From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 27 01:15:13 2005
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 22A6316A41F; Sun, 27 Nov 2005 01:15:13 +0000 (GMT) (envelope-from gael.roualland@dial.oleane.com)
Received: from tom.weedns.com (gre92-1-81-57-176-124.fbx.proxad.net [81.57.176.124]) by mx1.FreeBSD.org (Postfix) with ESMTP id C377943D81; Sun, 27 Nov 2005 01:15:08 +0000 (GMT) (envelope-from gael.roualland@dial.oleane.com)
Received: from dial.oleane.com (tom.priv [192.168.27.2]) by tom.weedns.com (8.13.1/8.13.1) with ESMTP id jAR1GN9d040434 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Sun, 27 Nov 2005 02:16:24 +0100 (CET)
Sender: gael.roualland@dial.oleane.com
Message-ID: <43890899.5EB469C3@dial.oleane.com>
Date: Sun, 27 Nov 2005 02:15:05 +0100
From: Gaël Roualland
X-Mailer: Mozilla 4.8 [fr] (X11; U; Linux 2.6.12.5 i686)
X-Accept-Language: fr, en
MIME-Version: 1.0
To: Hajimu UMEMOTO
References: <200511232143.jANLh7x3022902@jerry.priv>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Cc: freebsd-ipfw@freebsd.org, FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sun, 27 Nov 2005 01:15:13 -0000

Hajimu UMEMOTO wrote:
> gael> It does work, at least IPv6-over-IPv4 packets are not blocked, but ipfw
> gael> list/show reports the rule as "allow ip from a.b.c.d to me" and it does
> gael> filter it that way, opening a lot more than just protocol 41...
>
> Umm, 41 is treated as ipv6, internally. With following patch,
>
>   allow ip from a.b.c.d to me proto 41
>
> should work for workaround. However, it is still incomplete, and
> `ipfw show' shows
>
>   allow ip from any to any proto ipv6
>
> Apart from this limitation, it seems working to me here.

I applied the patch, and 'show' was fine (except for ipv6 instead of 41), but it did break my other rules.. Looks like "allow ip from any to any" doesn't match anything anymore...

Gaël.
-- 
Gaël Roualland -+- gael.roualland@dial.oleane.com

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 27 01:20:56 2005
Date: Sun, 27 Nov 2005 01:20:05 GMT
Message-Id: <200511270120.jAR1K5H3098378@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Gaël Roualland
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Reply-To: Gaël Roualland

The following reply was made to PR kern/89472; it has been noted by GNATS.
From: Gaël Roualland
To: Hajimu UMEMOTO
Cc: FreeBSD-gnats-submit@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Date: Sun, 27 Nov 2005 02:15:05 +0100

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 27 03:16:16 2005
Message-ID: <438924EC.7000505@mac.com>
Date: Sat, 26 Nov 2005 22:15:56 -0500
From: Chuck Swiger
Organization: The Courts of Chaos
To: Alexandre DELAY
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Protocol filter capabilities

Alexandre DELAY wrote:
> I am looking for an efficient way to filter different protocols, such as
> edonkey or BEEP. For the moment, I think that ipfw doesn't support it.

Sure it does. Start with "deny all" [1] and then add the minimum required open ports, preferably only for a proxy server that the clients are required to use for all outside access. Specifically, look at and combine the closed and simple firewall types in /etc/rc.firewall.

You might also try to use bandwidth shaping to prioritize P2P behind more useful traffic like VOIP.

> Don't you think that it would be a nice thing to be able to include such
> "filters" from, for example, ethereal?
> Ethereal supports more than 34k different protocols. It would be nice to be
> able to choose from those filters and to apply some rules according to those
> filters.

You're talking about a reactive IDS. You can rig them up using scripts which monitor logfiles, or something like /usr/ports/security/snort.

However, I prefer to use IDS for traffic I permit but want to monitor, not traffic I already know I want to block.
-- 
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 27 05:10:16 2005
Date: Sun, 27 Nov 2005 05:10:15 GMT
Message-Id: <200511270510.jAR5AFx7034870@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Hajimu UMEMOTO
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Reply-To: Hajimu UMEMOTO

The following reply was made to PR kern/89472; it has been noted by GNATS.
From: Hajimu UMEMOTO
To: Gaël Roualland
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Date: Sun, 27 Nov 2005 14:06:17 +0900

Hi,

>>>>> On Sun, 27 Nov 2005 02:15:05 +0100
>>>>> Gaël Roualland said:

gael> I applied the patch, and 'show' was fine (except for ipv6 instead of
gael> 41), but it did break my other rules.. Looks like "allow ip from any to
gael> any" doesn't match anything anymore...

Oops, please try this patch instead.

Index: sbin/ipfw/ipfw2.c
diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c
--- sbin/ipfw/ipfw2.c.orig	Sat Aug 20 17:36:57 2005
+++ sbin/ipfw/ipfw2.c	Sun Nov 27 13:19:40 2005
@@ -3596,7 +3596,7 @@ add_proto(ipfw_insn *cmd, char *av, u_ch
=20
 	*proto =3D IPPROTO_IP;
=20
-	if (_substrcmp(av, "all") =3D=3D 0)
+	if (_substrcmp(av, "all") =3D=3D 0 || strcmp(av, "ip") =3D=3D 0)
 		; /* do not set O_IP4 nor O_IP6 */
 	else if (strcmp(av, "ipv4") =3D=3D 0 || strcmp(av, "ip4") =3D=3D 0)
 		/* explicit "just IPv4" rule */
@@ -3606,13 +3606,12 @@ add_proto(ipfw_insn *cmd, char *av, u_ch
 		*proto =3D IPPROTO_IPV6;
 		fill_cmd(cmd, O_IP6, 0, 0);
 	} else if ((*proto =3D atoi(av)) > 0)
-		; /* all done! */
-	else if ((pe =3D getprotobyname(av)) !=3D NULL)
+		fill_cmd(cmd, O_PROTO, 0, *proto);
+	else if ((pe =3D getprotobyname(av)) !=3D NULL) {
 		*proto =3D pe->p_proto;
-	else
-		return NULL;
-	if (*proto !=3D IPPROTO_IP && *proto !=3D IPPROTO_IPV6)
 		fill_cmd(cmd, O_PROTO, 0, *proto);
+	} else
+		return NULL;
=20
 	return cmd;
 }

Sincerely,

-- 
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 27 05:30:27 2005
Date: Sun, 27 Nov 2005 05:30:08 GMT
Message-Id: <200511270530.jAR5U8NW035352@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Hajimu UMEMOTO
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Reply-To: Hajimu UMEMOTO

The following reply was made to PR kern/89472; it has been noted by GNATS.

From: Hajimu UMEMOTO
To: gael.roualland@dial.oleane.com
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Date: Sun, 27 Nov 2005 14:20:37 +0900

Hi,

>>>>> On Sun, 27 Nov 2005 05:10:15 GMT
>>>>> Hajimu UMEMOTO said:

ume> Oops, please try this patch instead.

Umm, the patch was encoded by quoted-printable wrongly. So, I've resent it.

Index: sbin/ipfw/ipfw2.c
diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c
--- sbin/ipfw/ipfw2.c.orig	Sat Aug 20 17:36:57 2005
+++ sbin/ipfw/ipfw2.c	Sun Nov 27 13:19:40 2005
@@ -3596,7 +3596,7 @@ add_proto(ipfw_insn *cmd, char *av, u_ch
 
 	*proto = IPPROTO_IP;
 
-	if (_substrcmp(av, "all") == 0)
+	if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
 		; /* do not set O_IP4 nor O_IP6 */
 	else if (strcmp(av, "ipv4") == 0 || strcmp(av, "ip4") == 0)
 		/* explicit "just IPv4" rule */
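Review bot: the added `|| strcmp(av, "ip") == 0` arm is load-bearing, not cosmetic, because the second hunk removes the `if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)` guard in front of fill_cmd(): after this patch any spelling other than the literal "ip" that getprotobyname() resolves to protocol 0 (an alias in /etc/protocols, for instance) no longer means "any" but emits an O_PROTO opcode with arg 0, which matches only packets whose protocol field is literally 0. Suggest either checking `pe->p_proto == 0` in the getprotobyname() branch and treating it like "all", or rejecting it with an error, plus a comment here saying why "ip" has to be special-cased before the lookup. Note also that "all" is matched with _substrcmp() (prefix) while "ip" is matched exactly; the asymmetry deserves a comment if it is intended.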
@@ -3606,13 +3606,12 @@ add_proto(ipfw_insn *cmd, char *av, u_ch
 		*proto = IPPROTO_IPV6;
 		fill_cmd(cmd, O_IP6, 0, 0);
 	} else if ((*proto = atoi(av)) > 0)
-		; /* all done! */
-	else if ((pe = getprotobyname(av)) != NULL)
+		fill_cmd(cmd, O_PROTO, 0, *proto);
+	else if ((pe = getprotobyname(av)) != NULL) {
 		*proto = pe->p_proto;
-	else
-		return NULL;
-	if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)
 		fill_cmd(cmd, O_PROTO, 0, *proto);
+	} else
+		return NULL;
 
 	return cmd;
 }

Sincerely,

-- 
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 27 17:47:04 2005
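Review bot: in the `else if ((*proto = atoi(av)) > 0)` branch the value is now written straight into the opcode by the added `fill_cmd(cmd, O_PROTO, 0, *proto);`, but `proto` is a `u_char *` (see the hunk header), so atoi("300") is stored as 44 and accepted silently, atoi("256") becomes 0 and falls through to getprotobyname("256"), and "41abc" is accepted as 41. Since this branch is the one that finally makes `proto 41` work, it is worth making it strict: parse into a long with strtol(), reject trailing characters and anything outside 1..255, and only then assign to *proto.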
From: "Alexandre DELAY"
To: "Chuck Swiger"
Date: Sun, 27 Nov 2005 18:46:53 +0100
In-Reply-To: <438924EC.7000505@mac.com>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Protocol filter capabilities

Snort doesn't answer to such needs.
It is not able to analyze application protocols such as BEEP or Edonkey.
See: http://www.snort.org/docs/writing_rules/

Filtering application protocols based on ip/ports is not efficient. Some applications are able to work on almost any port.

cheers

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Chuck Swiger
Sent: Sunday, 27 November 2005 04:16
To: Alexandre DELAY
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Protocol filter capabilities

Alexandre DELAY wrote:
> I am looking for an efficient way to filter different protocols, such as
> edonkey or BEEP. For the moment, I think that ipfw doesn't support it.

Sure it does. Start with "deny all" [1] and then add the minimum required open ports, preferably only for a proxy server that the clients are required to use for all outside access. Specifically, look at and combine the closed and simple firewall types in /etc/rc.firewall.

You might also try to use bandwidth shaping to prioritize P2P behind more useful traffic like VOIP.

> Don't you think that it would be a nice thing to be able to include such
> "filters" from, for example, ethereal?
> Ethereal supports more than 34k different protocols.
It would be nice to be
> able to choose from those filters and to apply some rules according to those
> filters.

You're talking about a reactive IDS. You can rig them up using scripts which monitor logfiles, or something like /usr/ports/security/snort.

However, I prefer to use IDS for traffic I permit but want to monitor, not traffic I already know I want to block.

-- 
-Chuck
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 27 18:48:49 2005
Message-ID: <4389FF8D.6050806@mac.com>
Date: Sun, 27 Nov 2005 13:48:45 -0500
From: Chuck Swiger
Organization: The Courts of Chaos
To: Alexandre DELAY
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Protocol filter capabilities

Alexandre DELAY wrote:
[ ...top-posting reformatted... ]
>>> Don't you think that it would be a nice thing to be able to include such
>>> "filters" from, for example, ethereal? Ethereal supports more than 34k
>>> different protocols. It would be nice to be able to choose from those
>>> filters and to apply some rules according to those filters.
>>
>> You're talking about a reactive IDS. You can rig them up using scripts
>> which monitor logfiles, or something like /usr/ports/security/snort.
>>
>> However, I prefer to use IDS for traffic I permit but want to monitor, not
>> traffic I already know I want to block.
>
> Snort doesn't answer to such needs.
> It is not able to analyze application protocols such as BEEP or Edonkey.
> See: http://www.snort.org/docs/writing_rules/
>
> Filtering application protocols based on ip/ports is not efficient. Some
> applications are able to work on almost any port.

Snort is a tool. It can be used to build an IDS and is well-suited for that task, but it is not intended to entirely replace a firewall.

It is true that P2P application protocols are very adaptive and are able to work via almost any port. However, they do not work through a properly configured proxy using a "deny all" firewall in what is called a DMZ or screened subnet firewall architecture.
If your network is set up for this correctly, internal machines on the LAN will never be allowed to make external requests, at all (period); clients may even run without a default route set and without the firewall having NAT enabled.

-- 
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 27 18:56:08 2005
From: "Alexandre DELAY"
To: "Chuck Swiger"
Date: Sun, 27 Nov 2005 19:56:09 +0100
In-Reply-To: <4389FF8D.6050806@mac.com>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Protocol filter capabilities

I agree with you, but my aim is not to block traffic between my internal network and the Internet. I only want to filter (not block) certain protocols.

I found a nice tool for this: http://freebsd.rogness.net/snort_inline/

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Chuck Swiger
Sent: Sunday, 27 November 2005 19:49
To: Alexandre DELAY
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Protocol filter capabilities

Alexandre DELAY wrote:
[ ...top-posting reformatted... ]
>>> Don't you think that it would be a nice thing to be able to include such
>>> "filters" from, for example, ethereal? Ethereal supports more than 34k
>>> different protocols. It would be nice to be able to choose from those
>>> filters and to apply some rules according to those filters.
>>
>> You're talking about a reactive IDS. You can rig them up using scripts
>> which monitor logfiles, or something like /usr/ports/security/snort.
>>
>> However, I prefer to use IDS for traffic I permit but want to monitor, not
>> traffic I already know I want to block.
>
> Snort doesn't answer to such needs.
> It is not able to analyze application protocols such as BEEP or Edonkey.
> See: http://www.snort.org/docs/writing_rules/
>
> Filtering application protocols based on ip/ports is not efficient. Some
> applications are able to work on almost any port.

Snort is a tool. It can be used to build an IDS and is well-suited for that task, but it is not intended to entirely replace a firewall.

It is true that P2P application protocols are very adaptive and are able to work via almost any port. However, they do not work through a properly configured proxy using a "deny all" firewall in what is called a DMZ or screened subnet firewall architecture.

If your network is set up for this correctly, internal machines on the LAN will never be allowed to make external requests, at all (period); clients may even run without a default route set and without the firewall having NAT enabled.

-- 
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 27 21:30:11 2005
Date: Sun, 27 Nov 2005 21:30:07 GMT
Message-Id: <200511272130.jARLU70N071333@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Gaël Roualland
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Reply-To: Gaël Roualland

The following reply was made to PR kern/89472; it has been noted by GNATS.
From: Gaël Roualland
To: Hajimu UMEMOTO
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Date: Sun, 27 Nov 2005 22:27:40 +0100

Hajimu UMEMOTO wrote:
>
> Hi,
>
> >>>>> On Sun, 27 Nov 2005 02:15:05 +0100
> >>>>> Gaël Roualland said:
>
> gael> I applied the patch, and 'show' was fine (except for ipv6 instead of
> gael> 41), but it did break my other rules.. Looks like "allow ip from any to
> gael> any" doesn't match anything anymore...
>
> Oops, please try this patch instead.

It seems to work fine with this patch so far (fyi, none of the patches you sent applied as-is, so I applied it manually). Thanks.

Regarding the fact that ip6/ipv6 (and ip4/ipv4) cannot be used in the proto construction, I added a parameter to add_proto to distinguish between the main rule proto and potential "proto options". The patch is attached.

Gaël.

-- 
Gaël Roualland -+- gael.roualland@dial.oleane.com

Content-Disposition: inline; filename="ipfw2.patch"

--- src/sbin/ipfw/ipfw2.c.orig	Sun Nov 27 22:25:33 2005
+++ src/sbin/ipfw/ipfw2.c	Sun Nov 27 22:24:14 2005
@@ -3590,29 +3590,33 @@ add_mactype(ipfw_insn *cmd, int ac, char
 }
 
 static ipfw_insn *
-add_proto(ipfw_insn *cmd, char *av, u_char *proto)
+add_proto(ipfw_insn *cmd, char *av, u_char *proto, int ismain)
 {
 	struct protoent *pe;
 
 	*proto = IPPROTO_IP;
 
-	if (_substrcmp(av, "all") == 0)
+	if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
 		; /* do not set O_IP4 nor O_IP6 */
 	else if (strcmp(av, "ipv4") == 0 || strcmp(av, "ip4") == 0)
-		/* explicit "just IPv4" rule */
-		fill_cmd(cmd, O_IP4, 0, 0);
+		if (ismain) /* explicit "just IPv4" rule */
+			fill_cmd(cmd, O_IP4, 0, 0);
+		else
+			fill_cmd(cmd, O_PROTO, 0, *proto);
 	else if (strcmp(av, "ipv6") == 0 || strcmp(av, "ip6") == 0) {
 		/* explicit "just IPv6" rule */
 		*proto = IPPROTO_IPV6;
-		fill_cmd(cmd, O_IP6, 0, 0);
-	} else if ((*proto = atoi(av)) > 0)
-		; /* all done! */
-	else if ((pe = getprotobyname(av)) != NULL)
+		if (ismain)
+			fill_cmd(cmd, O_IP6, 0, 0);
+		else
+			fill_cmd(cmd, O_PROTO, 0, *proto);
+	} else if ((*proto = atoi(av)) > 0)
+		fill_cmd(cmd, O_PROTO, 0, *proto);
+	else if ((pe = getprotobyname(av)) != NULL) {
 		*proto = pe->p_proto;
-	else
-		return NULL;
-	if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)
 		fill_cmd(cmd, O_PROTO, 0, *proto);
+	} else
+		return NULL;
 
 	return cmd;
 }
@@ -4056,7 +4060,7 @@ add(int ac, char *av[])
 	OR_START(get_proto);
 	NOT_BLOCK;
 	NEED1("missing protocol");
-	if (add_proto(cmd, *av, &proto)) {
+	if (add_proto(cmd, *av, &proto, 1)) {
 		av++; ac--;
 		if (F_LEN(cmd) != 0) {
 			prev = cmd;
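Review bot: in the `ipv4`/`ip4` branch of the first hunk, the non-main path `fill_cmd(cmd, O_PROTO, 0, *proto);` runs while *proto still holds IPPROTO_IP (assigned 0 a few lines earlier and never changed in that branch), so `proto ip4` given as an option emits O_PROTO 0 and matches only packets whose protocol field is literally zero; the `ipv6` branch avoids this only because it assigns `*proto = IPPROTO_IPV6` before the ismain test. Assign the intended encapsulation protocol number to *proto before that fill_cmd() (or reject ip4 as an option with an error), and since the branch is now an if/else nested inside a brace-less `else if` that is itself followed by another `else if`, wrap it in braces so the dangling-else binding is explicit rather than relying on the grammar.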
@@ -4451,7 +4455,7 @@ read_options:
 
 		case TOK_PROTO:
 			NEED1("missing protocol");
-			if (add_proto(cmd, *av, &proto)) {
+			if (add_proto(cmd, *av, &proto, 0)) {
 				ac--; av++;
 			} else
 				errx(EX_DATAERR, "invalid protocol ``%s''",

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 28 11:02:28 2005
Date: Mon, 28 Nov 2005 11:02:04 GMT
Message-Id: <200511281102.jASB24Ad088178@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.      Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274  ipfw       [ipfw] [patch] ipfw2 create dynamic rules f
f [2003/04/24]  kern/51341  ipfw       [ipfw] [patch] ipfw rule 'deny icmp from
o [2003/12/11]  kern/60154  ipfw       [ipfw] ipfw core (crash)
o [2004/03/03]  kern/63724  ipfw       [ipfw] IPFW2 Queues dont t work
o [2004/11/13]  kern/73910  ipfw       [ipfw] serious bug on forwarding of packe
o [2004/11/19]  kern/74104  ipfw       [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13]  conf/78762  ipfw       [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11]  bin/80913   ipfw       [patch] /sbin/ipfw2 silently discards MAC
o [2005/11/08]  kern/88659  ipfw       [modules] ipfw and ip6fw do not work prop
o [2005/11/08]  kern/88664  ipfw       [ipfw] ipfw stateful firewalling broken w

10 problems total.

Non-critical problems

S Submitted     Tracker     Resp.      Description
Description ------------------------------------------------------------------------------- a [2001/04/13] kern/26534 ipfw [ipfw] Add an option to ipfw to log gid/u o [2002/12/10] kern/46159 ipfw [ipfw] [patch] ipfw dynamic rules lifetim o [2003/02/11] kern/48172 ipfw [ipfw] [patch] ipfw does not log size and o [2003/03/10] kern/49086 ipfw [ipfw] [patch] Make ipfw2 log to differen o [2003/04/09] bin/50749 ipfw [ipfw] [patch] ipfw2 incorrectly parses p o [2003/08/26] kern/55984 ipfw [ipfw] [patch] time based firewalling sup o [2003/12/30] kern/60719 ipfw [ipfw] Headerless fragments generate cryp o [2004/08/03] kern/69963 ipfw [ipfw] install_state warning about alread o [2004/09/04] kern/71366 ipfw [ipfw] "ipfw fwd" sometimes rewrites dest o [2004/10/22] kern/72987 ipfw [ipfw] ipfw/dummynet pipe/queue 'queue [B o [2004/10/29] kern/73276 ipfw [ipfw] [patch] ipfw2 vulnerability (parse o [2005/02/01] kern/76971 ipfw [ipfw] ipfw antispoof incorrectly blocks o [2005/03/13] bin/78785 ipfw [ipfw] [patch] ipfw verbosity locks machi o [2005/05/05] kern/80642 ipfw [ipfw] [patch] ipfw small patch - new RUL o [2005/06/28] kern/82724 ipfw [ipfw] [patch] Add setnexthop and default o [2005/10/05] kern/86957 ipfw [ipfw] [patch] ipfw mac logging o [2005/10/07] kern/87032 ipfw [ipfw] [patch] ipfw ioctl interface imple o [2005/11/23] kern/89472 ipfw [ipfw] ipfw2 no longer supports filtering 18 problems total. 
From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 28 15:29:03 2005
Date: Mon, 28 Nov 2005 23:33:55 +0800 (MYT)
Message-ID: <1525.219.94.101.34.1133192035.squirrel@219.94.101.34>
From: "Mohd Rasfan"
To: freebsd-ipfw@FreeBSD.org
Reply-To: rasfan@nadi-it.com
Subject: dummynet

Hello, guys. I set up FreeBSD 6.0 with ipfw2 + dummynet. I have one internet connection, 2mb, with one firewall. My question is: is that dummynet shaping on the BSD machine or on the internet connection...? My NIC is 1000Mbps... for a user I give 1Mbps.... Is that 1Mbps on the BSD machine or in my router?

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 28 17:59:31 2005
Date: Mon, 28 Nov 2005 18:59:27 +0100 (CET)
Message-Id: <200511281759.jASHxR3q093197@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG
In-Reply-To: <43833270.8060502@freebsdbrasil.com.br>
Subject: Re: Features enhacement: AND-block and "me" expression on a table...

Patrick Tracanelli wrote:
> Would it be hard to make ipfw processing "and" blocks, just like "or"
> blocks? I mean, in the following situation:
>
> ipfw add deny log tcp from { not 10.10.10.10/32 or not 10.10.10.20/32 }
> to any dst-port 22 out via fxp0 setup keep-state
>
> On my understanding, this rule will *always* match, because the OR block
> makes the source always be true, because it *won't* be an origin OR won't
> the other be. What if we could have:
>
> ipfw add deny log tcp from { not 10.10.10.10/32 and not 10.10.10.20/32 }
> to any dst-port 22 out via fxp0 setup keep-state

First, some small notes:

1. It usually doesn't make much sense to use "keep-state" with deny rules. I suggest you omit it.
2. You can also safely omit the "setup" option.
3. You can omit the /32 bitmask (it's the default).
4. I'm not sure whether you really mean "via". It seems that "xmit" is intended in this case, not "via".
5. And finally, you don't have to write "dst-port" (it doesn't hurt, but I prefer to write rules in a compact way because I think it's more readable when the lines don't have to wrap on a standard 80-column terminal).

Now to your question about an "and" operator. There are several possibilities to do what you want.

For example, you could use a byte list:

   deny log tcp from not 10.10.10.0/24 to any 22 out xmit fxp0
   deny log tcp from 10.10.10.0/24{0-9,11-19,21-255} to any 22 out xmit fxp0

Or slightly different (negated byte list):

   deny log tcp from not 10.10.10.0/24 to any 22 out xmit fxp0
   deny log tcp from not 10.10.10.0/24{10,20} to any 22 out xmit fxp0

Or you could use a skipto rule:

   100 skipto 300 all from { 10.10.10.10 or 10.10.10.20 }
   200 deny log tcp from any to any 22 out xmit fxp0
   300 ...

Personally I like the latter best, because it's the most flexible solution. It's also easy to read and understand. You can easily place more rules in the range which is skipped over for the two privileged IP addresses, and you don't have to mention those IP addresses again in every such rule.

With careful use of "skipto" rules, it is easy to make very well-structured rule sets. Using "skipto" also often improves performance of the rule set, because fewer rules have to be analyzed for every packet. If you have a lot of rules, it is almost always a good idea to group them into logical units and then use "skipto" to jump into the appropriate groups. Doing that can improve performance by a big factor.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Emacs is not an editor to me. For me it is exactly as if I asked for a
bicycle (to fetch the Sunday bread rolls) and got a pan-galactic space
cruiser 10 km long. I don't know what I'm supposed to do with it."
        -- Frank Klemm, de.comp.os.unix.discussion
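An added example, written for this page and not part of Oliver's message or of ipfw itself: a small Python model of ipfw's first-match evaluation, with skipto and the addr/masklen{list} byte-list form, applied to the three variants above so the always-true OR block can be compared with the byte-list and skipto rule sets. Only the source address is modeled; the rule numbers, the catch-all rules, the default action and the sample addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# The two hosts the thread wants exempted from the deny rule.
PRIV = {"10.10.10.10", "10.10.10.20"}

def or_block(src):
    """'from { not 10.10.10.10 or not 10.10.10.20 }' is an OR of two
    negations: at least one side is true for every source, so it always matches."""
    return src != "10.10.10.10" or src != "10.10.10.20"

def byte_list(net, spec):
    """Model of ipfw's 'addr/masklen{list}' form: the source lies in net and
    the last byte of its address is one of the listed values or ranges."""
    network = ip_network(net)
    allowed = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return lambda src: ip_address(src) in network and int(ip_address(src)) & 0xff in allowed

def evaluate(rules, src):
    """First-match walk over (number, action, predicate) triples sorted by
    number. action is 'allow', 'deny' or ('skipto', n); a skipto resumes at
    the first rule numbered >= n. Returns the action taken for src."""
    i = 0
    while i < len(rules):
        _, action, pred = rules[i]
        if not pred(src):
            i += 1
        elif isinstance(action, tuple):           # ('skipto', n)
            target = action[1]
            i = next((k for k, r in enumerate(rules) if r[0] >= target), len(rules))
        else:
            return action
    return "deny"   # constructed stand-in for the default rule

# Constructed rule sets mirroring the message; each ends in a catch-all allow.
OR_BLOCK = [(100, "deny", or_block), (65000, "allow", lambda s: True)]
BYTE_LIST = [
    (100, "deny", lambda s: ip_address(s) not in ip_network("10.10.10.0/24")),
    (110, "deny", byte_list("10.10.10.0/24", "0-9,11-19,21-255")),
    (65000, "allow", lambda s: True),
]
SKIPTO = [
    (100, ("skipto", 300), lambda s: s in PRIV),   # exempt hosts jump past the deny
    (200, "deny", lambda s: True),
    (300, "allow", lambda s: True),
]
```

Running evaluate over the three sets shows the OR block denying even 10.10.10.10, while the byte-list and skipto sets deny everyone except the two exempt hosts.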
From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 29 15:38:15 2005
Date: Tue, 29 Nov 2005 15:38:13 GMT
From: Hajimu UMEMOTO
Message-Id: <200511291538.jATFcDcT055270@freefall.freebsd.org>
To: gael.roualland@dial.oleane.com, ume@FreeBSD.org, freebsd-ipfw@FreeBSD.org, ume@FreeBSD.org
Subject: Re: kern/89472: [ipfw] ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE

Synopsis: [ipfw] ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE

State-Changed-From-To: open->patched
State-Changed-By: ume
State-Changed-When: Tue Nov 29 15:35:43 GMT 2005
State-Changed-Why:
I've just committed the fix into HEAD, but in a slightly different way. Thank you for reporting it.

Responsible-Changed-From-To: freebsd-ipfw->ume
Responsible-Changed-By: ume
Responsible-Changed-When: Tue Nov 29 15:35:43 GMT 2005
Responsible-Changed-Why:
Because I committed it.
http://www.freebsd.org/cgi/query-pr.cgi?pr=89472

From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 1 09:57:52 2005
Date: Thu, 1 Dec 2005 09:57:51 GMT
From: Mark Linimon
Message-Id: <200512010957.jB19vpnW080160@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: conf/89789: [patch] 500.ipfwdenied uses deprecated syntax of ipfw

Synopsis: [patch] 500.ipfwdenied uses deprecated syntax of ipfw

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Dec 1 09:57:39 GMT 2005
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=89789