From owner-freebsd-ipfw Mon Jan 29 1:55:44 2001
Date: Mon, 29 Jan 2001 18:00:30 +0800
From: Yusuf Goolamabbas
To: freebsd-ipfw@freebsd.org
Subject: Bridging and dummynet seems to destroy dmesg output
Message-ID: <20010129180030.A4647@outblaze.com>

Hi, I cvsup'ed my traffic shaper box today [incorporating Luigi's latest
fixes]. So far, I have not been experiencing any stalls. However, the
output of dmesg seems to be corrupted. I see only 1 line every time I
invoke it

%dmesg
>ipfw: 400 Pipe 1 TCP a.b.c.d:port e.f.g.h:port in via
%dmesg
a.b.c.d:port e.f.g.h:port in via

/var/log/messages also seems to have various log messages from ipfw in a
segmented manner. Is anybody else seeing this?

Regards, Yusuf
--
Yusuf Goolamabbas
yusufg@outblaze.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Jan 29 04:04:15 2001
Date: Mon, 29 Jan 2001 20:03:47 +0800
From: Erwan Arzur
Organization: NetValue Ltd.
To: Roman Le Houelleur
Cc: freebsd-ipfw, freebsd-net
Subject: Re: bandwidth analyser
Message-ID: <3A755C23.AE8D79E1@netvalue.com>
References: <3A6C7FD0.7E2ABD65@IPricot.com>

Roman Le Houelleur wrote:
>
> hi,
>
> I use FreeBSD 4.2 stable + bridge + dummynet + ipfw.
> I would like to calculate the bandwidth of each
> authorized IP source flowing through the bridge from a
> user program.
> As this bandwidth calculation should be done very often
> (10 to 20 times per second) I first tried to use the if_data
> structure from sysctl.
> But it seems the packet counter is
> only incremented for packets destined to the specified
> interface, and moreover I wouldn't be able to separate the
> incoming flows depending on their source addresses.
>
> Does anybody have advice on the best way to achieve this
> calculation? What about the counter capabilities of ipfw?
>
> Moreover, concerning the bridge, I was wondering if
> there is a way not to put a third interface in promiscuous
> mode. As this third nic exists only for management purposes
> I don't want it to participate in the bridge in any way.
>
> Thanks,
>

Never did this, but without the 10-20 times/sec requirement (don't do
this 10 times/sec!), you could easily hack something like this:

* add some rules with actions
* write a little perl script that will output the value of the counter
  for the given rule (exec'ing ipfw show)
* associate it with your choice of mrtg or RRDTool

and you've got your bandwidth analyser with nice graphs and so forth ...

There is something similar done for ipfilter in some mrtg contrib
package, if i remember well ...

Another solution would be to use /usr/ports/net/snmpd with the
contributed ipfw MIB ...

Why this 10 times/sec requirement? Load balancing?

--
Erwan Arzur
NetValue ltd.
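The counter-rule approach Erwan sketches, written out as an added example (not code from the poster or from the FreeBSD project, and in Python rather than Perl): one `count` rule per authorized source address, two `ipfw show` snapshots, byte deltas divided by the interval. The rule numbers, source addresses, the fxp0 interface and both snapshots are constructed sample data; the column layout assumed is the 4.x `ipfw show` one (rule number, packets, bytes, rule text).

```python
"""Per-source bandwidth from ipfw rule counters (added example).

One 'count' rule per authorized source, periodic 'ipfw show' snapshots,
byte deltas divided by the sampling interval.  The two snapshots below
are constructed sample output in the FreeBSD 4.x 'ipfw show' layout.
"""
import re
import subprocess
from typing import Dict, Tuple

# One line of 'ipfw show': rule number, packet counter, byte counter, rule body.
SHOW_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
# Source address of a 'count ip from <src> to any' rule.
SRC_RE = re.compile(r"\bfrom\s+(\S+)\s+to\b")

Counters = Dict[int, Tuple[int, int, str]]  # rule -> (packets, bytes, body)


def parse_show(text: str) -> Counters:
    """Parse 'ipfw show' output into a per-rule counter table."""
    table: Counters = {}
    for line in text.splitlines():
        m = SHOW_LINE.match(line)
        if not m:
            continue  # blank lines, '## Dynamic rules' headers, etc.
        rule, pkts, nbytes, body = m.groups()
        table[int(rule)] = (int(pkts), int(nbytes), body.strip())
    return table


def read_show() -> Counters:
    """Run the real 'ipfw show' (needs root on the shaper box)."""
    out = subprocess.run(["ipfw", "show"], check=True,
                         capture_output=True, text=True).stdout
    return parse_show(out)


def byte_rates(prev: Counters, cur: Counters, interval: float) -> Dict[str, float]:
    """Bytes/second per source address between two snapshots.

    Only 'count' rules are used, keyed by their 'from' address.  A counter
    that went backwards means 'ipfw zero' ran in between; the current value
    is then taken as the delta (assumption: the 64-bit counters never wrap).
    """
    rates: Dict[str, float] = {}
    for rule, (_, cur_bytes, body) in cur.items():
        if not body.startswith("count "):
            continue
        src = SRC_RE.search(body)
        if not src:
            continue
        prev_bytes = prev.get(rule, (0, 0, ""))[1]
        delta = cur_bytes - prev_bytes
        if delta < 0:          # counters were zeroed between snapshots
            delta = cur_bytes
        rates[src.group(1)] = delta / interval
    return rates


# Constructed snapshots, taken 10 seconds apart; rule 110 was zeroed in between.
SNAP_T0 = """\
00100 1200 1440000 count ip from 10.1.1.10 to any
00110  300  360000 count ip from 10.1.1.11 to any
00200    0       0 pipe 1 ip from any to any in via fxp0
65535 9999 9999999 allow ip from any to any
"""
SNAP_T1 = """\
00100 1450 1740000 count ip from 10.1.1.10 to any
00110   50   60000 count ip from 10.1.1.11 to any
00200    0       0 pipe 1 ip from any to any in via fxp0
65535 9999 9999999 allow ip from any to any
"""


def demo() -> Dict[str, float]:
    """Rates for the constructed snapshots (10 s interval)."""
    return byte_rates(parse_show(SNAP_T0), parse_show(SNAP_T1), 10.0)


if __name__ == "__main__":
    for src, bps in sorted(demo().items()):
        print(f"{src:15s} {bps * 8 / 1000:.1f} kbit/s")
```

Replace `demo()` with a loop over `read_show()` snapshots to feed mrtg or RRDTool; the per-snapshot cost is one full `ipfw show`, which is why the interval should stay in seconds, not tenths of a second.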
From owner-freebsd-ipfw Mon Jan 29 15:47:18 2001
Date: Tue, 30 Jan 2001 00:15:34 +0100
From: "Rogier R. Mulhuijzen"
To: Erwan Arzur, Roman Le Houelleur
Cc: freebsd-ipfw, freebsd-net
Subject: Re: bandwidth analyser
Message-Id: <4.3.2.7.0.20010130000929.00c80a20@mail.bsdchicks.com>
In-Reply-To: <3A755C23.AE8D79E1@netvalue.com>
References: <3A6C7FD0.7E2ABD65@IPricot.com>

> > Moreover, concerning the bridge, I was wondering if
> > there is a way not to put a third interface in promiscuous
> > mode. As this third nic exists only for management purposes
> > I don't want it to participate in the bridge in any way.

Use the ng_bridge node if you want to have precise control over which
interfaces are being bridged.

There's one downside though. You can get statistics from the bridge node
on packets and octets passed through the different parts of the bridge
setup, but it's not IP based. Also using that bridging code there's no
bandwidth throttling or IPFW rule matching yet.

Vitaly Belekhov wrote BW throttling and ipfw netgraph nodes for 3.X, and
I will be porting those to 5.X-CURRENT over the next few weeks.

Using those you could get statistics really quickly by using libnetgraph
and querying the nodes yourself with some C code instead of shell/perl
scripting.

DocWilco

From owner-freebsd-ipfw Mon Jan 29 15:53:37 2001
Date: Tue, 30 Jan 2001 00:21:51 +0100
From: "Rogier R. Mulhuijzen"
To: Erwan Arzur, Roman Le Houelleur
Cc: freebsd-ipfw, freebsd-net
Subject: Re: bandwidth analyser
Message-Id: <4.3.2.7.0.20010130001851.00aed910@mail.bsdchicks.com>

> Use the ng_bridge node if you want to have precise control over which
> interfaces are being bridged.

Another thing, be careful when you enable the netgraph node when you
have BRIDGE compiled into your kernel. 2 reasons:

1) if you have the bridging code activated you'll get broadcast loops
   resulting in links being deactivated and whatnot.
2) when you have the bridging deactivated you'll run into some nice
   problems due to this problem:
   http://www.freebsd.org/cgi/query-pr.cgi?pr=24720 (patch included).
   Nothing earth shattering, but when you alter your setup in any way
   some machines suddenly become unreachable until the arp tables age
   out on them....

DocWilco

From owner-freebsd-ipfw Mon Jan 29 16:00:24 2001
Date: Mon, 29 Jan 2001 15:59:14 -0800 (PST)
From: Luigi Rizzo
To: drwilco@drwilco.nl (Rogier R. Mulhuijzen)
Cc: erwan@netvalue.com, roman@IPricot.com, freebsd-ipfw@FreeBSD.ORG,
    freebsd-net@FreeBSD.ORG
Subject: Re: bandwidth analyser
Message-Id: <200101292359.f0TNxOU48488@iguana.aciri.org>
In-Reply-To: <4.3.2.7.0.20010130000929.00c80a20@mail.bsdchicks.com> from "Rogier R. Mulhuijzen" at "Jan 30, 2001 0:15:34 am"

> There's one downside though. You can get statistics from the bridge node on
> packets and octets passed through the different parts of the bridge
> setup, but it's not IP based. Also using that bridging code there's no
> bandwidth throttling or IPFW rule matching yet.
>
> Vitaly Belekhov wrote BW throttling and ipfw netgraph nodes for 3.X, and I
> will be porting those to 5.X-CURRENT over the next few weeks.
>
> Using those you could get statistics really quickly by using libnetgraph
> and querying the nodes yourself with some C code instead of shell/perl
> scripting.

the real problem with any approach is that if you have very many
flows, you have to fetch all the info every time you want to update
your statistics. The ipfw implementation which is in the kernel
now really does not help you there, because the stats are spread
over lists and hash tables, and on top of this the data structure
evolves dynamically as pkts come in, so you need to hold a lock
while navigating on it.

This is why you do not want to download the stats 10-20 times per
second, at least with this architecture.

I do not have a good solution in mind other than maybe
change the data structures so that the flow descriptors
(at least the part with the flow identifier and the stats)
are in a contiguous chunk of memory whose only variable
part is the size. This way you can either mmap the block,
or copyout() it without having to get a lock.

cheers
luigi
----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------

From owner-freebsd-ipfw Wed Jan 31 1:59:54 2001
Date: Wed, 31 Jan 2001 11:59:13 +0200
From: "Vladimir Terziev"
To: freebsd-ipfw@FreeBSD.ORG
Subject: Need a patch for IPFW for 4.0-Release system
Message-Id: <200101310959.LAA25924@star.rila.bg>

Does anybody have a patch for the last ipfw
vulnerability (I mean 'established' keyword)? I saw in the mailing list
that the patch which had been submitted is not for 4.0-RELEASE systems.

regards,
Vladimir

From owner-freebsd-ipfw Wed Jan 31 06:09:05 2001
Date: Wed, 31 Jan 2001 15:10:06 +0100
From: Christoph Sold
Reply-To: so@server.i-clue.de
To: Yusuf Goolamabbas
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Bridging and dummynet seems to destroy dmesg output
Message-ID: <3A781CBE.EDC7700D@i-clue.de>
References: <20010129180030.A4647@outblaze.com>

Yusuf Goolamabbas wrote:
>
> Hi, I cvsup'ed my traffic shaper box today [incorporating Luigi's latest
> fixes]. So far, I have not been experiencing any stalls. However, the
> output of dmesg seems to be corrupted. I see only 1 line every time I
> invoke it
>
> %dmesg
> >ipfw: 400 Pipe 1 TCP a.b.c.d:port e.f.g.h:port in via
> %dmesg
> a.b.c.d:port e.f.g.h:port in via
>
> /var/log/messages also seems to have various log messages from ipfw in a
> segmented manner. Is anybody else seeing this?

Since I do not use ipfw, I cannot see it. If you suspect ipfw nulls the
logfile prior to writing its newest error message, try directing ipfw
logs into its own logfile. man syslog.conf tells you how.

HTH
-Christoph Sold

From owner-freebsd-ipfw Wed Jan 31 12:18:59 2001
Date: Wed, 31 Jan 2001 15:15:30 -0500
From: mel kravitz
Organization: switching power inc
To: freebsd-ipfw@freebsd.org
Subject: natd questions
Message-ID: <3A787261.FC964939@switchpwr.com>

Hi,
Running 4.1 on an i386 box, updated to 4.1 after successfully using 2.2.8
for 2+ years.
I normally start natd from /sbin/natd -m -f /etc/natd.conf
(/etc/rc.conf.local)
where /etc/natd.conf file is included below:
ipfw rules contain proper divert call to tx0
my question is i am getting a large number of /var/log/messages:
natd "failed to write packet back (permission denied)"
If i start natd from /etc/rc.conf file how do i call natd.conf?
Any help would be appreciated.
-Mel

[attachment: natd.conf]
# natd.conf
use_sockets
port 6668
interface tx0
redirect_port tcp 12.14.48.20:http 80
redirect_port udp 12.14.48.20:http 80
redirect_port tcp 12.14.48.28:http 12.14.48.18:80
redirect_port udp 12.14.48.28:http 12.14.48.18:80
redirect_port tcp 12.14.48.20:ftp 20
redirect_port udp 12.14.48.20:ftp 20
redirect_port tcp 12.14.48.20:ftp 21
redirect_port udp 12.14.48.20:ftp 21

From owner-freebsd-ipfw Wed Jan 31 22:09:10 2001
Date: Wed, 31 Jan 2001 22:08:24 -0800
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: mel kravitz
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: natd questions
Message-ID: <20010131220824.R91447@rfx-216-196-73-168.users.reflex>
In-Reply-To: <3A787261.FC964939@switchpwr.com>; from melk@switchpwr.com on Wed, Jan 31, 2001 at 03:15:30PM -0500
References: <3A787261.FC964939@switchpwr.com>

On Wed, Jan 31, 2001 at 03:15:30PM -0500, mel kravitz wrote:
> Hi,
> Running 4.1 on an i386 box, updated to 4.1 after successfully using 2.2.8
> for 2+ years.
> I normally start natd from /sbin/natd -m -f /etc/natd.conf
> (/etc/rc.conf.local)

That can cause problems since rc.local is one of the last things to
run after all of the network services have tried to start.

> where /etc/natd.conf file is included below:
> ipfw rules contain proper divert call to tx0
> my question is i am getting a large number of /var/log/messages:
> natd "failed to write packet back (permission denied)"

That means a packet processed by natd(8) is being blocked by a later
rule in the firewall.

> If i start natd from /etc/rc.conf file how do i call natd.conf?

natd_enable="YES"
natd_interface="tx0"
natd_flags="-f /etc/natd.conf"
firewall_enable="YES"
firewall_type=

> Any help would be appreciated.
> -Mel

> # natd.conf
> use_sockets
> port 6668
> interface tx0
> redirect_port tcp 12.14.48.20:http 80
> redirect_port udp 12.14.48.20:http 80
> redirect_port tcp 12.14.48.28:http 12.14.48.18:80
> redirect_port udp 12.14.48.28:http 12.14.48.18:80
> redirect_port tcp 12.14.48.20:ftp 20
> redirect_port udp 12.14.48.20:ftp 20
> redirect_port tcp 12.14.48.20:ftp 21
> redirect_port udp 12.14.48.20:ftp 21

HTTP and FTP do not use UDP. You don't need those.
--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Thu Feb 1 00:59:21 2001
Date: Thu, 1 Feb 2001 11:01:07 +0200
From: "Murat SULUHAN"
To: freebsd-ipfw@FreeBSD.ORG
Subject: RE: natd questions
In-Reply-To: <20010131220824.R91447@rfx-216-196-73-168.users.reflex>

Hi
but how can I find the packets which are blocked by the firewall?

--------------------------------
|                              |
| Murat SULUHAN                |
| TE.SA.M. T.U.R.K. / GLOBALSTAR
--------------------------------

> -----Original Message-----
> From: owner-freebsd-ipfw@FreeBSD.ORG
> [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Crist J. Clark
> Sent: Thursday, February 01, 2001 8:08 AM
> To: mel kravitz
> Cc: freebsd-ipfw@FreeBSD.ORG
> Subject: Re: natd questions
>
>
> On Wed, Jan 31, 2001 at 03:15:30PM -0500, mel kravitz wrote:
> > Hi,
> > Running 4.1 on an i386 box, updated to 4.1 after successfully using 2.2.8
> > for 2+ years.
> > I normally start natd from /sbin/natd -m -f /etc/natd.conf
> > (/etc/rc.conf.local)
>
> That can cause problems since rc.local is one of the last things to
> run after all of the network services have tried to start.
>
> > where /etc/natd.conf file is included below:
> > ipfw rules contain proper divert call to tx0
> > my question is i am getting a large number of /var/log/messages:
> > natd "failed to write packet back (permission denied)"
>
> That means a packet processed by natd(8) is being blocked by a later
> rule in the firewall.
>
> > If i start natd from /etc/rc.conf file how do i call natd.conf?
>
> natd_enable="YES"
> natd_interface="tx0"
> natd_flags="-f /etc/natd.conf"
> firewall_enable="YES"
> firewall_type=
>
> > Any help would be appreciated.
> > -Mel
>
> > # natd.conf
> > use_sockets
> > port 6668
> > interface tx0
> > redirect_port tcp 12.14.48.20:http 80
> > redirect_port udp 12.14.48.20:http 80
> > redirect_port tcp 12.14.48.28:http 12.14.48.18:80
> > redirect_port udp 12.14.48.28:http 12.14.48.18:80
> > redirect_port tcp 12.14.48.20:ftp 20
> > redirect_port udp 12.14.48.20:ftp 20
> > redirect_port tcp 12.14.48.20:ftp 21
> > redirect_port udp 12.14.48.20:ftp 21
>
> HTTP and FTP do not use UDP. You don't need those.
> --
> Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Thu Feb 1 11:01:56 2001
Date: Thu, 1 Feb 2001 11:01:34 -0800 (PST)
From: Luigi Rizzo
To: luigi@aciri.org
Subject: a note on ipfw/bridge/dummynet changes
Message-Id: <200102011901.f11J1YM60760@iguana.aciri.org>

[Bcc to net and ipfw as relevant there -- if you want a reply to go
to the lists you need to add them explicitly.]

Hi,
as some of you have noticed, i am trying to fix some long-standing
problems that we have had with bridging and dummynet, so I'd like to
comment on what I am doing and how.

* i am working and doing testing on STABLE, as some of the problems
  that we had in the past (races) were peculiar to that version, at
  least until CURRENT uses Giant to protect critical sections.
  I am testing/putting the code in CURRENT as well, but i believe we
  can only have some significant testing on STABLE. So, you will see
  some quick MFC -- please be tolerant.
  (The other reason for this is that I do have a CURRENT box but it
  often dies in cpu_idle. The same hw seems to be more robust when
  using a PicoBSD floppy with STABLE, so i have no idea if it is bad
  hardware or what.)

* some of the problems people are experiencing appear to be related
  to memory corruption, which in turn derives from shared mbuf
  clusters being modified at different places in the stack.
  The approach i am following to track and fix them involves some
  changes to the interfaces of ether_input(), bdg_forward(), and the
  firewall check functions, so that these modules limit the amount
  of patching into shared mbufs.
  This means that some of the patches are rather extensive, and
  affect several files namely:

      net/if_ethersubr.c
      net/bridge.[ch]
      netinet/ip_dummynet.[ch]
      netinet/ip_fw.[ch]

  and to a much lesser degree

      netinet/ip_input.c
      netinet/ip_output.c
      src/sbin/ipfw/ipfw.c

  In some cases you will be required to update the userland program,
  ipfw.

* check your system before reporting problems. While I can make
  mistakes, I do check my code before committing. Most of the
  "problems" reported recently were of the kind "cannot compile the
  kernel", "ipfw says invalid command", and they were just local
  errors from people not updating the sources or header files
  properly.

cheers
luigi
----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------

From owner-freebsd-ipfw Thu Feb 1 13:44:50 2001
Date: Thu, 01 Feb 2001 22:46:01 +0100
From: Christoph Sold
Reply-To: so@server.i-clue.de
To: ipfw@FreeBSD.org
Subject: freebsd-ipfw@FreeBSD.org
Message-ID: <3A79D919.53061763@i-clue.de>

Hi folks,

for the first time, I need to do some redirect:

On a box with a single interface I want to run an untrusted application
on port 23. I know, I can run it suid root, but i did not want to for
obvious reasons.

Q: How to redirect from interface ed0, port 80, to the very same
machine, untrusted port, e.g. 1234?
Thanks for your assistance
-Christoph Sold

From owner-freebsd-ipfw Thu Feb 1 14:36:43 2001
Date: Thu, 01 Feb 2001 23:37:42 +0100
From: Christoph Sold
Reply-To: so@server.i-clue.de
To: John Aughey
Cc: Christoph Sold, FreeBSD-ipfw@FreeBSD.org
Subject: Re: freebsd-ipfw@FreeBSD.org
Message-ID: <3A79E536.BCF96341@i-clue.de>

John Aughey wrote:
>
> On Thu, 1 Feb 2001, Christoph Sold wrote:
> > Q: How to redirect from interface ed0, port 80, to the very same
> > machine, untrusted port, e.g. 1234?
>
> Checkout /usr/ports/net/bounce. It will accept connections on one port
> and forward it on to another.
>
> This is also an interesting way to enable IPv6 connectivity for
> applications that are not IPv6 aware. You can write an application that
> will listen on the IPv6 interface and forward the data on to your IPv4
> application. Reverse name lookups will always point back to your loopback
> device, but it does work. I've written an application like that that runs
> from inetd.

Thanks, John. Unfortunately, I need to know who connects to our
untrusted application. I use rinetd at this time, which also drops the
connection information -- all connects point back to localhost.

-Christoph Sold

From owner-freebsd-ipfw Fri Feb 2 07:08:44 2001
Date: Fri, 02 Feb 2001 07:07:55 -0800
From: Julian Elischer
To: Luigi Rizzo
Cc: "Rogier R. Mulhuijzen", erwan@netvalue.com, roman@IPricot.com,
    freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: bandwidth analyser
Message-ID: <3A7ACD4B.155B2657@elischer.org>
References: <200101292359.f0TNxOU48488@iguana.aciri.org>

Luigi Rizzo wrote:
>
> > There's one downside though. You can get statistics from the bridge node on
> > packets and octets passed through the different parts of the bridge
> > setup, but it's not IP based. Also using that bridging code there's no
> > bandwidth throttling or IPFW rule matching yet.
> >
> > Vitaly Belekhov wrote BW throttling and ipfw netgraph nodes for 3.X, and I
> > will be porting those to 5.X-CURRENT over the next few weeks.

The new ethernet node netgraph interface (with 'upper' and 'lower')
may influence this. also the ipfw he used is very old now.

> >
> > Using those you could get statistics really quickly by using libnetgraph
> > and querying the nodes yourself with some C code instead of shell/perl
> > scripting.
>
> the real problem with any approach is that if you have very many
> flows, you have to fetch all the info every time you want to update
> your statistics. The ipfw implementation which is in the kernel
> now really does not help you there, because the stats are spread
> over lists and hash tables, and on top of this the data structure
> evolves dynamically as pkts come in, so you need to hold a lock
> while navigating on it.
>
> This is why you do not want to download the stats 10-20 times per
> second, at least with this architecture.
>
> I do not have a good solution in mind other than maybe
> change the data structures so that the flow descriptors
> (at least the part with the flow identifier and the stats)
> are in a contiguous chunk of memory whose only variable
> part is the size. This way you can either mmap the block,
> or copyout() it without having to get a lock.
>
> cheers
> luigi
> ----------------------------------+-----------------------------------------
>  Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
>  http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
>  Phone: (510) 666 2927
> ----------------------------------+-----------------------------------------

--
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000-2001
---> X_.---._/
            v

From owner-freebsd-ipfw Fri Feb 2 14:30:37 2001
Date: Fri, 2 Feb 2001 14:29:40 -0800
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Christoph Sold
Cc: ipfw@FreeBSD.ORG
Subject: Unprivileged Access to Ports <1024 (was Re: freebsd-ipfw@FreeBSD.org)
Message-ID: <20010202142940.V91447@rfx-216-196-73-168.users.reflex>
In-Reply-To: <3A79D919.53061763@i-clue.de>; from so@server.i-clue.de on Thu, Feb 01, 2001 at 10:46:01PM +0100
References: <3A79D919.53061763@i-clue.de>

On Thu, Feb 01, 2001 at 10:46:01PM +0100, Christoph Sold wrote:
> Hi folks,
>
> for the first time, I need to do some redirect:
>
> On a box with a single interface I want to run an untrusted application
> on port 23. I know, I can run it suid root, but i did not want to for
> obvious reasons.
>
> Q: How to redirect from interface ed0, port 80, to the very same
> machine, untrusted port, e.g. 1234?

I coulda sworn there was a sysctl knob to turn off the rather outdated
behavior that restricts opening ports <1024 to root. However, I cannot
seem to find such a thing. Am I imagining things?
--
Crist J. Clark                           cjclark@alum.mit.edu

From owner-freebsd-ipfw Fri Feb 2 14:38:11 2001
Date: Fri, 02 Feb 2001 22:37:19 +0000
From: Peter Coates
Organization: NewNet Fast Access Internet - Support Team
To: cjclark@alum.mit.edu
Cc: Christoph Sold, ipfw@FreeBSD.ORG
Subject: Re: Unprivileged Access to Ports <1024 (was Re: freebsd-ipfw@FreeBSD.org)
Message-ID: <3A7B369F.2E9922F8@newnet.co.uk>
References: <3A79D919.53061763@i-clue.de> <20010202142940.V91447@rfx-216-196-73-168.users.reflex>

"Crist J. Clark" wrote:
>
> On Thu, Feb 01, 2001 at 10:46:01PM +0100, Christoph Sold wrote:
> > Hi folks,
> >
> > for the first time, I need to do some redirect:
> >
> > On a box with a single interface I want to run an untrusted application
> > on port 23. I know, I can run it suid root, but i did not want to for
> > obvious reasons.
> >
> > Q: How to redirect from interface ed0, port 80, to the very same
> > machine, untrusted port, e.g. 1234?
>
> I coulda sworn there was a sysctl knob to turn off the rather outdated
> behavior that restricts opening ports <1024 to root. However, I cannot
> seem to find such a thing. Am I imagining things?
> --
> Crist J. Clark                           cjclark@alum.mit.edu

There is:

net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.first: 1024

They sound along the right lines. I'm not sure what they do, mind ;-)

Peter

From owner-freebsd-ipfw Fri Feb 2 21:34:06 2001
Date: Fri, 2 Feb 2001 21:33:07 -0800
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Peter Coates
Cc: Christoph Sold, ipfw@FreeBSD.ORG
Subject: Re: Unprivileged Access to Ports <1024 (was Re: freebsd-ipfw@FreeBSD.org)
Message-ID: <20010202213307.C91447@rfx-216-196-73-168.users.reflex>
In-Reply-To: <3A7B369F.2E9922F8@newnet.co.uk>; from peter@newnet.co.uk on Fri, Feb 02, 2001 at 10:37:19PM +0000
References: <3A79D919.53061763@i-clue.de> <20010202142940.V91447@rfx-216-196-73-168.users.reflex> <3A7B369F.2E9922F8@newnet.co.uk>

On Fri, Feb 02, 2001 at 10:37:19PM +0000, Peter Coates wrote:
> "Crist J.
Clark" wrote: > > > > On Thu, Feb 01, 2001 at 10:46:01PM +0100, Christoph Sold wrote: > > > Hi folks, > > > > > > for the first time, I need to do some redirect: > > > > > > On a box with a single interface I want to run an untrusted application > > > on port 23. I know, I can run it suid root, but i did not want to for > > > obvious reasons. > > > > > > Q: How to redirect from interface ed0, port 80, to the very same > > > machine, untrusted port, e.g. 1234? > > > > I coulda sworn there was a sysctl knob to turn off the rather outdated > > behavor that restricts opening ports <1024 to root. However, I cannot > > seem to find such a thing. Am I imagining things? > > -- > > Crist J. Clark cjclark@alum.mit.edu > > There is: > > net.inet.ip.portrange.lowfirst: 1023 > net.inet.ip.portrange.first: 1024 > > They sounds along the right lines. I'm not sure what they do mind ;-) They tell the OS what ranges of ports to choose from for ephemeral ports. It does not change any permissions. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
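To make the distinction in Crist's last reply concrete, here is an added example (not from the thread or from any of its posters) that asks the kernel for an ephemeral port, reads the range it picks from (the net.inet.ip.portrange sysctls on FreeBSD; the Linux /proc equivalent is an assumed fallback so it also runs there), and then asks for a port below 1024 to show that the outcome depends on privilege, not on those sysctls.

```python
import errno
import platform
import socket
import subprocess


def try_bind(port, host="0.0.0.0"):
    """Bind a TCP socket to (host, port); return (bound_port, errno_value).

    bound_port is what the kernel actually assigned (for port 0 it picks an
    ephemeral port); errno_value is 0 on success or the bind() error.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return s.getsockname()[1], 0
    except OSError as e:
        return None, e.errno
    finally:
        s.close()


def ephemeral_range():
    """Return (first, last) of the kernel's ephemeral port range, or None.

    FreeBSD: the net.inet.ip.portrange.first/last sysctls from the thread.
    Linux (assumed fallback): /proc/sys/net/ipv4/ip_local_port_range.
    """
    if platform.system() == "FreeBSD":
        vals = [subprocess.run(["sysctl", "-n", "net.inet.ip.portrange." + k],
                               capture_output=True, text=True, check=True).stdout
                for k in ("first", "last")]
        return int(vals[0]), int(vals[1])
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
        return int(lo), int(hi)
    except OSError:
        return None


def low_port_outcome(port=23):
    """Classify what happens when this process asks for a privileged port."""
    _, err = try_bind(port)
    if err == 0:
        return "bound"             # root (or an equivalent bind privilege)
    if err == errno.EACCES:
        return "permission_denied"  # the <1024 restriction the thread is about
    if err == errno.EADDRINUSE:
        return "in_use"            # something already listens there
    return "error"
```

Run as a normal user, `try_bind(0)` lands inside `ephemeral_range()` regardless of privilege, while `low_port_outcome()` reports `permission_denied`; only running as root changes the latter.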