From owner-freebsd-ipfw Tue Jul 9 2:32:10 2002
Delivered-To: freebsd-ipfw@freebsd.org
Date: Tue, 9 Jul 2002 02:32:04 -0700
From: Luigi Rizzo
To: ipfw@freebsd.org
Subject: ipfw2 patches for -stable available

[Bcc to -stable as relevant there]

As the subject says, the latest patches to run ipfw2 on -stable are at

    http://info.iet.unipi.it/~luigi/ipfw2.stable.020709.diffs

They rely on the code that I have just committed to -stable.

Once you have patched your source tree, you need to add

    options IPFW2

to your kernel config file to have the new functionality available,
otherwise you will still use the old ipfw code.

You also need to recompile /sbin/ipfw.

Note that this patch *does not* handle libalias.

(For the curious, ipfw2 is a nickname for the new firewall code
which is in -current. It is much faster and more flexible than the
old one, and implements the old ipfw syntax as a subset, so your
existing configuration files should work unmodified -- and if they
don't, please report the rule(s) where it chokes so I can fix that).
    cheers
    luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Jul 9 2:53:38 2002
From: "S Roberts"
To: rizzo@icir.org, ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available
Date: Tue, 09 Jul 2002 09:53:33 +0000

Silly question... How does one recompile /sbin/ipfw?

Thanks for the update
>From: Luigi Rizzo
>To: ipfw@freebsd.org
>Subject: ipfw2 patches for -stable available
>Date: Tue, 9 Jul 2002 02:32:04 -0700
>
>[Bcc to -stable as relevant there]
>
>As the subject says, the latest patches to run ipfw2 on -stable are at
>
>    http://info.iet.unipi.it/~luigi/ipfw2.stable.020709.diffs
>
>They rely on the code that I have just committed to -stable.
>Once you have patched your source tree, you need to add
>
>    options IPFW2
>
>to your kernel config file to have the new functionality available,
>otherwise you will still use the old ipfw code.
>
>You also need to recompile /sbin/ipfw.
>
>Note that this patch *does not* handle libalias.
>
>(For the curious, ipfw2 is a nickname for the new firewall code
>which is in -current. It is much faster and more flexible than the
>old one, and implements the old ipfw syntax as a subset, so your
>existing configuration files should work unmodified -- and if they
>don't, please report the rule(s) where it chokes so I can fix that).
>
>    cheers
>    luigi

From owner-freebsd-ipfw Tue Jul 9 3:40:02 2002
Date: Tue, 9 Jul 2002 11:40:01 +0100
From: Robert Crosbie
To: S Roberts
Cc: rizzo@icir.org, ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available

S Roberts hath declared on Tuesday the 09 day of July 2002 :-:
>
> Silly question... How does one recompile /sbin/ipfw?
>
> Thanks for the update

Pretty much...

    cd /usr/src/sbin/ipfw/
    make && make install

- bobb

From owner-freebsd-ipfw Tue Jul 9 6:36:52 2002
Date: Tue, 09 Jul 2002 17:35:58 +0400
From: "Andrew V. Jemerya"
Organization: Jet Infosystems
To: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available

So, could I use the divert rule (for example "add divert natd from any to any") in my current ruleset after applying these patches?

From owner-freebsd-ipfw Tue Jul 9 6:48:02 2002
From: Cy Schubert - CITS Open Systems Group
To: Robert Crosbie
Cc: S Roberts, rizzo@icir.org, ipfw@FreeBSD.ORG
Subject: Re: ipfw2 patches for -stable available
Date: Tue, 09 Jul 2002 06:47:58 -0700

In message <20020709104001.GB25628@lummux.tchpc.tcd.ie>, Robert Crosbie writes:
> S Roberts hath declared on Tuesday the 09 day of July 2002 :-:
> >
> > Silly question... How does one recompile /sbin/ipfw?
> >
> > Thanks for the update
>
> Pretty much...
>
>     cd /usr/src/sbin/ipfw/
>     make && make install

The lion's share of ipfw is in the kernel. You'll need to rebuild it or the ipfw module too.

--
Cheers,                                  Phone: 250-387-8437
Cy Schubert                              Fax:   250-387-5766
Team Leader, Sun/Alpha Team              Email: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, CITS
Ministry of Management Services
Province of BC
FreeBSD UNIX: cy@FreeBSD.org
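Putting the three answers above together (Luigi's `options IPFW2`, bobb's `make && make install` under /usr/src/sbin/ipfw, and Cy's point that the kernel itself has to be rebuilt), here is the whole procedure as one script. This is an added example, not code from the thread or from FreeBSD. It assumes a 4-STABLE i386 tree under /usr/src that already has Luigi's diffs applied, the standard `make buildkernel` / `make installkernel` targets of that tree, and a kernel config named by KERNCONF (MYKERNEL is a placeholder). The function names has_option, ensure_ipfw2_option and build_ipfw2 are mine; only ensure_ipfw2_option touches a file, so it is the part that can be exercised without a source tree.

```shell
#!/bin/sh
# Added example (not from the thread): enable ipfw2 on an already patched
# 4-STABLE source tree.  Assumptions: /usr/src carries Luigi's diffs, the
# kernel config lives in /usr/src/sys/i386/conf, and its name is in KERNCONF.
set -e

KERNCONF="${KERNCONF:-MYKERNEL}"                     # assumed config name
CONF_DIR="${CONF_DIR:-/usr/src/sys/i386/conf}"      # assumed i386 tree

# Does the config file $1 already select kernel option $2?  Matches the
# "options NAME" line form, with or without a trailing comment.
has_option() {
    grep -E -q '^options[[:space:]]+'"$2"'([[:space:]]|$)' "$1"
}

# Add "options IPFW2" to a kernel config unless it is already there.
# Returns 0 when the line was appended, 1 when it was already present, and
# 2 when the config has no IPFIREWALL at all: IPFW2 only selects which
# firewall implementation is compiled in, IPFIREWALL is what enables it.
ensure_ipfw2_option() {
    conf="$1"
    if ! has_option "$conf" IPFIREWALL; then
        echo "$conf: no 'options IPFIREWALL'; IPFW2 alone builds no firewall" >&2
        return 2
    fi
    if has_option "$conf" IPFW2; then
        return 1
    fi
    printf 'options\t\tIPFW2\t\t# new ipfw code, selects ipfw2 over old ipfw\n' >> "$conf"
    return 0
}

# The full procedure.  Not run at load time: call it explicitly, as root,
# after patching the tree.
build_ipfw2() {
    rc=0
    ensure_ipfw2_option "$CONF_DIR/$KERNCONF" || rc=$?
    [ "$rc" -ne 2 ] || return 2
    # Most of ipfw lives in the kernel, so rebuild and install it.
    (cd /usr/src && make buildkernel KERNCONF="$KERNCONF" \
                 && make installkernel KERNCONF="$KERNCONF")
    # The userland tool talks to the new kernel code, so rebuild it as well.
    (cd /usr/src/sbin/ipfw && make && make install)
    echo "done; reboot into the new kernel before loading your ruleset"
}
```

The kernel and /sbin/ipfw must be rebuilt together: a new ipfw binary against the old kernel (or the reverse) is exactly the mismatch the thread warns about.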
From owner-freebsd-ipfw Tue Jul 9 19:20:11 2002
From: Dan Pelleg
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available
Date: 09 Jul 2002 22:19:26 -0400

Luigi Rizzo writes:
> [Bcc to -stable as relevant there]
>
> As the subject says, the latest patches to run ipfw2 on -stable are at
>
>     http://info.iet.unipi.it/~luigi/ipfw2.stable.020709.diffs
>

Thanks a lot! I've only used it briefly. For now it looks ok, with the following observations:

1) the "icmptype" option doesn't seem to be supported
2) my "limit" rules are silently converted to "limit all"
3) I'm getting lots of "/kernel: install_state: entry already present, done" (related to (2)?).
4) there's an extra space after "log" in the "ipfw show" output

--
Dan Pelleg

From owner-freebsd-ipfw Tue Jul 9 22:14:00 2002
Date: Tue, 9 Jul 2002 22:13:47 -0700
From: Luigi Rizzo
To: Dan Pelleg
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available

Hi Dan,
thanks for the report:

> I've only used it briefly. For now it looks ok, with the following observations:
>
> 1) the "icmptype" option doesn't seem to be supported

the manpage lists "icmptypes" (plural) as the option keyword,
though it is true that the previous code allowed abbreviations
(but those could be ambiguous). I am not sure whether or
not it is the case to fix it -- for sure I can add "icmptype"
as an alias for "icmptypes"

> 2) my "limit" rules are silently converted to "limit all"

thanks, that was in fact only a bug in the code to print out the rule,
the mask is correctly stored. Fixed.

> 3) I'm getting lots of "/kernel: install_state: entry already present,
> done" (related to (2)?).

this one I cannot reproduce, do you have a small ruleset and
input example to send me so I can try and reproduce the problem ?

> 4) there's an extra space after "log" in the "ipfw show" output

fixed, thanks.

Diffs for bugs #1,2,4 are below.

    cheers
    luigi

Index: ipfw2.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.3
diff -u -r1.3 ipfw2.c
--- ipfw2.c	8 Jul 2002 19:49:52 -0000	1.3
+++ ipfw2.c	10 Jul 2002 05:12:12 -0000
@@ -315,6 +315,7 @@
         { "tcpseq", TOK_TCPSEQ },
         { "tcpack", TOK_TCPACK },
         { "tcpwin", TOK_TCPWIN },
+        { "icmptype", TOK_ICMPTYPES },
         { "icmptypes", TOK_ICMPTYPES },
         { "not", TOK_NOT },             /* pseudo option */
@@ -850,9 +851,9 @@
         }
         if (logptr) {
                 if (logptr->max_log > 0)
-                        printf(" log logamount %d ", logptr->max_log);
+                        printf(" log logamount %d", logptr->max_log);
                 else
-                        printf(" log ");
+                        printf(" log");
         }
         /*
          * then print the body
@@ -1066,7 +1067,7 @@
         printf(" limit");
         for ( ; p->x != 0 ; p++)
-                if (x & p->x) {
+                if ((x & p->x) == p->x) {
                         x &= ~p->x;
                         printf("%s%s", comma, p->s);
                         comma = ",";
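Review bot: in the first hunk the new table entry { "icmptype", TOK_ICMPTYPES } restores exactly one abbreviation, while the reply it accompanies says the old parser accepted abbreviations in general; rulesets that shortened any other keyword will still be rejected, and that limitation should be stated (and "icmptype" listed as an accepted alias in the man page) rather than leaving the keyword table to grow one special case at a time.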
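Review bot: in the second hunk, removing the trailing blank from printf(" log logamount %d", ...) and printf(" log") is only safe if every token printed after the log clause supplies its own leading space, as printf(" limit") in the third hunk does; the "then print the body" code that follows is outside this hunk, so its first printf should be checked to begin with a space too, otherwise "log" runs into the next keyword in ipfw show output.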
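Review bot: in the third hunk, (x & p->x) == p->x is the right test once the table mixes single-bit masks with a multi-bit entry: with the old x & p->x, any mask sharing one bit with the multi-bit entry printed that entry's name, which is what the "limit all" report describes. Two things still depend on the table order and are worth a comment: because the loop clears bits with x &= ~p->x as it goes, a multi-bit entry must precede the single-bit entries it covers or it can never match; and bits of x that no entry consumes are silently dropped, so a check that x == 0 after the loop would expose a mask the table cannot print.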
From owner-freebsd-ipfw Wed Jul 10 2:23:42 2002
From: Jens Trzaska
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available
Date: Wed, 10 Jul 2002 11:23:37 +0200
X-Operating-System: FreeBSD 4.6-STABLE, i386

On Tue, Jul 09, 2002 at 02:32:04AM -0700, Luigi Rizzo wrote:
> [Bcc to -stable as relevant there]
>
> As the subject says, the latest patches to run ipfw2 on -stable are at
>
>     http://info.iet.unipi.it/~luigi/ipfw2.stable.020709.diffs

Great work. No problems so far.

But one question. Does the code also allow the new OR syntax you
mentioned in -net? I tried to insert the following rule but it does
not work.
    anastasia:~#ipfw add allow ip from 10.11.9.3 or 10.11.9.2 to any
    ipfw: invalid OR block

Jens

--
KeyID=96FE36DB
Key fingerprint=1C9B 7EF8 1A22 1740 9F1B AB7B 17D2 64E1 96FE 36DB

From owner-freebsd-ipfw Wed Jul 10 2:31:52 2002
Date: Wed, 10 Jul 2002 02:31:45 -0700
From: Luigi Rizzo
To: Jens Trzaska
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available

On Wed, Jul 10, 2002 at 11:23:37AM +0200, Jens Trzaska wrote:
> On Tue, Jul 09, 2002 at 02:32:04AM -0700, Luigi Rizzo wrote:
> > [Bcc to -stable as relevant there]
> >
> > As the subject says, the latest patches to run ipfw2 on -stable are at
> >
> >     http://info.iet.unipi.it/~luigi/ipfw2.stable.020709.diffs
>
> Great work. No problems so far.
>
> But one question. Does the code also allow the new OR syntax you
> mentioned in -net? I tried to insert the following rule but it does
> not work.

you need to put braces around the OR block (one person
suggested that to avoid ambiguity).
Either braces {} or parentheses () do, but the latter need
to be escaped from the shell.

> anastasia:~#ipfw add allow ip from 10.11.9.3 or 10.11.9.2 to any

    ipfw add allow ip from { 10.11.9.3 or 10.11.9.2 } to any

also:

    ipfw add allow ip from 10.11.9.0/24{2,3} to any

does the same in this case.
    cheers
    luigi

From owner-freebsd-ipfw Wed Jul 10 2:51:18 2002
Date: Wed, 10 Jul 2002 11:51:12 +0200
From: Jens Trzaska
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available

On Wed, Jul 10, 2002 at 02:31:45AM -0700, Luigi Rizzo wrote:
> On Wed, Jul 10, 2002 at 11:23:37AM +0200, Jens Trzaska wrote:
> > But one question. Does the code also allow the new OR syntax you
> > mentioned in -net? I tried to insert the following rule but it does
> > not work.
>
> you need to put braces around the OR block (one person
> suggested that to avoid ambiguity).
> Either braces {} or parentheses () do, but the latter need
> to be escaped from the shell.
>
> > anastasia:~#ipfw add allow ip from 10.11.9.3 or 10.11.9.2 to any
>
>     ipfw add allow ip from { 10.11.9.3 or 10.11.9.2 } to any
>
> also:
>
>     ipfw add allow ip from 10.11.9.0/24{2,3} to any
>
> does the same in this case.

Cool. *g* But is that o.k.?
    anastasia:~#ipfw add 5900 allow ip from { 10.11.9.3 or 10.11.9.2 } to any
    05900 allow ip from { 10.11.9.3 or 10.11.9.2 } to any
    05900 allow ip from { 10.11.9.3 or 10.11.9.2 } to any

It shows the rule 2 times.

Jens

--
KeyID=96FE36DB
Key fingerprint=1C9B 7EF8 1A22 1740 9F1B AB7B 17D2 64E1 96FE 36DB

From owner-freebsd-ipfw Wed Jul 10 3:25:28 2002
Date: Wed, 10 Jul 2002 06:25:19 -0400
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available
From: Dan Pelleg

Luigi Rizzo writes:
> Hi Dan,
> thanks for the report:
>
> > I've only used it briefly. For now it looks ok, with the following observations:
> >
> > 1) the "icmptype" option doesn't seem to be supported
>
> the manpage lists "icmptypes" (plural) as the option keyword,
> though it is true that the previous code allowed abbreviations
> (but those could be ambiguous). I am not sure whether or
> not it is the case to fix it -- for sure I can add "icmptype"
> as an alias for "icmptypes"
>

I see. While both choices are reasonable, this change has the potential of causing a lot of grief to people who find their rulesets altered. If we're dropping abbreviations, maybe it's a good idea to provide a search-and-replace script to convert existing rule scripts. Maybe even offer it as part of mergemaster (if that's at all possible - I don't know).

> > 3) I'm getting lots of "/kernel: install_state: entry already present,
> > done" (related to (2)?).
>
> this one I cannot reproduce, do you have a small ruleset and
> input example to send me so I can try and reproduce the problem ?
>

That's easy:

    sh /etc/rc.firewall closed

    ipfw add 500 pass tcp from me to any keep-state limit src-addr dst-port 40
    ipfw add 600 pass udp from me to any keep-state limit src-addr dst-port 40

Now just fire up Mozilla (which opens lots of connections in rapid succession) and watch the logs.

I have another bug to report. The following causes a segfault on a DUMMYNET-less machine:

    ipfw queue 1 config pipe 10 weight 100 mask src-ip 0xffffffff

note that if you drop the mask specifier, then it just tells you:

    ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Protocol not available

as it should.
From owner-freebsd-ipfw Wed Jul 10 4:33:14 2002
Date: Wed, 10 Jul 2002 04:33:09 -0700
From: Luigi Rizzo
To: Jens Trzaska
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available

On Wed, Jul 10, 2002 at 11:51:12AM +0200, Jens Trzaska wrote:
...
> But is that o.k.?
>
>     anastasia:~#ipfw add 5900 allow ip from { 10.11.9.3 or 10.11.9.2 } to any
>     05900 allow ip from { 10.11.9.3 or 10.11.9.2 } to any
>     05900 allow ip from { 10.11.9.3 or 10.11.9.2 } to any
>
> It shows the rule 2 times.

oh don't worry, there was an extra call to show_ipfw() that I put in
for debugging purposes.
It is near the end of ipfw2.c:add(), you can safely remove it.

    cheers
    luigi

From owner-freebsd-ipfw Wed Jul 10 6:21:55 2002
Date: Wed, 10 Jul 2002 06:21:47 -0700
From: Luigi Rizzo
To: Dan Pelleg
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available

On Wed, Jul 10, 2002 at 06:25:19AM -0400, Dan Pelleg wrote:
...
> That's easy:
>
>     sh /etc/rc.firewall closed
>
>     ipfw add 500 pass tcp from me to any keep-state limit src-addr dst-port 40

ah, that is a bug in your ruleset:
"keep-state" and "limit" are incompatible, if you use one you should
not use the latter. For the old code the overloading of several fields
in the rule descriptor masked the bug.

I will add some checks in /sbin/ipfw to flag this incorrect usage.

In the meantime could you check if removing "keep-state" from
the limit rules still causes the problem ?

> I have another bug to report. The following causes a segfault on a
> DUMMYNET-less machine:
>
>     ipfw queue 1 config pipe 10 weight 100 mask src-ip 0xffffffff

will look into this.
    thanks again
    luigi

From owner-freebsd-ipfw Wed Jul 10 7:09:12 2002
Date: Wed, 10 Jul 2002 10:08:54 -0400
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available
From: Dan Pelleg
Reply-To: Dan Pelleg
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

Luigi Rizzo writes:
> On Wed, Jul 10, 2002 at 06:25:19AM -0400, Dan Pelleg wrote:
> ...
> > That's easy:
> >
> > sh /etc/rc.firewall closed
> >
> > ipfw add 500 pass tcp from me to any keep-state limit src-addr dst-port 40
>
> ah, that is a bug in your ruleset:
> "keep-state" and "limit" are incompatible; if you use one you should
> not use the other. For the old code the overloading of several fields
> in the rule descriptor masked the bug.
>

Huh. I always thought of limit as "a keep-state rule with some additional
restrictions".

> I will add some checks in /sbin/ipfw to flag this incorrect usage.
>
> In the meantime could you check if removing "keep-state" from
> the limit rules still causes the problem ?
>

Removing keep-state seems to solve the problem. Thanks!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Jul 10 7:28:11 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 494E137B400 for ; Wed, 10 Jul 2002 07:28:10 -0700 (PDT)
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB49143E58 for ; Wed, 10 Jul 2002 07:28:09 -0700 (PDT) (envelope-from rizzo@iguana.icir.org)
Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g6AES8N94340; Wed, 10 Jul 2002 07:28:08 -0700 (PDT) (envelope-from rizzo)
Date: Wed, 10 Jul 2002 07:28:08 -0700
From: Luigi Rizzo
To: Dan Pelleg
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available
Message-ID: <20020710072808.B94159@iguana.icir.org>
References: <20020709023203.A83270@iguana.icir.org> <20020709221347.A91104@iguana.icir.org> <15660.2959.142937.827544@gargle.gargle.HOWL> <20020710062146.A93900@iguana.icir.org> <15660.16374.50102.170751@gs166.sp.cs.cmu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <15660.16374.50102.170751@gs166.sp.cs.cmu.edu>; from daniel+bsd@pelleg.org on Wed, Jul 10, 2002 at 10:08:54AM -0400
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

On Wed, Jul 10, 2002 at 10:08:54AM -0400, Dan Pelleg wrote:
...
> > In the meantime could you check if removing "keep-state" from
> > the limit rules still causes the problem ?
>
> Removing keep-state seems to solve the problem. Thanks!

the good thing is that without a single exception, all the bugs
reported so far are responsibility of the userland code, not the
kernel :)

cheers
luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Wed Jul 10 10:10:41 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EFF4F37B400 for ; Wed, 10 Jul 2002 10:10:30 -0700 (PDT)
Received: from dsee.fee.unicamp.br (dsee.fee.unicamp.br [143.106.11.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id D220843E31 for ; Wed, 10 Jul 2002 10:10:29 -0700 (PDT) (envelope-from morte@dsee.fee.unicamp.br)
Received: from xapuri (dsee.fee.unicamp.br [143.106.11.14]) by dsee.fee.unicamp.br (8.10.1/8.10.1) with SMTP id g6AH9i223463 for ; Wed, 10 Jul 2002 14:09:44 -0300 (EST)
Reply-To:
From: "Luiz Morte da Costa Jr"
To:
Subject: rexec
Date: Wed, 10 Jul 2002 14:06:07 -0300
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0008_01C2281A.EFDC5410"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

Hi there,

I have an ipfw+nat running in a FreeBSD 4.5.
I have this configuration:

    Internet 1 (fxp0)          Internet 2 (fxp1)
      (a.b.c.164)                (a.b.d.80)
          / \                        / \
           |                          |
    --------------------------------------------------
                            |
                           \ /
                     Internal (fxp2)
                     (10.10.10.129)

Obs:
- The IP Class x.y.z.0 is in fxp0 network.
- The default route to a.b.c.0 IP Class is a.b.c.129
- In /etc/rc.conf
    defaultrouter="a.b.d.65"

I have a sun with a valid IP and with a calendar server running
- IP: a.b.c.152
- valid IP
- calendar server running

I have a PC in an internal network
- IP: 10.10.10.130
- no valid IP
- calendar client

My problem is to have access in a calendar server from an internal IP (10.10.10.130)

================================================================
NAT:
/sbin/natd -p 8668 -n fxp0   (natd)
/sbin/natd -p 8669 -n fxp1   (natd2)

My rules are:

# Internal IP Class
add 0011 skipto 0055 all from a.b.c.0/24 to any
add 0012 skipto 0055 all from any to a.b.c.0/24
add 0013 skipto 0055 all from x.y.z.0/24 to any
add 0014 skipto 0055 all from any to x.y.z.0/24
#
# NAT for all IP Class
add 0051 divert natd2 all from any to any
add 0052 skipto 0100 all from any to any
#
# NAT for Internal IP Class
add 0055 divert natd all from any to any
# forward internal IP Class
add 0056 fwd a.b.c.129 all from a.b.c.164 to any out
#
# Deny source routing, record route
add 0100 deny log tcp from any to any ipoptions ssrr,lsrr,rr
# Allow loop back
add 0102 allow all from any to any via lo0
#
# Allow all (for test)
add 60000 allow log logamount 20000 all from any to any
================================================================

Thanks anyway,
Luiz.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Fri Jul 12 22:27:56 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0CAC337B400 for ; Fri, 12 Jul 2002 22:27:54 -0700 (PDT)
Received: from sccrmhc02.attbi.com (sccrmhc02.attbi.com [204.127.202.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id 686C143E65 for ; Fri, 12 Jul 2002 22:27:53 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: from blossom.cjclark.org ([12.234.91.48]) by sccrmhc02.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020713052752.SCFE6023.sccrmhc02.attbi.com@blossom.cjclark.org>; Sat, 13 Jul 2002 05:27:52 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g6D5RpJK049122; Fri, 12 Jul 2002 22:27:51 -0700 (PDT) (envelope-from crist.clark@attbi.com)
Received: (from cjc@localhost) by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g6D5Rptm049121; Fri, 12 Jul 2002 22:27:51 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f
Date: Fri, 12 Jul 2002 22:27:50 -0700
From: "Crist J. Clark"
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: RFC: inconsistent behaviour on packets generated by the firewall
Message-ID: <20020713052750.GA48937@blossom.cjclark.org>
Reply-To: "Crist J.
Clark"
References: <20020704043409.A26837@iguana.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020704043409.A26837@iguana.icir.org>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG

On Thu, Jul 04, 2002 at 04:34:09AM -0700, Luigi Rizzo wrote:
> Hi,
> i was looking at the implementation of ipfw rules which generate
> a feedback packet back to the source (reset, reject and unreach)
> and i realised that there is a potential problem here...
>
> Some ICMP packets generated by the host bypass the firewall, but
> TCP RST do not, so they can be blocked themselves (this is the way
> the old ipfw works, and there is code to prevent loops).
>
> I think policies should be consistent -- either all packets (including
> icmps generated by the firewall) should go through the firewall again
> (with proper countermeasures to avoid loops), or all packets generated
> by the firewall should bypass the firewall and go to the correct
> destination.
>
> So, what do we want to do ?

I would initially say that packets generated by a firewall rule should
go out without being filtered again. That is the simplest. Simple makes
for better security.

I've been trying to think of configurations where the only way to
control where replies go is by outgoing filter rules, but I haven't
been able to think of any.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
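Earlier in this thread (Luigi's reply to Dan Pelleg) a rule that carries both "keep-state" and "limit" is called a ruleset bug, with a promise to make /sbin/ipfw flag it and the advice to drop keep-state from limit rules. The check below is an added example written for this page, not code from FreeBSD or from /sbin/ipfw: it screens a ruleset in the syntax seen in the thread ("ipfw add N ..." or bare "add N ..." as in an rc.firewall) for that conflict and can rewrite an offending rule the way Dan fixed his. The parser, the lint and drop_keep_state helpers and the sample ruleset (Dan's rule plus invented clean rules) are all assumptions of this example; it understands only the rule subset visible in the thread.

```python
"""Screen an ipfw ruleset for rules that combine "keep-state" with "limit".

Added example for this thread, not code from FreeBSD or /sbin/ipfw.
Only the rule syntax seen in the thread is understood:
  "[ipfw] add [<num>] <action> ... [keep-state]
      [limit {src-addr|src-port|dst-addr|dst-port}... <N>]"
plus "# comments"; other lines (e.g. "ipfw flush") are passed through.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LIMIT_KEYS = ("src-addr", "src-port", "dst-addr", "dst-port")


@dataclass
class Rule:
    number: Optional[int]           # None when ipfw is left to number the rule
    action: str                     # pass/allow, deny, skipto, divert, fwd, ...
    keep_state: bool
    limit: Optional[Tuple[Tuple[str, ...], int]]   # (keys, max sessions)
    text: str


def parse_rule(line: str) -> Optional[Rule]:
    """Return a Rule for an 'add' line, None for anything that is not one."""
    tokens = line.split()
    if tokens and tokens[0] == "ipfw":          # interactive "ipfw add ..." form
        tokens = tokens[1:]
    if not tokens or tokens[0] != "add":
        return None
    tokens = tokens[1:]
    number = None
    if tokens and tokens[0].isdigit():
        number = int(tokens[0])
        tokens = tokens[1:]
    if not tokens:
        raise ValueError(f"rule has no action: {line!r}")
    action = tokens[0]
    limit = None
    if "limit" in tokens:
        i = tokens.index("limit") + 1
        keys = []
        while i < len(tokens) and tokens[i] in LIMIT_KEYS:
            keys.append(tokens[i])
            i += 1
        if not keys or i >= len(tokens) or not tokens[i].isdigit():
            raise ValueError(f"malformed limit clause: {line!r}")
        limit = (tuple(keys), int(tokens[i]))
    return Rule(number, action, "keep-state" in tokens, limit, line)


def lint(ruleset: str) -> List[str]:
    """One message per rule that carries both keep-state and a limit clause."""
    problems = []
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        rule = parse_rule(line)
        if rule is not None and rule.keep_state and rule.limit is not None:
            where = f"rule {rule.number}" if rule.number is not None else f"line {lineno}"
            keys, n = rule.limit
            problems.append(
                f"{where}: keep-state and limit {' '.join(keys)} {n} are incompatible; "
                f"use one or the other")
    return problems


def drop_keep_state(line: str) -> str:
    """Apply the fix from the thread: remove keep-state from a rule that has limit."""
    rule = parse_rule(line)
    if rule is None or rule.limit is None:
        return line
    return " ".join(t for t in line.split() if t != "keep-state")


# Constructed sample ruleset: Dan's rule from the thread plus invented clean rules.
SAMPLE = """\
# outbound connections, at most 40 per (source address, destination port)
ipfw add 500 pass tcp from me to any keep-state limit src-addr dst-port 40
add 510 pass tcp from me to any setup keep-state
add 520 pass udp from me to any 53 limit src-addr 100
add 65000 deny all from any to any
"""

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
        print("  suggested:", drop_keep_state(problem and SAMPLE.splitlines()[1]))
```

To screen a real file, call lint() on its contents (for example lint(open("/etc/rc.firewall").read())); anything the parser does not recognise is ignored rather than reported, so a clean result means only that no rule combines the two keywords, not that the ruleset is otherwise sound.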