From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 24 05:11:17 2003
From: "Clemens Fischer"
To: "Marcin Gryszkalis"
Cc: freebsd-ipfw@freebsd.org, Kelly Yancey
Date: 24 Aug 2003 14:11:07 +0200
Subject: Re: hostnames resolving problem
Message-ID: <1xvbjlwk.fsf@ID-23066.news.dfncis.de>
In-Reply-To: <3F47C30C.8070102@fork.pl> (Marcin Gryszkalis's message of "Sat, 23 Aug 2003 21:39:56 +0200")
References: <20030822200153.V84903-100000@gateway.posi.net> <3F47C30C.8070102@fork.pl>
List-Id: IPFW Technical Discussions

* Marcin Gryszkalis:

> On 2003-08-23 05:11, Kelly Yancey wrote:
>> The name resolution feature is already questionable: if the DNS
>> mapping changes, should the firewall rule somehow be magically
>> updated?

i agree.

> I understand the point of view that it's questionable, but - as it
> *is* implemented, it's just inconsistent. Relation between hosts and
> ips is treated as 1-to-1 where it's 1-to-many.

> But that's my just opinion - that command interface is inconsistent.

... and with eg. HTTP hosts the relation can also be many-to-1.
with the general case being many-to-many, i'd vote for an update to
the manual page stating the "deficiency", especially with your nice
workaround:

> ip=`host smtp.o2.pl | cut -f4 -d' ' | paste -s -d, -`
> ${ipfw} add tcp from any to ${ip} setup

clemens

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 25 11:04:26 2003
Date: Mon, 25 Aug 2003 11:04:22 -0700 (PDT)
Message-Id: <200308251804.h7PI4Me0031197@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/03/23] kern/50216  ipfw  kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/03/12] bin/49959   ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo

8 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 25 16:54:30 2003
Date: Mon, 25 Aug 2003 23:54:26 +0000
From: Philip Reynolds
To: freebsd-ipfw@freebsd.org
Reply-To: philip.reynolds@rfc-networks.ie
Message-ID: <20030825235426.GA74887@rfc-networks.ie>
In-Reply-To: <3F47C30C.8070102@fork.pl>
References: <20030822200153.V84903-100000@gateway.posi.net> <3F47C30C.8070102@fork.pl>
Subject: Re: hostnames resolving problem
X-Operating-System: FreeBSD 4.7-STABLE

Marcin Gryszkalis 33 lines of wisdom included:
> On 2003-08-23 05:11, Kelly Yancey wrote:
> > The name resolution feature is already questionable: if the DNS mapping
> > changes, should the firewall rule somehow be magically updated? I mean,
> > you *did* ask for packets to be allowed to smtp.o2.pl didn't you?
> I understand the point of view that it's questionable, but - as it *is*
> implemented, it's just inconsistent. Relation between hosts and ips
> is treated as 1-to-1 where it's 1-to-many.
>
> I know I can just write
>
> ip=`host smtp.o2.pl | cut -f4 -d' ' | paste -s -d, -`
> ${ipfw} add tcp from any to ${ip} setup
>
> or something similar instead of changing ipfw code. But that's my just
> opinion - that command interface is inconsistent.

Perhaps where more than one host is returned, the user should
receive a warning?

Regards,
--
Philip Reynolds                     | RFC Networks Ltd.
philip.reynolds@rfc-networks.ie     | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil | www.rfc-networks.ie

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 26 04:58:26 2003
Date: Tue, 26 Aug 2003 04:58:26 -0700 (PDT)
From: Ceri Davies
Message-Id: <200308261158.h7QBwQ1E064380@freefall.freebsd.org>
To: ceri@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/55984: [patch] time based firewalling support for ipfw2

Synopsis: [patch] time based firewalling support for ipfw2

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: ceri
Responsible-Changed-When: Tue Aug 26 04:58:05 PDT 2003
Responsible-Changed-Why:
Assign this to the ipfw maintainers.

http://www.freebsd.org/cgi/query-pr.cgi?pr=55984

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 26 23:29:50 2003
Message-ID: <3F4C4F9E.9060500@nettmail.de>
Date: Wed, 27 Aug 2003 08:28:46 +0200
From: michael
To: freebsd-ipfw@freebsd.org
Subject: have anyone does ip accounting?

Hi,

i would like to know how to do ip-accounting on a FreeBSD box with an
ipfw firewall. Can anyone help me?

thanks for all

btw
michael

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 27 09:49:47 2003
Date: Wed, 27 Aug 2003 18:49:43 +0200
Message-ID: <3F43400E00005CB9@ims3a.cp.tin.it>
From: frgaddeo@tin.it
To: freebsd-ipfw@freebsd.org
Subject: ipfw demon

Hi all

An Information Please.
When you run ipfw in freebsd, what demon does ps -aux show?

Thanks
Francesco

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 27 12:06:37 2003
To: freebsd-ipfw@freebsd.org
Message-ID: <1062011192.3f4d01387c3a1@mx5.internett.de>
Date: Wed, 27 Aug 2003 21:06:32 +0200 (CEST)
From: michael
References: <20030827190045.5FA4B16A5AC@hub.freebsd.org>
In-Reply-To: <20030827190045.5FA4B16A5AC@hub.freebsd.org>
Subject: Re: ipfw demon

> Hi all
> An Information Please.
> When you run ipfw in freebsd, what demon does ps -aux show?
> Thanks
> Francesco

You can't see an extra process for ipfw;
ipfw is directly implemented in the kernel or
it is a kernel module.

use kldstat to see it if it is a kernel module
(eg. you use the generic kernel)

btw
michael

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 27 12:25:40 2003
To: Michael Sierchio
Message-ID: <1062012337.3f4d05b194524@mx5.internett.de>
Date: Wed, 27 Aug 2003 21:25:37 +0200 (CEST)
From: michael
Cc: michael, freebsd-ipfw@freebsd.org
References: <20030827190045.5FA4B16A5AC@hub.freebsd.org> <1062011192.3f4d01387c3a1@mx5.internett.de> <3F4D0222.7010402@tenebras.com>
In-Reply-To: <3F4D0222.7010402@tenebras.com>
Subject: Re: ipfw demon

Quoting Michael Sierchio :

> michael wrote:
> >>Hi all
> >>An Information Please.
> >>When you run ipfw in freebsd, what demon does ps -aux show?
> >>Thanks
> >>Francesco
> >
> > You can't see an extra process for ipfw,
> > ipfw is directly implemented in the kernel or
> > it is a kernel module
> >
> > use kldstat to see it if it is a kernel module
> > (eg. you use the generic kernel)
>
> ipfw is not in the kernel, and is not a kernel module.
> ipfw is the userland command that manipulates rulesets
> and dummynet pipes and queues, and reports the internal
> state of ipfirewall -- which is in the kernel or a loadable
> module.

Hi,

okay okay, what you say is more correct: ipfw is only the
control frontend to the ipfilter/netfilter implementation under
FreeBSD :-).

May i think the question from frgaddeo@tin.it sounds like:
can i see a process for the ipfw/ipfilter/ipfirewall if it is
running or active? Or i have misunderstood it.

Many thanks for this hint.

Have a good time
michael

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 28 03:54:02 2003
Date: Thu, 28 Aug 2003 12:54:34 +0200
From: Socketd
To: freebsd-ipfw@freebsd.org
Message-Id: <20030828125434.0256b38f.db@traceroute.dk>
Subject: ipfw newbie

Hi

I am setting up a gateway for a friend and he wants it to firewall and
traffic shape.

The network:

    Router (running NAT and PPP)
      |(192.168.1.1)
      |(no ip)
    Gateway (FreeBSD 5.1, ipfw + dummynet and DHCP to the LAN)
      |(192.168.2.1 to the LAN and 192.168.3.1 to the DMZ)
      |\
      | \
      |  DMZ (192.168.3.0/24)
    LAN (192.168.2.0/24)

I have been asking around whether I should NAT the DMZ. People had
different opinions on that and I chose to NAT it.

Now what I want is: Allow all traffic _from_ LAN and DMZ and out. Also
allow all traffic between the two. DMZ traffic should have 100 times the
weight of LAN traffic.

So I was thinking if this maybe right? (I can't test the firewall before
returning it, so the configuration has to be correct):

//Give DMZ 100 times more weight than LAN
pipe 10 config bw 512Kbit/s
pipe 20 config bw 2Mbit/s
add pipe 10 ip from any to any out
add pipe 20 ip from any to any in
queue 100 config pipe 10 weight 100
queue 200 config pipe 20 weight 100
queue 300 config pipe 10 weight 1
queue 400 config pipe 20 weight 1

//rl1 is the NIC to the router (rl0 = LAN, de0 = DMZ)
add queue 100 ip from 192.168.3.0/24 to any out via rl1
add queue 200 ip from any to 192.168.3.0/24 in via rl1
add queue 300 ip from 192.168.2.0/24 to any out via rl1
add queue 400 ip from any to 192.168.2.0/24 in via rl1

//Allow all traffic _from_ LAN and DMZ
add allow all from 192.168.0.0/255.255.0.0 to any

//Here I will specify what traffic to allow to the DMZ

//And I want this at the end:
deny all from any to any

And then set net.inet.ip.fw.one_pass: 0

Is this about right? And is it "normal" to place the firewalling rules
after the pipes?

Hope someone will help. btw please cc to me as I am not on the list.

br
socketd

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 28 20:08:20 2003
Message-ID: <20030829030819.48897.qmail@web14205.mail.yahoo.com>
Date: Thu, 28 Aug 2003 20:08:19 -0700 (PDT)
From: Joseph Levi
To: freebsd@gndrsh.dnsmgr.net, freebsd-ipfw@freebsd.org
Subject: MBR Question

I saw a message you posted re: how the MBR works
(http://www.geocrawler.com/archives/3/152/2000/3/550/3491517/) and had
some technical questions I'd like to ask. What is a good way to contact
you?

Thank you.
Joe

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 29 05:48:27 2003
Date: Fri, 29 Aug 2003 14:45:55 +0200
Message-ID: <0AF1BBDF1218F14E9B4CCE414744E70F07DF28@exchange.wanglobal.net>
Thread-Topic: verrevpath - denies local multicast. Is this intended?
From: Sten Daniel Sørsdal
To: freebsd-ipfw@freebsd.org
Subject: verrevpath - denies local multicast. Is this intended?

when using verrevpath it seems to drop local multicast packets such as RIP2.

i use it as suggested;

deny log ip from any to any not verrevpath

logentry:

Aug 29 14:32:08 fictious /kernel: ipfw: 1011 Deny UDP 80.86.140.54:520 224.0.0.9:520 in via fxp1

i read in /sys/netinet/ip_fw2.c:

/*
 * The 'verrevpath' option checks that the interface that an IP packet
 * arrives on is the same interface that traffic destined for the
 * packet's source address would be routed out of. This is a measure
 * to block forged packets. This is also commonly known as "anti-spoofing"
 * or Unicast Reverse Path Forwarding (Unicast RFP) in Cisco-ese. The
 * name of the knob is purposely reminisent of the Cisco IOS command,
 *
 * ip verify unicast reverse-path
 *
 * which implements the same functionality. But note that syntax is
 * misleading. The check may be performed on all IP packets whether unicast,
 * multicast, or broadcast.
 */

does this mean it should deny multicast and broadcasts or that it really
should verify that the multicast path is correct?
i'm a little confused since it does allow dhcp (broadcast) to function.

- Sten

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 29 12:18:58 2003
Date: Fri, 29 Aug 2003 12:18:30 -0700 (PDT)
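A model of the reverse-path check as the quoted ip_fw2.c comment describes it, added here as an example (it is not the kernel's code and says nothing about Sten's actual routing): the routing table and interface names are constructed so that the logged source is reachable through a different interface than the one it arrived on, which makes the model reach the same verdict as the log line while showing that the multicast destination plays no part in the decision.

```python
import ipaddress
import re

# Constructed routing table for the model: (prefix, outgoing interface).
# Sample values only, not the routes on the box that produced the log.
# The longest matching prefix wins, as in the kernel's route lookup.
ROUTES = [
    ("0.0.0.0/0", "fxp0"),         # default route towards the upstream
    ("80.86.140.0/24", "fxp0"),    # the logged source's network sits behind fxp0
    ("192.168.10.0/24", "fxp1"),   # an internal LAN on fxp1
]

def route_iface(src, routes=ROUTES):
    """Interface the kernel would send traffic *to src* out of (longest-prefix
    match), or None when no route covers src."""
    addr = ipaddress.ip_address(src)
    best_net, best_if = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    return best_if

def verrevpath(src, in_iface, routes=ROUTES):
    """The check from the comment: pass only when the packet arrived on the
    interface its source address would be routed out of.  The destination is
    never consulted, so unicast, multicast and broadcast packets are judged
    the same way; a source with no route at all fails the check."""
    return route_iface(src, routes) == in_iface

def verdict(src, in_iface, routes=ROUTES):
    """'deny log ip from any to any not verrevpath' as a decision for one
    inbound packet: 'Deny' when the reverse-path check fails, otherwise 'Pass'
    (the packet continues to the rules that follow)."""
    return "Pass" if verrevpath(src, in_iface, routes) else "Deny"

# Shape of the ipfw log line quoted in the mail: rule number, action,
# protocol, src:port, dst:port, direction and interface.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):\d+ in via (?P<iface>\S+)")

def replay(log_line, routes=ROUTES):
    """Re-run the model on a logged packet; returns (destination is multicast?,
    action in the log, action the model gives) so the two can be compared."""
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError("not an inbound ipfw log line: %r" % log_line)
    dst_is_mcast = ipaddress.ip_address(m["dst"]).is_multicast
    return dst_is_mcast, m["action"], verdict(m["src"], m["iface"], routes)

# The log line from the mail, hostname as logged there.
STEN_LINE = ("Aug 29 14:32:08 fictious /kernel: ipfw: 1011 Deny UDP "
             "80.86.140.54:520 224.0.0.9:520 in via fxp1")
```

With the constructed table the RIP2 packet is denied because its source is routed via fxp0, not because 224.0.0.9 is multicast; the same source arriving on fxp0 passes.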
From: Kelly Yancey
To: Philip Reynolds
Cc: freebsd-ipfw@freebsd.org, luigi@freebsd.org
In-Reply-To: <20030825235426.GA74887@rfc-networks.ie>
Message-ID: <20030829121458.W4705-100000@gateway.posi.net>
Subject: Re: hostnames resolving problem

On Mon, 25 Aug 2003, Philip Reynolds wrote:

> Marcin Gryszkalis 33 lines of wisdom included:
> > On 2003-08-23 05:11, Kelly Yancey wrote:
> > > The name resolution feature is already questionable: if the DNS mapping
> > > changes, should the firewall rule somehow be magically updated? I mean,
> > > you *did* ask for packets to be allowed to smtp.o2.pl didn't you?
> > I understand the point of view that it's questionable, but - as it *is*
> > implemented, it's just inconsistent. Relation between hosts and ips
> > is treated as 1-to-1 where it's 1-to-many.
> >
> > I know I can just write
> >
> > ip=`host smtp.o2.pl | cut -f4 -d' ' | paste -s -d, -`
> > ${ipfw} add tcp from any to ${ip} setup
> >
> > or something similar instead of changing ipfw code. But that's my just
> > opinion - that command interface is inconsistent.
>
> Perhaps where more than one host is returned, the user should
> receive a warning?
>

Great idea. How about something along the lines of this (untested) patch:

RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.4.2.17
diff -u -p -r1.4.2.17 ipfw2.c
--- ipfw2.c	25 Jul 2003 08:23:07 -0000	1.4.2.17
+++ ipfw2.c	29 Aug 2003 19:14:33 -0000
@@ -1879,6 +1879,10 @@ lookup_host (char *host, struct in_addr
 		if ((he = gethostbyname(host)) == NULL)
 			return(-1);
 		*ipaddr = *(struct in_addr *)he->h_addr_list[0];
+		if (he->h_addr_list[1] != NULL) {
+			warn("%s resolved to multiple addresses, only using %s",
+			    host, inet_ntoa(*ipaddr));
+		}
 	}
 	return(0);
 }

  Kelly

--
Kelly Yancey -- kbyanc@{posi.net,FreeBSD.org} -- kelly@nttmcl.com
Join distributed.net Team FreeBSD: http://www.posi.net/freebsd/Team-FreeBSD/
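Review bot: warn() is the wrong call for the message added in lookup_host; it appends strerror(errno) to whatever it prints, and a name resolving to several addresses has set no errno, so the user gets an unrelated or stale error text after "only using %s". warnx() takes the same format and arguments and prints just the message. Worth noting as well that after the warning the function still returns 0 and the rule is installed with h_addr_list[0] only, so the condition shows up on stderr but not in the exit status; a caller that scripts ipfw cannot detect it without parsing the output.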
From owner-freebsd-ipfw@FreeBSD.ORG Sat Aug 30 07:07:06 2003
From: "Clemens Fischer"
To: "Kelly Yancey"
Cc: freebsd-ipfw@freebsd.org, luigi@freebsd.org
Date: 30 Aug 2003 16:07:00 +0200
In-Reply-To: <20030829121458.W4705-100000@gateway.posi.net> (Kelly Yancey's message of "Fri, 29 Aug 2003 12:18:30 -0700 (PDT)")
References: <20030829121458.W4705-100000@gateway.posi.net>
Subject: Re: hostnames resolving problem

* Kelly Yancey:

> diff -u -p -r1.4.2.17 ipfw2.c
> --- ipfw2.c	25 Jul 2003 08:23:07 -0000	1.4.2.17
> +++ ipfw2.c	29 Aug 2003 19:14:33 -0000
> @@ -1879,6 +1879,10 @@ lookup_host (char *host, struct in_addr
>  		if ((he = gethostbyname(host)) == NULL)
>  			return(-1);
>  		*ipaddr = *(struct in_addr *)he->h_addr_list[0];
> +		if (he->h_addr_list[1] != NULL) {
> +			warn("%s resolved to multiple addresses, only using %s",
> +			    host, inet_ntoa(*ipaddr));
> +		}

that would not be my cup of tea, because by this ipfw(8) becomes
"unscriptable", ie. i'd have to grep(1) for messages and start from
scratch again. i guess this problem should be detected and handled
ahead of running ipfw(8). note that you can always use `-p
preprocessor' for this.

clemens
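One way to do that detection ahead of ipfw(8), added here as an example and not taken from the thread or from ipfw itself: a small Python script that reads host(1) output, keeps every IPv4 address (the `cut -f4` in the quoted one-liner takes a wrong word from alias and IPv6 lines), emits one rule with the comma-separated list exactly as that workaround does, and refuses to emit a rule at all when nothing resolved. The resolver outputs and addresses below are constructed.

```python
import re
import subprocess

# One host(1) line per A record, e.g. "smtp.o2.pl has address 1.2.3.4".
# Alias lines ("X is an alias for Y.") and AAAA lines ("X has IPv6 address
# ...") deliberately do not match; 'cut -f4' would pick "alias"/"address"
# out of them and hand ipfw garbage.
A_RECORD = re.compile(r"^(?P<name>\S+) has address (?P<addr>\d{1,3}(?:\.\d{1,3}){3})$")

def ipv4_addresses(host_output):
    """Every IPv4 address in host(1) output, in order, duplicates dropped."""
    addrs = []
    for line in host_output.splitlines():
        m = A_RECORD.match(line.strip())
        if m and m["addr"] not in addrs:
            addrs.append(m["addr"])
    return addrs

def ipfw_rule(hostname, host_output,
              template="add tcp from any to {addrs} setup"):
    """Render the rule for hostname from already captured resolver output.
    ipfw's own lookup keeps only the first address; here all of them go into
    one comma-separated destination list, which ipfw2 accepts (the quoted
    workaround relies on that).  No address at all raises, so a script using
    this stops instead of installing a rule with an empty destination."""
    addrs = ipv4_addresses(host_output)
    if not addrs:
        raise LookupError("%s did not resolve to an IPv4 address" % hostname)
    return template.format(addrs=",".join(addrs))

def resolve_and_render(hostname, template="add tcp from any to {addrs} setup"):
    """Live variant: run host(1) (needs a working resolver) and render."""
    out = subprocess.run(["host", hostname], capture_output=True, text=True).stdout
    return ipfw_rule(hostname, out, template)

# Constructed resolver outputs (documentation addresses, not real lookups).
MULTI = ("smtp.o2.pl has address 192.0.2.10\n"
         "smtp.o2.pl has address 192.0.2.11\n"
         "smtp.o2.pl has IPv6 address 2001:db8::25\n")
ALIAS = ("mail.example.net is an alias for smtp.example.net.\n"
         "smtp.example.net has address 198.51.100.7\n")
NXDOMAIN = "Host nosuch.example.invalid not found: 3(NXDOMAIN)\n"

if __name__ == "__main__":
    for name, out in (("smtp.o2.pl", MULTI), ("mail.example.net", ALIAS)):
        print(ipfw_rule(name, out))
```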