'm using the following IPFW rules:

cerberus# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01000 allow tcp from me to any
01100 allow tcp from any to me 80
01200 fwd 127.0.0.1,8080 tcp from any to any 80
01210 fwd 127.0.0.1,8080 tcp from any to any 8080
01220 fwd 127.0.0.1,8080 tcp from any to any 81
01230 fwd 127.0.0.1,8080 tcp from any to any 8000
65000 allow ip from any to any
65535 allow ip from any to any

Any advice? Thanks in advance, Jaime To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jun 27 3:58:33 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from gs166.sp.cs.cmu.edu (GS166.SP.CS.CMU.EDU [128.2.205.169]) by hub.freebsd.org (Postfix) with SMTP id 698FE37B408 for ; Thu, 27 Jun 2002 03:58:24 -0700 (PDT) To: Marc Olzheim Cc: freebsd-ipfw@freebsd.org Subject: Re: kern/32600 References: <20020623153957.A71187@stack.nl> From: Dan Pelleg Date: 27 Jun 2002 06:58:02 -0400 In-Reply-To: <20020623153957.A71187@stack.nl> Message-ID: Lines: 23 User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG
Marc Olzheim writes:
> Hi.
>
> I was wondering whether
> a) the patch provided in the PR still works with 4.6

Yes, it does. At least for me.
> b) the patch provided in the PR gets merged into the source tree. > That's not up to me to say. > I'm trying to limit incoming SMTP connections myself and having my logs > flooded with ipfw messages that don't really matter, is not helping... > ;-) > > Zlo -- Dan Pelleg To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jun 27 5:52:13 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 279D237B401 for ; Thu, 27 Jun 2002 05:52:11 -0700 (PDT) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g5RCq7946824; Thu, 27 Jun 2002 05:52:07 -0700 (PDT) (envelope-from rizzo) Date: Thu, 27 Jun 2002 05:52:07 -0700 From: Luigi Rizzo To: Dan Pelleg Cc: Marc Olzheim , freebsd-ipfw@FreeBSD.ORG Subject: Re: kern/32600 Message-ID: <20020627055206.B46659@iguana.icir.org> References: <20020623153957.A71187@stack.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from daniel+bsd@pelleg.org on Thu, Jun 27, 2002 at 06:58:02AM -0400 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG as you may know if you read this list, I have completely rewritten the firewall code, including fixes for this and other bugs, and i posted the code (for -stable) earlier last week. 
cheers luigi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jun 27 10:12:18 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from malkav.snowmoon.com (malkav.snowmoon.com [209.23.60.62]) by hub.freebsd.org (Postfix) with SMTP id 5214937B405 for ; Thu, 27 Jun 2002 10:12:13 -0700 (PDT) Received: (qmail 7240 invoked from network); 27 Jun 2002 17:12:01 -0000 Received: from localhost.snowmoon.com (HELO localhost) (127.0.0.1) by localhost.snowmoon.com with SMTP; 27 Jun 2002 17:12:01 -0000 Date: Thu, 27 Jun 2002 13:12:01 -0400 (EDT) From: Jaime To: freebsd-ipfw@freebsd.org Subject: ipfw fwd and bridging Message-ID: <20020627130511.J7217-100000@malkav.snowmoon.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG I'm trying to put a new FreeBSD 4.6 firewall + filtering proxy into the network at my job. (Damn CIPA....) I tried to do this with bridging, but I couldn't get "ipfw add 10000 fwd 127.0.0.1,8080 tcp from any to any 80" to work the way that I expected. The man page seems to indicate that fwd and bridge are incompatible. Is this true? I ended up re-designing the firewall as a routing firewall and used ipfw fwd --> transproxy --> dansguardian --> squid. Now the /var/log/dansguardian.log file lists all requests as coming from 127.0.0.1 for obvious reasons. This means that I can't use /usr/local/etc/dansguardian/exceptioniplist to allow certain computers to bypass the web filters. So I'd kind of like to remove transproxy, too. :) Not an ipfw issue per se, but if anyone out there has some pointers I'd love to hear them. 
:) Jaime To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jun 27 10:43:11 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 22FC437B40B for ; Thu, 27 Jun 2002 10:43:09 -0700 (PDT) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g5RHh2f50277; Thu, 27 Jun 2002 10:43:02 -0700 (PDT) (envelope-from rizzo) Date: Thu, 27 Jun 2002 10:43:02 -0700 From: Luigi Rizzo To: Jaime Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: ipfw fwd and bridging Message-ID: <20020627104301.A50086@iguana.icir.org> References: <20020627130511.J7217-100000@malkav.snowmoon.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020627130511.J7217-100000@malkav.snowmoon.com>; from jaime@snowmoon.com on Thu, Jun 27, 2002 at 01:12:01PM -0400 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, Jun 27, 2002 at 01:12:01PM -0400, Jaime wrote: .... > any to any 80" to work the way that I expected. The man page seems to > indicate that fwd and bridge are incompatible. Is this true? yes. cheers luigi -----------------------------------+------------------------------------- Luigi RIZZO, luigi@iet.unipi.it . Dip. di Ing. dell'Informazione http://www.iet.unipi.it/~luigi/ . Universita` di Pisa TEL/FAX: +39-050-568.533/522 . 
via Diotisalvi 2, 56126 PISA (Italy) Mobile +39-347-0373137 -----------------------------------+------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jun 27 11:47:16 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from malkav.snowmoon.com (malkav.snowmoon.com [209.23.60.62]) by hub.freebsd.org (Postfix) with SMTP id C6C5B37B411 for ; Thu, 27 Jun 2002 11:46:53 -0700 (PDT) Received: (qmail 7542 invoked from network); 27 Jun 2002 18:46:52 -0000 Received: from localhost.snowmoon.com (HELO localhost) (127.0.0.1) by localhost.snowmoon.com with SMTP; 27 Jun 2002 18:46:52 -0000 Date: Thu, 27 Jun 2002 14:46:52 -0400 (EDT) From: jaime@snowmoon.com To: Luigi Rizzo Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: ipfw fwd and bridging In-Reply-To: <20020627104301.A50086@iguana.icir.org> Message-ID: <20020627144549.X7490-100000@malkav.snowmoon.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, 27 Jun 2002, Luigi Rizzo wrote: > On Thu, Jun 27, 2002 at 01:12:01PM -0400, Jaime wrote: > > any to any 80" to work the way that I expected. The man page seems to > > indicate that fwd and bridge are incompatible. Is this true? > > yes. How about divert and bridge? I saw no mention of bridge in the divert manpage. Will an ipfw divert rule, a natd process, and bridging work together on the same box? 
Jaime To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jun 27 11:59:22 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id BC57337B408 for ; Thu, 27 Jun 2002 11:59:06 -0700 (PDT) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g5RIvnJ50848; Thu, 27 Jun 2002 11:57:49 -0700 (PDT) (envelope-from rizzo) Date: Thu, 27 Jun 2002 11:57:49 -0700 From: Luigi Rizzo To: jaime@snowmoon.com Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: ipfw fwd and bridging Message-ID: <20020627115749.B50351@iguana.icir.org> References: <20020627104301.A50086@iguana.icir.org> <20020627144549.X7490-100000@malkav.snowmoon.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020627144549.X7490-100000@malkav.snowmoon.com>; from jaime@snowmoon.com on Thu, Jun 27, 2002 at 02:46:52PM -0400 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, Jun 27, 2002 at 02:46:52PM -0400, jaime@snowmoon.com wrote: > On Thu, 27 Jun 2002, Luigi Rizzo wrote: > > On Thu, Jun 27, 2002 at 01:12:01PM -0400, Jaime wrote: > > > any to any 80" to work the way that I expected. The man page seems to > > > indicate that fwd and bridge are incompatible. Is this true? > > > > yes. > > How about divert and bridge? I saw no mention of bridge in the incompatible as well. The new firewall code enforces this better (it will also make it easier to implement divert or forward or nat or tunneling of layer2 or layer3 packets, but none of this is implemented now). > divert manpage. Will an ipfw divert rule, a natd process, and bridging > work together on the same box? well, this is a different story. 
You _can_ have these things work together, but you have to write the rules in the right way. cheers luigi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jun 27 12:49:55 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from malkav.snowmoon.com (malkav.snowmoon.com [209.23.60.62]) by hub.freebsd.org (Postfix) with SMTP id 06D0637B401 for ; Thu, 27 Jun 2002 12:49:51 -0700 (PDT) Received: (qmail 7750 invoked from network); 27 Jun 2002 19:49:39 -0000 Received: from localhost.snowmoon.com (HELO localhost) (127.0.0.1) by localhost.snowmoon.com with SMTP; 27 Jun 2002 19:49:39 -0000 Date: Thu, 27 Jun 2002 15:49:39 -0400 (EDT) From: jaime@snowmoon.com To: Luigi Rizzo Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: ipfw fwd and bridging In-Reply-To: <20020627115749.B50351@iguana.icir.org> Message-ID: <20020627154514.R7726-100000@malkav.snowmoon.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG
On Thu, 27 Jun 2002, Luigi Rizzo wrote:
> > divert manpage. Will an ipfw divert rule, a natd process, and bridging
> > work together on the same box?
>
> well, this is a different story. You _can_ have these things
> work together, but you have to write the rules in the right way.

At this point, I'll be happy to use routing instead of bridging, as long as I can get transproxy out of my firewall. :) That's what I've been trying to do between messages. At the moment, I'm testing out things like:

ipfw add 00050 divert natd tcp from 10.0.0.0/8 to not 10.0.0.0/8 80
natd -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp1

Any tips?
Thanks in advance, Jaime To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jun 27 16: 9:32 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id DE2F937B405 for ; Thu, 27 Jun 2002 16:09:27 -0700 (PDT) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g5RN9Rs52611; Thu, 27 Jun 2002 16:09:27 -0700 (PDT) (envelope-from rizzo) Date: Thu, 27 Jun 2002 16:09:27 -0700 From: Luigi Rizzo To: ipfw@freebsd.org Subject: HEADS UP -- new ipfw in -current Message-ID: <20020627160927.A52381@iguana.icir.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG If people feel like testing this and reporting any problems... thanks luigi ----- Forwarded message from Luigi Rizzo ----- Date: Thu, 27 Jun 2002 16:02:18 -0700 (PDT) From: Luigi Rizzo Subject: cvs commit: src/sbin/ipfw Makefile ipfw2.c src/sys/netinet ip_dummynet.c ip_fw.h ip_fw2.c src/sys/conf files src/lib/libalias alias_db.c To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org luigi 2002/06/27 16:02:18 PDT Modified files: sbin/ipfw Makefile sys/netinet ip_dummynet.c ip_fw.h sys/conf files lib/libalias alias_db.c Added files: sbin/ipfw ipfw2.c sys/netinet ip_fw2.c Log: The new ipfw code. This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug. The interface with the rest of the system is unchanged, as witnessed by this commit. 
The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules. The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time. I have not renamed the header file because it would have required touching a one-line change to a number of kernel files. In terms of user interface, the new "ipfw" is supposed to accept the old syntax for ipfw rules (and produce the same output with "ipfw show"). Only a couple of the old options (out of some 30 of them) have not been implemented, but they will be soon. On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like

ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any

This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones. Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this:

10.20.30.0/26{18,44,33,22,9}

which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memory -- for a full /24 subnet, the instruction only consumes 40 bytes).
Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled. The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.

Revision  Changes    Path
1.48      +118 -0    src/lib/libalias/alias_db.c
1.11      +2 -1      src/sbin/ipfw/Makefile
1.1       +3178 -0   src/sbin/ipfw/ipfw2.c (new)
1.655     +1 -1      src/sys/conf/files
1.48      +26 -30    src/sys/netinet/ip_dummynet.c
1.69      +292 -249  src/sys/netinet/ip_fw.h
1.1       +2519 -0   src/sys/netinet/ip_fw2.c (new)

----- End forwarded message -----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
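As an added illustration of the "address set" match described in the commit message above (this is example code written for this page, not code from the ipfw2 commit or from FreeBSD), the following C program models in user space how a pattern such as 10.20.30.0/26{18,44,33,22,9} can be reduced to a base address, a set size and a bitmap, so that the per-packet test is one subtraction, one compare and one bit test however many hosts are listed. The function names (addrset_parse, addrset_match, addrset_check, addrset_encoded_size), the restriction to prefixes of /24 or longer, and the byte layout assumed to reproduce the 40-byte figure for a full /24 (a 4-byte instruction header, a 4-byte base and a 32-byte bitmap) are this example's own assumptions.

```c
/*
 * Added example (not code from the ipfw2 commit): a user-space model of the
 * 'address set' match pattern, e.g. 10.20.30.0/26{18,44,33,22,9}.
 * The set is a base address, a size and a bitmap, so a match costs one
 * subtraction, one compare and one bit test however many hosts are listed.
 * The byte layout in addrset_encoded_size() is this example's own assumption.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct addrset {
    uint32_t base;        /* network address, host byte order */
    uint32_t size;        /* number of addresses in the subnet */
    uint32_t bits[8];     /* one bit per host offset; enough for a /24 */
};

/* Parse "a.b.c.d/len{n,n,...}" into *s; len must be 24..32 and every host
 * number must lie inside the subnet.  Returns 0 on success, -1 otherwise. */
int addrset_parse(const char *spec, struct addrset *s)
{
    char buf[128], *slash, *brace, *rbrace, *tok, *end;
    struct in_addr ia;
    unsigned long len, off;

    if (strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);
    memset(s, 0, sizeof(*s));
    slash = strchr(buf, '/');
    brace = strchr(buf, '{');
    rbrace = brace ? strchr(brace, '}') : NULL;
    if (!slash || !brace || brace < slash || !rbrace || rbrace[1] != '\0')
        return -1;
    *slash = *brace = *rbrace = '\0';
    if (inet_pton(AF_INET, buf, &ia) != 1)
        return -1;
    len = strtoul(slash + 1, &end, 10);
    if (*end != '\0' || len < 24 || len > 32)
        return -1;
    s->size = 1u << (32 - len);
    s->base = ntohl(ia.s_addr) & ~(s->size - 1);   /* clear host bits */
    for (tok = strtok(brace + 1, ","); tok; tok = strtok(NULL, ",")) {
        off = strtoul(tok, &end, 10);              /* host offset in subnet */
        if (end == tok || *end != '\0' || off >= s->size)
            return -1;
        s->bits[off >> 5] |= 1u << (off & 31);
    }
    return 0;
}

/* Constant-time membership test; addr in host byte order.  This is the whole
 * per-packet cost of the match, whatever the number of hosts in the set. */
int addrset_match(const struct addrset *s, uint32_t addr)
{
    if (addr < s->base)
        return 0;
    addr -= s->base;
    return addr < s->size && (s->bits[addr >> 5] & (1u << (addr & 31))) != 0;
}

/* Parse spec, then test a dotted-quad address against it.
 * Returns 1 (match), 0 (no match) or -1 (bad spec or bad address). */
int addrset_check(const char *spec, const char *dq)
{
    struct addrset s;
    struct in_addr ia;
    if (addrset_parse(spec, &s) != 0 || inet_pton(AF_INET, dq, &ia) != 1)
        return -1;
    return addrset_match(&s, ntohl(ia.s_addr));
}

/* Bytes the set occupies under the assumed layout: 4-byte instruction header,
 * 4-byte base, bitmap rounded up to 32-bit words.  0 if spec does not parse. */
size_t addrset_encoded_size(const char *spec)
{
    struct addrset s;
    if (addrset_parse(spec, &s) != 0)
        return 0;
    return 4 + 4 + 4 * (size_t)((s.size + 31) / 32);
}

int main(void)
{
    const char *spec = "10.20.30.0/26{18,44,33,22,9}";
    const char *probe[] = { "10.20.30.18", "10.20.30.19", "10.20.30.64" };
    size_t i;

    for (i = 0; i < sizeof(probe) / sizeof(probe[0]); i++)
        printf("%s %s\n", probe[i],
               addrset_check(spec, probe[i]) == 1 ? "match" : "no match");
    printf("full /24 set: %zu bytes\n", addrset_encoded_size("10.0.0.0/24{0}"));
    return 0;
}
```

The parser clears the host bits of the written address, so 192.168.1.77/24{...} and 192.168.1.0/24{...} describe the same set; a host number at or beyond the subnet size is rejected rather than silently wrapped, which is the check a rule compiler must make before the bitmap is trusted at packet time.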