From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 7 11:02:17 2005
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3A6FB16A4CE for ; Mon, 7 Feb 2005 11:02:17 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2255B43D2F for ; Mon, 7 Feb 2005 11:02:17 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id j17B2H0V059787 for ; Mon, 7 Feb 2005 11:02:17 GMT (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.13.1/8.13.1/Submit) id j17B2GZu059781 for ipfw@freebsd.org; Mon, 7 Feb 2005 11:02:16 GMT (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 7 Feb 2005 11:02:16 GMT
Message-Id: <200502071102.j17B2GZu059781@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 07 Feb 2005 11:02:17 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11]  kern/60154  ipfw  ipfw core (crash)
o [2004/03/03]  kern/63724  ipfw  IPFW2 Queues dont t work
f [2004/03/25]  kern/64694  ipfw  [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13]  kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19]  kern/74104  ipfw  ipfw2/1 conflict not detected or reported
o [2004/12/25]  i386/75483  ipfw  ipfw count does not count

8 problems total.

Non-critical problems

S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10]  kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11]  kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09]  bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26]  kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30]  kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03]  kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04]  kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 8 15:46:12 2005
Delivered-To: freebsd-ipfw@freebsd.org
Date: Tue, 8 Feb 2005 17:45:59 +0200
From: "Chris Dionissopoulos"
cc: freebsd-net@freebsd.org
Message-ID: <000a01c50df5$4a4435e0$3c00000a@R3B>
Subject: Sticky pf(4)-like feature in ipfw?

Hi,

I think of adding a new feature in (my local copy) ipfw (releng5) so that it
makes also sticky match when forwarding broken protocols like ftp, h.323,
sip, etc.
It's inspired from pf(4) sticky feature as is. The general usage will be for
"skipto" forwarding rules as shown in example below:

Network ASCII-ART:

   Gateway1      Gateway2
      |             |
   ---------------- 192.168.1.0/24
          |
    [Freebsd-ipfw]
          |
   ---------------- 192.168.3.0/24

ipfw.sh:
~~~~~~~~~~~~~~~~~~~~~~
#!/bin/sh
fwcmd="/sbin/ipfw"
pass="skipto 65535"

gateway_mac1="00:0e:2e:03:36:23"
gateway_mac2="00:0e:2e:03:37:23"
gateway1="192.168.1.2"
gateway2="192.168.1.1"

lan_network="192.168.3.0/24"
broken="20,21,1720,6667,4600-4700"

#CHECK STATES.
${fwcmd} add 100 check-state

# INCOMING TRAFFIC (received on rl0 from each gateway's MAC address)
${fwcmd} add 1100 skipto 10100 ip from any to any mac any ${gateway_mac1} in recv rl0 keep-state
${fwcmd} add 1200 skipto 10200 ip from any to any mac any ${gateway_mac2} in recv rl0 keep-state

#OUTGOING + NOT-YET-STATED PACKETS BROKEN PROTOCOLS [LB 50%-50%]
${fwcmd} add 2000 prob 0.5 skipto 10101 tcp from ${lan_network} to not ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
${fwcmd} add 2001 skipto 10201 tcp from ${lan_network} to not ${lan_network} dst-port ${broken} in recv rl1 keep-sticky

#OUTGOING + NOT-YET-STATED PACKETS (BALANCE) [LB 50%-50%]
${fwcmd} add 2100 prob 0.5 skipto 10101 ip from ${lan_network} to not ${lan_network} in recv rl1 keep-state
${fwcmd} add 2101 skipto 10201 ip from ${lan_network} to not ${lan_network} in recv rl1 keep-state

#DRIVE OUTGOING TRAFFIC TO GATEWAY1. JUST PASS OTHER
${fwcmd} add 10100 fwd ${gateway1} ip from ${lan_network} to not ${lan_network} in recv rl1
${fwcmd} add 10110 ${pass} ip from any to any

#DRIVE OUTGOING TRAFFIC TO GATEWAY2. JUST PASS OTHER
${fwcmd} add 10200 fwd ${gateway2} ip from ${lan_network} to not ${lan_network} in recv rl1
${fwcmd} add 10210 ${pass} ip from any to any
~~~~~~~~~~~~~~~~~~~~~~

"keep-sticky" main difference with "keep-state" is just relaxed state
matching using only proto+(src_ip+dst_ip) and proto+reversed(src_ip+dst_ip),
and not (src_ip:src_port + dst_ip:dst_port) straight and reversed
(=keep-state/limit).

My question:
Has anyone already worked on such a feature?
Since it's pretty easy to implement(*) "keep-sticky", are any of the
ipfw developers planning to add such a feature in the near future?

Thanks,
Chris.

(*)
1. TOK_KEEPSTICKY in /usr/src/sbin/ipfw/ipfw2.c
   O_KEEP_STICKY in /usr/src/sys/netinet/ip_fw.h
   and copy TOK_KEEPSTATE+O_KEEPSTATE code
   as a new case of cmd+rule argument.
2. Some changes in "lookup_dyn_rule_locked" function of
   /usr/src/sys/netinet/ip_fw2.c to make a more relaxed state
   when "keep-sticky" is enabled.

