From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 26 02:20:19 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4EBB016A4B3 for ; Sun, 26 Oct 2003 02:20:19 -0800 (PST)
Received: from mout2.freenet.de (mout2.freenet.de [194.97.50.155]) by mx1.FreeBSD.org (Postfix) with ESMTP id B961243F85 for ; Sun, 26 Oct 2003 02:20:17 -0800 (PST) (envelope-from ino-qc@spotteswoode.de.eu.org)
Received: from [194.97.50.135] (helo=mx2.freenet.de) by mout2.freenet.de with asmtp (Exim 4.24) id 1ADi0O-0007fY-DM for freebsd-ipfw@FreeBSD.ORG; Sun, 26 Oct 2003 11:20:16 +0100
Received: from p3e9baad4.dip.t-dialin.net ([62.155.170.212] helo=spotteswoode.dnsalias.org) by mx2.freenet.de with asmtp (ID inode@freenet.de) (Exim 4.24 #17) id 1ADi0O-0006ZD-0K for freebsd-ipfw@FreeBSD.ORG; Sun, 26 Oct 2003 11:20:16 +0100
Received: (qmail 3160 invoked by uid 0); 26 Oct 2003 10:20:37 -0000
Date: 26 Oct 2003 11:20:14 +0100
Message-ID:
From: "Clemens Fischer"
To: "Michael Sierchio"
In-Reply-To: <3F833434.5090506@tenebras.com> (Michael Sierchio's message of "Tue, 07 Oct 2003 14:46:28 -0700")
References: <3F833434.5090506@tenebras.com>
User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Strange leakage of private source addresses w/ipfw and natd
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 26 Oct 2003 10:20:19 -0000

* 2003-10-07 Michael Sierchio:

> This doesn't have a (user-) noticeable impact on traffic, but
> installing a silent network recorder outside my firewall shows that
> some RFC 1918 addrs are getting through.

Don't worry, just block them on the external interface.

> I'll post details when I've got them, but I'm wondering if anyone
> else has seen this?

It happens, and with my installation they are coming from the outside.

  clemens

From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 26 05:36:22 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B56F816A4BF for ; Sun, 26 Oct 2003 05:36:22 -0800 (PST)
Received: from tequila.4you.lt (tequila.4you.lt [212.122.68.216]) by mx1.FreeBSD.org (Postfix) with SMTP id E723643FA3 for ; Sun, 26 Oct 2003 05:36:19 -0800 (PST) (envelope-from hugle@vkt.lt)
Received: (qmail 96453 invoked by uid 0); 26 Oct 2003 12:35:47 -0000
Received: from hugle@vkt.lt by tequila by uid 82 with qmail-scanner-1.20rc1 (. Clear:RC:1:. Processed in 0.125443 secs); 26 Oct 2003 12:35:47 -0000
Received: from unknown (HELO localhost) (213.252.192.162) by tequila.4you.lt with SMTP; 26 Oct 2003 12:35:47 -0000
From: hugle
X-Mailer: The Bat! (v1.63 Beta/5)
X-Priority: 3 (Normal)
Message-ID: <1112481437.19990124172534@vkt.lt>
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: checking IP <> MAC in ipfw
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: hugle
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Date: Sun, 26 Oct 2003 13:36:22 -0000
X-Original-Date: Sun, 24 Jan 1999 17:25:34 +0200
X-List-Received-Date: Sun, 26 Oct 2003 13:36:22 -0000

Hello.

Searching for a patch for ipfw2. The thing I'd like to do is to check users' IP and MAC: if the MAC isn't equal to some_value, then do something. For example:

  ipfw add deny ip from 192.168.1.1 src-mac not 00:11:22:33:44:55

Is it possible?
thx

--
Best regards,
Hugle

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 27 01:40:39 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 83E2116A4B3 for ; Mon, 27 Oct 2003 01:40:39 -0800 (PST)
Received: from mail.dwec.ru (mail.dwec.ru [194.84.175.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id A74E043F85 for ; Mon, 27 Oct 2003 01:40:37 -0800 (PST) (envelope-from freebsd@dwec.ru)
Received: (from root@localhost) by mail.dwec.ru (8.11.6/8.11.6/no info ;)) id h9R9eZl45438 for freebsd-ipfw@freebsd.org.KAV; Mon, 27 Oct 2003 12:40:35 +0300 (MSK) (envelope-from freebsd@dwec.ru)
Received: from admin (gw [194.84.175.30]) by mail.dwec.ru (8.11.6/8.11.6/no info ;)) with SMTP id h9R9eZT45427 for ; Mon, 27 Oct 2003 12:40:35 +0300 (MSK) (envelope-from freebsd@dwec.ru)
Message-ID: <020201c39c6e$5f0fea40$080ba8c0@admin>
From:
To:
References: <3F833434.5090506@tenebras.com>
Date: Mon, 27 Oct 2003 12:40:22 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4927.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4927.1200
Subject: Re: Strange leakage of private source addresses w/ipfw and natd
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 27 Oct 2003 09:40:39 -0000

Ok, maybe not THAT important, but definitely a Bad Surprise.

Here's the sample (and in the current configuration only ICMP packets, from time to time, are being passed through unaltered):

snort:
[1:0:0] POSSIBLE address leakage - ICMP {ICMP} 192.168.5.2 -> 208.115.104.193

[**] POSSIBLE address leakage - ICMP [**]
10/25-22:55:08.782139 192.168.5.2 -> 208.115.104.193
ICMP TTL:255 TOS:0x0 ID:17365 IpLen:20 DgmLen:60
Type:11  Code:0  TTL EXCEEDED IN TRANSIT

192.168.5.2 is a Cisco 2509, if it matters.

Box details: ipfw2+natd, acts as a gateway.
OS version: 4.9-PRERELEASE
FreeBSD 4.9-PRERELEASE #0: Thu Sep 25 08:58:21 MSD 2003, but it doesn't matter as I've seen this behaviour before.

PS. I can provide more details if needed.

> > This doesn't have a (user-) noticeable impact on traffic, but
> > installing a silent network recorder outside my firewall shows that
> > some RFC 1918 addrs are getting through.
>
> don't worry, just block them on the external interface.
>
> > I'll post details when I've got them, but I'm wondering if anyone
> > else has seen this?
>
> it happens, and with my installation they are coming from the outside.
>   clemens

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 27 11:02:10 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E7AC16A4B3 for ; Mon, 27 Oct 2003 11:02:10 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B0DD543FD7 for ; Mon, 27 Oct 2003 11:01:55 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h9RJ1tFY056987 for ; Mon, 27 Oct 2003 11:01:55 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h9RJ1sM1056981 for ipfw@freebsd.org; Mon, 27 Oct 2003 11:01:54 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 27 Oct 2003 11:01:54 -0800 (PST)
Message-Id: <200310271901.h9RJ1sM1056981@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 27 Oct 2003 19:02:10 -0000

Current FreeBSD problem reports

Critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/03/23]  kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27]  kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22]  kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07]  kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10]  kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27]  kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11]  kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12]  bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09]  bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/25]  kern/55984  ipfw   [patch] time based firewalling support fo

9 problems total.
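The "Strange leakage of private source addresses" thread earlier on this page shows a snort rule firing on an RFC 1918 source seen outside the NAT gateway, and Clemens' advice to block such addresses on the external interface. The following is an added example, not code from any of the posters: it performs the same check over a few constructed tcpdump-style lines (not the poster's capture) and emits the ipfw rules that would drop RFC 1918 sources and destinations on the outside interface. The interface name "fxp0", the rule numbers and the sample lines are assumptions.

```python
"""Detect RFC 1918 addresses on the outside of a NAT gateway, and build the
ipfw rules that drop them on the external interface.

Added example for the list thread above; not the posters' code.  The
interface name, rule numbers and sample capture lines are assumptions.
"""
import ipaddress
import re

# The three RFC 1918 private ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed tcpdump-style lines as a recorder outside the firewall might
# print them.  Not a real capture; the first and third lines are the kind of
# packet the thread describes (an inside router's ICMP error leaving untranslated).
SAMPLE_LINES = [
    "22:55:08.782139 IP 192.168.5.2 > 208.115.104.193: ICMP time exceeded in-transit, length 36",
    "22:55:09.104211 IP 203.0.113.7 > 208.115.104.193: ICMP echo request, id 1, seq 1, length 64",
    "22:55:09.551320 IP 10.0.0.4 > 198.51.100.9: ICMP time exceeded in-transit, length 36",
    "22:55:10.002210 IP 198.51.100.9.443 > 203.0.113.7.51234: Flags [.], ack 1, length 0",
]

# "<ts> IP <src>[.port] > <dst>[.port]: <rest>"; the dotted quad is matched
# explicitly so a trailing ".port" is never mistaken for the last octet.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$")


def is_private(addr: str) -> bool:
    """True if addr falls in any RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def find_leaks(lines):
    """Return (timestamp, src, dst, description) for each packet whose source
    address is private, i.e. what the snort 'POSSIBLE address leakage' rule flags."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # not a packet summary line; skip it
        if is_private(m["src"]):
            leaks.append((m["ts"], m["src"], m["dst"], m["rest"]))
    return leaks


def ipfw_block_rules(ext_if="fxp0", first=100):
    """ipfw commands dropping RFC 1918 sources and destinations on ext_if.
    'via' matches both directions, so inbound bogons are caught as well."""
    rules = []
    num = first
    for net in PRIVATE_NETS:
        for body in (f"from {net} to any", f"from any to {net}"):
            rules.append(f"ipfw add {num} deny ip {body} via {ext_if}")
            num += 1
    return rules


if __name__ == "__main__":
    for ts, src, dst, rest in find_leaks(SAMPLE_LINES):
        print(f"{ts} leak: {src} -> {dst} ({rest})")
    print("\n".join(ipfw_block_rules()))
```

When natd is in use, the generated deny rules must sit after the `divert natd` rule for the outbound direction: before translation every packet leaving the LAN still carries a private source, so an earlier deny would drop all outbound traffic. Placed after the divert rule they only catch what natd left untranslated, which is exactly the case the thread reports.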
From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 29 07:30:20 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 39E7416A4CE for ; Wed, 29 Oct 2003 07:30:20 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id A489443FE3 for ; Wed, 29 Oct 2003 07:30:19 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h9TFUJFY032607 for ; Wed, 29 Oct 2003 07:30:19 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h9TFUJ7E032606; Wed, 29 Oct 2003 07:30:19 -0800 (PST) (envelope-from gnats)
Date: Wed, 29 Oct 2003 07:30:19 -0800 (PST)
Message-Id: <200310291530.h9TFUJ7E032606@freefall.freebsd.org>
To: ipfw@FreeBSD.org
From: "Kang Liu"
Subject: Re: kern/50216: kernel panic on 5.0-current when use ipfw2 with dynamic rules
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Kang Liu
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 29 Oct 2003 15:30:20 -0000

The following reply was made to PR kern/50216; it has been noted by GNATS.

From: "Kang Liu"
To:
Cc:
Subject: Re: kern/50216: kernel panic on 5.0-current when use ipfw2 with dynamic rules
Date: Wed, 29 Oct 2003 23:24:12 +0800

 It seems that the stable branch is not affected by this problem after McKusick's commit. :-)
 (src/sys/netinet/ip_fw2.c Revision 1.6.2.18)

 Testing 5.1current...
From owner-freebsd-ipfw@FreeBSD.ORG Sat Nov 1 14:39:39 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F49E16A4CE for ; Sat, 1 Nov 2003 14:39:39 -0800 (PST)
Received: from mx1.purplecat.net (mx1.purplecat.net [12.150.157.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8A60F43F85 for ; Sat, 1 Nov 2003 14:39:38 -0800 (PST) (envelope-from pbrezny@purplecat.net)
Received: (qmail 93722 invoked by uid 89); 1 Nov 2003 22:39:37 -0000
Received: from athena.skyrunner.net (HELO transport) (12.150.158.2) by mx1.purplecat.net with SMTP; 1 Nov 2003 22:39:37 -0000
From: "Peter Brezny"
To:
Date: Sat, 1 Nov 2003 17:39:54 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Subject: creating a dedicated portion of bandwidth with ipfw and dummynet
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 01 Nov 2003 22:39:39 -0000

Greetings IPFW list.

Is it possible to dedicate a portion of bandwidth to a rule so that, regardless of how cramped a connection gets, a defined amount can be reserved for a particular packet flow, for instance ssh?

I figured out how to 'prioritize' using queues thanks to this little tutorial:

http://ezunix.org/modules.php?op=modload&name=Sections&file=index&req=viewarticle&artid=36&page=1

But I'd like to be able to dedicate a small amount of bandwidth that nothing else would be able to use, regardless of how saturated the link got.
Thanks in advance for any assistance, or pointers to good reading for improving my dummynet skills.

Yours,
Peter Brezny
purplecat.net

From owner-freebsd-ipfw@FreeBSD.ORG Sat Nov 1 15:28:00 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 89A9416A4CE for ; Sat, 1 Nov 2003 15:28:00 -0800 (PST)
Received: from tenebras.com (dnscache.tenebras.com [66.92.188.165]) by mx1.FreeBSD.org (Postfix) with SMTP id C7F4743FB1 for ; Sat, 1 Nov 2003 15:27:59 -0800 (PST) (envelope-from kudzu@tenebras.com)
Received: (qmail 35587 invoked from network); 1 Nov 2003 23:27:58 -0000
Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 1 Nov 2003 23:27:58 -0000
Message-ID: <3FA4417E.3040508@tenebras.com>
Date: Sat, 01 Nov 2003 15:27:58 -0800
From: Michael Sierchio
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
References:
In-Reply-To:
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: creating a dedicated portion of bandwidth with ipfw and dummynet
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 01 Nov 2003 23:28:00 -0000

Peter Brezny wrote:

> Is it possible to dedicate a portion of bandwidth to a rule so that
> regardless of how cramped a connection gets, a defined amount can be
> reserved for a particular packet flow, for instance ssh?

I've been experimenting with using dummynet queues based on packetlen ranges. Bulk transfers almost always occur at the MTU size, and interactive traffic almost always consists of small packets.

I did a tcpdump of raw packets during a "typical" day when there was no contention for resources, then used tcpdstat on the dump file to get stats like:

### Packet Size Distribution (including MAC headers) ###
<<<<
 [   32-   63]:     759995
 [   64-  127]:    2525268
 [  128-  255]:     895623
 [  256-  511]:      85380
 [  512- 1023]:     119121
 [ 1024- 2047]:     339362
>>>>

Subtract 12 bytes to get the IP len, and you can use iplen range matching to assign weights to queues.

Set net.inet.ip.fw.one_pass=0
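The reply above sketches a procedure (bucket packets by size the way tcpdstat does, subtract 12 bytes to get the IP length, give the small-packet buckets a higher dummynet weight) without spelling out the rule set. The following is an added example, not Michael Sierchio's code: it bins a constructed list of frame lengths into the tcpdstat buckets shown in the post and generates the matching ipfw pipe, queue and `iplen` rules. The external interface "fxp0", the pipe bandwidth, the weight table, the rule numbers and the sample frame lengths are all assumptions.

```python
"""From a packet-size histogram to ipfw/dummynet queues keyed on iplen.

Added example for the list post above; not the poster's code.  Interface
name, bandwidth, weights, rule numbers and sample lengths are assumptions.
"""
from collections import Counter

# tcpdstat's size buckets (bytes, including MAC headers), as printed in the post.
BUCKETS = [(32, 63), (64, 127), (128, 255), (256, 511), (512, 1023), (1024, 2047)]
MAC_OVERHEAD = 12          # the post's figure: frame length minus IP length
# Assumed dummynet weights (1..100), one per bucket: small packets win under contention.
WEIGHTS = [50, 30, 10, 5, 3, 2]

# Constructed frame lengths, as a pcap would yield them; not the poster's capture.
SAMPLE_FRAME_LENGTHS = [60] * 5 + [90, 100, 110] + [200] * 2 + [300] + [800] + [1514] * 4


def bucket_of(frame_len):
    """Index of the tcpdstat bucket containing frame_len, or None if outside all."""
    for i, (lo, hi) in enumerate(BUCKETS):
        if lo <= frame_len <= hi:
            return i
    return None


def size_distribution(frame_lengths):
    """Count frames per bucket, like tcpdstat's 'Packet Size Distribution' table."""
    counts = Counter()
    for n in frame_lengths:
        i = bucket_of(n)
        if i is not None:
            counts[BUCKETS[i]] += 1
    return dict(counts)


def iplen_range(bucket):
    """Translate a frame-length bucket into an IP-length range for ipfw 'iplen'.
    An IP packet is never shorter than its 20-byte header, so clamp the low end."""
    lo, hi = bucket
    return max(lo - MAC_OVERHEAD, 20), hi - MAC_OVERHEAD


def queue_rules(ext_if="fxp0", pipe=1, bw="1500Kbit/s", first_rule=1000):
    """ipfw commands: one pipe for the link, one weighted queue per size bucket,
    and one rule per queue that selects packets by iplen range on the way out."""
    cmds = [
        "sysctl net.inet.ip.fw.one_pass=0",   # packets continue past the queue rule
        f"ipfw pipe {pipe} config bw {bw}",
    ]
    for i, bucket in enumerate(BUCKETS):
        q = i + 1
        lo, hi = iplen_range(bucket)
        cmds.append(f"ipfw queue {q} config pipe {pipe} weight {WEIGHTS[i]}")
        cmds.append(f"ipfw add {first_rule + i} queue {q} ip from any to any "
                    f"iplen {lo}-{hi} out via {ext_if}")
    return cmds


if __name__ == "__main__":
    for bucket, n in sorted(size_distribution(SAMPLE_FRAME_LENGTHS).items()):
        print(f"[{bucket[0]:5d}-{bucket[1]:5d}]: {n}")
    print("\n".join(queue_rules()))
```

On the reservation question that started the thread: dummynet queues attached to one pipe share its bandwidth in proportion to their weights (WF2Q+), so a queue's weight is a guaranteed share under contention rather than a hard carve-out, and whatever that queue does not use stays available to the others. `one_pass=0` matters because without it a packet returning from the queue leaves the ruleset at the queue rule and never reaches any deny or divert rules placed after it.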