From owner-freebsd-ipfw Sun Jan 21 9:29:29 2001

From: Jason Hunt
To: freebsd-ipfw@freebsd.org
Subject: ipfw troubles..
Date: Sun, 21 Jan 2001 11:28:55 -0600
Message-ID: <3A6B1C57.4FC7334B@blaz.niinet.net>

hello,

I am having a little trouble with my rules that I don't fully understand. I have the following in my ipfw rules but it's not working the way I would expect:

  # Allow ICQ Server Packets
  add allow tcp from any 5190 to any via xl0

  # Allow ICQ Client-to-Client communications
  add allow tcp from any 1024-65535 to any 1024-65535 in recv xl0

my firewall has xl0 connected to the cable modem, and xl1 is connected to the local LAN. Machines behind the firewall can not access ICQ though, or some other services. How can I basically allow everything that can get to the firewall through to my LAN?

thanks for any help.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From: Murat SULUHAN
To: Jason Hunt
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw troubles..
Date: Sun, 21 Jan 2001 22:32:34 +0200
Message-Id: <20010121203234.SPF13708.lale@[195.155.1.6]>

Hi

There are no special rules for ICQ2000. In the ICQ->Preferences->Connections window you should tell ICQ "I am behind the firewall", set up the other settings and just click the "Auto Configure..." button.

I hope this helps

Best Wishes
Murat SULUHAN

> From: Jason Hunt
> Date: 2001/01/21 Sun AM 11:28:55 GMT+02:00
> To: freebsd-ipfw@freebsd.org
> Subject: ipfw troubles..
>
> hello,
>
> I am having a little trouble with my rules that I don't
> fully understand. I have the following in my ipfw rules
> but its not working the way I would expect:
>
> # Allow ICQ Server Packets
> add allow tcp from any 5190 to any via xl0
>
> # Allow ICQ Client-to-Client communications
> add allow tcp from any 1024-65535 to any 1024-65535 in recv xl0
>
> my firewall has xl0 connected to cable modem, and xl1 is connected
> to local lan. Machines behind the firewall can not access icq
> though, or some other services. How can I basically allow
> everything that can get to the firewall through to my lan?
>
> thanks for any help.
From: "Crist J. Clark"
To: Jason Hunt
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw troubles..
Date: Sun, 21 Jan 2001 14:02:43 -0800
Message-ID: <20010121140243.T10761@rfx-216-196-73-168.users.reflex>
In-Reply-To: <3A6B1C57.4FC7334B@blaz.niinet.net>

On Sun, Jan 21, 2001 at 11:28:55AM -0600, Jason Hunt wrote:
> hello,
>
> I am having a little trouble with my rules that I don't
> fully understand. I have the following in my ipfw rules
> but its not working the way I would expect:
>
> # Allow ICQ Server Packets
> add allow tcp from any 5190 to any via xl0
>
> # Allow ICQ Client-to-Client communications
> add allow tcp from any 1024-65535 to any 1024-65535 in recv xl0
>
> my firewall has xl0 connected to cable modem, and xl1 is connected
> to local lan. Machines behind the firewall can not access icq
> though, or some other services.
> How can I basically allow
> everything that can get to the firewall through to my lan?

Go to Yahoo!. Search for 'icq firewall.' The first link is,

  http://www.icq.com/icqtour/firewall/

In there you will find,

  http://www.icq.com/icqtour/firewall/netadmin.html

Now, go look at the bottom of the page where they make the little caveat about, ugh, "IP-Masquerading" (known as NAT to the civilized world). That's you. That's why it does not all work. It is not an open-closed firewall ports issue.
-- 
Crist J. Clark                           cjclark@alum.mit.edu


From: "Cambria, Mike"
To: cjclark@alum.mit.edu, The Babbler
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: RE: IPSEC tunnelling
Date: Sun, 21 Jan 2001 19:35:40 -0500
Message-ID: <3A6D367EA1EFD4118C9B00A0C9DD99D7064AE8@rerun.lucentctc.com>

FYI -- I'm doing it now. If you can read this it works with the following high level setup:

I'm using IPSec tunnel mode, with ESP, but no authentication. I'm also not using AH.

I'm also using FreeBSD 4.2-Stable (3.4-Stable didn't work for me; upgrading to 4.2 now does)

MikeC

Michael C. Cambria                     Avaya Inc.
Former Enterprise Networks Group of Lucent Technologies
Voice: (978) 287 - 2807                300 Baker Avenue
Fax:   (978) 381 - 6415                Concord, Massachusetts 01742
Internet: mcambria@avaya.com

-----Original Message-----
From: Crist J. Clark [mailto:cjclark@reflexnet.net]
Sent: Sunday, January 21, 2001 2:24 AM
To: The Babbler
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPSEC tunnelling

On Sun, Jan 21, 2001 at 12:40:37AM -0500, The Babbler wrote:
>
> I realize that the official charter of this group is to work on the
> *new* firewall code, and I'm working at RELEASE, which doesn't qualify,
> but I have tried freebsd-questions and been met with overwhelming
> silence, and this seems to me to be the closest group, so I hope you
> folks will be willing to indulge me. And pointing me at the doc is more
> than fine. I've tried searching the www.freebsd.org site, but didn't
> find anything relevant there. Of course I can't recall any occasion
> when I ever have . . .
>
> Anyway, I'm trying to get my FreeBSD gateway/firewall machine set up so
> that it will allow my wife's VPN access to work; this requires IPSEC
> packets to get through.
>
> Has anybody done this? Any helpful hints?

Yes, I have done it. But it depends on the VPN implementation. NAT, the basic concept, not natd(8), just plain breaks some aspects of IPSEC. If the VPN you are trying to use enforces a policy that will not work through NAT... it won't work through NAT.

Do you know what the policies of the VPN are? What do the logs on the client (which you should have access to) and the server (which you may not have access to) look like?
-- 
Crist J. Clark                           cjclark@alum.mit.edu


From: "Crist J. Clark"
To: "Cambria, Mike"
Cc: The Babbler, freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPSEC tunnelling
Date: Sun, 21 Jan 2001 17:38:08 -0800
Message-ID: <20010121173807.B10761@rfx-216-196-73-168.users.reflex>
In-Reply-To: <3A6D367EA1EFD4118C9B00A0C9DD99D7064AE8@rerun.lucentctc.com>

On Sun, Jan 21, 2001 at 07:35:40PM -0500, Cambria, Mike wrote:
>
> FYI -- I'm doing it now. If you can read this it works with the following
> high level setup:
>
> I'm using IPSec tunnel mode, with ESP, but no authentication. I'm also not
> using AH.

Tunnel mode is troublesome to mix with NAT. AH is impossible to run through NAT.
-- 
Crist J. Clark                           cjclark@alum.mit.edu


From: Giannis Ritsioudis
To: freebsd-ipfw
Subject: NAT references
Date: Mon, 22 Jan 2001 13:53:20 +0200 (EET)
Message-ID: <980164400.3a6c1f305f0ef@webmail.telehorizon.com>

Hi there,

Can anyone tell me some good sites about how to install NAT ??
Thanks in advance
//Giannis
-------------------------------------------
Mobile : +30937522501
EMail  : Giannis.Ritsioudis@telehorizon.com
http://www.telehorizon.com
-------------------------------------------


From: Yusuf Goolamabbas
To: freebsd-ipfw@freebsd.org
Subject: Sharing a single link evenly
Date: Mon, 22 Jan 2001 23:11:43 +0800
Message-ID: <20010122231143.A3564@outblaze.com>

Hi, Whilst reading Luigi's page on dummynet

  http://www.iet.unipi.it/~luigi/ip_dummynet/

I came across the following paragraph

  If you want all machines to share evenly a single link, you should use instead:
    ipfw add queue 1 ip from any to 10.1.2.0/24
    ipfw queue 1 config weight 5 pipe 2 mask dst-ip 0x000000ff
    ipfw pipe 2 config bw 300Kbit/s

According to the ipfw man page, the value of weight ranges from 1..100. I am trying to get some understanding as to why the value '5' implies evenness. My first thought was that the weight should be 50, but maybe I am misunderstanding some concept, or in this case could the value be anything since we want each flow to have the same weight?
Regards, Yusuf
-- 
Yusuf Goolamabbas
yusufg@outblaze.com


From: Roman Le Houelleur
To: freebsd-ipfw
Cc: freebsd-net
Subject: bandwidth analyser
Date: Mon, 22 Jan 2001 19:45:36 +0100
Message-ID: <3A6C7FD0.7E2ABD65@IPricot.com>

hi,

I use FreeBSD 4.2 stable + bridge + dummynet + ipfw. I would like to calculate the bandwidth of each authorized IP source flowing through the bridge from a user program. As this bandwidth calculation should be done very often (10 to 20 times per second) I first tried to use the if_data structure from sysctl. But it seems the packet counter is only incremented for packets destined to the specified interface, and moreover I wouldn't be able to separate the incoming flows depending on their source addresses.

Does anybody have advice on the best way to achieve this calculation? What about the counter capabilities of ipfw?

Moreover, concerning the bridge, I was wondering if there is a way not to put a third interface in promiscuous mode. As this third NIC exists only for management purposes I don't want it to participate in the bridge in any way.

Thanks,
Roman.
From: Luigi Rizzo
To: roman@IPricot.com (Roman Le Houelleur)
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: bandwidth analyser
Date: Mon, 22 Jan 2001 10:55:21 -0800 (PST)
Message-Id: <200101221855.f0MItLq39152@iguana.aciri.org>
In-Reply-To: <3A6C7FD0.7E2ABD65@IPricot.com>

> hi,
>
> I use FreeBSD 4.2 stable + bridge + dummynet + ipfw.
> I would like to calculate the bandwidth of each
> authorized IP source flowing through the bridge from a
> user program.
> As this bandwidth calculation should be done very often
> (10 to 20 times per second) I first tried to use the if_data
...
> Anybody has an advice on the best way to achieve this
> calculation ? what about the counter capabilities of ipfw ?

i think the ipfw interface to access this info is not very well suited to this kind of task, at least not as often as 20 times per second.

> Moreover, concerning the bridge, I was wondering if
> there is a way not to put a third interface in promiscous

yes, there is a sysctl interface (net.link.ether.bridge_cfg)

see the manpages.

cheers
luigi
----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------


From: Roman Le Houelleur
To: freebsd-ipfw@FreeBSD.ORG
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: bandwidth analyser
Date: Mon, 22 Jan 2001 20:10:27 +0100
Message-ID: <3A6C85A3.9A115BB4@IPricot.com>
In-Reply-To: <200101221855.f0MItLq39152@iguana.aciri.org>

Luigi Rizzo wrote:
>
> > Moreover, concerning the bridge, I was wondering if
> > there is a way not to put a third interface in promiscous
>
> yes, there is asysctl interface (net.link.ether.bridge_cfg)
>
> see the manpages.

actually that's what I did, but I'm still not able to get my third NIC out of the bridge.

If I use

  net.link.ether.bridge_cfg: rl0:0,rl1:1,rl2:1

rl0 is on a separate cluster, so it's usable, but rl0 is still in promiscuous mode.

If I use something like

  net.link.ether.bridge_cfg: rl1:1,rl2:1

then rl0 will by default be part of the same "cluster" as rl1 and rl2.

Have I missed something?

Roman.
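A user-space parser for the net.link.ether.bridge_cfg string format Roman is setting above, added here as an example; it is not code from FreeBSD's bridge.c. It treats either ',' or the terminating NUL as the end of an entry, so the trailing-comma form that Luigi's reply further down gives as a workaround ("rl1:6,rl2:6,") parses exactly like "rl1:6,rl2:6", and it rejects malformed or duplicate entries rather than silently accepting them. The entry limit, struct and function names are the example's own.

```c
/*
 * Parser for the net.link.ether.bridge_cfg string format,
 * "ifname:cluster,ifname:cluster[,]".  Added example, not FreeBSD's
 * bridge.c; the entry limit and names are the example's own.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8
#define IFNAME_MAX 16

struct bridge_entry {
    char ifname[IFNAME_MAX];
    int cluster;
};

/*
 * Returns the number of entries parsed, or -1 on malformed input.
 * An entry ends at ',' or at the terminating NUL, and empty entries are
 * skipped, so "rl1:6,rl2:6," and "rl1:6,rl2:6" parse identically.
 */
int parse_bridge_cfg(const char *cfg, struct bridge_entry *out, int max)
{
    const char *p = cfg;
    int n = 0;

    for (;;) {
        const char *end = p;
        while (*end != ',' && *end != '\0')
            end++;
        if (end > p) {                               /* non-empty entry */
            const char *colon = memchr(p, ':', (size_t)(end - p));
            size_t namelen;
            int cluster = 0;

            if (colon == NULL || colon == p || colon + 1 == end)
                return -1;                           /* need "name:id" */
            namelen = (size_t)(colon - p);
            if (namelen >= IFNAME_MAX)
                return -1;
            for (const char *d = colon + 1; d < end; d++) {
                if (!isdigit((unsigned char)*d) || cluster > 65535)
                    return -1;                       /* cluster id: small integer */
                cluster = cluster * 10 + (*d - '0');
            }
            for (int i = 0; i < n; i++)              /* one entry per interface */
                if (strlen(out[i].ifname) == namelen &&
                    memcmp(out[i].ifname, p, namelen) == 0)
                    return -1;
            if (n == max)
                return -1;
            memcpy(out[n].ifname, p, namelen);
            out[n].ifname[namelen] = '\0';
            out[n].cluster = cluster;
            n++;
        }
        if (*end == '\0')
            break;                                   /* NUL ends the string, not an entry */
        p = end + 1;
    }
    return n;
}

/* Is ifname part of the bridge?  Stores its cluster id if so. */
int bridge_member(const struct bridge_entry *tab, int n, const char *ifname, int *cluster)
{
    for (int i = 0; i < n; i++)
        if (strcmp(tab[i].ifname, ifname) == 0) {
            if (cluster != NULL)
                *cluster = tab[i].cluster;
            return 1;
        }
    return 0;
}

int main(void)
{
    struct bridge_entry tab[MAX_ENTRIES];
    const char *cfgs[] = { "rl0:0,rl1:1,rl2:1", "rl1:6,rl2:6,", "rl1:x" };

    for (size_t i = 0; i < sizeof cfgs / sizeof cfgs[0]; i++) {
        int n = parse_bridge_cfg(cfgs[i], tab, MAX_ENTRIES);
        printf("%-20s -> %d entries; rl0 in bridge: %s\n", cfgs[i], n,
               n > 0 && bridge_member(tab, n, "rl0", NULL) ? "yes" : "no");
    }
    return 0;
}
```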
From: Paul Herman
To: Roman Le Houelleur
Cc: freebsd-ipfw, freebsd-net
Subject: Re: bandwidth analyser
Date: Mon, 22 Jan 2001 20:45:08 +0100 (CET)
In-Reply-To: <3A6C7FD0.7E2ABD65@IPricot.com>

Hello Roman,

On Mon, 22 Jan 2001, Roman Le Houelleur wrote:

> I use FreeBSD 4.2 stable + bridge + dummynet + ipfw. I would like
> to calculate the bandwidth of each authorized IP source flowing
> through the bridge from a user program.
>
> As this bandwidth calculation should be done very often (10 to 20
> times per second) I first tried to use the if_data structure from
> sysctl.

I think /usr/ports/net/argus does some analysis (however I don't think in real time.)

Otherwise (shameless plug) try tcpstat:

  http://www.frenchfries.net/paul/tcpstat/index.html

It's like a vmstat for networks (pcap filters and all), and sounds like what you are describing.

-Paul.
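A per-source rate meter of the kind a libpcap-based tool such as tcpstat computes, written here as an added example (not tcpstat's, argus's or FreeBSD's code) for the requirement Roman states above: bandwidth per authorized source, polled 10 to 20 times a second. It keeps a sliding window per source so each poll only touches the samples that have aged out, and it counts traffic from sources not on the authorized list separately, which on a bridge is the number worth alerting on. The addresses, the window size and the traffic trace are constructed.

```c
/*
 * Per-source-IP bandwidth meter over a sliding window, as a libpcap-based
 * user program would compute it from (timestamp, source, length) records.
 * Added example, not tcpstat, argus or FreeBSD code; traffic is constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 16
#define RING 512                     /* packets remembered per source */

struct src_meter {
    uint32_t addr;                   /* IPv4 source, host byte order */
    uint64_t ts_us[RING];            /* packet timestamps, microseconds */
    uint32_t len[RING];              /* packet lengths, bytes */
    int head, count;                 /* ring buffer: oldest index, fill */
    uint64_t bytes_in_window;        /* running sum of the samples still in window */
};

struct rate_meter {
    struct src_meter src[MAX_SOURCES];
    int nsrc;
    uint64_t window_us;
    uint64_t unauthorized_bytes;     /* bytes from sources not on the list */
};

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

void meter_init(struct rate_meter *m, const uint32_t *authorized, int n, uint64_t window_us)
{
    memset(m, 0, sizeof *m);
    m->window_us = window_us;
    m->nsrc = n > MAX_SOURCES ? MAX_SOURCES : n;
    for (int i = 0; i < m->nsrc; i++)
        m->src[i].addr = authorized[i];
}

static struct src_meter *find_src(struct rate_meter *m, uint32_t addr)
{
    for (int i = 0; i < m->nsrc; i++)
        if (m->src[i].addr == addr)
            return &m->src[i];
    return NULL;
}

/* Drop the oldest samples until all remaining ones lie in (now - window, now]. */
static void expire(struct src_meter *s, uint64_t now_us, uint64_t window_us)
{
    while (s->count > 0 && s->ts_us[s->head] + window_us <= now_us) {
        s->bytes_in_window -= s->len[s->head];
        s->head = (s->head + 1) % RING;
        s->count--;
    }
}

/* Record one packet: 1 = counted for an authorized source, 0 = source not
 * authorized (tallied separately), -1 = ring full, oldest sample evicted. */
int meter_observe(struct rate_meter *m, uint64_t ts_us, uint32_t src, uint32_t len)
{
    struct src_meter *s = find_src(m, src);
    int rc = 1;
    if (s == NULL) {
        m->unauthorized_bytes += len;
        return 0;
    }
    expire(s, ts_us, m->window_us);
    if (s->count == RING) {          /* more packets per window than we track */
        s->bytes_in_window -= s->len[s->head];
        s->head = (s->head + 1) % RING;
        s->count--;
        rc = -1;
    }
    int tail = (s->head + s->count) % RING;
    s->ts_us[tail] = ts_us;
    s->len[tail] = len;
    s->count++;
    s->bytes_in_window += len;
    return rc;
}

/* Bits per second for one authorized source as of now_us; -1 if not on the list. */
double meter_rate_bps(struct rate_meter *m, uint32_t src, uint64_t now_us)
{
    struct src_meter *s = find_src(m, src);
    if (s == NULL)
        return -1.0;
    expire(s, now_us, m->window_us);
    return (double)s->bytes_in_window * 8.0 * 1e6 / (double)m->window_us;
}

/* Constructed trace: 10.0.0.5 sends a 1500-byte packet every 10 ms and 10.0.0.7
 * a 200-byte packet every 25 ms for one second; 10.0.0.99 is not authorized. */
void feed_constructed_trace(struct rate_meter *m)
{
    uint32_t authorized[2] = { ip4(10, 0, 0, 5), ip4(10, 0, 0, 7) };
    meter_init(m, authorized, 2, 100000);            /* 100 ms window: 10 polls/s */
    for (uint64_t t = 0; t < 1000000; t += 10000)
        meter_observe(m, t, authorized[0], 1500);
    for (uint64_t t = 0; t < 1000000; t += 25000)
        meter_observe(m, t, authorized[1], 200);
    meter_observe(m, 500000, ip4(10, 0, 0, 99), 1000);
}

int main(void)
{
    struct rate_meter m;
    feed_constructed_trace(&m);
    printf("10.0.0.5: %.0f bit/s\n", meter_rate_bps(&m, ip4(10, 0, 0, 5), 995000));
    printf("10.0.0.7: %.0f bit/s\n", meter_rate_bps(&m, ip4(10, 0, 0, 7), 995000));
    printf("unauthorized: %llu bytes\n", (unsigned long long)m.unauthorized_bytes);
    return 0;
}
```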
From: Luigi Rizzo
To: roman@IPricot.com (Roman Le Houelleur)
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: bandwidth analyser
Date: Mon, 22 Jan 2001 11:51:35 -0800 (PST)
Message-Id: <200101221951.f0MJpZF39525@iguana.aciri.org>
In-Reply-To: <3A6C85A3.9A115BB4@IPricot.com>

> actually that's what I did, but I'm still not able to have
> my third nic out of the bridge.
> If I use net.link.ether.bridge_cfg: rl0:0,rl1:1,rl2:1
> rl0 is on a separate cluster, so it's useable, but still
> rl0 is in promiscous mode.
> If I use something like net.link.ether.bridge_cfg: rl1:1,rl2:1
> then rl0 will by default be part of the same "cluster" as
> rl1 and rl2.
>
> Have I missed something ?

well, you are hitting a bug or two in bridge.c :)

The quick fix is to use something like

  sysctl -w net.link.ether.bridge_cfg="rl1:6,rl2:6,"

(note the different cluster-id and the trailing character).

The main bug in bridge.c is that the code mistakes the NUL as a separator after the last config. The second bug is that when one interface is disabled, its name is not removed from the list in bdg_stats, so userland utilities still see its name and believe it is still active.

Will have a look at fixing these bugs soon.

cheers
luigi
----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------


From: Julian Elischer
To: Roman Le Houelleur
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: bandwidth analyser
Date: Mon, 22 Jan 2001 12:15:14 -0800
Message-ID: <3A6C94D2.8D41FC4D@elischer.org>
In-Reply-To: <3A6C85A3.9A115BB4@IPricot.com>

Roman Le Houelleur wrote:
>
> Luigi Rizzo wrote:
> >
> > > Moreover, concerning the bridge, I was wondering if
> > > there is a way not to put a third interface in promiscous
> >
> > yes, there is asysctl interface (net.link.ether.bridge_cfg)
> >
> > see the manpages.
>
> actually that's what I did, but I'm still not able to have
> my third nic out of the bridge.
> If I use net.link.ether.bridge_cfg: rl0:0,rl1:1,rl2:1
> rl0 is on a separate cluster, so it's useable, but still
> rl0 is in promiscous mode.
> If I use something like net.link.ether.bridge_cfg: rl1:1,rl2:1
> then rl0 will by default be part of the same "cluster" as
> rl1 and rl2.
>
> Have I missed something ?

try using netgraph bridging. it gives you better control.

> Roman.

-- 
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000
---> X_.---._/  from Perth, presently in:  Budapest
            v


From: Luigi Rizzo
To: yusufg@outblaze.com (Yusuf Goolamabbas)
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Sharing a single link evenly
Date: Mon, 22 Jan 2001 15:46:44 -0800 (PST)
Message-Id: <200101222347.f0MNlPC47720@iguana.aciri.org>
In-Reply-To: <20010122231143.A3564@outblaze.com>

> Hi, Whilst reading Luigi's page on dummynet
>
> http://www.iet.unipi.it/~luigi/ip_dummynet/
>
> I came across the following paragraph
>
> If you want all machines to share evenly a single link, you should use instead:
> ipfw add queue 1 ip from any to 10.1.2.0/24
> ipfw queue 1 config weight 5 pipe 2 mask dst-ip 0x000000ff
> ipfw pipe 2 config bw 300Kbit/s
>
> According to the ipfw man page, the value of weight ranges from 1..100.
> I am trying to get some understanding as to why the value '5' implies
> evenness. My first thought that the weight should be 50 but maybe I am
> misunderstanding some concept or in this case could the value be
> anything since we want each flow to have the same weight ?

exactly - it can be anything, as we just want equal weight (or some preset ratio of weights). I used 5 instead of 50 (or 1, or 100 for that matter) on purpose, to avoid people thinking that the number had something to do with 50%.

cheers
luigi
----------------------------------+-----------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
 http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
 Phone: (510) 666 2927
----------------------------------+-----------------------------------------


From: "Crist J. Clark"
To: Giannis Ritsioudis
Cc: freebsd-ipfw
Subject: Re: NAT references
Date: Mon, 22 Jan 2001 22:39:19 -0800
Message-ID: <20010122223919.R10761@rfx-216-196-73-168.users.reflex>
In-Reply-To: <980164400.3a6c1f305f0ef@webmail.telehorizon.com>

On Mon, Jan 22, 2001 at 01:53:20PM +0200, Giannis Ritsioudis wrote:
> Hi there,
>
> Can anyone tell me some good sites about how to install NAT ??

  $ man natd

Go down to the "RUNNING NATD" section.
-- 
Crist J. Clark                           cjclark@alum.mit.edu


From: "Carlos Andrade"
Subject: ipfw problems with 4.2 upgrade
Date: Tue, 23 Jan 2001 12:58:59 -0700
Message-ID: <000001c08576$edcf6100$fadef9ce@rjstech.com>

IPFIREWALL is set in my kernel, I re-built it thinking that was the problem. I still get the errors at start up:

  ipfw: getsockopt(I{_FW_ADD)): Protocol not available

----
Carlos A. Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13
915.845.2119 fax
carlos@rjstech.com


From: Phil Homewood
To: freebsd-ipfw@freebsd.org
Subject: [security-advisories@FreeBSD.ORG: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw]
Date: Wed, 24 Jan 2001 09:23:06 +1000
Message-ID: <20010124092306.A5425@atlas.bit.net.au>

> FreeBSD-SA-01:08                                            Security Advisory
> Topic:          ipfw/ip6fw allows bypassing of 'established' keyword

> IV.  Workaround
>
> Because the vulnerability only affects 'established' rules and ECE-
> flagged TCP packets, this vulnerability can be removed by adjusting
> the system's rulesets.  In general, it is possible to express most
> 'established' rules in terms of a general TCP rule (with no TCP flag
> qualifications) and a 'setup' rule, but may require some restructuring
> and renumbering of the ruleset.
If my understanding of this is correct, I gather that the following (fictional) ruleset:

00110 allow ip from any to any established
00120 allow ip from any to any frag
00130 allow tcp from 192.168.2.0/24 to 192.168.2.1 22 setup
00140 deny tcp from any to any

could be safely replaced by the following:

00110 allow ip from any to any frag
00120 allow tcp from 192.168.2.0/24 to 192.168.2.1 22 setup
00130 deny tcp from any to any setup
00140 allow tcp from any to any established

with or without the "established" in rule 1300, yes? I'm assuming here that "setup" actually means more than "not established".
--
Phil Homewood                                  pdh@asiaonline.net
Senior Technician                              +61 7 3620 1930
Asia Online                                    http://www.asiaonline.net/

From owner-freebsd-ipfw Tue Jan 23 20:55: 5 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id DD33737B401 for ; Tue, 23 Jan 2001 20:54:48 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 23 Jan 2001 20:53:01 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f0O4suF44928; Tue, 23 Jan 2001 20:54:56 -0800 (PST) (envelope-from cjc)
Date: Tue, 23 Jan 2001 20:54:55 -0800
From: "Crist J. Clark"
To: Carlos Andrade
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw problems with 4.2 upgrade
Message-ID: <20010123205455.W10761@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <000001c08576$edcf6100$fadef9ce@rjstech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <000001c08576$edcf6100$fadef9ce@rjstech.com>; from carlos@rjstech.com on Tue, Jan 23, 2001 at 12:58:59PM -0700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Jan 23, 2001 at 12:58:59PM -0700, Carlos Andrade wrote:
> IPFIREWALL is set in my kernel, I re-built it thinking that was the
> problem. I still get the errors at start up:
>
> ipfw: getsockopt(IP_FW_ADD): Protocol not available

Show the dmesg(8).
--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-ipfw Wed Jan 24 7:55:42 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from netcabo.pt (mail.netcabo.pt [212.113.161.135]) by hub.freebsd.org (Postfix) with ESMTP id BDEB137B400 for ; Wed, 24 Jan 2001 07:55:24 -0800 (PST)
Received: from netcabo ([213.22.31.177]) by netcabo.pt with Microsoft SMTPSVC(5.5.1877.537.53); Wed, 24 Jan 2001 15:52:12 +0000
From: "Bruno Miguel"
Organization: Artists, Inc.
To: freebsd-ipfw@FreeBSD.ORG
Date: Wed, 24 Jan 2001 15:53:26 -0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: IPSEC tunnelling
Reply-To: brunomiguel@netcabo.pt
Cc: The Babbler , freebsd-ipfw@FreeBSD.ORG
Message-ID: <3A6EFA76.17540.17FDF1@localhost>
In-reply-to: <20010121173807.B10761@rfx-216-196-73-168.users.reflex>
References: <3A6D367EA1EFD4118C9B00A0C9DD99D7064AE8@rerun.lucentctc.com>; from mcambria@avaya.com on Sun, Jan 21, 2001 at 07:35:40PM -0500
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > I'm using IPSec tunnel mode, with ESP, but no authentication. I'm also not
> > using AH.
>
> Tunnel mode is troublesome to mix with NAT. AH is impossible to run
> through NAT.

I tried using a skipto rule when packets from the local network tried to reach the other local network... skipping the divert rule. To no avail..

I was trying to use tunnel mode, only ESP. I wonder if someone has done it..... I normally use ipfilter, but the ipfw divert rule being able to be bypassed by a skipto rule made me try ipfw. It didn't work..... when I set up a 10.x.x.x network it worked..... but it was nattin' a 192.168.x.x network. I wonder what went wrong.

...:-=>> The freaking Mail Band <<=-:...
hununu@netcabo.pt
D.E.Q. @ I.S.T. - Portugal

From owner-freebsd-ipfw Wed Jan 24 8: 8:38 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from new-dns.whc.net (new-dns.whc.net [204.90.111.214]) by hub.freebsd.org (Postfix) with ESMTP id 6FB8137B401 for ; Wed, 24 Jan 2001 08:08:21 -0800 (PST)
Received: from null ([206.249.222.250]) by smtp.whc.net (8.11.2/8.10.1/kbp) with SMTP id for ; Wed, 24 Jan 2001 09:07:17 -0700 (MST)
Reply-To:
From: "Carlos Andrade"
To:
Subject: RE: ipfw problems with 4.2 upgrade
Date: Wed, 24 Jan 2001 09:03:28 -0700
Message-ID: <001001c0861f$30c37d40$fadef9ce@rjstech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <20010123205455.W10761@rfx-216-196-73-168.users.reflex>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Importance: Normal
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> On Tue, Jan 23, 2001 at 12:58:59PM -0700, Carlos Andrade wrote:
> > IPFIREWALL is set in my kernel, I re-built it thinking that was the
> > problem. I still get the errors at start up:
> >
> > ipfw: getsockopt(IP_FW_ADD): Protocol not available
>
> Show the dmesg(8).
> --
> Crist J. Clark                                cjclark@alum.mit.edu

Okay, lots of info, but here is the important stuff:

IP packet filtering initialized, divert enabled, rule-based forwarding disabled (WHAT?), default to deny, logging limited to 50 packets/entries by default.

Everything but the rule-based forwarding being disabled sounds right. Hmm, this is a bad thing. No clue where to look other than rc.conf.

-Carlos Andrade
----
Carlos A.
Andrade
IS Manager
RJS Technologies
915.845.5228 ext 13
915.845.2119 fax
carlos@rjstech.com

From owner-freebsd-ipfw Wed Jan 24 22: 2:48 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 05E5E37B401 for ; Wed, 24 Jan 2001 22:02:31 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 24 Jan 2001 22:00:36 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f0P62SH54222; Wed, 24 Jan 2001 22:02:28 -0800 (PST) (envelope-from cjc)
Date: Wed, 24 Jan 2001 22:02:22 -0800
From: "Crist J. Clark"
To: Carlos Andrade
Cc: ipfw@FreeBSD.ORG
Subject: Re: ipfw problems with 4.2 upgrade
Message-ID: <20010124220222.F10761@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <20010123205455.W10761@rfx-216-196-73-168.users.reflex> <001001c0861f$30c37d40$fadef9ce@rjstech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <001001c0861f$30c37d40$fadef9ce@rjstech.com>; from carlos@rjstech.com on Wed, Jan 24, 2001 at 09:03:28AM -0700
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Jan 24, 2001 at 09:03:28AM -0700, Carlos Andrade wrote:
> > On Tue, Jan 23, 2001 at 12:58:59PM -0700, Carlos Andrade wrote:
> > > IPFIREWALL is set in my kernel, I re-built it thinking that was the
> > > problem. I still get the errors at start up:
> > >
> > > ipfw: getsockopt(IP_FW_ADD): Protocol not available
> >
> > Show the dmesg(8).
> > --
> > Crist J. Clark                                cjclark@alum.mit.edu
>
> Okay, lots of info, but here is the important stuff:
>
> IP packet filtering initialized, divert enabled, rule-based forwarding
> disabled (WHAT?), default to deny, logging limited to 50 packets/entries by
> default.
>
> Everything but the rule-based forwarding being disabled sounds right. Hmm,
> this is a bad thing. No clue where to look other than rc.conf.

"rule-based forwarding disabled" just means you can't use 'fwd' rules. That's not your problem though.

Looking at rc.firewall would be a good start for finding the problem. But first,

  # ipfw show
  # ipfw add 65000 pass ip from any to any

Try some ipfw(8) at the command line to see what you get. Run rc.firewall in debug mode to see if you can find if there is one rule causing problems,

  # sh -x /etc/rc.firewall

DO NOT DO THIS FROM A NETWORK LOGIN.
--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-ipfw Wed Jan 24 22: 5:54 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id A1FE237B401 for ; Wed, 24 Jan 2001 22:05:37 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 24 Jan 2001 22:03:47 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f0P65cF54235; Wed, 24 Jan 2001 22:05:38 -0800 (PST) (envelope-from cjc)
Date: Wed, 24 Jan 2001 22:05:37 -0800
From: "Crist J. Clark"
To: Bruno Miguel
Cc: freebsd-ipfw@FreeBSD.ORG, The Babbler
Subject: Re: IPSEC tunnelling
Message-ID: <20010124220537.G10761@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <3A6D367EA1EFD4118C9B00A0C9DD99D7064AE8@rerun.lucentctc.com>; <20010121173807.B10761@rfx-216-196-73-168.users.reflex> <3A6EFA76.17540.17FDF1@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <3A6EFA76.17540.17FDF1@localhost>; from brunomiguel@netcabo.pt on Wed, Jan 24, 2001 at 03:53:26PM -0000
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Jan 24, 2001 at 03:53:26PM -0000, Bruno Miguel wrote:
> > > I'm using IPSec tunnel mode, with ESP, but no authentication. I'm also not
> > > using AH.
> >
> > Tunnel mode is troublesome to mix with NAT. AH is impossible to run
> > through NAT.
>
> I tried using a skipto rule when packets from the local network tried to reach the
> other local network... skipping the divert rule.

That should pretty much break everything before you even have to worry whether the IPsec is working.

> To no avail..
> I was trying to use tunnel mode, only ESP.
> I wonder if someone has done it..... I normally use ipfilter, but the ipfw divert
> rule being able to be bypassed by a skipto rule made me try ipfw. It didn't
> work..... when I set up a 10.x.x.x network it worked..... but it was nattin'
> a 192.168.x.x network. I wonder what went wrong.

ESP is rarely going to be the problem. If you make it all of the way through the ISAKMP keying negotiations, you are in business.
--
Crist J. Clark                                cjclark@alum.mit.edu

From owner-freebsd-ipfw Sat Jan 27 11:51:11 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from home.cg.nu (home.cg.nu [213.196.2.115]) by hub.freebsd.org (Postfix) with ESMTP id C185F37B404 for ; Sat, 27 Jan 2001 11:50:53 -0800 (PST)
Received: from kpnlep (51.16.dialup.cybercomm.nl [213.196.16.51]) by home.cg.nu (Postfix) with SMTP id BC254158E5A for ; Sat, 27 Jan 2001 20:50:45 +0100 (CET)
Reply-To:
From: "Henk Wevers"
To:
Subject: RE: IPSEC tunnelling
Date: Sat, 27 Jan 2001 20:50:45 +0100
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
In-Reply-To: <3A6EFA76.17540.17FDF1@localhost>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

IPsec VPN tunnels are working fine with ipnat.

http://FreeBSD.cg.nu/ipsec.html

Henk

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Bruno Miguel
Sent: Wednesday, 24 January 2001 16:53
To: freebsd-ipfw@FreeBSD.ORG
Cc: The Babbler; freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPSEC tunnelling

> > I'm using IPSec tunnel mode, with ESP, but no authentication. I'm also not
> > using AH.
>
> Tunnel mode is troublesome to mix with NAT. AH is impossible to run
> through NAT.

I tried using a skipto rule when packets from the local network tried to reach the other local network... skipping the divert rule. To no avail..

I was trying to use tunnel mode, only ESP. I wonder if someone has done it..... I normally use ipfilter, but the ipfw divert rule being able to be bypassed by a skipto rule made me try ipfw. It didn't work..... when I set up a 10.x.x.x network it worked..... but it was nattin' a 192.168.x.x network. I wonder what went wrong.

...:-=>> The freaking Mail Band <<=-:...
hununu@netcabo.pt
D.E.Q. @ I.S.T. - Portugal
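Crist's remark in this thread that AH cannot be run through NAT while ESP tunnel mode merely becomes troublesome comes down to what each protocol's integrity check covers. The script below is an added example, not code from the thread, from FreeBSD, or from the page Henk links to. It builds an IPv4 header, computes an AH integrity check value over it the way RFC 2402 specifies (mutable fields zeroed, source and destination addresses included) using HMAC-SHA1-96, then performs the source-address rewrite a NAT box does and verifies again; the ESP variant covers only the ESP header and payload, as RFC 2406 specifies. The addresses, SPI, key and inner packet are constructed sample values, and ESP encryption is not modelled because only the scope of the ICV matters here.

```python
"""AH vs. ESP integrity checks across a NAT source-address rewrite.

Added example, not from the thread or from any IPsec implementation. The key,
SPI, addresses and inner packet are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4   # tunnel mode: the AH/ESP payload is a whole inner IP packet
IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12       # HMAC-SHA1-96 (RFC 2404) keeps the first 96 bits of the MAC
SPI = 0x1000       # constructed sample SPI
KEY = bytes.fromhex("0b" * 20)  # constructed sample integrity key


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement header checksum. Over a header whose checksum field is zero it
    yields the value to insert; over a correctly checksummed header it yields 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_auth_input(ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    """RFC 2402: AH authenticates the entire IP header with the mutable fields (TOS, flags
    and fragment offset, TTL, header checksum) treated as zero. The addresses are NOT
    mutable, so they are covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h) + ah_no_icv + b"\x00" * ICV_LEN + payload


def build_ah_packet(key: bytes, src: str, dst: str, inner: bytes, seq: int = 1) -> bytes:
    # AH header: next header, payload length ((12 + 12) / 4 - 2 = 4), reserved, SPI, sequence
    ah_no_icv = struct.pack("!BBHII", IPPROTO_IPIP, 4, 0, SPI, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(inner))
    icv = hmac_sha1_96(key, ah_auth_input(ip_hdr, ah_no_icv, inner))
    return ip_hdr + ah_no_icv + icv + inner


def verify_ah_packet(key: bytes, pkt: bytes) -> bool:
    ip_hdr, ah_no_icv, icv, inner = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, hmac_sha1_96(key, ah_auth_input(ip_hdr, ah_no_icv, inner)))


def build_esp_packet(key: bytes, src: str, dst: str, inner: bytes, seq: int = 1) -> bytes:
    """ESP with authentication (RFC 2406): the ICV covers the ESP header, payload and
    trailer, never the outer IP header. Encryption is omitted; only ICV scope matters here."""
    esp_body = struct.pack("!II", SPI, seq) + inner + struct.pack("!BB", 0, IPPROTO_IPIP)
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp_body) + ICV_LEN)
    return ip_hdr + esp_body + hmac_sha1_96(key, esp_body)


def verify_esp_packet(key: bytes, pkt: bytes) -> bool:
    esp_body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac_sha1_96(key, esp_body))


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What a NAT box does on the way out: swap the source address and repair the header
    checksum. It cannot repair anything protected by a key it does not hold."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def header_checksum_ok(pkt: bytes) -> bool:
    return ipv4_checksum(pkt[:20]) == 0


# Constructed scenario: gateway 192.168.1.1 tunnels to 198.51.100.1 and a NAT box in
# between rewrites 192.168.1.1 to 203.0.113.9.
INNER = b"inner IP packet bytes (constructed sample)"
AH_PKT = build_ah_packet(KEY, "192.168.1.1", "198.51.100.1", INNER)
ESP_PKT = build_esp_packet(KEY, "192.168.1.1", "198.51.100.1", INNER)
AH_AFTER_NAT = nat_rewrite_src(AH_PKT, "203.0.113.9")
ESP_AFTER_NAT = nat_rewrite_src(ESP_PKT, "203.0.113.9")

if __name__ == "__main__":
    print("AH  before NAT:", verify_ah_packet(KEY, AH_PKT))          # True
    print("AH  after NAT: ", verify_ah_packet(KEY, AH_AFTER_NAT))    # False
    print("ESP before NAT:", verify_esp_packet(KEY, ESP_PKT))        # True
    print("ESP after NAT: ", verify_esp_packet(KEY, ESP_AFTER_NAT))  # True
```

After the rewrite the IP header checksum is still valid, because NAT recomputed it, but the AH ICV no longer verifies and the far gateway drops the packet as an authentication failure; the ESP packet still verifies because its ICV never covered the outer addresses. That is the whole of "AH is impossible through NAT". What remains troublesome for ESP is not integrity but policy: the far gateway has to hold a security association and SPD entry that match the translated outer address, which is why Crist points at the ISAKMP negotiation rather than at ESP itself.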
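Phil's question earlier in this digest, whether his rewritten ruleset is safe against the SA-01:08 bypass "with or without the established", can be checked mechanically. The script below is an added example, not code from the thread or from FreeBSD's ip_fw.c: a first-match simulator for the ipfw(8) rule subset his two rulesets use ('setup' is SYN set and ACK clear, 'established' is ACK or RST set, 'frag' matches non-first fragments, and the built-in rule 65535 denies). The vulnerable 'established' behaviour is modelled only as the advisory states it, an ECE-flagged TCP packet matches, without reproducing the actual kernel defect. A third ruleset with an unqualified 'allow tcp from any to any' as rule 140, the form the advisory recommends, stands in for his "without the established" variant. The probe packets are constructed samples.

```python
"""First-match simulator for the ipfw(8) subset in the SA-01:08 workaround.

Added example, not from the thread or from FreeBSD. 'vulnerable' models only what the
advisory states (ECE-flagged TCP packets matched 'established'), not the kernel bug.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: int = 0        # TCP flags
    proto: str = "tcp"
    frag: bool = False    # non-first fragment: no transport header to inspect


@dataclass(frozen=True)
class Rule:
    num: int
    action: str           # "allow" or "deny"
    proto: str            # "ip" or "tcp"
    src: str              # CIDR, host or "any"
    dst: str
    dport: Optional[int] = None
    opt: Optional[str] = None   # "setup", "established", "frag" or None


def parse_rule(line: str) -> Rule:
    """Parse e.g. '00130 allow tcp from 192.168.2.0/24 to 192.168.2.1 22 setup'."""
    t = line.split()
    if t[3] != "from" or t[5] != "to":
        raise ValueError(line)
    rest = t[7:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    return Rule(int(t[0]), t[1], t[2], t[4], t[6], dport, rest[0] if rest else None)


def parse_ruleset(text: str):
    return [parse_rule(line) for line in text.strip().splitlines()]


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(r: Rule, p: Packet, vulnerable: bool) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if not (addr_match(r.src, p.src) and addr_match(r.dst, p.dst)):
        return False
    if r.opt == "frag":
        return p.frag
    if p.frag:                      # ports and flags are not available in later fragments
        return r.dport is None and r.opt is None
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.opt == "setup":            # ipfw(8): SYN set and ACK clear
        return p.proto == "tcp" and bool(p.flags & SYN) and not p.flags & ACK
    if r.opt == "established":      # ipfw(8): ACK or RST set
        if p.proto != "tcp":
            return False
        if vulnerable and p.flags & ECE:   # the SA-01:08 bypass, as the advisory describes it
            return True
        return bool(p.flags & (ACK | RST))
    return True


def verdict(ruleset, p: Packet, vulnerable: bool = False) -> str:
    """First matching rule wins; ipfw's built-in rule 65535 denies whatever nothing matched."""
    for r in ruleset:
        if rule_matches(r, p, vulnerable):
            return f"{r.action} by {r.num:05d}"
    return "deny by 65535"


# Phil's fictional rulesets, plus the advisory's form with an unqualified TCP rule last.
ORIGINAL = parse_ruleset("""
00110 allow ip from any to any established
00120 allow ip from any to any frag
00130 allow tcp from 192.168.2.0/24 to 192.168.2.1 22 setup
00140 deny tcp from any to any
""")
REWRITTEN = parse_ruleset("""
00110 allow ip from any to any frag
00120 allow tcp from 192.168.2.0/24 to 192.168.2.1 22 setup
00130 deny tcp from any to any setup
00140 allow tcp from any to any established
""")
REWRITTEN_PLAIN = REWRITTEN[:-1] + [parse_rule("00140 allow tcp from any to any")]

# Constructed probes: an outsider's ECE-flagged SYN (the bypass), a permitted inside SYN,
# a mid-stream ACK, and a bare FIN that is neither 'setup' nor 'established'.
ECE_SYN = Packet("10.0.0.5", "192.168.2.1", 22, SYN | ECE)
INSIDE_SYN = Packet("192.168.2.5", "192.168.2.1", 22, SYN)
MIDSTREAM = Packet("10.0.0.5", "192.168.2.7", 40000, ACK | PSH)
BARE_FIN = Packet("10.0.0.5", "192.168.2.7", 40000, FIN)

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("rewritten", REWRITTEN), ("plain", REWRITTEN_PLAIN)):
        for pname, p in (("ECE_SYN", ECE_SYN), ("INSIDE_SYN", INSIDE_SYN),
                         ("MIDSTREAM", MIDSTREAM), ("BARE_FIN", BARE_FIN)):
            print(f"{name:9} {pname:10} vulnerable: {verdict(rs, p, True):15} "
                  f"fixed: {verdict(rs, p, False)}")
```

Against the outsider's ECE-flagged SYN the original ruleset's vulnerable rule 110 passes it, while both rewritten rulesets reject it at rule 130 before any 'established' check is consulted, so the rewrite is safe with or without the keyword. The two rewrites differ only for TCP packets that are neither 'setup' nor 'established', the bare FIN here: the 'established' form lets it fall through to the default deny, the plain form passes it. That gap is exactly the sense in which 'setup' means more than 'not established', and it is why the ordering (permitted setups, then deny all setups, then the general TCP rule) matters more than the keyword on the last rule.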