____________________________________________________________________
http://www.freemail.gr - free e-mail service.
http://www.freemail.gr - free email service for the Greek-speaking.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 8 23:01:51 2005
Delivered-To: freebsd-ipfw@freebsd.org
Date: Tue, 8 Feb 2005 15:01:50 -0800
From: Luigi Rizzo
To: Chris Dionissopoulos
Message-ID: <20050208150150.C28282@xorpc.icir.org>
References: <000a01c50df5$4a4435e0$3c00000a@R3B>
In-Reply-To: <000a01c50df5$4a4435e0$3c00000a@R3B>; from dionch@freemail.gr on Tue, Feb 08, 2005 at 05:45:59PM +0200
cc: freebsd-ipfw@freebsd.org
cc:
freebsd-net@freebsd.org
Subject: Re: Sticky pf(4)-like feature in ipfw?

The 'state only based on the 3-tuple' as you describe it is certainly an
interesting feature. It is slightly more expensive to implement than what I
thought at first, because you should do two hash computations and lookups
(one on the 5-tuple, one on the 3-tuple) on each packet trying to match a
dynamic rule.

I just wonder why it is named 'sticky' in pf, which is not really very
indicative of what the function does.

cheers
luigi

On Tue, Feb 08, 2005 at 05:45:59PM +0200, Chris Dionissopoulos wrote:
> Hi,
> I think of adding a new feature in (my local copy) ipfw (releng5) so that it
> makes also sticky match when forwarding broken protocols like ftp, h.323,
> sip, etc.
> It's inspired from pf(4) sticky feature as is. The general usage will be for
> "skipto" forwarding rules as shown in example below:
>
> Network ASCII-ART:
>
>    Gateway1      Gateway2
>       |             |
>    ---------------- 192.168.1.0/24
>           |
>     [Freebsd-ipfw]
>           |
>    ---------------- 192.168.3.0/24
>
> ipfw.sh:
> ~~~~~~~~~~~~~~~~~~~~~~
> #!/bin/sh
> fwcmd="/sbin/ipfw"
> pass="skipto 65535"
>
> gateway_mac1="00:0e:2e:03:36:23"
> gateway_mac2="00:0e:2e:03:37:23"
> gateway1="192.168.1.2"
> gateway2="192.168.1.1"
>
> lan_network="192.168.3.0/24"
> broken="20,21,1720,6667,4600-4700"
>
> #CHECK STATES.
> ${fwcmd} add 100 check-state
>
> # INCOMING TRAFFIC (received on rl0 from each gateway's MAC address)
> ${fwcmd} add 1100 skipto 10100 ip from any to any mac any ${gateway_mac1} in recv rl0 keep-state
> ${fwcmd} add 1200 skipto 10200 ip from any to any mac any ${gateway_mac2} in recv rl0 keep-state
>
> #OUTGOING + NOT-YET-STATED PACKETS BROKEN PROTOCOLS [LB 50%-50%]
> ${fwcmd} add 2000 prob 0.5 skipto 10101 tcp from ${lan_network} to not ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
> ${fwcmd} add 2001 skipto 10201 tcp from ${lan_network} to not ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
>
> #OUTGOING + NOT-YET-STATED PACKETS (BALANCE) [LB 50%-50%]
> ${fwcmd} add 2100 prob 0.5 skipto 10101 ip from ${lan_network} to not ${lan_network} in recv rl1 keep-state
> ${fwcmd} add 2101 skipto 10201 ip from ${lan_network} to not ${lan_network} in recv rl1 keep-state
>
> #DRIVE OUTGOING TRAFFIC TO GATEWAY1. JUST PASS OTHER
> ${fwcmd} add 10100 fwd ${gateway1} ip from ${lan_network} to not ${lan_network} in recv rl1
> ${fwcmd} add 10110 ${pass} ip from any to any
>
> #DRIVE OUTGOING TRAFFIC TO GATEWAY2. JUST PASS OTHER
> ${fwcmd} add 10200 fwd ${gateway2} ip from ${lan_network} to not ${lan_network} in recv rl1
> ${fwcmd} add 10210 ${pass} ip from any to any
> ~~~~~~~~~~~~~~~~~~~~~~
>
> "keep-sticky" main difference with "keep-state" is just relaxed state
> matching using only proto+(src_ip+dst_ip) and proto+reversed(src_ip+dst_ip),
> and not (src_ip:src_port + dst_ip:dst_port) straight and reversed
> (=keep-state/limit).
>
> My question:
> Has anyone already worked on such a feature?
> Since it's pretty easy to implement(*) "keep-sticky", are any of the
> ipfw developers planning to add such a feature in the near future?
>
> Thanks,
> Chris.
>
> (*)
> 1. TOK_KEEPSTICKY in /usr/src/sbin/ipfw/ipfw2.c
>    O_KEEP_STICKY in /usr/src/sys/netinet/ip_fw.h
>    and copy TOK_KEEPSTATE+O_KEEPSTATE code
>    as a new case of cmd+rule argument.
> 2. Some changes in "lookup_dyn_rule_locked" function of
>    /usr/src/sys/netinet/ip_fw2.c to make a more relaxed state
>    when "keep-sticky" is enabled.
>
> ____________________________________________________________________
> http://www.freemail.gr - free e-mail service.
> http://www.freemail.gr - free email service for the Greek-speaking.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 8 23:44:07 2005
Delivered-To: freebsd-ipfw@freebsd.org
Date: Wed, 9 Feb 2005 00:43:18 +0100
From: Max Laier
To: freebsd-ipfw@freebsd.org
Message-Id: <200502090043.30704.max@love2party.net>
References: <000a01c50df5$4a4435e0$3c00000a@R3B> <20050208150150.C28282@xorpc.icir.org>
In-Reply-To: <20050208150150.C28282@xorpc.icir.org>
cc: Luigi
Rizzo
cc: freebsd-net@freebsd.org
cc: Chris Dionissopoulos
Subject: Re: Sticky pf(4)-like feature in ipfw?

