From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 7 03:30:11 2004
Date: Sun, 7 Mar 2004 12:30:08 +0100
From: Johan Karlsson
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Message-ID: <20040307113008.GC64109@numeri.campus.luth.se>
In-Reply-To: <20040306212233.A56351@xorpc.icir.org>
Subject: Re: where do %j/uintmax_t stand in terms of standards? [WAS: Re: WARNS cleanup for ipfw

On Sat, Mar 06, 2004 at 21:22 (-0800) +0000, Luigi Rizzo wrote:
> On Sat, Mar 06, 2004 at 06:32:19PM +0100, Johan Karlsson wrote:
> > On Sat, Mar 06, 2004 at 08:26 (-0800) +0000, Luigi Rizzo wrote:
> > > On Sat, Mar 06, 2004 at 12:19:22PM +0100, Johan Karlsson wrote:
> > > > Hi
> > > >
> > > > the attached patch makes ipfw WARNS=2 clean by using the
> > > > %j/(uintmax_t) combo where so needed. If there are no
> > > > objections I intend to commit this patch.
> >
> > First of all, %j/uintmax_t is used since uint64_t does not match
> > long long on all our platforms. Hence to print this without warning
> > we need to do this.
>
> ok, given that our counters _are_ 64 bits on all platforms, and
> that it would be nice to use the same code on 4.x and 5.x (at least,
> I'd hate to see a large number of differences for something trivial
> as a printf specifier), i suggest to leave the print format as "%llu",
> which is supported on all versions and platforms, and change
> align_uint64() as following:
>
> -static __inline uint64_t
> +static unsigned long long
> align_uint64(uint64_t *pll) {
> uint64_t ret;
>
> + /* make sure the value is correctly aligned, as pll might be not */
> bcopy (pll, &ret, sizeof(ret));
> - return ret;
> + return (unsigned long long)ret;
> };
>
> (we do not care about __inline since this is always called
> within a *printf() which is way more expensive).
> This should close the issue, and is a lot more readable and
> portable than the proposed patch or my previous suggestion.

Ok, how about the attached patch then? It takes care of all printf
related warnings on -current. I do not have a -stable machine at the
moment so I have not done any compile testing for -stable. If you agree
to this patch, please commit it or let me know if I should.

take care
/Johan K

--
Johan Karlsson mailto:johan@FreeBSD.org

Attachment: ipfw.diff2

Index: sbin/ipfw/Makefile
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/Makefile,v
retrieving revision 1.12
diff -u -r1.12 Makefile
--- sbin/ipfw/Makefile 11 Jul 2002 17:33:37 -0000 1.12
+++ sbin/ipfw/Makefile 5 Mar 2004 22:06:10 -0000
@@ -2,7 +2,7 @@

PROG= ipfw
SRCS= ipfw2.c
-WARNS?= 0
+WARNS?= 2
MAN= ipfw.8

.include
Index: sbin/ipfw/ipfw2.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.45
diff -u -r1.45 ipfw2.c
--- sbin/ipfw/ipfw2.c 24 Jan 2004 19:20:09 -0000 1.45
+++ sbin/ipfw/ipfw2.c 7 Mar 2004 11:12:34 -0000
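Review bot: the Makefile hunk above (-WARNS?= 0 / +WARNS?= 2) should not land ahead of the evidence that ipfw2.c is clean at that level everywhere: the cover message says only -current was compile-tested, not -stable, and the thread's whole concern is how uint64_t, long long and alignment behave on the 64-bit platforms (the sparc and alpha lists are named), so either state which architectures were built at WARNS=2 or hold this one-line hunk until those builds have been reported and commit it together with the source fixes it depends on.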
@@ -352,12 +352,12 @@
{ NULL, 0 } /* terminator */
};

-static __inline uint64_t
+static unsigned long long
align_uint64(uint64_t *pll) {
uint64_t ret;

bcopy (pll, &ret, sizeof(ret));
- return ret;
+ return (unsigned long long)ret;
};

/*
@@ -1423,12 +1423,14 @@
ina.s_addr = htonl(q[l].id.dst_ip);
printf("%15s/%-5d ",
inet_ntoa(ina), q[l].id.dst_port);
- printf("%4qu %8qu %2u %4u %3u\n",
- q[l].tot_pkts, q[l].tot_bytes,
+ printf("%4llu %8llu %2u %4u %3u\n",
+ (unsigned long long)q[l].tot_pkts,
+ (unsigned long long)q[l].tot_bytes,
q[l].len, q[l].len_bytes, q[l].drops);
if (verbose)
- printf(" S %20qd F %20qd\n",
- q[l].S, q[l].F);
+ printf(" S %20llu F %20llu\n",
+ (unsigned long long)q[l].S,
+ (unsigned long long)q[l].F);
}
}

@@ -1517,7 +1519,8 @@
p->pipe_nr, buf, p->delay);
print_flowset_parms(&(p->fs), prefix);
if (verbose)
- printf(" V %20qd\n", p->V >> MY_M);
+ printf(" V %20llu\n",
+ (unsigned long long)p->V >> MY_M);

q = (struct dn_flow_queue *)(p+1);
list_queues(&(p->fs), q);

From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 7 05:02:06 2004
From: "Uwe Kolsch"
Date: Sun, 7 Mar 2004 13:02:04 -0000
Message-ID: <00e701c40444$63d3ab00$cc06a8c0@wax.local>
Subject: logging and dynamic rules

Hi,

I've set up ipfw2 on 5.2.1 like follows.

add 1000 check-state
#allow ssh traffic from any to any
add 2022 allow log tcp from any to any 22 in setup keep-state

This results in every packet of any ssh connection getting logged, not
really what I want. I would like to get only the initiation of a ssh
connection into the logfile. Without dynamic rules I would just deal
with packages of an established connection without logging, but log any
request to port 22. Is there any way to achieve this with dynamic rules
too.
Thanks,

Hans Hunger

From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 7 05:12:18 2004
Date: Sun, 7 Mar 2004 05:12:17 -0800
From: Luigi Rizzo
To: Johan Karlsson
Cc: ipfw@freebsd.org
Message-ID: <20040307051216.A74559@xorpc.icir.org>
In-Reply-To: <20040307113008.GC64109@numeri.campus.luth.se>
Subject: Re: where do %j/uintmax_t stand in terms of standards? [WAS: Re: WARNS cleanup for ipfw

On Sun, Mar 07, 2004 at 12:30:08PM +0100, Johan Karlsson wrote:
...
> Ok, how about the attached patch then? It takes care of all printf
> related warnings on -current.

not there yet, sorry...

No offense, but I think that rather than rushing for a commit you
should wait a few days to get some feedback from people using 64-bit
platforms (e.g. try to post to -sparc or -alpha, or ask some of
the people involved with 64-bit development), and also have a look
at how other system utilities deal with similar things (64-bit
counters and possible alignment problems -- what is the preferred
way to print out things, "%qu" or "%llu" ? I understand that
ipfw2.c does a mix of both things, i just have no idea which one is
better except that "unsigned long long" is a lot longer to
write than "u_quad_t" so that might favour "%qu" ?).
In any case, it's a weekend, give people a bit of time to read and
think about solutions.

This is muddy ground, I and possibly others have burned our fingers
by making the wrong assumptions.
A clean and silent compile can still cause the code to dump core on
certain systems due to alignment problems.
E.g. I strongly suspect that, on systems with alignment issues,
many of the places where you cast values to (unsigned long long)
would be a lot safer by using align_uint64() (I believe the current
code _is_ safe because of the way the pointer to list_pipes() and
print_flowset_parms() are constructed, but all this is very fragile,
because it relies on the userland passing down a suitably aligned
buffer, which is not specified anywhere in the ipfw ABI. If we are
going to touch this code we better provide a good fix than a bandaid.)

cheers
luigi

> I do not have a -stable machine at the moment so I have not done any
> compile testing for -stable. If you agree to this patch, please commit
> it or let me know if I should.
>
> take care
> /Johan K
>
> --
> Johan Karlsson mailto:johan@FreeBSD.org

> Index: sbin/ipfw/Makefile
> ===================================================================
> RCS file: /home/ncvs/src/sbin/ipfw/Makefile,v
> retrieving revision 1.12
> diff -u -r1.12 Makefile
> --- sbin/ipfw/Makefile 11 Jul 2002 17:33:37 -0000 1.12
> +++ sbin/ipfw/Makefile 5 Mar 2004 22:06:10 -0000
> @@ -2,7 +2,7 @@
>
> PROG= ipfw
> SRCS= ipfw2.c
> -WARNS?= 0
> +WARNS?= 2
> MAN= ipfw.8
>
> .include
> Index: sbin/ipfw/ipfw2.c
> ===================================================================
> RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
> retrieving revision 1.45
> diff -u -r1.45 ipfw2.c
> --- sbin/ipfw/ipfw2.c 24 Jan 2004 19:20:09 -0000 1.45
> +++ sbin/ipfw/ipfw2.c 7 Mar 2004 11:12:34 -0000
> @@ -352,12 +352,12 @@
> { NULL, 0 } /* terminator */
> };
>
> -static __inline uint64_t
> +static unsigned long long
> align_uint64(uint64_t *pll) {
> uint64_t ret;
>
> bcopy (pll, &ret, sizeof(ret));
> - return ret;
> + return (unsigned long long)ret;
> };
>
> /*
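Review bot: this hunk turns align_uint64() into the printf-ready accessor, yet none of the hunks in this patch call it: the 1423 and 1517 hunks cast q[l].tot_pkts, q[l].tot_bytes, q[l].S, q[l].F and p->V straight out of the kernel-supplied buffer, which bypasses the bcopy() that is the only thing protecting a misaligned 64-bit field, exactly the failure mode described above. Suggest `+ (unsigned long long)q[l].tot_pkts,` become `+ align_uint64(&q[l].tot_pkts),` (and likewise for the other fields), so the cast in `+ return (unsigned long long)ret;` is the single place the type conversion happens and the call sites need no casts. The suggested version of this function also carried a comment explaining why bcopy() is used instead of a plain load; that comment is missing from the hunk and is worth keeping, since the next person to "simplify" this to `return *pll;` will reintroduce the problem.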
> @@ -1423,12 +1423,14 @@
> ina.s_addr = htonl(q[l].id.dst_ip);
> printf("%15s/%-5d ",
> inet_ntoa(ina), q[l].id.dst_port);
> - printf("%4qu %8qu %2u %4u %3u\n",
> - q[l].tot_pkts, q[l].tot_bytes,
> + printf("%4llu %8llu %2u %4u %3u\n",
> + (unsigned long long)q[l].tot_pkts,
> + (unsigned long long)q[l].tot_bytes,
> q[l].len, q[l].len_bytes, q[l].drops);
> if (verbose)
> - printf(" S %20qd F %20qd\n",
> - q[l].S, q[l].F);
> + printf(" S %20llu F %20llu\n",
> + (unsigned long long)q[l].S,
> + (unsigned long long)q[l].F);
> }
> }
>
> @@ -1517,7 +1519,8 @@
> p->pipe_nr, buf, p->delay);
> print_flowset_parms(&(p->fs), prefix);
> if (verbose)
> - printf(" V %20qd\n", p->V >> MY_M);
> + printf(" V %20llu\n",
> + (unsigned long long)p->V >> MY_M);
>
> q = (struct dn_flow_queue *)(p+1);
> list_queues(&(p->fs), q);
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 7 05:14:12 2004
Date: Sun, 7 Mar 2004 05:14:11 -0800
From: Luigi Rizzo
To: Uwe Kolsch
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20040307051411.B74559@xorpc.icir.org>
In-Reply-To: <00e701c40444$63d3ab00$cc06a8c0@wax.local>
Subject: Re: logging and dynamic rules

On Sun, Mar 07, 2004 at 01:02:04PM -0000, Uwe Kolsch wrote:
> Hi,
>
> I've set up ipfw2 on 5.2.1 like follows.
>
> add 1000 check-state
> #allow ssh traffic from any to any
> add 2022 allow log tcp from any to any 22 in setup keep-state
>
> This results in every packet of any ssh connection getting logged, not
> really what I want. I would like to get only the initiation of a ssh
> connection into the logfile. Without dynamic rules I would just deal

i guess your best option is to do this:

add 2022 count log tcp from any to any 22 in setup
add 2022 allow tcp from any to any 22 in setup keep-state

cheers
luigi

> with packages of an established connection without logging, but log any
> request to port 22. Is there any way to achieve this with dynamic rules
> too.
>
> Thanks,
>
> Hans Hunger

From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 6 09:32:22 2004
Date: Sat, 6 Mar 2004 18:32:19 +0100
From: Johan Karlsson
To: Luigi Rizzo
Cc: standards@freebsd.org
Message-ID: <20040306173219.GB64109@numeri.campus.luth.se>
In-Reply-To: <20040306082625.B34490@xorpc.icir.org>
X-Mailman-Approved-At: Sun, 07 Mar 2004 05:18:21 -0800
Subject: where do %j/uintmax_t stand in terms of standards? [WAS: Re: WARNS cleanup for ipfw

[let's move this from ipfw@ to standards@ to get an answer]

On Sat, Mar 06, 2004 at 08:26 (-0800) +0000, Luigi Rizzo wrote:
> On Sat, Mar 06, 2004 at 12:19:22PM +0100, Johan Karlsson wrote:
> > Hi
> >
> > the attached patch makes ipfw WARNS=2 clean by using the
> > %j/(uintmax_t) combo where so needed. If there are no
> > objections I intend to commit this patch.

First of all, %j/uintmax_t is used since uint64_t does not match
long long on all our platforms. Hence to print this without warning
we need to do this.

>
> if align_uint64() is always cast to uintmax_t, why don't
> you define it to return the proper type instead ?

Since I only looked at removing the warnings I did not realize that it
is only used when printing. However, I do agree that this is a better
solution. I will make that change and run it through a make universe.

>
> Also, where do %j/uintmax_t stand in terms of standards ?
> certainly the gcc in 4.x does not like them...

I have absolutely no idea. Can someone here at standards@ answer this
question?
take care
/Johan K

--
Johan Karlsson mailto:johan@FreeBSD.org

From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 7 06:05:21 2004
From: "Uwe Kolsch"
Date: Sun, 7 Mar 2004 14:05:18 -0000
Message-ID: <00f001c4044d$395e22c0$cc06a8c0@wax.local>
In-Reply-To: <20040307051411.B74559@xorpc.icir.org>
Subject: RE: logging and dynamic rules

Thanks Luigi

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Luigi Rizzo
Sent: 07 March 2004 13:14
To: Uwe Kolsch
Cc: freebsd-ipfw@freebsd.org
Subject: Re: logging and dynamic rules

On Sun, Mar 07, 2004 at 01:02:04PM -0000, Uwe Kolsch wrote:
> Hi,
>
> I've set up ipfw2 on 5.2.1 like follows.
>
> add 1000 check-state
> #allow ssh traffic from any to any
> add 2022 allow log tcp from any to any 22 in setup keep-state
>
> This results in every packet of any ssh connection getting logged, not
> really what I want. I would like to get only the initiation of a ssh
> connection into the logfile. Without dynamic rules I would just deal

i guess your best option is to do this:

add 2022 count log tcp from any to any 22 in setup
add 2022 allow tcp from any to any 22 in setup keep-state

cheers
luigi

> with packages of an established connection without logging, but log
> any request to port 22. Is there any way to achieve this with dynamic
> rules too.
>
> Thanks,
>
> Hans Hunger

From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 7 06:09:15 2004
Date: Sun, 7 Mar 2004 15:09:15 +0100
From: Maxime Henrion
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Cc: Johan Karlsson
Message-ID: <20040307140915.GR35475@elvis.mu.org>
In-Reply-To: <20040307051216.A74559@xorpc.icir.org>
Subject: Re: where do %j/uintmax_t stand in terms of standards? [WAS: Re: WARNS cleanup for ipfw

Luigi Rizzo wrote:
> On Sun, Mar 07, 2004 at 12:30:08PM +0100, Johan Karlsson wrote:
> ...
> > Ok, how about the attached patch then? It takes care of all printf
> > related warnings on -current.
>
> not there yet, sorry...
>
> No offense, but I think that rather than rushing for a commit you
> should wait a few days to get some feedback from people using 64-bit
> platforms (e.g. try to post to -sparc or -alpha, or ask some of
> the people involved with 64-bit development), and also have a look
> at how other system utilities deal with similar things (64-bit
> counters and possible alignment problems -- what is the preferred
> way to print out things, "%qu" or "%llu" ? I understand that
> ipfw2.c does a mix of both things, i just have no idea which one is
> better except that "unsigned long long" is a lot longer to
> write than "u_quad_t" so that might favour "%qu" ?).
> In any case, it's a weekend, give people a bit of time to read and
> think about solutions.
The "%llu" format is preferred over "%qu", because the latter is
BSD-specific while the former is in C99 now (it was a GCC extension
before). It is correct to cast to unsigned long long and use "%llu" to
print an uint64_t because a long long is guaranteed to always be at
least 64 bits. One should however still use uint64_t to store the type
rather than unsigned long long because it may be bigger than 64 bits.
So unsigned long long should only be used for the cast here.

Cheers,
Maxime

From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 7 06:16:43 2004
Date: Sun, 7 Mar 2004 15:16:43 +0100
From: Maxime Henrion
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Cc: Johan Karlsson
Message-ID: <20040307141643.GS35475@elvis.mu.org>
In-Reply-To: <20040307140915.GR35475@elvis.mu.org>
Subject: Re: where do %j/uintmax_t stand in terms of standards? [WAS: Re: WARNS cleanup for ipfw

Maxime Henrion wrote:
> Luigi Rizzo wrote:
> > On Sun, Mar 07, 2004 at 12:30:08PM +0100, Johan Karlsson wrote:
> > ...
> > > Ok, how about the attached patch then? It takes care of all printf
> > > related warnings on -current.
> >
> > not there yet, sorry...
> >
> > No offense, but I think that rather than rushing for a commit you
> > should wait a few days to get some feedback from people using 64-bit
> > platforms (e.g. try to post to -sparc or -alpha, or ask some of
> > the people involved with 64-bit development), and also have a look
> > at how other system utilities deal with similar things (64-bit
> > counters and possible alignment problems -- what is the preferred
> > way to print out things, "%qu" or "%llu" ? I understand that
> > ipfw2.c does a mix of both things, i just have no idea which one is
> > better except that "unsigned long long" is a lot longer to
> > write than "u_quad_t" so that might favour "%qu" ?).
> > In any case, it's a weekend, give people a bit of time to read and
> > think about solutions.
>
> The "%llu" format is preferred over "%qu", because the latter is
> BSD-specific while the former is in C99 now (it was a GCC extension
> before). It is correct to cast to unsigned long long and use "%llu" to
> print an uint64_t because a long long is guaranteed to always be at
> least 64 bits. One should however still use uint64_t to store the type
> rather than unsigned long long because it may be bigger than 64 bits.
> So unsigned long long should only be used for the cast here.

Replying to myself : it's interesting to know that C99 introduces some
macros expanding to printf() formats. Those are in inttypes.h. For
instance, to print an uint64_t, one should theoretically use the PRIu64
macro, ie: `` printf("%" PRIu64 "\n", foo); ''. We actually don't use
those in FreeBSD because they are simply ugly. Also, it's probably not
a good idea to use this in ipfw since Luigi is concerned about keeping
the code similar in 5.x and 4.x.

Cheers,
Maxime

From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 7 07:04:41 2004
Date: Sun, 7 Mar 2004 07:04:40 -0800
From: Luigi Rizzo
To: Maxime Henrion
Cc: ipfw@freebsd.org
Cc: Johan Karlsson
Message-ID: <20040307070440.A79457@xorpc.icir.org>
In-Reply-To: <20040307141643.GS35475@elvis.mu.org>
Subject: Re: where do %j/uintmax_t stand in terms of standards? [WAS: Re: WARNS cleanup for ipfw

On Sun, Mar 07, 2004 at 03:16:43PM +0100, Maxime Henrion wrote:
...
[thanks for the clarification about %llu vs %qu]

> > before). It is correct to cast to unsigned long long and use "%llu" to
> > print an uint64_t because a long long is guaranteed to always be at
> > least 64 bits. One should however still use uint64_t to store the type

yes, my point against casts was that given that we are going for some
code cleanup, we might also do it right and make sure there are no
alignment issues by using align_uint64() and making it return the
correct type so we need no casts.

> those in FreeBSD because they are simply ugly. Also, it's probably not
> a good idea to use this in ipfw since Luigi is concerned about keeping
> the code similar in 5.x and 4.x.
yep

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 7 08:54:15 2004
From: Nicolas DEFFAYET
To: Vincent Poy
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 07 Mar 2004 17:53:48 +0100
Message-Id: <1078678428.18552.17.camel@w1-par1-fr.corp.ndsoftware.com>
In-Reply-To: <20040306140955.T8264-100000@oahu.WURLDLINK.NET>
Organization: NDSoftware
Subject: Re: Latency problem with traffic shaping

On Sun, 2004-03-07 at 01:10, Vincent Poy wrote:
> On Sat, 6 Mar 2004, Nicolas DEFFAYET wrote:

Hello,

> > How fix this latency problem ?
>
> Not much except maybe read dummynet(4) manpage and look at the HZ
> option in the kernel.

Same problem with HZ=2000 and HZ=10000 :(

Why doesn't FreeBSD 5.0-RELEASE have the latency problem?
Thanks

Best Regards,
-- 
Nicolas DEFFAYET, NDSoftware
NDSoftware IP Network: http://www.ip.ndsoftware.net/
FNIX6 (French National Internet Exchange IPv6): http://www.fnix6.net/

From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 8 05:55:59 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F4E116A4CE for ; Mon, 8 Mar 2004 05:55:59 -0800 (PST) Received: from duke.boxke.be (duke.boxke.be [62.213.198.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 6F07C43D2F for ; Mon, 8 Mar 2004 05:55:58 -0800 (PST) (envelope-from jimmy@inet-solutions.be) Received: (qmail 8744 invoked from network); 8 Mar 2004 13:55:57 -0000 Received: from unknown (HELO webmail.boxke.be) (127.0.0.1) by duke.boxke.be with SMTP; 8 Mar 2004 13:55:57 -0000 Received: from 213.118.81.79 (SquirrelMail authenticated user postmaster@inet-solutions.be) by webmail.boxke.be with HTTP; Mon, 8 Mar 2004 14:55:57 +0100 (CET) Message-ID: <47557.213.118.81.79.1078754157.squirrel@webmail.boxke.be> Date: Mon, 8 Mar 2004 14:55:57 +0100 (CET)
From: "Jimmy Scott" To: freebsd-ipfw@freebsd.org User-Agent: SquirrelMail/1.4.1 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 Importance: Normal Subject: ipfw counters (field 3) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Mar 2004 13:55:59 -0000

Hello,

A friend of mine and I are located in a datacenter on the same switch. We both have the same 3 rules, to count the traffic.

Our ISP uses MRTG with the 95% rule to charge us. Now I was wondering: I have 2MB traffic each day, their MRTG says 70MB; I thought it was because of all the ARP traffic.

But my friend counted 1,6944 GB traffic, while our ISP's MRTG points to 2GB. I've let crond mail me his results from 00:01 till 00:01, so these are both mails:

00010 11345045 1068348938 count ip from any to any via xl0
00011  6826150  466872667 count ip from any to any in recv xl0
00012  4518893  601476157 count ip from any to any out xmit xl0

00010 27743578 2887729820 count ip from any to any via xl0
00011 17168887 1405455507 count ip from any to any in recv xl0
00012 10574689 1482274199 count ip from any to any out xmit xl0

1) Is there something except ARP that isn't counted here? I thought this is with IP headers inclusive. (We don't have any ESP traffic.)
2) Is it because of their 95% rule?
3) Is their system absolutely not correct?
In case of number 3, how can I prove it to my ISP? Just normal ipfw logs and kernel ipfw counters won't do, IMHO.

Thanks in advance

Jimmy Scott

From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 8 11:01:40 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 168AA16A4E3 for ; Mon, 8 Mar 2004 11:01:40 -0800 (PST) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id EDCA043D2D for ; Mon, 8 Mar 2004 11:01:39 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.10/8.12.10) with ESMTP id i28J1dbv072706 for ; Mon, 8 Mar 2004 11:01:39 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i28J1doh072699 for freebsd-ipfw@freebsd.org; Mon, 8 Mar 2004 11:01:39 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 8 Mar 2004 11:01:39 -0800 (PST) Message-Id: <200403081901.i28J1doh072699@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster To: freebsd-ipfw@FreeBSD.org Subject: Current problem reports assigned to you X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Mar 2004 19:01:40 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.      Description
-------------------------------------------------------------------------------
o [2004/03/03]  misc/63724  ipfw       IPFW2 Queues dont t work

1 problem total.

Non-critical problems

From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 8 11:01:59 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C5BB516A4D4 for ; Mon, 8 Mar 2004 11:01:59 -0800 (PST) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id BF44443D2D for ; Mon, 8 Mar 2004 11:01:59 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.10/8.12.10) with ESMTP id i28J1xbv073096 for ; Mon, 8 Mar 2004 11:01:59 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i28J1xop073090 for ipfw@freebsd.org; Mon, 8 Mar 2004 11:01:59 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 8 Mar 2004 11:01:59 -0800 (PST) Message-Id: <200403081901.i28J1xop073090@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster To: ipfw@FreeBSD.org Subject: Current problem reports assigned to you X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Mar 2004 19:02:00 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.      Description
-------------------------------------------------------------------------------
o [2002/12/27]  kern/46557  ipfw       ipfw pipe show fails with lots of queues
o [2003/04/22]  kern/51274  ipfw       ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw       ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted     Tracker     Resp.      Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw       Add an option to ipfw to log gid/uid of w
o [2002/12/07]  kern/46080  ipfw       [PATCH] logamount in ipfw2 does not defau
o [2002/12/10]  kern/46159  ipfw       ipfw dynamic rules lifetime feature
o [2002/12/27]  kern/46564  ipfw       IPFilter and IPFW processing order is not
o [2003/02/11]  kern/48172  ipfw       ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw       [patch] Make ipfw2 log to different syslo
o [2003/03/12]  bin/49959   ipfw       ipfw tee port rule skips parsing next rul
o [2003/04/09]  bin/50749   ipfw       ipfw2 incorrectly parses ports and port r
o [2003/08/25]  kern/55984  ipfw       [patch] time based firewalling support fo
o [2003/12/29]  kern/60719  ipfw       ipfw: Headerless fragments generate cryp

10 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 8 23:14:17 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CAAD316A4CF for ; Mon, 8 Mar 2004 23:14:17 -0800 (PST) Received: from web41307.mail.yahoo.com (web41307.mail.yahoo.com [66.218.93.56]) by mx1.FreeBSD.org (Postfix) with SMTP id 9C32C43D46 for ; Mon, 8 Mar 2004 23:14:17 -0800 (PST) (envelope-from jason_highland@yahoo.com) Message-ID: <20040309071417.28175.qmail@web41307.mail.yahoo.com> Received: from [216.123.231.198] by web41307.mail.yahoo.com via HTTP; Mon, 08 Mar 2004 23:14:17 PST Date: Mon, 8 Mar 2004 23:14:17 -0800 (PST) 
From: asd ads To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Multiple natd and inbound web traffic X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Mar 2004 07:14:17 -0000

Hi

I have the following setup below. A FreeBSD 4.9 machine with 3 NICs fxp0, fxp1 and ed0. Fxp0 is connected to my DSL connection, fxp1 is connected to my Cable connection and ed0 is my internal network.

   xx.xx.12.1        yy.yy.34.1
    ---------         ------
    |  DSL  |         |Cable|
    ---------         ------
        |               |
         \             /
          \           /
           \         /
            \       /
             \     /
         fxp0 |   | fxp1
        .12.2 |   |.34.2
              |   |
        -----------------
        |      FW       |
        | Default route |
        |  xx.xx.12.1   |
        |               |
        -----------------
                |
                |ed0
                |192.168.200.1
                |
                |
              -----
              |   |
              |   | Web Server
              |   | 192.168.200.10:80
              |   |
              -----

What I'm trying to do:

Need to have inbound web traffic (from both connections) forwarded to the same internal web server.

Problem:

When a web connection is made to xx.xx.12.2:80 (DSL), it's NATed to 192.168.200.10:80 (websrv) and then back to the client (all is well at this point).

The problem occurs when a connection is made to yy.yy.34.2:80 (cable); it's NATed with the second instance of nat to 192.168.200.10:80 (websrv), but when it tries to respond back to the client the default route forces it back through the first connection.

Does anyone have a good example of fwd & divert rules that would help with this issue?

Thanks in advance

Jason Highland

__________________________________
Do you Yahoo!?
Yahoo! Search - Find what you're looking for faster
http://search.yahoo.com

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 9 02:18:28 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B75B116A4CE for ; Tue, 9 Mar 2004 02:18:28 -0800 (PST) Received: from enterprise.chester.ac.uk (enterprise.chester.ac.uk [194.80.193.191]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0045543D2D for ; Tue, 9 Mar 2004 02:18:28 -0800 (PST) (envelope-from h.blackman@chester.ac.uk) Received: from web (opaccL19.chester.ac.uk [194.80.193.19]) by enterprise.chester.ac.uk (8.10.1/8.10.1) with SMTP id i29AIQI97827 for ; Tue, 9 Mar 2004 10:18:27 GMT Message-ID: <009e01c405bf$e04e5960$13c150c2@chester.ac.uk>
From: "Henry Blackman" To: Date: Tue, 9 Mar 2004 10:18:32 -0000 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: Captive Portal Help X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Mar 2004 10:18:28 -0000

Hello.

I run a residential network at Chester College for students who live on campus. We use FreeBSD 4.9 to do NAT to manage the network and the authentication with captive portal type technologies.

My problem is that currently the "firewall" is open by default, so we're getting lots of MPAA notices because our students are sharing with Kazaa(!). What I want to do is close it to allow only web, MSN, AIM, RTSP and a few other things so we can really clamp down on their activities.

The problem, however, is that I have rules that work for our captive portal, but I'm clueless at how to get them to disallow all other traffic. I've included them here, but does anyone have any idea how to change them to disallow everything other than known ports?
00050 divert 8668 ip from any to any via em0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00398 allow icmp from any to 194.80.193.232
00399 allow icmp from 194.80.193.232 to any
00400 deny icmp from any to any

Every student (that is authorised) has an entry like this:

49998 skipto 64998 ip from 172.16.122.187 to any

Then these lines to deal with forcing web traffic through dansguardian (and squid):

64993 fwd 172.16.120.1,8080 tcp from 172.16.120.0/22 to any 80,8080
64994 fwd 172.16.120.1,443 tcp from 172.16.120.0/22 to any 443
64995 allow tcp from 172.16.120.0/22 to 172.16.120.0/22 8080
64996 allow udp from 172.16.120.0/22 to any 53
64997 deny ip from 172.16.120.0/22 to any
64998 allow tcp from 195.195.128.195 to any
64999 fwd 127.0.0.1,8082 log logamount 100 tcp from any to any 80
65000 allow ip from any to any
65535 deny ip from any to any

Does anyone know how I might change the rules to, instead of allowing IP from any to any, deny ip from any to any, excepting the rules I put in for ports for the above services? I've tried deleting 65000 and adding specific rules with appropriate ports, but then nothing works.
TIA,

Henry

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 9 02:57:35 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8AEA616A4CE for ; Tue, 9 Mar 2004 02:57:35 -0800 (PST) Received: from mail006.syd.optusnet.com.au (mail006.syd.optusnet.com.au [211.29.132.63]) by mx1.FreeBSD.org (Postfix) with ESMTP id F0A8443D1F for ; Tue, 9 Mar 2004 02:57:33 -0800 (PST) (envelope-from tfrank@optushome.com.au) Received: from marvin.home.local (c211-28-241-126.eburwd5.vic.optusnet.com.au [211.28.241.126])i29AvSw29343; Tue, 9 Mar 2004 21:57:29 +1100 Received: by marvin.home.local (Postfix, from userid 1001) id 4FF6A1FB81; Tue, 9 Mar 2004 21:57:27 +1100 (EST) Date: Tue, 9 Mar 2004 21:57:27 +1100
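One way to turn Henry's ruleset above into a default-deny one, written here as an added example for this thread and not something Henry or the FreeBSD project posted. It keeps his rule numbers, interface (em0), networks and hosts, replaces "65000 allow ip from any to any" with per-service allows, and uses the ipfw `setup`/`established` flag matching available on 4.9. The service port list (80 and 443 for web, 1863 for MSN Messenger, 5190 for AIM, 554 for RTSP), the second authorised address and the IPFW variable used for previewing are assumptions of the example. The point that makes or breaks such a ruleset is in the comment before rule 65000: with natd on a divert rule, ipfw sees each forwarded packet twice, once with the private source on the inside interface and once with the translated source on em0, so the allow rules have to cover both passes.

```shell
#!/bin/sh
# Added example: default-deny version of the captive-portal ruleset from the
# thread. Not the original poster's script. Set IPFW="echo ipfw" to preview
# the rules instead of loading them.
: "${IPFW:=ipfw}"

EXT_IF=em0                      # upstream interface carrying the natd divert
STUDENT_NET=172.16.120.0/22     # residential network
PROXY=172.16.120.1              # dansguardian/squid box
PORTAL_HOST=195.195.128.195     # host allowed out unconditionally in rule 64998
MONITOR=194.80.193.232          # only host allowed to send/receive ICMP
# Assumed ports: HTTP, HTTPS, MSN Messenger, AIM, RTSP.
TCP_SERVICES="80,443,1863,5190,554"
# One address from the posting plus a second, constructed one.
AUTHORISED="172.16.122.187 172.16.122.188"

fw() { $IPFW "$@"; }

build_ruleset() {
    fw -f flush

    # Unchanged from the posted ruleset: NAT, loopback, anti-spoof, ICMP.
    fw add 50 divert 8668 ip from any to any via "$EXT_IF"
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any
    fw add 398 allow icmp from any to "$MONITOR"
    fw add 399 allow icmp from "$MONITOR" to any
    fw add 400 deny icmp from any to any

    # Authenticated clients jump over the portal redirect, one rule each.
    n=49000
    for ip in $AUTHORISED; do
        fw add "$n" skipto 64998 ip from "$ip" to any
        n=$((n + 1))
    done

    # Unauthenticated clients: web is forwarded to the filtering proxy,
    # DNS is allowed so names resolve, everything else is dropped.
    fw add 64993 fwd "$PROXY",8080 tcp from "$STUDENT_NET" to any 80,8080
    fw add 64994 fwd "$PROXY",443 tcp from "$STUDENT_NET" to any 443
    fw add 64995 allow tcp from "$STUDENT_NET" to "$STUDENT_NET" 8080
    fw add 64996 allow udp from "$STUDENT_NET" to any 53
    fw add 64997 deny ip from "$STUDENT_NET" to any

    # Authenticated clients land here.
    fw add 64998 allow tcp from "$PORTAL_HOST" to any
    fw add 64999 fwd 127.0.0.1,8082 log logamount 100 tcp from any to any 80

    # Replaces "65000 allow ip from any to any". A forwarded packet passes
    # ipfw twice: inbound on the student interface with its private source,
    # and outbound on $EXT_IF after natd has rewritten the source. New
    # connections therefore need a rule per pass; replies ride on "established".
    fw add 65000 allow tcp from any to any established
    fw add 65001 allow tcp from "$STUDENT_NET" to any "$TCP_SERVICES" setup in
    fw add 65002 allow tcp from any to any "$TCP_SERVICES" setup out xmit "$EXT_IF"
    fw add 65003 allow udp from "$STUDENT_NET" to any 53
    fw add 65004 allow udp from any 53 to any

    # Log what falls through while tuning; 65535 (deny ip from any to any)
    # remains the kernel default.
    fw add 65100 deny log logamount 100 ip from any to any
}

# Only touch the firewall when explicitly asked to.
if [ -n "${IPFW_APPLY:-}" ]; then
    build_ruleset
fi
```

Preview with `IPFW="echo ipfw" IPFW_APPLY=1 sh portal.sh`, then run with `IPFW_APPLY=1` once the output looks right. Two caveats a reviewer would raise: `established` matches on TCP flags alone, so any segment without SYN gets through regardless of whether a connection exists, which is the price of the 4.x idiom; and rule 65004 lets any UDP source port 53 reach the students, so tighten it once you know which resolvers they use. Stateful `check-state`/`keep-state` is tighter, but with the divert at rule 50 the dynamic rule is created on whichever address the packet carries at that point in the ruleset, so it needs the same two-pass thinking before it works with natd.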
From: Tony Frank To: Jimmy Scott Message-ID: <20040309105727.GA8528@marvin.home.local> References: <47557.213.118.81.79.1078754157.squirrel@webmail.boxke.be> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <47557.213.118.81.79.1078754157.squirrel@webmail.boxke.be> User-Agent: Mutt/1.4.2.1i cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw counters (field 3) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Mar 2004 10:57:35 -0000

Hi there,

On Mon, Mar 08, 2004 at 02:55:57PM +0100, Jimmy Scott wrote:
> A friend of mine and I are located in a datacenter on the same switch.
> We both have the same 3 rules, to count the traffic.
>
> Our ISP uses MRTG with the 95% rule to charge us.
> Now I was wondering: I have 2MB traffic each day, their MRTG says 70MB;
> I thought it was because of all the ARP traffic.
>
> But my friend counted 1,6944 GB traffic, while our ISP's MRTG points to 2GB.
> I've let crond mail me his results from 00:01 till 00:01, so these are
> both mails:
>
> 00010 11345045 1068348938 count ip from any to any via xl0
> 00011  6826150  466872667 count ip from any to any in recv xl0
> 00012  4518893  601476157 count ip from any to any out xmit xl0
>
> 00010 27743578 2887729820 count ip from any to any via xl0
> 00011 17168887 1405455507 count ip from any to any in recv xl0
> 00012 10574689 1482274199 count ip from any to any out xmit xl0
>
> 1) Is there something except ARP that isn't counted here? I thought this
>    is with IP headers inclusive. (We don't have any ESP traffic.)
> 2) Is it because of their 95% rule?
> 3) Is their system absolutely not correct?
>
> In case of number 3, how can I prove it to my ISP? Just normal ipfw logs
> and kernel ipfw counters won't do, IMHO.

I believe that counting at ipfw 'ip' level should count IP traffic only.
I.e. no Ethernet headers, ARP, STP, CDP, IPX or whatever other protocols come through. Note that Ethernet headers will add a minimum of 14 bytes per packet. Possibly also more for any padding/checksums needed; also, if you use extras like VLAN tagging, these would be counted by a switch but not at IP level. Depending on your ISP's equipment, their switch port may count all those bytes transmitted at layer 2.

You perhaps need to identify 100% exactly what is measured by the ISP. MRTG is just a tool that will gather statistics - you can run it on your FreeBSD computer too and measure your interface traffic.

If they are counting layer 3 traffic (IP) to your address, then the numbers seem to mismatch. If they are counting layer 2 traffic to your switch port, then there are a lot of extras you will not see at IP level where ipfw counts.

You can see the raw traffic levels by using the "netstat -ib" command. I believe this will show you everything that the interface sees. See the netstat(1) man page for more info on the -i options.

If you are using ipfw2 you might be able to use the sysctl net.link.ether.ipfw to make ipfw see the layer 2 packets and count them. I'd strongly suggest careful reading of the ipfw man page before trying that, however, or you might find unexpected results.

I'd also look at any one of the many accounting packages in the ports tree. Personally I would probably set up mrtg or cricket and use them to count & graph the traffic at your end. You then have your own records. If you feel you are being unfairly charged you can compare the numbers. Just be sure you are both measuring the same numbers.
In my case:

> netstat -ibd
Name  Mtu Network       Address            Ipkts Ierrs     Ibytes  Opkts Oerrs   Obytes Coll Drop
fxp1 1500               00:04:ac:e5:d3:59 1252413     0  157415021 142427     0 18572480    0    0
fxp1 1500 netname       hostname            37303     -   26725212 142424     - 16577800    -    -

'ipfw show' for the same time period gives me:

00500 188899 90900442 count ip from any to any in recv fxp1
00501 141977 16560196 count ip from any to any out xmit fxp1

As you can see there is a bit of a difference between layer 2 and layer 3 counts. In my case that is 99.9% due to excess ARP messages seen on my cable modem. Fortunately my ISP only counts the layer 3 unicast traffic to my address. So while the extra ARP clogs up the interface it is not counted towards usage.

Though I am not currently sure why the inet 'ipkts' figure is so low on the netstat print. Possibly something to do with the natd/divert I'm using.

Hope that helps,

Tony

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 9 03:27:51 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3689216A4CE for ; Tue, 9 Mar 2004 03:27:51 -0800 (PST) Received: from mail024.syd.optusnet.com.au (mail024.syd.optusnet.com.au [211.29.132.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id 436AC43D46 for ; Tue, 9 Mar 2004 03:27:50 -0800 (PST) (envelope-from tfrank@optushome.com.au) Received: from marvin.home.local (c211-28-241-126.eburwd5.vic.optusnet.com.au [211.28.241.126])i29BRmZ09403; Tue, 9 Mar 2004 22:27:48 +1100 Received: by marvin.home.local (Postfix, from userid 1001) id 81C5A1FB81; Tue, 9 Mar 2004 22:27:48 +1100 (EST) Date: Tue, 9 Mar 2004 22:27:48 +1100
From: Tony Frank To: asd ads Message-ID: <20040309112748.GB8528@marvin.home.local> References: <20040309071417.28175.qmail@web41307.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20040309071417.28175.qmail@web41307.mail.yahoo.com> User-Agent: Mutt/1.4.2.1i cc: freebsd-ipfw@freebsd.org Subject: Re: Multiple natd and inbound web traffic X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Mar 2004 11:27:51 -0000

Hi there,

On Mon, Mar 08, 2004 at 11:14:17PM -0800, asd ads wrote:
> I have the following setup below. A FreeBSD 4.9
> machine with 3 NICs fxp0, fxp1 and ed0. Fxp0 is
> connected to my DSL connection, fxp1 is connected to
> my Cable connection and ed0 is my internal network.
>
>
>    xx.xx.12.1        yy.yy.34.1
>     ---------         ------
>     |  DSL  |         |Cable|
>     ---------         ------
>         |               |
>          \             /
>           \           /
>            \         /
>             \       /
>              \     /
>          fxp0 |   | fxp1
>         .12.2 |   |.34.2
>               |   |
>         -----------------
>         |      FW       |
>         | Default route |
>         |  xx.xx.12.1   |
>         |               |
>         -----------------
>                 |
>                 |ed0
>                 |192.168.200.1
>                 |
>                 |
>               -----
>               |   |
>               |   | Web Server
>               |   | 192.168.200.10:80
>               |   |
>               -----
>
> What I'm trying to do:
>
> Need to have inbound web traffic (from both
> connections) forwarded to the same internal web server.
>
> Problem:
>
> When a web connection is made to xx.xx.12.2:80 (DSL),
> it's NATed to 192.168.200.10:80 (websrv) and then back
> to the client (all is well at this point).
>
> The problem occurs when a connection is made to
> yy.yy.34.2:80 (cable); it's NATed with the second
> instance of nat to 192.168.200.10:80 (websrv), but when
> it tries to respond back to the client the default
> route forces it back through the first connection.
>
> Does anyone have a good example of fwd & divert
> rules that would help with this issue?
Since you seem to have the nat going ok, you might just want to try something like this:

02100 fwd xx.xx.12.1 ip from xx.xx.12.2
02200 fwd yy.yy.34.1 ip from yy.yy.34.2

Similar kind of thing works for my environment, though I am not doing exactly the same thing.

Regards,

Tony

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 9 03:42:49 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DA89C16A4CF for ; Tue, 9 Mar 2004 03:42:49 -0800 (PST) Received: from mx1.subnetmask.net (mx1.subnetmask.net [207.44.145.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id AECD843D41 for ; Tue, 9 Mar 2004 03:42:49 -0800 (PST) (envelope-from mcgehrin@reverse.net) Received: from localhost (mx1.subnetmask.net [207.44.145.31]) by mx1.subnetmask.net (Postfix) with ESMTP id 5FA11F396C for ; Tue, 9 Mar 2004 06:42:48 -0500 (EST) Received: by localhost (Postfix, from userid 1012) id EE94B6706; Tue, 9 Mar 2004 06:42:47 -0500 (EST) Received: from orange (unknown [192.168.0.175]) by localhost (Postfix) with SMTP id 55F4F5B3E for ; Tue, 9 Mar 2004 06:42:47 -0500 (EST) Message-ID: <001201c405cb$a4c09140$af00a8c0@orange>
From: "Matthew McGehrin" To: References: <47557.213.118.81.79.1078754157.squirrel@webmail.boxke.be> Date: Tue, 9 Mar 2004 06:42:47 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) X-Spam-Status: No, hits=-4.0 required=4.0 tests=BAYES_00 autolearn=ham version=2.63 X-Spam-Level: Subject: Re: ipfw counters (field 3) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Mar 2004 11:42:50 -0000

95th percentile is not actual traffic. It says 95% of the time you are below this figure for traffic.

There's an old patch you can run with mrtg here:

http://www.seanadams.com/95/

A better alternative would be to run rrdtool on an interface and have rrdtool record 95%:

http://www.red.net/support/resourcecentre/leasedline/percentile.php

-- Matthew

----- Original Message -----
From: "Jimmy Scott" To: Sent: Monday, March 08, 2004 8:55 AM Subject: ipfw counters (field 3)

> Hello,
>
> A friend of mine and I are located in a datacenter on the same switch.
> We both have the same 3 rules, to count the traffic.
>
> Our ISP uses MRTG with the 95% rule to charge us.
> Now I was wondering: I have 2MB traffic each day, their MRTG says 70MB;
> I thought it was because of all the ARP traffic.

> 00010 11345045 1068348938 count ip from any to any via xl0
> 00011  6826150  466872667 count ip from any to any in recv xl0
> 00012  4518893  601476157 count ip from any to any out xmit xl0
>
> 00010 27743578 2887729820 count ip from any to any via xl0
> 00011 17168887 1405455507 count ip from any to any in recv xl0
> 00012 10574689 1482274199 count ip from any to any out xmit xl0

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 9 09:15:24 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0835316A4CE for ; Tue, 9 Mar 2004 09:15:24 -0800 (PST) Received: from web41305.mail.yahoo.com (web41305.mail.yahoo.com [66.218.93.54]) by mx1.FreeBSD.org (Postfix) with SMTP id D95CA43D2F for ; Tue, 9 Mar 2004 09:15:23 -0800 (PST) (envelope-from jason_highland@yahoo.com) Message-ID: <20040309171513.96071.qmail@web41305.mail.yahoo.com> Received: from [68.151.56.238] by web41305.mail.yahoo.com via HTTP; Tue, 09 Mar 2004 09:15:13 PST Date: Tue, 9 Mar 2004 09:15:13 -0800 (PST)
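To make the two replies to Jimmy concrete, here is an added example for this thread (not code from the thread or from FreeBSD). It estimates the layer-2 byte count a switch port would see from an ipfw layer-3 counter, as Tony describes, and computes a 95th-percentile rate from 5-minute samples the way Matthew describes, next to the plain byte total the same samples represent. The 18 bytes of per-frame overhead (14-byte Ethernet header plus 4-byte FCS, untagged) and the sample series are assumptions of the example; the packet and byte counts fed to it are Jimmy's "via xl0" figures.

```shell
#!/bin/sh
# Added example: layer-2 overhead estimate and 95th-percentile billing
# arithmetic for ipfw counter data. Not code from the thread. POSIX sh + awk.

# Bytes a switch port counts per frame that an "ip" rule never sees:
# 14-byte Ethernet header + 4-byte FCS (assumption: untagged Ethernet,
# minimum-size padding ignored).
L2_OVERHEAD=18

# l2_bytes_from_ipfw PACKETS BYTES
# Approximate layer-2 byte count from an ipfw "count ip" rule's packet and
# byte columns (fields 2 and 3 of "ipfw show").
l2_bytes_from_ipfw() {
    echo "$1 $2" | awk -v o="$L2_OVERHEAD" '{ printf "%.0f\n", $2 + $1 * o }'
}

# rate_kbps BYTES_BEFORE BYTES_AFTER SECONDS
# Average rate over one sampling interval, from two counter readings
# (what a cron job reading "ipfw show" every five minutes would produce).
rate_kbps() {
    echo "$1 $2 $3" | awk '{ printf "%.0f\n", ($2 - $1) * 8 / 1000 / $3 }'
}

# p95 SAMPLE...
# 95th percentile as ISPs bill it: sort the interval rates, discard the top
# 5% of samples, report the highest remaining value (index ceil(0.95 * n)).
p95() {
    printf '%s\n' "$@" | sort -n | awk '
        { v[NR] = $1 }
        END {
            i = int(NR * 0.95)
            if (i < NR * 0.95) i++
            if (i < 1) i = 1
            print v[i]
        }'
}

# mean_kbps SAMPLE...
mean_kbps() {
    printf '%s\n' "$@" | awk '{ s += $1 } END { printf "%.0f\n", s / NR }'
}

# total_bytes INTERVAL_SECONDS SAMPLE...
# Bytes actually moved if each sample is the average kbit/s over INTERVAL.
total_bytes() {
    t=$1; shift
    printf '%s\n' "$@" | awk -v t="$t" '{ s += $1 * 1000 / 8 * t } END { printf "%.0f\n", s }'
}

# Constructed series: two hours of 5-minute averages in kbit/s, mostly idle
# with two short bursts. Not measured data.
SAMPLES="120 130 110 125 140 115 120 135 125 130 110 120 140 130 125 115 120 135 130 125 120 110 4200 9800"

report() {
    # Jimmy's "via xl0" counter: 11345045 packets, 1068348938 bytes.
    echo "layer-3 bytes (ipfw):  1068348938"
    echo "est. layer-2 bytes:    $(l2_bytes_from_ipfw 11345045 1068348938)"
    echo "mean rate (kbit/s):    $(mean_kbps $SAMPLES)"
    echo "95th percentile:       $(p95 $SAMPLES)"
    echo "bytes transferred:     $(total_bytes 300 $SAMPLES)"
}

if [ "${1:-}" = "report" ]; then
    report
fi
```

Run `sh billing.sh report`. Two things fall out of the numbers: framing overhead on Jimmy's counter is about 19% of the bytes ipfw saw (204 MB of Ethernet header and FCS on 11.3 million packets), which is the kind of gap Tony's layer-2 versus layer-3 point explains; and for the constructed series the 95th percentile (4200 kbit/s) is six times the mean (697 kbit/s), because one burst is discarded and the next one sets the bill, while the byte total for the same two hours is an entirely separate quantity. That is why comparing a byte count from ipfw against a 95th-percentile figure from MRTG cannot prove anything either way: to dispute the bill you need your own rate samples at the same interval the ISP uses.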
From: asd ads To: Tony Frank In-Reply-To: <20040309112748.GB8528@marvin.home.local> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii cc: freebsd-ipfw@freebsd.org Subject: Re: Multiple natd and inbound web traffic X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Mar 2004 17:15:24 -0000

Hey Tony

Thanks for the help. I seem to be having the same problem. Here's the ruleset:

5 divert 8668 ip from any to any via fxp0
5 divert 8669 ip from any to any via fxp1
6 fwd xx.xx.12.1 ip from xx.xx.12.2 to any
7 fwd yy.yy.34.1 ip from yy.yy.34.2 to any
10 allow all from any to any

/sbin/natd -p 8668 -interface fxp0 -redirect_port tcp 192.168.200.10:80 xx.xx.12.2:80
/sbin/natd -p 8669 -interface fxp1 -redirect_port tcp 192.168.200.10:80 yy.yy.34.2:80

The first connection works fine. When I try the second one I run tcpdump and see the connection come in through yy.yy.34.2 (cable) but exit out xx.xx.12.1 due to the default route.

Any ideas?

Jason

--- Tony Frank wrote:
> Hi there,
>
> On Mon, Mar 08, 2004 at 11:14:17PM -0800, asd ads wrote:
> > I have the following setup below. A FreeBSD 4.9
> > machine with 3 NICs fxp0, fxp1 and ed0. Fxp0 is
> > connected to my DSL connection, fxp1 is connected to
> > my Cable connection and ed0 is my internal network.
> >
> >
> >    xx.xx.12.1        yy.yy.34.1
> >     ---------         ------
> >     |  DSL  |         |Cable|
> >     ---------         ------
> >         |               |
> >          \             /
> >           \           /
> >            \         /
> >             \       /
> >              \     /
> >          fxp0 |   | fxp1
> >         .12.2 |   |.34.2
> >               |   |
> >         -----------------
> >         |      FW       |
> >         | Default route |
> >         |  xx.xx.12.1   |
> >         |               |
> >         -----------------
> >                 |
> >                 |ed0
> >                 |192.168.200.1
> >                 |
> >                 |
> >               -----
> >               |   |
> >               |   | Web Server
> >               |   | 192.168.200.10:80
> >               |   |
> >               -----
> >
> > What I'm trying to do:
> >
> > Need to have inbound web traffic (from both
> > connections) forwarded to the same internal web server.
> >
> > Problem:
> >
> > When a web connection is made to xx.xx.12.2:80 (DSL),
> > it's NATed to 192.168.200.10:80 (websrv) and then back
> > to the client (all is well at this point).
> >
> > The problem occurs when a connection is made to
> > yy.yy.34.2:80 (cable); it's NATed with the second
> > instance of nat to 192.168.200.10:80 (websrv), but when
> > it tries to respond back to the client the default
> > route forces it back through the first connection.
> >
> > Does anyone have a good example of fwd & divert
> > rules that would help with this issue?
>
> Since you seem to have the nat going ok, you might just
> want to try something like this:
>
> 02100 fwd xx.xx.12.1 ip from xx.xx.12.2
> 02200 fwd yy.yy.34.1 ip from yy.yy.34.2
>
> Similar kind of thing works for my environment, though
> I am not doing exactly the same thing.
>
> Regards,
>
> Tony

__________________________________
Do you Yahoo!?
Yahoo! Search - Find what you're looking for faster
http://search.yahoo.com

From owner-freebsd-ipfw@FreeBSD.ORG Wed Mar 10 01:54:41 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 50F9A16A4CF for ; Wed, 10 Mar 2004 01:54:41 -0800 (PST) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id 02B7043D46 for ; Wed, 10 Mar 2004 01:54:41 -0800 (PST) (envelope-from mlaier@vampire.homelinux.org) Received: from [212.227.126.160] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1B10QC-00011e-00 for ipfw@freebsd.org; Wed, 10 Mar 2004 10:54:40 +0100 Received: from [217.83.6.158] (helo=vampire.homelinux.org) by mrelayng.kundenserver.de with asmtp (Exim 3.35 #1) id 1B10QB-0004vc-00 for ipfw@freebsd.org; Wed, 10 Mar 2004 10:54:40 +0100 Received: (qmail 4692 invoked by uid 1001); 10 Mar 2004 10:01:18 -0000 Date: Wed, 10 Mar 2004 11:01:18 +0100
From: Max Laier To: Ian FREISLICH Message-ID: <20040310100118.GA4514@router.laiers.local> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="cWoXeonUoKmBZSoM" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:e28873fbe4dbe612ce62ab869898ff08 cc: ipfw@freebsd.org cc: current@freebsd.org Subject: Re: PATCH: ip_input.c, ip_output.c, ipfw.8 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Mar 2004 09:54:41 -0000

On Wed, Mar 10, 2004 at 11:12:46AM +0200, Ian FREISLICH wrote:
> Hi
>
> Noted in the BUGS section of the ipfw manual page:
>
>   Packets that match a tee rule should not be immediately accepted, but
>   should continue going through the rule list. This may be fixed in a
>   later version.
>
> I've needed to get a copy of packets before the firewall potentially
> drops them or passes them to dummynet, but I still want the firewall
> to process the packets as normal and not just accept them.
>
> Here's a patch to fix the bug. If all is in order, please commit
> it otherwise let me know how and what I should change so that it can
> be committed. It would also be nice if it can be MFC'd.

First of all, please file a PR to avoid this being forgotten/lost/etc.

The diff looks okay to me from a first glance, but it needs a closer look and testing (CC'ed ipfw).

As for MFC'ing: I am afraid that this is only possible (in such an easy way) since we removed MT_TAGs lately. I am not sure if that is something that will be merged.
-- 
Best regards,                       | mlaier@freebsd.org
Max Laier                           | ICQ #67774661
http://pf4freebsd.love2party.net/   | mlaier@EFnet

From owner-freebsd-ipfw@FreeBSD.ORG Wed Mar 10 02:54:11 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A84B616A4CE for ; Wed, 10 Mar 2004 02:54:11 -0800 (PST) Received: from pathfinder.roks.biz (roks.biz [212.110.133.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id E089143D31 for ; Wed, 10 Mar 2004 02:54:07 -0800 (PST) (envelope-from quetzal@roks.biz) Received: from pathfinder.roks.biz (localhost.roks.biz [127.0.0.1]) by pathfinder.roks.biz (8.12.9p2/8.12.9) with ESMTP id i2AArSZp025959 for ; Wed, 10 Mar 2004 12:53:28 +0200 (EET) (envelope-from quetzal@pathfinder.roks.biz) Received: (from quetzal@localhost) by pathfinder.roks.biz (8.12.9p2/8.12.9/Submit) id i2AArSHn025958 for freebsd-ipfw@freebsd.org; Wed, 10 Mar 2004 12:53:28 +0200 (EET) (envelope-from quetzal) Date: Wed, 10 Mar 2004 12:53:28 +0200
From: Nikolay Pavlov To: freebsd-ipfw@freebsd.org Message-ID: <20040310105328.GA25880@pathfinder.roks.biz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i Subject: The way to dynamicly change bandwidth. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Mar 2004 10:54:11 -0000
Hi, folks.

I want to write some kind of intellectual shaper which changes bandwidth depending on the average channel load. Is there any way to dynamically change bandwidth limitations using dummynet? Maybe you know other recipes?

Best regards, Nikolay Pavlov. Sorry for my English.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Mar 10 03:26:52 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E157316A4CE; Wed, 10 Mar 2004 03:26:52 -0800 (PST) Received: from hetzner.co.za (lfw.hetzner.co.za [196.7.18.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id 66EAC43D54; Wed, 10 Mar 2004 03:26:52 -0800 (PST) (envelope-from ianf@hetzner.co.za) Received: from localhost ([127.0.0.1]) by hetzner.co.za with esmtp (Exim 3.36 #1) id 1B11rK-0003bY-00; Wed, 10 Mar 2004 13:26:46 +0200 To: Max Laier
From: Ian FREISLICH In-Reply-To: Message from Max Laier <20040310100118.GA4514@router.laiers.local> Date: Wed, 10 Mar 2004 13:26:46 +0200 Sender: ianf@hetzner.co.za Message-Id: cc: ipfw@freebsd.org cc: current@freebsd.org Subject: Re: PATCH: ip_input.c, ip_output.c, ipfw.8 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Mar 2004 11:26:53 -0000
> > I've needed to get a copy of packets before the firewall potentially
> > drops them or passes them to dummynet, but I still want the firewall
> > to process the packets as normal and not just accept them.
> >
> > Here's a patch to fix the bug. If all is in order, please commit
> > it otherwise let me know how and what I should change so that it can
> > be committed. It would also be nice if it can be MFC'd.
>
> First of all, please file a PR to avoid this to be forgotten/lost/etc.
>
> The diff looks okay to me from a first glance, but it needs a closer look
> and testing (CC'ed ipfw).
>
> As for MFC'ing: I am afraid that this is only possible (in such an easy way)
> since we removed MT_TAGs lately. I am not sure if that is something that
> will be merged.

Oh, well. This patch was merged from stable where it works and the current ip_input/output code looked so similar that I thought it would just work there too.

My current machine panicked after sending the second copy of the packet (and the packet was delivered) with a ruleset similar to:

1 tee 5000 ip from me to b
2 divert 5000 ip from me to b
3 permit ip from any to any

I'll have to figure out what the problem is and send a patch that works for current. I'm pretty sure this patch is on the right track though.
Ian
--
Ian Freislich

FWIW, here's a copy of the panic message:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0xc
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc052e2c0
stack pointer = 0x10:0xd35ffadc
frame pointer = 0x10:0xd35ffaf4
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 610 (sshd)
trap number = 12
panic: page fault
at line 819 in file ../../../i386/i386/trap.c
cpuid = 1;
Stack backtrace:
backtrace(c0658818,1,333,c06766a4,100) at backtrace+0x17
__panic(c06766a4,333,c065405f,c06764fc,1) at __panic+0x15d
trap_fatal(d35ffa9c,c,1,0,c3dc6690) at trap_fatal+0x376
trap_pfault(d35ffa9c,0,c,c0fc4be0,c) at trap_pfault+0x242
trap(c3df0018,d35f0010,c0520010,50,0) at trap+0x30d
calltrap() at calltrap+0x5
--- trap 0xc, eip = 0xc052e2c0, esp = 0xd35ffadc, ebp = 0xd35ffaf4 ---
m_copydata(c0fdaf00,250,50,c0fd9274,4) at m_copydata+0x20
tcp_output(c3c8ca2c,c0fd9000,0,c3dc6690,0) at tcp_output+0x70a
tcp_usr_send(c3c70780,0,c0fd9000,0,0) at tcp_usr_send+0x1bd
sosend(c3c70780,0,d35ffc80,c0fd9000,0) at sosend+0x43d
soo_write(c3bf2770,d35ffc80,c3bf5d00,0,c3dc6690) at soo_write+0x97
dofilewrite(c3dc6690,c3bf2770,4,8082000,50) at dofilewrite+0xfb
write(c3dc6690,d35ffd14,c,d35ffd3c,3) at write+0x6e
syscall(2f,2f,2f,8073dc8,50) at syscall+0x320
Xint0x80_syscall() at Xint0x80_syscall+0x1d
--- syscall (4), eip = 0x282f976f, esp = 0xbfbfe4ec, ebp = 0xbfbfe508 ---
boot() called on cpu#1
syncing disks, buffers remaining...
1599 From owner-freebsd-ipfw@FreeBSD.ORG Thu Mar 11 20:46:51 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 71E5816A4CE for ; Thu, 11 Mar 2004 20:46:51 -0800 (PST) Received: from ns1.valuedj.com (adsl-216-100-130-21.dsl.snfc21.pacbell.net [216.100.130.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0AA1743D31 for ; Thu, 11 Mar 2004 20:46:51 -0800 (PST) (envelope-from whizkid@ValueDJ.com) Received: by ns1.valuedj.com (Postfix, from userid 80) id 11DA260EA; Thu, 11 Mar 2004 20:51:45 -0800 (PST) Received: from 216.100.130.17 (SquirrelMail authenticated user whizkid) by www.ValueDJ.com with HTTP; Thu, 11 Mar 2004 20:51:45 -0800 (PST) Message-ID: <3934.216.100.130.17.1079067105.squirrel@www.ValueDJ.com> Date: Thu, 11 Mar 2004 20:51:45 -0800 (PST) 
From: whizkid@ValueDJ.com To: freebsd-ipfw@freebsd.org User-Agent: SquirrelMail/1.4.2 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 Importance: Normal Subject: Problems connecting to port 25 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Mar 2004 04:46:51 -0000
Hello all,

I just joined this list, I didn't see too much help from the FreeBSD_Questions side so I thought I would ask here. I currently have 2 FreeBSD 5.1 boxes. One is a test server, the other I would consider production. Both provide Email/Web/DNS services. I have a firewall I found on the internet, and everything works, DNS/Web/Webmin/SSH but I cannot telnet into port 25. Can someone tell me what I am doing wrong? Or send me a copy of a Firewall that will improve my current one? I found a lot of samples on the net, but nothing seems to work.

I am running Qmail / MailDrop. Not sure if that helps.

Thanks in advance..
# be quiet and flush all rules on start
-q flush
# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via xl0
add 00302 deny ip from 172.16.0.0/12 to any in via xl0
add 00303 deny ip from 192.168.0.0/16 to any in via xl0
# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from any to me dst-port 22 in via xl0 setup keep-state
#IMAP-SSL
add 04001 allow tcp from any to me dst-port 143 in via xl0 setup keep-state
# NTP
add 04002 allow tcp from any to me dst-port 123 in via xl0 setup keep-state
add 04003 allow udp from any to me dst-port 123 in via xl0 keep-state
#webmin
add 04004 allow tcp from any to me dst-port 10000 in via xl0 setup keep-state
#http
add 04005 allow tcp from any to me dst-port 80 in via xl0 setup keep-state
# DNS
add 04006 allow udp from any to me dst-port 53 in via xl0
#POP
add 04007 allow tcp from any to me dst-port 110 in via xl0 setup keep-state
add 04008 allow tcp from any to me dst-port 443 in via xl0 setup keep-state
#IMAPS
add 04009 allow tcp from any to me dst-port 993 in via xl0 setup keep-state
#SMTP
add 04010 allow tcp from any to me 25 in via xl0 setup
add 04011 allow tcp from any to me established
add 04012 allow udp from any to me established
# drop everything else
add 04020 deny ip from any to me
# allow all outgoing traffic from the router
add 05010 allow ip from me to any out keep-state
# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60001 deny log ip from any to any
From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 12 07:21:36 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2A5B416A4CE for ; Fri, 12 Mar 2004 07:21:36 -0800 (PST) Received: from mta9.adelphia.net (mta9.adelphia.net [68.168.78.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4AF943D3F for ; Fri, 12 Mar 2004 07:21:35 -0800 (PST) (envelope-from Barbish3@adelphia.net) Received: from barbish ([67.20.101.119]) by mta9.adelphia.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with SMTP id <20040312152135.IDXO26462.mta9.adelphia.net@barbish>; Fri, 12 Mar 2004 10:21:35 -0500 From: "JJB" To: , Date: Fri, 12 Mar 2004 10:21:34 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) In-Reply-To: <3934.216.100.130.17.1079067105.squirrel@www.ValueDJ.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal Subject: RE: Problems connecting to port 25 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Barbish3@adelphia.net List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Mar 2004 15:21:36 -0000
Your ISP has closed ports 25 and 80 for all their non-commercial accounts. This is very normal, and becoming standard among ISP's.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of whizkid@ValueDJ.com Sent: Thursday, March 11, 2004 11:52 PM To: freebsd-ipfw@freebsd.org Subject: Problems connecting to port 25 Hello all, I just joined this list, I didn't see to much help from the FreeBSD_Questions side so I thought I would ask here. I currently have 2 FreeBSD 5.1 boxes. one is a test server the other I would consider production. Both provide Email/Web/DNS services. I have a firewall I found on the internet, and everything works, DNS/Web/Webmin/SSH but I cannot telnet into port 25. Can someone tell me what I am doing wrong? Or send me a copy of a Firewall that will improve my current one? I found alot of samples on the net, but nothing seems to work. I am running Qmail / MailDrop. Not sure if that helps. Thanks in advance.. # be quiet and flush all rules on start -q flush # allow local traffic, deny RFC 1918 addresses on the outside add 00100 allow ip from any to any via lo0 add 00110 deny ip from any to 127.0.0.0/8 add 00120 deny ip from any to any not verrevpath in add 00301 deny ip from 10.0.0.0/8 to any in via xl0 add 00302 deny ip from 172.16.0.0/12 to any in via xl0 add 00303 deny ip from 192.168.0.0/16 to any in via xl0 # allow some traffic from the local net to the router # SSH add 04000 allow tcp from any to me dst-port 22 in via xl0 setup keep-state #IMAP-SSL add 04001 allow tcp from any to me dst-port 143 in via xl0 setup keep-state # NTP add 04002 allow tcp from any to me dst-port 123 in via xl0 setup keep-state add 04003 allow udp from any to me dst-port 123 in via xl0 keep-state #webmin add 04004 allow tcp from any to me dst-port 10000 in via xl0 setup keep-state #http add 04005 allow tcp from any to me dst-port 80 in via xl0 setup keep-state # DNS add 04006 allow udp from any to me dst-port 53 in via xl0 #POP add 04007 allow tcp from any to me dst-port 110 in via xl0 setup keep-state add 04008 allow tcp from any to me dst-port 443 in via xl0 
setup keep-state #IMAPS add 04009 allow tcp from any to me dst-port 993 in via xl0 setup keep-state #SMTP add 04010 allow tcp from any to me 25 in via xl0 setup add 04011 allow tcp from any to me established add 04012 allow udp from any to me established # drop everything else add 04020 deny ip from any to me # allow all outgoing traffic from the router add 05010 allow ip from me to any out keep-state # drop everything that has come so far. This means it doesn't belong to an # established connection, don't log the most noisy scans. add 59998 deny icmp from any to me add 59999 deny ip from any to me dst-port 135,137-139,445,4665 add 60000 deny log tcp from any to any established add 60001 deny log ip from any to any _______________________________________________ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 12 07:49:50 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A01D116A4CE for ; Fri, 12 Mar 2004 07:49:50 -0800 (PST) Received: from ns1.valuedj.com (adsl-216-100-130-21.dsl.snfc21.pacbell.net [216.100.130.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 69F6343D2D for ; Fri, 12 Mar 2004 07:49:50 -0800 (PST) (envelope-from whizkid@ValueDJ.com) Received: by ns1.valuedj.com (Postfix, from userid 80) id 2FA316112; Fri, 12 Mar 2004 07:54:44 -0800 (PST) Received: from 208.253.246.93 (proxying for unknown) (SquirrelMail authenticated user whizkid) by www.ValueDJ.com with HTTP; Fri, 12 Mar 2004 07:54:44 -0800 (PST) Message-ID: <61088.208.253.246.93.1079106884.squirrel@www.ValueDJ.com> In-Reply-To: References: <3934.216.100.130.17.1079067105.squirrel@www.ValueDJ.com> Date: Fri, 12 Mar 2004 07:54:44 -0800 (PST) 
From: whizkid@ValueDJ.com To: Barbish3@adelphia.net User-Agent: SquirrelMail/1.4.2 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 Importance: Normal cc: freebsd-ipfw@freebsd.org cc: whizkid@valuedj.com Subject: RE: Problems connecting to port 25 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Mar 2004 15:49:50 -0000
> Your ISP has closed ports 25 and 80 for all their non-commercial
> accounts.
> This is very normal, and becoming standard among ISP's.
>

Thanks for all your comments. I pay for a Business type DSL with 5 IP addresses and I am allowed to run all my own servers. I didn't have this issue until I re-compiled my kernel with the IPFIREWALL option.

I have now resolved the issue. Basically what I did was move the rule for port 25 to the top of the list. Changed the add 04010 to 03001. When I did an nmap on the localhost I could see port 25 open, but when I did the nmap from one of my other servers on the same subnet, it did not list port 25. A quick reboot of the server, and all is well.

Thank you all for your comments.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 12 09:51:29 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7FF2116A4CE for ; Fri, 12 Mar 2004 09:51:29 -0800 (PST) Received: from mail1.firstlink.com (mail1.firstlink.com [66.37.141.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6199A43D31 for ; Fri, 12 Mar 2004 09:51:29 -0800 (PST) (envelope-from dvm@firstlink.com) Received: from jackstraw (66-37-143-139.corp.firstlink.com [66.37.143.139]) by mail1.firstlink.com (Postfix) with ESMTP id C4BB9EC10E for ; Fri, 12 Mar 2004 10:51:27 -0700 (MST)
From: Dan Vande More To: freebsd-ipfw@freebsd.org Content-Type: text/plain Message-Id: <1079113870.1238.8.camel@dvmgentoo> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.5 Date: Fri, 12 Mar 2004 10:51:10 -0700 Content-Transfer-Encoding: 7bit Subject: transparent squid bridge X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: dvm@firstlink.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Mar 2004 17:51:29 -0000
Hey all

Trying to get freebsd to do some simple redirecting using ipfw2.

Luigi Rizzo's patch isn't working.

http://www.freebsdforums.org/forums/showthread.php?threadid=14795

Applying the patch yields:

********************************************************
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
|retrieving revision 1.6.2.16
|diff -u -r1.6.2.16 ip_fw2.c
|--- ip_fw2.c 17 Jul 2003 06:03:39 -0000 1.6.2.16
|+++ ip_fw2.c 22 Sep 2003 22:21:38 -0000
--------------------------
Patching file ip_fw2.c using Plan A...
patch: **** malformed patch at line 7: goto done;
*********************************************************

Is this ever going to make its way into the main source code? Does anyone have a working patch for this, the full file or an alternative setup?

It doesn't matter which version of freebsd I have to run, I just need a version.

All I really want is a box, with 2 network cards. This box sits between users and the outgoing router acting as a bridge. The box sees all outbound port 80 connections, diverts them to squid running on itself. Squid retrieves the site, caches the data, etc.

I can do it with openbsd/pf but openbsd in and of itself can't handle much of a load. Using the same rules in freebsd pf that I do in openbsd, can I expect it to work?

Thanks!
Dan Vande More From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 12 10:00:55 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7051916A4CE for ; Fri, 12 Mar 2004 10:00:55 -0800 (PST) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 58C0E43D45 for ; Fri, 12 Mar 2004 10:00:55 -0800 (PST) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.8) with ESMTP id i2CI0s9Q063508; Fri, 12 Mar 2004 10:00:54 -0800 (PST) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id i2CI0sWG063507; Fri, 12 Mar 2004 10:00:54 -0800 (PST) (envelope-from rizzo) Date: Fri, 12 Mar 2004 10:00:54 -0800 
From: Luigi Rizzo To: Dan Vande More Message-ID: <20040312100054.A63349@xorpc.icir.org> References: <1079113870.1238.8.camel@dvmgentoo> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <1079113870.1238.8.camel@dvmgentoo>; from dvm@firstlink.com on Fri, Mar 12, 2004 at 10:51:10AM -0700 cc: freebsd-ipfw@freebsd.org Subject: Re: transparent squid bridge X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Mar 2004 18:00:55 -0000 On Fri, Mar 12, 2004 at 10:51:10AM -0700, Dan Vande More wrote: > Hey all how about applying the patch manually ? It is so trivial it would have taken less than posting this message... cheers luigi > Trying to get freebsd to do some simple redirecting using ipfw2. > > Luigi Rizzo's patch isn't working. > > http://www.freebsdforums.org/forums/showthread.php?threadid=14795 > > Applying the patch yields: > > ******************************************************** > Hmm... Looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v > |retrieving revision 1.6.2.16 > |diff -u -r1.6.2.16 ip_fw2.c > |--- ip_fw2.c 17 Jul 2003 06:03:39 -0000 1.6.2.16 > |+++ ip_fw2.c 22 Sep 2003 22:21:38 -0000 > -------------------------- > Patching file ip_fw2.c using Plan A... > patch: **** malformed patch at line 7: goto done; > ********************************************************* > > Is this ever going to make it's way into the main source code? > Does any one have a working patch for this, the full file or an > alternative setup? > > It doesn't matter which version of freebsd I have to run, I just need a > version. > > All I really want is a box, with 2 network cards. 
> This box sits between users and the outgoing router acting as a bridge. > The box sees all outbound port 80 connections, diverts them to squid > running on itself. > Squid retrieves the site, caches the data, etc. > > I can do it with openbsd/pf but openbsd in and of itself can't handle > much of a load. > Using the same rules in freebsd pf that I do in openbsd, can I expect it > to work? > > Thanks! > > Dan Vande More > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 12 10:05:02 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4610516A4CE for ; Fri, 12 Mar 2004 10:05:02 -0800 (PST) Received: from mail3.firstlink.com (mail3.firstlink.com [66.37.141.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 26EBF43D2D for ; Fri, 12 Mar 2004 10:05:02 -0800 (PST) (envelope-from dvm@firstlink.com) Received: from jackstraw (66-37-143-139.corp.firstlink.com [66.37.143.139]) by mail3.firstlink.com (Postfix) with ESMTP id A7E6DE196C for ; Fri, 12 Mar 2004 11:05:01 -0700 (MST) 
From: Dan Vande More To: freebsd-ipfw@freebsd.org In-Reply-To: <20040312100054.A63349@xorpc.icir.org> References: <1079113870.1238.8.camel@dvmgentoo> <20040312100054.A63349@xorpc.icir.org> Content-Type: text/plain Message-Id: <1079114684.1240.22.camel@dvmgentoo> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.5 Date: Fri, 12 Mar 2004 11:04:44 -0700 Content-Transfer-Encoding: 7bit Subject: Re: transparent squid bridge X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: dvm@firstlink.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Mar 2004 18:05:02 -0000 I did try it manually, several times. My question in that scenario, is: Will it still work with: src/sys/netinet/ip_fw2.c,v 1.51.2.1 2003/12/23 12:25:56 maxim and src/sys/netinet/ip_input.c,v 1.259 2003/11/26 20:31:13 andre When I did apply it manually, it *seemed* like it didn't work. I admit it could have easily been user error. Thanks! Dan On Fri, 2004-03-12 at 11:00, Luigi Rizzo wrote: > On Fri, Mar 12, 2004 at 10:51:10AM -0700, Dan Vande More wrote: > > Hey all > > how about applying the patch manually ? It is so trivial > it would have taken less than posting this message... > > cheers > luigi > > > Trying to get freebsd to do some simple redirecting using ipfw2. > > > > Luigi Rizzo's patch isn't working. > > > > http://www.freebsdforums.org/forums/showthread.php?threadid=14795 > > > > Applying the patch yields: > > > > ******************************************************** > > Hmm... Looks like a unified diff to me... > > The text leading up to this was: > > -------------------------- > > |RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v > > |retrieving revision 1.6.2.16 > > |diff -u -r1.6.2.16 ip_fw2.c > > |--- ip_fw2.c 17 Jul 2003 06:03:39 -0000 1.6.2.16 > > |+++ ip_fw2.c 22 Sep 2003 22:21:38 -0000 > > -------------------------- > > Patching file ip_fw2.c using Plan A... 
> > patch: **** malformed patch at line 7: goto done; > > ********************************************************* > > > > Is this ever going to make it's way into the main source code? > > Does any one have a working patch for this, the full file or an > > alternative setup? > > > > It doesn't matter which version of freebsd I have to run, I just need a > > version. > > > > All I really want is a box, with 2 network cards. > > This box sits between users and the outgoing router acting as a bridge. > > The box sees all outbound port 80 connections, diverts them to squid > > running on itself. > > Squid retrieves the site, caches the data, etc. > > > > I can do it with openbsd/pf but openbsd in and of itself can't handle > > much of a load. > > Using the same rules in freebsd pf that I do in openbsd, can I expect it > > to work? > > > > Thanks! > > > > Dan Vande More > > > > _______________________________________________ > > freebsd-ipfw@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 12 10:52:27 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 164BD16A4CE for ; Fri, 12 Mar 2004 10:52:27 -0800 (PST) Received: from mail.1wisp.com (uslec-66-255-6-131.cust.uslec.net [66.255.6.131]) by mx1.FreeBSD.org (Postfix) with ESMTP id 102B543D31 for ; Fri, 12 Mar 2004 10:52:26 -0800 (PST) (envelope-from tscrum@1wisp.com) Received: from wolf (68-235-82-212.atlsfl.adelphia.net [68.235.82.212]) (authenticated) by mail.1wisp.com (8.11.6/8.11.6) with ESMTP id i2CIqO904734; Fri, 12 Mar 2004 
13:52:24 -0500 From: "Thomas S. Crum - 1WISP, Inc." To: , Date: Fri, 12 Mar 2004 13:54:16 -0500 Message-ID: <02d801c40863$72353290$d452eb44@wolf> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4024 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300 In-reply-to: <61088.208.253.246.93.1079106884.squirrel@www.ValueDJ.com> Importance: Normal cc: freebsd-ipfw@freebsd.org Subject: RE: Problems connecting to port 25 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Mar 2004 18:52:27 -0000
I found it much easier to reload firewall rules with:

sh /etc/rc.firewall

no need to reboot.

Best,

Tom

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of whizkid@ValueDJ.com Sent: Friday, March 12, 2004 10:55 AM To: Barbish3@adelphia.net Cc: freebsd-ipfw@freebsd.org; whizkid@ValueDJ.com Subject: RE: Problems connecting to port 25 > Your ISP has closed ports 25 and 80 for all their non-commercial > accounts. > This is very normal, and becoming standard among ISP's. > Thanks for all your comments. I pay for a Business type DSL with 5 ip addresses and I am allowed to run all my own servers. I didn't have this issue until I re-complied my kernel with the IPFIREWALL option. I have now resloved the issue. Basically what I did was move the rule for port 25 to the top of the list. Changed the add 04010 to 03001. When I did a nmap on the localhost I could see port 25 open, but when I did the nmap from one of my other servers on the same subnet, it did not list port 25. A quick reboot of the server, and all is well. Thank you all for your comments. _______________________________________________ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 12 14:42:01 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B3C7D16A4CE for ; Fri, 12 Mar 2004 14:42:01 -0800 (PST) Received: from mail1.firstlink.com (mail1.firstlink.com [66.37.141.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8920F43D1D for ; Fri, 12 Mar 2004 14:42:01 -0800 (PST) (envelope-from dvm@firstlink.com) Received: from jackstraw (66-37-143-139.corp.firstlink.com [66.37.143.139]) by mail1.firstlink.com (Postfix) with ESMTP id D96A7EC096 for ; Fri, 12 Mar 2004 15:42:00 -0700 (MST) 
From: Dan Vande More To: freebsd-ipfw@freebsd.org In-Reply-To: <1079114684.1240.22.camel@dvmgentoo> References: <1079113870.1238.8.camel@dvmgentoo> <1079114684.1240.22.camel@dvmgentoo> Content-Type: text/plain Message-Id: <1079131302.1238.49.camel@dvmgentoo> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.5 Date: Fri, 12 Mar 2004 15:41:42 -0700 Content-Transfer-Encoding: 7bit Subject: Re: transparent squid bridge X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: dvm@firstlink.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Mar 2004 22:42:01 -0000 Ok, to show I did try here's my diff on the manual patching. I've triple checked my work, and everything appears to be the way it is supposed to be. I don't see the expected behavior, if anyone sees anything wrong, I would appreciate some input. Although the counter increases on rule 400 when a client requests a webpage on the other side of the bridge, a 'tcpdump port 80' on {proxy_server_ip_address} sees no packets whatsoever. A tcpdump on the bridge server (tcpdump -n port 80) shows the packets from the client going straight to the requested host, instead of being hijacked and sent to the proxy server. 
************************************* bash-2.05b# egrep -v "^#" /etc/sysctl.conf sysctl net.link.ether.bridge_cfg='xl0 dc0' sysctl net.link.ether.bridge_ipfw=1 sysctl net.link.ether.bridge=1 sysctl net.inet.ip.forwarding=1 ************************************* ************************************** bash-2.05b# ipfw show 00100 56 2920 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from 127.0.0.0/8 to any 00400 21 1078 fwd {proxy_server_ip_address} tcp from any to any dst-port 80 65000 19137 2942276 allow ip from any to any 65535 0 0 deny ip from any to any ************************************** The diff of the pre and post manual patched files ************************************** bash-2.05b# diff -u ip_fw2.c.default ip_fw2.c --- ip_fw2.c.working Fri Mar 12 12:26:51 2004 +++ ip_fw2.c Fri Mar 12 12:31:18 2004 @@ -2061,12 +2061,33 @@ goto done; case O_FORWARD_IP: + #if 0 if (args->eh) /* not valid on layer2 pkts */ break; + #endif if (!q || dyn_dir == MATCH_FORWARD) args->next_hop = &((ipfw_insn_sa *)cmd)->sa; retval = 0; + if (args->eh) { + struct m_hdr tag; + + if (hlen == 0) /* non IP */ + break; + /* + * tag with PACKET_TAG_IPFORWARD + * call ip_input() (need ip_forwarding=1 + * if this has to go out) + * mark packet as comsumed by the firewall + */ + tag.mh_type = MT_TAG; + tag.mh_flags = PACKET_TAG_IPFORWARD; + tag.mh_data = (caddr_t)args->next_hop; + tag.mh_next = m; + args->m = NULL; + retval = IP_FW_PORT_DENY_FLAG; + ip_input((struct mbuf *)&tag); + } goto done; default: ************************************** ip_input: ************************************** bash-2.05b# diff -u ip_input.c.working ip_input.c --- ip_input.c.working Fri Mar 12 12:31:30 2004 +++ ip_input.c Fri Mar 12 12:32:38 2004 
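Review bot: the new layer-2 branch in the ip_fw2.c hunk (`if (args->eh) { ... ip_input((struct mbuf *)&tag); }`) re-injects the packet even when `args->next_hop` was never set; the assignment just above it is conditional (`if (!q || dyn_dir == MATCH_FORWARD)`), so for a match on a dynamic rule in the other direction the tag is built with `tag.mh_data = (caddr_t)args->next_hop` equal to NULL, ip_input() then has no next_hop to make it skip the firewall a second time (the condition the ip_input.c hunk guards on), and the same fwd rule re-enters this branch. Make it `if (args->eh && args->next_hop)` and move the `if (hlen == 0) break;` non-IP check ahead of the next_hop assignment, where the disabled `if (args->eh) break;` used to be: `break` here means "try the next rule", so as written a non-IP frame leaves the switch with a next_hop already set and carries it into whatever rule finally accepts it. Two smaller points: the hunk relies on the MT_TAG pseudo-mbuf convention (`tag.mh_type = MT_TAG;` on a stack-allocated `struct m_hdr` handed to ip_input()), which an earlier message in this thread says has since been removed from -CURRENT, so this is a RELENG_5/5.2.1 change only as quoted; and the `#if 0`/`#endif` are indented with the code and the comment reads "comsumed", both worth tidying before it goes further.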
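Review bot: in the ip_input.c hunk below, `goto pass; /* XXX was 'ours' */;` leaves a stray `;` after the comment (an empty statement) and replaces a clear jump with an XXX note; drop the extra semicolon and record in the comment why `pass` is the right target (the re-injected packet has to take the forwarding path so a fwd target on another host is reached, which is also why the ip_fw2.c comment and the sysctl.conf above require `net.inet.ip.forwarding=1`). Before relying on it, confirm that the `pass:` label sits before the loop that compares the destination (with next_hop substituted in) against this machine's own interface addresses; if it sits after that check, a fwd target that is a local address, which is what running squid on the bridge itself amounts to, is no longer delivered to `ours` at all. The hunk's `@@ -509,7` context comes from the hand-applied version, so it should be re-read against ip_input.c 1.259 mentioned earlier in the thread rather than the RELENG_4 file the forum patch was cut from (its ip_fw2.c header reads revision 1.6.2.16).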
@@ -509,7 +509,7 @@
          * skip the firewall a second time
          */
         if (args.next_hop)
-                goto ours;
+                goto pass;      /* XXX was 'ours' */;
         args.m = m;
         i = ip_fw_chk_ptr(&args);
**************************************

uname -a
**************************************
FreeBSD squid.mydomain.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #2: Fri Mar 12 14:54:27 MST 2004     root@squid.mydomain.com:/usr/src/sys/i386/compile/squid  i386
**************************************

Thanks again!

Dan Vande More

On Fri, 2004-03-12 at 11:04, Dan Vande More wrote:
> I did try it manually, several times. My question in that scenario, is:
>
> Will it still work with:
>
> src/sys/netinet/ip_fw2.c,v 1.51.2.1 2003/12/23 12:25:56 maxim
>
> and
>
> src/sys/netinet/ip_input.c,v 1.259 2003/11/26 20:31:13 andre
>
> When I did apply it manually, it *seemed* like it didn't work. I admit
> it could have easily been user error.
>
> Thanks!
>
> Dan
>
> On Fri, 2004-03-12 at 11:00, Luigi Rizzo wrote:
> > On Fri, Mar 12, 2004 at 10:51:10AM -0700, Dan Vande More wrote:
> > > Hey all
> >
> > how about applying the patch manually? It is so trivial
> > it would have taken less than posting this message...
> >
> > cheers
> > luigi
> >

From owner-freebsd-ipfw@FreeBSD.ORG Sat Mar 13 06:19:48 2004
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E8D8716A4CE for ; Sat, 13 Mar 2004 06:19:48 -0800 (PST)
Received: from mail022.syd.optusnet.com.au (mail022.syd.optusnet.com.au [211.29.132.100]) by mx1.FreeBSD.org (Postfix) with ESMTP id F36F743D1D for ; Sat, 13 Mar 2004 06:19:47 -0800 (PST) (envelope-from tfrank@optushome.com.au)
Received: from marvin.home.local (c211-28-241-126.eburwd5.vic.optusnet.com.au [211.28.241.126]) i2DEJjE11964; Sun, 14 Mar 2004 01:19:45 +1100
Received: by marvin.home.local (Postfix, from userid 1001) id 339F01FB81; Sun, 14 Mar 2004 01:19:45 +1100 (EST)
Date: Sun, 14 Mar 2004 01:19:45 +1100
From: Tony Frank
To: asd ads
Message-ID: <20040313141945.GA64101@marvin.home.local>
References: <20040309112748.GB8528@marvin.home.local> <20040309171513.96071.qmail@web41305.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040309171513.96071.qmail@web41305.mail.yahoo.com>
User-Agent: Mutt/1.4.2.1i
cc: freebsd-ipfw@freebsd.org
cc: Tony Frank
Subject: Re: Multiple natd and inbound web traffic
X-List-Received-Date: Sat, 13 Mar 2004 14:19:49 -0000

Hi there again,

Bit of a delay due to some work commitments.
Note, preferably post your comments in-line so it's easier to track the history of the message & contents etc.

On Tue, Mar 09, 2004 at 09:15:13AM -0800, asd ads wrote:
> > > I have the following setup below. A FreeBSD 4.9 machine with 3 NICs:
> > > fxp0, fxp1 and ed0. fxp0 is connected to my DSL connection, fxp1 is
> > > connected to my cable connection and ed0 is my internal network.
> > >
> > >     xx.xx.12.1              yy.yy.34.1
> > >     ---------               -------
> > >     |  DSL  |               |Cable|
> > >     ---------               -------
> > >         |                      |
> > >          \                    /
> > >           \                  /
> > >            \                /
> > >             \              /
> > >              \            /
> > >          fxp0 |          | fxp1
> > >         .12.2 |          | .34.2
> > >               |          |
> > >           -----------------
> > >           |      FW       |
> > >           | Default route |
> > >           |  xx.xx.12.1   |
> > >           |               |
> > >           -----------------
> > >                   |
> > >                   | ed0
> > >                   | 192.168.200.1
> > >                   |
> > >                   |
> > >                 -----
> > >                 |   |
> > >                 |   | Web Server
> > >                 |   | 192.168.200.10:80
> > >                 |   |
> > >                 -----
> > >
> > > What I'm trying to do:
> > >
> > > Need to have inbound web traffic (from both connections) forwarded to
> > > the same internal web server.
> > >
> > > Problem:
> > >
> > > When a web connection is made to xx.xx.12.2:80 (DSL), it's NATed to
> > > 192.168.200.10:80 (websrv) and then back to the client (all is well at
> > > this point).
> > >
> > > The problem occurs when a connection is made to yy.yy.34.2:80 (cable):
> > > it's NATed with the second instance of nat to 192.168.200.10:80
> > > (websrv), but when it tries to respond back to the client the default
> > > route forces it back through the first connection.
> > >
> > > Does anyone have a good example of fwd & divert rules that would help
> > > with this issue?

You need a way to distinguish the 'uplink' traffic as 'belonging' to either uplink (DSL or cable).
Easiest way I can think of is to use an IP alias on the webserver and direct (via natd) the traffic from DSL to IP1 and from cable to IP2.
Then you can forward traffic from IP1 to DSL, and from IP2 to cable.

So from your example above I select 192.168.200.11 as second IP for cable traffic.

A sample config that will possibly work for you:

1. Build a kernel with at least the following options:

options IPFIREWALL
options IPFW2
options IPFIREWALL_FORWARD
options IPDIVERT

2. Configure second IP address on webserver

# ifconfig fxp0 inet 192.168.200.11 netmask 255.255.255.255 alias

Also ensure that httpd etc. is listening on both IP addresses.

3. Start two instances of natd (one for each 'public' interface)
Include redirection either in config file or on commandline

# /sbin/natd -f /etc/natd.conf -n fxp0 -p 8668 -redirect_port tcp 192.168.200.10:80 80
# /sbin/natd -f /etc/natd.conf -n fxp1 -p 8669 -redirect_port tcp 192.168.200.11:80 80

My natd.conf looks like this:

dynamic yes
log_denied yes
deny_incoming no
use_sockets yes
same_ports yes
target_address 255.255.255.255
log_ipfw_denied yes

4. Configure suitable ipfw divert & forwarding rules
You will need to combine this with an existing rc.firewall for the full script logic required.
inside_if="ed0"
outside_if1="fxp0"
outside_ip1="xx.xx.12.2"
uplink_ip1="xx.xx.12.1"
inside_ip1="192.168.200.10"
outside_if2="fxp1"
outside_ip2="yy.yy.34.2"
uplink_ip2="yy.yy.34.1"
inside_ip2="192.168.200.11"

# First place any generic rules - eg can stop spoofing etc (refer default rc.firewall for sample)

# Rules to jump to correct processing locations for outside/transit traffic
${fwcmd} add 05000 skipto 10000 ip from ${inside_ip2} to any out xmit ${outside_if1}
${fwcmd} add 05010 skipto 11000 ip from ${inside_ip1} to any out xmit ${outside_if2}
${fwcmd} add 05020 skipto 12000 ip from any to any via ${outside_if1}
${fwcmd} add 05030 skipto 13000 ip from any to any via ${outside_if2}

# Fallthrough - 'inside' traffic (anything via ${inside_if})
${fwcmd} add 09999 allow ip from any to any
# or could use: ${fwcmd} add 09999 skipto 50000 ip from any to any

# Special case "policy routing" rules:
# divert traffic from cable inside IP to cable instance of natd
# After natd ip src will be rewritten to IP of cable interface, so send packet to cable next-hop
${fwcmd} add 10000 divert 8669 ip from ${inside_ip2} to any out xmit ${outside_if1}
${fwcmd} add 10005 fwd ${uplink_ip2} ip from ${outside_ip2} to any

# divert traffic from dsl inside IP to dsl instance of natd
# After natd ip src will be rewritten to IP of dsl interface, so send packet to dsl next-hop
${fwcmd} add 11000 divert 8668 ip from ${inside_ip1} to any out xmit ${outside_if2}
${fwcmd} add 11005 fwd ${uplink_ip1} ip from ${outside_ip1} to any

# General natd rules for 'normal' transit traffic
${fwcmd} add 12000 divert 8668 ip from any to any via ${outside_if1}
${fwcmd} add 12010 skipto 50000 ip from any to any
${fwcmd} add 13000 divert 8669 ip from any to any via ${outside_if2}
${fwcmd} add 13010 skipto 50000 ip from any to any

# Final set of more specific rules to control transit traffic if needed
${fwcmd} add 50000 allow ip from any to any

# Everything else is denied and logged [XXX should never hit this - catchall XXX]
${fwcmd} add 65000 deny log logamount 0 all from any to any

### end

Note also that some of the other available firewall packages (ipfilter, pf) offer a few other options in this domain.
It might be worth looking at them too.

Hope it helps,

Tony
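The ruleset above is easiest to check by walking representative packets through it rule by rule. The following is an added example written for this page, not code from Tony's post or from FreeBSD: a small Python model of the four-step setup (two natd instances with -redirect_port, plus the skipto/divert/fwd rules with the same numbers as the script). It models only the ipfw behaviour the design relies on (skipto jumps forward, a diverted packet re-enters at the rule after the divert, fwd accepts the packet and records a next hop) and reduces natd to "masquerade outbound, apply the port redirect inbound"; a real natd only rewrites packets it holds state for. The client address 203.0.113.5 is constructed, and the xx.xx/yy.yy placeholders are kept as opaque strings. The last function removes the policy-routing rules to reproduce the reported symptom: the reply for the cable connection is handed to the DSL natd instance and leaves with the DSL address on the default route.

```python
"""Trace packets through the two-uplink natd/fwd ruleset (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

INSIDE_IP1, INSIDE_IP2 = "192.168.200.10", "192.168.200.11"
OUTSIDE_IF1, OUTSIDE_IP1, UPLINK_IP1 = "fxp0", "xx.xx.12.2", "xx.xx.12.1"   # DSL
OUTSIDE_IF2, OUTSIDE_IP2, UPLINK_IP2 = "fxp1", "yy.yy.34.2", "yy.yy.34.1"   # cable
CLIENT = "203.0.113.5"   # constructed Internet client (TEST-NET-3), not from the thread


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    direction: str                  # "in" (received) or "out" (being transmitted)
    iface: str                      # interface received on / transmitted out of
    next_hop: Optional[str] = None  # set by a fwd rule
    trace: List[int] = field(default_factory=list)  # rule numbers that matched


@dataclass
class Natd:
    """One natd instance: -n <iface> plus -redirect_port tcp <inside>:80 80 (simplified, stateless)."""
    iface: str
    outside_ip: str
    inside_ip: str

    def translate(self, p: Packet) -> None:
        if p.direction == "out":
            p.src = self.outside_ip          # outbound: source becomes the interface address
        elif p.dst == self.outside_ip and p.dport == 80:
            p.dst = self.inside_ip           # inbound: -redirect_port to the web server alias


NATD = {8668: Natd(OUTSIDE_IF1, OUTSIDE_IP1, INSIDE_IP1),
        8669: Natd(OUTSIDE_IF2, OUTSIDE_IP2, INSIDE_IP2)}

Match = Callable[[Packet], bool]

def out_xmit(ifn: str) -> Match: return lambda p: p.direction == "out" and p.iface == ifn
def via(ifn: str) -> Match:      return lambda p: p.iface == ifn
def src(ip: str) -> Match:       return lambda p: p.src == ip
def both(a: Match, b: Match) -> Match: return lambda p: a(p) and b(p)
ANY: Match = lambda p: True

# (number, match, action, argument): same rules and numbers as the posted script
RULES = [
    (5000,  both(src(INSIDE_IP2), out_xmit(OUTSIDE_IF1)), "skipto", 10000),
    (5010,  both(src(INSIDE_IP1), out_xmit(OUTSIDE_IF2)), "skipto", 11000),
    (5020,  via(OUTSIDE_IF1),                             "skipto", 12000),
    (5030,  via(OUTSIDE_IF2),                             "skipto", 13000),
    (9999,  ANY,                                          "allow",  None),
    (10000, both(src(INSIDE_IP2), out_xmit(OUTSIDE_IF1)), "divert", 8669),
    (10005, src(OUTSIDE_IP2),                             "fwd",    UPLINK_IP2),
    (11000, both(src(INSIDE_IP1), out_xmit(OUTSIDE_IF2)), "divert", 8668),
    (11005, src(OUTSIDE_IP1),                             "fwd",    UPLINK_IP1),
    (12000, via(OUTSIDE_IF1),                             "divert", 8668),
    (12010, ANY,                                          "skipto", 50000),
    (13000, via(OUTSIDE_IF2),                             "divert", 8669),
    (13010, ANY,                                          "skipto", 50000),
    (50000, ANY,                                          "allow",  None),
    (65000, ANY,                                          "deny",   None),
]
POLICY_RULES = {5000, 5010, 10000, 10005, 11000, 11005}


def walk(p: Packet, rules=RULES) -> str:
    """Evaluate rules against p in ipfw order; returns the terminal action."""
    start = 0                        # lowest rule number still eligible (raised by skipto)
    for num, match, action, arg in rules:
        if num < start or not match(p):
            continue
        p.trace.append(num)
        if action in ("allow", "deny"):
            return action
        if action == "fwd":          # terminal: accept and override the next hop
            p.next_hop = arg
            return "allow"
        if action == "skipto":
            start = arg
        elif action == "divert":     # natd rewrites, then re-injects at the next rule
            NATD[arg].translate(p)
    return "deny"                    # implicit default rule 65535


def inbound_cable_request() -> Packet:
    p = Packet(CLIENT, OUTSIDE_IP2, 80, "in", OUTSIDE_IF2)
    walk(p)
    return p

def reply_from_cable_alias(rules=RULES) -> Packet:
    # The reply follows the default route, i.e. goes out fxp0, although it belongs to the cable link.
    p = Packet(INSIDE_IP2, CLIENT, 51000, "out", OUTSIDE_IF1)
    walk(p, rules)
    return p

def reply_from_dsl_ip() -> Packet:
    p = Packet(INSIDE_IP1, CLIENT, 51000, "out", OUTSIDE_IF1)
    walk(p)
    return p

def without_policy_rules() -> Packet:
    """The original poster's situation: only the generic per-interface natd rules."""
    return reply_from_cable_alias([r for r in RULES if r[0] not in POLICY_RULES])


if __name__ == "__main__":
    for name, fn in [("cable request in", inbound_cable_request),
                     ("reply from .11", reply_from_cable_alias),
                     ("reply from .10", reply_from_dsl_ip),
                     ("reply from .11, no policy rules", without_policy_rules)]:
        p = fn()
        print(f"{name:32} src={p.src} dst={p.dst} next_hop={p.next_hop} rules={p.trace}")
```

Running it shows the cable reply hitting 05000, 10000 and 10005 and leaving as yy.yy.34.2 with next hop yy.yy.34.1, while the DSL reply takes 05020, 12000, 12010, 50000 with no next-hop override. Without the policy rules the same cable reply is diverted to port 8668 and leaves as xx.xx.12.2, which is the broken return path in the question.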