From owner-freebsd-ipfw@FreeBSD.ORG Sun Feb 4 14:44:48 2007
From: AstraSerg
Organization: Proc.ru
To: freebsd-ipfw@freebsd.org
Date: Sun, 4 Feb 2007 17:10:38 +0300
User-Agent: KMail/1.9.5
Message-Id: <200702041710.38797.astraserg@proc.ru>
Reply-To: astraserg@proc.ru
List-Id: IPFW Technical Discussions
Subject: Big tables deny packets

Good day,

I use big tables in my ipfw. There are some troubles:

gate# date ; ipfw show 2101 2102 2103
Sun Feb 4 17:07:01 MSK 2007
02101   97  5800 skipto 2102 ip from 192.168.122.17 to any
02102  150 10348 deny ip from table(64) to any
02103    0     0 skipto 2104 ip from 192.168.122.17 to any
gate#
gate# date ; ipfw show 2101 2102 2103
Sun Feb 4 17:07:29 MSK 2007
02101  102  6100 skipto 2102 ip from 192.168.122.17 to any
02102  155 10648 deny ip from table(64) to any
02103    0     0 skipto 2104 ip from 192.168.122.17 to any
gate#

Why is counter 2103 not growing?

gate# ipfw table 64 list | grep 192.168.122
192.168.122.2/32 0
192.168.122.5/32 0
192.168.122.15/32 0
192.168.122.16/32 0
192.168.122.131/32 0
192.168.122.135/32 0
192.168.122.146/32 0
gate#

and

gate# ipfw table 64 list | grep -v /32
gate#

gate# uname -a
FreeBSD gate.proc.ru 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #1: Tue Oct 10 21:48:09 MSD 2006

Thanks
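The check the poster does by hand with grep (is 192.168.122.17 covered by anything in table 64?), as an added example that is not part of the original post. It parses the text form of "ipfw table N list" (one "prefix/len value" entry per line) and reports every entry whose prefix contains the queried host, so a broad prefix such as a /16 or a /0, which a grep for the host's octets or a grep -v /32 can easily be misread around, is found by an actual longest-prefix match rather than by eye. The sample listing is constructed from the /32 entries quoted above; the host addresses and the broad-prefix case in the usage note are assumptions for the demonstration.

```python
"""Report which entries of an ipfw table cover a given host address.

Added example for this thread, not code from the original post. Input is the
text that ``ipfw table N list`` prints ("prefix/len value" per line).
"""
import ipaddress

# Constructed sample: the table 64 entries the poster showed (host routes only).
SAMPLE_TABLE_LISTING = """\
192.168.122.2/32 0
192.168.122.5/32 0
192.168.122.15/32 0
192.168.122.16/32 0
192.168.122.131/32 0
192.168.122.135/32 0
192.168.122.146/32 0
"""


def parse_table_listing(text):
    """Return a list of (network, value) tuples from ``ipfw table N list`` output."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        prefix, _, value = line.partition(" ")
        # a bare address without a /len is a host entry, i.e. /32
        net = ipaddress.ip_network(prefix, strict=False)
        entries.append((net, int(value) if value else 0))
    return entries


def covering_entries(entries, host):
    """All entries whose prefix contains ``host``, most specific first."""
    addr = ipaddress.ip_address(host)
    hits = [(net, val) for net, val in entries if addr in net]
    return sorted(hits, key=lambda e: e[0].prefixlen, reverse=True)


def would_rule_match(listing_text, host):
    """True if ``deny ip from table(N) to any`` would fire for packets from ``host``."""
    return bool(covering_entries(parse_table_listing(listing_text), host))


if __name__ == "__main__":
    entries = parse_table_listing(SAMPLE_TABLE_LISTING)
    for host in ("192.168.122.17", "192.168.122.135"):
        hits = covering_entries(entries, host)
        print(host, "->", [str(n) for n, _ in hits] or "no entry covers this host")
```

Against the listing above the check reports no covering entry for 192.168.122.17, which is consistent with the poster's grep output; appending a constructed line such as "192.168.0.0/16 0" to the listing makes that /16 show up as the covering entry, which is the case a visual scan of a large table tends to miss.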
From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 5 11:11:27 2007
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 5 Feb 2007 11:11:21 GMT
Message-Id: <200702051111.l15BBLHR025951@freefall.freebsd.org>
List-Id: IPFW Technical Discussions
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o conf/78762   ipfw  [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewal
o bin/80913    ipfw  [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw  ipfw pipe lost packets
o kern/95084   ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw  [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw  [ipfw] [panic] ipfw + dummynet

14 problems total.

Non-critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw  [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw  [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw  [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw  [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw  [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw  sugestions about ipfw table
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q

20 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 8 14:39:21 2007
From: "The Admiral"
To: freebsd-ipfw@freebsd.org
Date: Wed, 7 Feb 2007 19:25:12 -0500
Message-ID: <66f7e7af0702071625m7e5b98dbo76c8068ea936ed23@mail.gmail.com>
In-Reply-To: <1170395697.21151.18.camel@tick.tock>
References: <66f7e7af0702011304m61385124r5876e0af3d767a55@mail.gmail.com> <002401c74657$6b169690$0205000a@white> <66f7e7af0702011611v155a3c2h6a26152d7faf9796@mail.gmail.com> <000001c74663$212a10a0$0205000a@white> <66f7e7af0702011759t1b4ba6a8jb988d68fe5595601@mail.gmail.com> <1170395697.21151.18.camel@tick.tock>
List-Id: IPFW Technical Discussions
Subject: Re: rc.firewall script not running at system boot

On 2/2/07, Josh wrote:
>
> On Thu, 2007-02-01 at 20:59 -0500, The Admiral wrote:
> > On 2/1/07, Dewayne Geraghty wrote:
> >
> > I tried executing "/etc/rc.d/ipfw restart" and sure enough, it showed that
> > one of my firewall rules was mistakenly entered as "addpass" while it
> > should've been "add pass". I corrected the typo, but the strange thing is,
> > when I reboot, it still doesn't work! Running the firewall command manually
> > works without error, but it isn't executed at boot. Any other ideas? I was
> > sure that the typo was the problem, unfortunately that's not the case. Oh
> > well, at least it seems I'm getting closer to a solution! Thanks,
>
> I have always written my own firewall rules into their own shell script
> and launch it from /etc/rc.local
>
> You could just add
> /etc/rc.firewall client
> to /etc/rc.local and do away with any of the traditional stuff in
> rc.conf

Well, I ended up moving all my firewall commands from /etc/rc.firewall into
rc.local like you suggested and it works fine now. Strange that it suddenly
stopped working from inside rc.firewall. I even tried disabling pretty much
everything from rc.conf except for the pertinent firewall lines, and it
still wouldn't execute any of my firewall commands. Oh well, at least it's
working now. If anyone has any other suggestions of what to try, please let
me know, otherwise I'll just leave it at that.

Thanks,
Mike
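The failure mode in this thread, a rule line typed as "addpass" instead of "add pass", is the kind of typo ipfw rejects, and when a firewall script stops at such a line nothing after it is loaded. A pre-reboot lint of the script catches it before the box comes up with an incomplete ruleset. The following is an added example, not code from any of the posters or from FreeBSD: it scans rc.firewall-style shell lines (${fwcmd} add ..., ipfw -q add ...) and bare rules files for ipfw lines whose verb is not one it knows. KNOWN_VERBS is a subset of ipfw(8) subcommands chosen for the example, and the sample script is constructed, not the poster's actual rc.firewall. On a FreeBSD host, ipfw's own syntax-only mode (ipfw -n) is the authoritative check; this script is only the cheap first pass that can run anywhere.

```python
"""Lint a firewall script for ipfw lines whose command verb is unknown.

Added example for this thread, not code from the original posts or from
FreeBSD. Catches typos such as "addpass" before the script is run at boot.
"""
import re

# ipfw(8) subcommands accepted as the word after the ipfw invocation
# (a subset chosen for this example).
KNOWN_VERBS = {"add", "delete", "flush", "zero", "resetlog", "enable", "disable",
               "set", "table", "pipe", "queue", "list", "show", "nat"}

# An ipfw invocation as written in rc.firewall-style scripts: ${fwcmd}, $fwcmd
# or a literal ipfw, optionally followed by option flags such as -q or -f.
_INVOCATION = re.compile(r'^(?:\$\{?fwcmd\}?|ipfw)(?:\s+-\S+)*\s+')

# Constructed sample script; line 4 carries the typo discussed in the thread.
SAMPLE_RC_FIREWALL = """\
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} add pass all from any to any via lo0
${fwcmd} addpass tcp from any to me 22 setup   # the typo from the thread
${fwcmd} add deny ip from table(64) to any
"""


def ipfw_verb(line, rules_file=False):
    """Return the ipfw verb on a line, or None if the line carries no ipfw command.

    With rules_file=True the line comes from a bare rules file (the form that
    ``ipfw /path/to/rules`` loads), so its first word is the verb itself.
    """
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    if rules_file:
        return stripped.split()[0]
    m = _INVOCATION.match(stripped)
    if m is None:
        return None  # ordinary shell code, not an ipfw invocation
    words = stripped[m.end():].split()
    return words[0] if words else ""


def lint_script(text, rules_file=False):
    """Return (line_number, verb) for every ipfw line whose verb is not known."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        verb = ipfw_verb(line, rules_file)
        if verb is not None and verb not in KNOWN_VERBS:
            problems.append((n, verb))
    return problems


if __name__ == "__main__":
    for n, verb in lint_script(SAMPLE_RC_FIREWALL):
        print(f"line {n}: unknown ipfw command '{verb}'")
```

Run against the constructed sample it reports line 4 ("addpass"); the shell assignment on line 1 and the flagged "-f flush" on line 2 pass, since the checker only looks at the word after the ipfw invocation and its option flags.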