From owner-freebsd-ipfw Mon Sep 13 09:08:57 1999
Date: Mon, 13 Sep 1999 12:07:08 -0400
From: Forrest Aldrich
To: freebsd-ipfw@freebsd.org
Subject: IPFW and PortSentry
Message-Id: <4.2.0.58.19990913115244.00b08ee0@216.67.12.69>

I've noticed that the program PortSentry will use "ipfw add 1" in its
trigger mechanism, which I'm not sure is appropriate -- if you already had
a rule 1 in there, the results of trying to add another 1 (I've not tested
it) are unknown. So, I want to help the author find a better way to do
this.

Also, is there documented somewhere more info about the -blackhole feature
of the route command (the manpage doesn't say much?).

Thanks.......

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw Mon Sep 13 09:46:03 1999
Date: Mon, 13 Sep 1999 09:45:58 -0700 (PDT)
From: "Eric J. Schwertfeger"
To: Forrest Aldrich
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW and PortSentry
In-Reply-To: <4.2.0.58.19990913115244.00b08ee0@216.67.12.69>

On Mon, 13 Sep 1999, Forrest Aldrich wrote:

> I've noticed that the program PortSentry will use "ipfw add 1" in its
> trigger mechanism, which I'm not sure is appropriate -- if you already
> had a rule 1 in there, the results of trying to add another 1 (I've not
> tested it) are unknown.

Actually, that behavior is appropriate, as per the man page: "Multiple
rules may share the same number and apply in the order in which they
were added."


From owner-freebsd-ipfw Mon Sep 13 16:52:57 1999
Date: Mon, 13 Sep 1999 18:14:52 -0600 (MDT)
From: Jason Seidel
To: freebsd-ipfw@freebsd.org
Subject: IPFW & Bridging

I'm trying to get bridging set up across 2 networks and an ISDN router,
and so far unsuccessfully, due to lack of documentation on this subject.
If someone can point me in the right direction, I would greatly
appreciate it.

thanks

Jason Seidel
Systems Administrator
South Dakota School of Mines and Technology
jseidel@kodiak.sdsmt.edu
"The dumber people think you are, the more surprised they'll be when you
kill them."


From owner-freebsd-ipfw Mon Sep 13 17:52:00 1999
Date: Mon, 13 Sep 1999 19:52:14 -0500
From: "Beth"
Message-ID: <001801befe4b$63602440$0101a8c0@cawti.iceflame.org>

subscribe freebsd-ipfw@freebsd.org


From owner-freebsd-ipfw Tue Sep 14 11:12:25 1999
Date: Tue, 14 Sep 1999 14:15:41 -0400
From: Andre@HighCaliber.com (Andre Chang)
Reply-To: "Andre Chang"
Subject: IPFW configuration as a transparent proxy
Message-ID: <021401befedd$27a14320$1ad2d9ce@work.highcaliber.com>

Hello,

I would like to know if this is the place to ask about configuring IPFW to
serve as a transparent proxy by use of the IPFW's "fwd" option.

Is there anyone who has used this option toward this goal or something
similar? Any response on this topic would be greatly appreciated. Thank You.

-- Andre Chang
Network Engineer.
High Caliber Systems, Inc.


From owner-freebsd-ipfw Tue Sep 14 11:34:39 1999
Date: Tue, 14 Sep 1999 11:34:06 -0700 (PDT)
From: Julian Elischer
To: Andre Chang
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW configuration as a transparent proxy
In-Reply-To: <021401befedd$27a14320$1ad2d9ce@work.highcaliber.com>

The fwd option forces a packet to be sent to:

 1/ a nominated local socket
or
 2/ out a nominated interface to a nominated 2nd machine.

However it doesn't change the packet in any way.. this means that in case
(2) above, the second machine will not accept the packet unless it also
has a 'fwd' rule to make it do so (as in case 1). If this is not the
case, it will examine the packet and send it towards its original
destination.

In the first case, this basically allows transparent proxy, by redirecting
all outgoing requests to port 80 (that are not starting at the local
machine) (i.e. requests coming in on the local interface that would
normally be routed out your WAN interface) to be redirected to whatever
port your proxy is listening on.

e.g.
ipfw add 2 fwd 127.0.0.1,3137 tcp from any to any 80 out recv ed1 xmit ng0

This redirects any packets that are about to go out through ng0 (our LAN
frame relay link), that originated on the LAN (ed1). The reason for being
so specific is that we don't want to capture the requests that the proxy
makes!

hope this helps!

julian


From owner-freebsd-ipfw Tue Sep 14 11:42:35 1999
Date: Tue, 14 Sep 1999 11:41:53 -0700
From: Darcy Buskermolen
To: "Andre Chang"
Subject: Re: IPFW configuration as a transparent proxy
Message-Id: <3.0.32.19990914114153.0287f100@mail.ok-connect.com>

If I understand what you want to do this should be close to what you are
after.

ipfw add 300 fwd proxy.ip.addy,port tcp from any to 0.0.0.0 80 via outworldinterface

ie:

ipfw add 1 fwd 10.13.13.200,80 tcp from any to 0.0.0.0 80 via xl0


From owner-freebsd-ipfw Tue Sep 14 14:12:29 1999
Date: Tue, 14 Sep 1999 17:15:48 -0400
From: Andre@HighCaliber.com (Andre Chang)
Reply-To: "Andre Chang"
To: "Julian Elischer"
Subject: Re: IPFW configuration as a transparent proxy
Message-ID: <028101befef6$50f47300$1ad2d9ce@work.highcaliber.com>

Thanks for the information,

I however still haven't figured out my problem.. here it is:

I'm using only one interface on the machine running IPFW
(fxp1 - the machine has 2 interfaces but I'm only using one)

the client, IPFW and the proxy machine are on the same subnet
(win98, FreeBSD 3.2-RELEASE and NT4.0 proxy respectively)

the client's gateway is the IPFW machine

the rule on the IPFW machine:
ipfw add 500 fwd 10.0.0.1,80 log tcp from 10.0.0.100 to any 80 in recv fxp1

For testing purposes I specified logging and the actual IP of the client.

The logs show a matched rule when I attempt to open the browser:
ipfw: 500 Forward to 10.0.0.1:80 TCP 10.0.0.100:1158 204.141.86.3:80 in via fxp1

This looks ok but then the browser returns an unable to connect message. I
can't seem to figure out what is wrong here. Any insight will be greatly
appreciated. Thanks for the existing comments.

-- Andre Chang
Network Engineer.
High Caliber Systems, Inc.


From owner-freebsd-ipfw Tue Sep 14 14:17:34 1999
Date: Tue, 14 Sep 1999 14:17:20 -0700 (PDT)
From: Julian Elischer
To: Andre Chang
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW configuration as a transparent proxy
In-Reply-To: <028101befef6$50f47300$1ad2d9ce@work.highcaliber.com>

try tcpdump to watch the packets.

On Tue, 14 Sep 1999, Andre Chang wrote:

> The logs show a matched rule when I attempt to open the browser:
> ipfw: 500 Forward to 10.0.0.1:80 TCP 10.0.0.100:1158 204.141.86.3:80 in via fxp1
>
> This looks ok but then the browser returns an unable to connect message.


From owner-freebsd-ipfw Tue Sep 14 23:15:38 1999
Date: Wed, 15 Sep 1999 10:15:43 +0400 (MSD)
From: "Vladimir B. Grebenschikov"
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW configuration as a transparent proxy
In-Reply-To: <028101befef6$50f47300$1ad2d9ce@work.highcaliber.com>

On Tue, 14 Sep 1999, Andre Chang wrote:

> ipfw add 500 fwd 10.0.0.1,80 log tcp from 10.0.0.100 to any 80 in recv fxp1
>
> For testing purposes I specified logging and the actual IP of the client.
>
> The logs show a matched rule when I attempt to open the browser:
> ipfw: 500 Forward to 10.0.0.1:80 TCP 10.0.0.100:1158 204.141.86.3:80 in via fxp1
>
> This looks ok but then the browser returns an unable to connect message. I
> can't seem to figure out what is wrong here. Any insight will be greatly
> appreciated. Thanks for the existing comments.

In my opinion the problem is in the behavior of the software listening on
10.0.0.1:80: it must not be a standard proxy (like squid).

A standard proxy listens on one address and gets requests with a full URL,
like:
GET http://www.somwhere.net/path/here.html HTTP/1.0

but your browser may send requests without protocol and hostname, like:
GET /path/here.html HTTP/1.0

so the software listening on 10.0.0.1:80 must get the destination IP from
the request and insert it in the proxy request.

You can play with telnet to check how it works.

Standard software for this need is present in ports and is called
tranproxy, but it is designed to work with ipfilter, not IPFW.

--
TSB Russian Express, Moscow
Vladimir B. Grebenschikov, vova@express.ru


From owner-freebsd-ipfw Wed Sep 15 00:27:14 1999
Date: Wed, 15 Sep 1999 10:20:29 +0300
From: Ruslan Ermilov
To: Andre Chang
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW configuration as a transparent proxy
Message-ID: <19990915102029.E86648@relay.ucb.crimea.ua>
In-Reply-To: <028101befef6$50f47300$1ad2d9ce@work.highcaliber.com>

On Tue, Sep 14, 1999 at 05:15:48PM -0400, Andre Chang wrote:

> the client's gateway is the IPFW machine
>
> the rule on the IPFW machine:
> ipfw add 500 fwd 10.0.0.1,80 log tcp from 10.0.0.100 to any 80 in recv fxp1
>
> This looks ok but then the browser returns an unable to connect message. I
> can't seem to figure out what is wrong here.

Andre!

As Julian pointed out, you need `fwd localport' rule on proxy machine
as well.

--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age


From owner-freebsd-ipfw Wed Sep 15 10:02:14 1999
Date: Wed, 15 Sep 1999 13:06:10 -0400
From: Andre@HighCaliber.com (Andre Chang)
Reply-To: "Andre Chang"
To: "Vladimir B. Grebenschikov"
Subject: Re: IPFW configuration as a transparent proxy
Message-ID: <001301beff9c$9b98b550$1ad2d9ce@work.highcaliber.com>

-----Original Message-----
From: Vladimir B. Grebenschikov
To: freebsd-ipfw@FreeBSD.ORG
Date: Wednesday, September 15, 1999 2:18 AM
Subject: Re: IPFW configuration as a transparent proxy

> In my opinion the problem is in the behavior of the software listening on
> 10.0.0.1:80: it must not be a standard proxy (like squid).
>
> A standard proxy listens on one address and gets requests with a full URL,
> like:
> GET http://www.somwhere.net/path/here.html HTTP/1.0

I tried this format via telnet and it returns correct requests.

I've been thinking that it's possible that the requests get thrown into a
loop because I only have that one fwd rule before the open firewall rule.
I'm going to add the following rule before the fwd rule:

ipfw add 400 allow tcp from 10.0.0.100 to any

to see if looping is the case.

-- Andre Chang
Network Engineer.
High Caliber Systems, Inc.

> but your browser may send requests without protocol and hostname, like:
> GET /path/here.html HTTP/1.0
>
> so the software listening on 10.0.0.1:80 must get the destination IP from
> the request and insert it in the proxy request.
>
> You can play with telnet to check how it works.
>
> Standard software for this need is present in ports and is called
> tranproxy, but it is designed to work with ipfilter, not IPFW.


From owner-freebsd-ipfw Wed Sep 15 10:27:30 1999
Date: Wed, 15 Sep 1999 13:31:22 -0400
From: Andre@HighCaliber.com (Andre Chang)
Reply-To: "Andre Chang"
To: "Ruslan Ermilov"
Subject: Re: IPFW configuration as a transparent proxy
Message-ID: <002d01beffa0$210134d0$1ad2d9ce@work.highcaliber.com>

-----Original Message-----
From: Ruslan Ermilov
To: Andre Chang
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Wednesday, September 15, 1999 3:30 AM
Subject: Re: IPFW configuration as a transparent proxy

> Andre!
>
> As Julian pointed out, you need `fwd localport' rule on proxy machine
> as well.

Yes I see what you are saying, unfortunately the proxy machine is
Microsoft Proxy Server, I'll have to see if I can set packet filtering on
that machine.

-- Andre Chang
Network Engineer.
High Caliber Systems, Inc.


From owner-freebsd-ipfw Wed Sep 15 10:48:36 1999
Date: Wed, 15 Sep 1999 10:48:32 -0700 (PDT)
From: Julian Elischer
To: "Vladimir B. Grebenschikov"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW configuration as a transparent proxy

squid has a set of patches to allow this to be done.. (in fact it is
standard, but you must compile it in). The Linux transparent proxy changes
are about the same....

On Wed, 15 Sep 1999, Vladimir B. Grebenschikov wrote:

> In my opinion the problem is in the behavior of the software listening on
> 10.0.0.1:80: it must not be a standard proxy (like squid).
>
> Standard software for this need is present in ports and is called
> tranproxy, but it is designed to work with ipfilter, not IPFW.


From owner-freebsd-ipfw Wed Sep 15 16:46:34 1999
Date: Wed, 15 Sep 1999 16:46:27 -0700
From: Darcy Buskermolen
To: freebsd-ipfw@FreeBSD.ORG
Subject: Firewall-1
Message-Id: <3.0.32.19990915164626.02309970@mail.ok-connect.com>

I've been asked a question by a friend of mine who is the firewall admin
for a large company. They are looking at replacing their Firewall-1 system
with a FreeBSD box running IPFW. What tools, if any, are available for
converting the 500+ rules in their firewall to IPFW ones? A rough look
through makes me think that each one of the Firewall-1 rules will need
5-10 IPFW rules to implement. Plus he is very versed in writing rules for
Firewall-1 and would like the ability to write future rules in Firewall-1
semantics.

\\DarcyB


From owner-freebsd-ipfw Thu Sep 16 08:28:04 1999
Date: Thu, 16 Sep 1999 19:30:12 +0400
From: AAKopeyko@rio.ru
Organization: RIO
To: freebsd-ipfw@FreeBSD.ORG
Subject: what is 'ICMP:3.13' ?
In-reply-to: <3.0.32.19990915164626.02309970@mail.ok-connect.com>
Message-Id: <19990916152801.7FE51153FA@hub.freebsd.org>

Hi All!

Yesterday I added a new rule

ipfw add 802 allow log icmp from any to XXX.XXX.XXX.XXX

and now have a lot of

> ipfw: 802 Accept ICMP:3.13 XXX.XXX.XXX.XXX yyy.yyy.yyy.yyy in via tun0

in the log. Can anybody explain what the 'ICMP type 3 code 13' message is?
RFC 792 and 950 never talk about it.

---
Best regards,
Andrew Kopeyko


From owner-freebsd-ipfw Thu Sep 16 08:55:11 1999
Date: Thu, 16 Sep 1999 18:52:47 +0300
From: Ruslan Ermilov
To: AAKopeyko@rio.ru
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: what is 'ICMP:3.13' ?
Message-ID: <19990916185247.A22681@relay.ucb.crimea.ua>
In-Reply-To: <19990916152801.7FE51153FA@hub.freebsd.org>

On Thu, Sep 16, 1999 at 07:30:12PM +0400, AAKopeyko@rio.ru wrote:

> ipfw add 802 allow log icmp from any to XXX.XXX.XXX.XXX
>
> and now have a lot of
>
> > ipfw: 802 Accept ICMP:3.13 XXX.XXX.XXX.XXX yyy.yyy.yyy.yyy in via tun0
>
> in the log. Can anybody explain what the 'ICMP type 3 code 13' message is?
> RFC 792 and 950 never talk about it.

Because RFC1812 is only PROPOSED STANDARD.
# grep "ICMP_UNREACH_FILTER_PROHIB" /usr/include/netinet/ip_icmp.h HTH, -- Ruslan Ermilov Sysadmin and DBA of the ru@ucb.crimea.ua United Commercial Bank, ru@FreeBSD.org FreeBSD committer, +380.652.247.647 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
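As an added illustration of Ruslan's answer (this is not code from the thread), here is a small Python parser for ipfw log lines of the shape quoted above that decodes the type.code field; code 13 is the ICMP_UNREACH_FILTER_PROHIB he points at in ip_icmp.h. The sample lines and addresses are constructed.

```python
import re

# ICMP type names from RFC 792 that commonly show up in ipfw logs.
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
# Type 3 codes: 0-5 are from RFC 792, 9 and 10 were added by RFC 1122, and 13
# comes from RFC 1812 (ICMP_UNREACH_FILTER_PROHIB in <netinet/ip_icmp.h>).
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed",
    9: "communication with destination network administratively prohibited",
    10: "communication with destination host administratively prohibited",
    13: "communication administratively prohibited",
}
# Shape of the ipfw(8) log line quoted in the thread:
#   ipfw: 802 Accept ICMP:3.13 XXX.XXX.XXX.XXX yyy.yyy.yyy.yyy in via tun0
# TCP/UDP lines carry "addr:port" pairs instead of the type.code suffix.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)"
    r"(?::(?P<type>\d+)\.(?P<code>\d+))? "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def describe_icmp(icmp_type, code):
    """Human-readable meaning of an ICMP type/code pair."""
    tname = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == 3:
        return f"{tname}: {UNREACH_CODES.get(code, f'code {code}')}"
    return tname if code == 0 else f"{tname}, code {code}"

def parse_ipfw_log(line):
    """Parse one syslog line carrying an ipfw record; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"rule": int(m["rule"]), "action": m["action"], "proto": m["proto"],
           "src": m["src"], "dst": m["dst"], "dir": m["dir"], "iface": m["iface"]}
    if m["type"] is not None:  # ICMP record: decode the type.code suffix
        rec["icmp_type"], rec["icmp_code"] = int(m["type"]), int(m["code"])
        rec["icmp_desc"] = describe_icmp(rec["icmp_type"], rec["icmp_code"])
    else:                      # TCP/UDP record: ports ride on the addresses
        rec["sport"] = int(m["sport"]) if m["sport"] else None
        rec["dport"] = int(m["dport"]) if m["dport"] else None
    return rec

# Constructed sample lines using documentation addresses, not from the thread.
SAMPLE_LINES = [
    "Sep 16 19:00:01 gw /kernel: ipfw: 802 Accept ICMP:3.13 192.0.2.1 198.51.100.2 in via tun0",
    "Sep 16 19:00:02 gw /kernel: ipfw: 100 Deny TCP 192.0.2.5:4242 198.51.100.2:23 in via tun0",
]
```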
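Returning to Vladimir's explanation of transparent proxying earlier in the thread, here is an added Python example (not from the thread and not transproxy's code) of the rewrite he describes: a request that reaches the redirect listener without scheme and hostname is turned into the absolute-URI form a standard proxy expects. The function name, the use of the redirected socket's original destination as the fallback, and the sample requests are assumptions.

```python
def rewrite_for_upstream_proxy(request, original_dst, original_port=80):
    """Rewrite an intercepted browser request into standard-proxy form.

    request:       raw request text as the browser sent it (CRLF line ends)
    original_dst:  address the browser really connected to, as learned from
                   the redirected socket (a constructed value in the tests)
    original_port: port the browser really connected to
    """
    head, sep, body = request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    # A client already configured for a proxy sends the full URL; leave it alone.
    if target.lower().startswith(("http://", "https://")):
        return request
    # Otherwise work out the host the browser meant. HTTP/1.1 clients say so
    # in the Host header; HTTP/1.0 clients often do not, so fall back to the
    # destination the redirected connection was originally aimed at. Host is
    # client-supplied, so a stricter listener would check it against that
    # original destination instead of trusting it outright.
    host = None
    for header in lines[1:]:
        name, _, value = header.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    if not host:
        host = original_dst if original_port == 80 else f"{original_dst}:{original_port}"
    lines[0] = f"{method} http://{host}{target} {version}"
    return "\r\n".join(lines) + sep + body

# Constructed sample requests, not from the thread.
BROWSER_REQ_WITH_HOST = "GET /path/here.html HTTP/1.0\r\nHost: www.somewhere.net\r\n\r\n"
BROWSER_REQ_NO_HOST = "GET /index.html HTTP/1.0\r\nUser-Agent: old-browser\r\n\r\n"
```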