On Wednesday 09 February 2005 00:01, Luigi Rizzo wrote:
> The 'state only based on the 3-tuple' as you describe it
> is certainly an interesting feature. It is slightly more expensive
> to implement than what I thought at first, because you should
> do two hash computations and lookups (one on the 5-tuple, one
> on the 3-tuple) on each packet trying to match a dynamic rule.
>
> I just wonder why it is named 'sticky' in pf,
> which is not really very indicative of what the function does.

It's actually called "sticky-address" and applies to all rules that select
addresses from a pool. It is called that way as things work a bit differently
in PF. You'd have a forwarding rule that selects addresses from a pool as
equivalent to the "prob .5 skip-to" in IPFW. The state matching isn't
affected at all (i.e. if you do stateful matching PF still performs 5-tuple
matching). The "sticky-address" option on the pool, however, ensures that
the next time a certain client needs to be forwarded it gets the same
translation address.

As you said, you have to be careful with only 3-tuple states as it might be
open to injection attacks and thus allow evildoers to bypass the firewall.

> cheers
> luigi
>
> On Tue, Feb 08, 2005 at 05:45:59PM +0200, Chris Dionissopoulos wrote:
> > Hi,
> > I think of adding a new feature in (my local copy) ipfw (releng5) so that
> > it makes also sticky match when forwarding broken protocols like ftp,
> > h.323, sip, etc.
> > It's inspired from pf(4) sticky feature as is. The general usage will be
> > for "skipto" forwarding rules as shown in example below:
> >
> > Network ASCII-ART:
> >
> >    Gateway1      Gateway2
> >       |             |
> >    ---------------- 192.168.1.0/24
> >           |
> >     [Freebsd-ipfw]
> >           |
> >    ---------------- 192.168.3.0/24
> >
> > ipfw.sh:
> > ~~~~~~~~~~~~~~~~~~~~~~
> > #!/bin/sh
> > fwcmd="/sbin/ipfw"
> > pass="skipto 65535"
> >
> > gateway_mac1="00:0e:2e:03:36:23"
> > gateway_mac2="00:0e:2e:03:37:23"
> > gateway1="192.168.1.2"
> > gateway2="192.168.1.1"
> >
> > lan_network="192.168.3.0/24"
> > broken="20,21,1720,6667,4600-4700"
> >
> > #CHECK STATES.
> > ${fwcmd} add 100 check-state
> >
> > # INCOMING TRAFFIC (received on rl0 from each gateway's MAC address)
> > ${fwcmd} add 1100 skipto 10100 ip from any to any mac any ${gateway_mac1} in recv rl0 keep-state
> > ${fwcmd} add 1200 skipto 10200 ip from any to any mac any ${gateway_mac2} in recv rl0 keep-state
> >
> > #OUTGOING + NOT-YET-STATED PACKETS BROKEN PROTOCOLS [LB 50%-50%]
> > ${fwcmd} add 2000 prob 0.5 skipto 10101 tcp from ${lan_network} to not ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
> > ${fwcmd} add 2001 skipto 10201 tcp from ${lan_network} to not ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
> >
> > #OUTGOING + NOT-YET-STATED PACKETS (BALANCE) [LB 50%-50%]
> > ${fwcmd} add 2100 prob 0.5 skipto 10101 ip from ${lan_network} to not ${lan_network} in recv rl1 keep-state
> > ${fwcmd} add 2101 skipto 10201 ip from ${lan_network} to not ${lan_network} in recv rl1 keep-state
> >
> > #DRIVE OUTGOING TRAFFIC TO GATEWAY1. JUST PASS OTHER
> > ${fwcmd} add 10100 fwd ${gateway1} ip from ${lan_network} to not ${lan_network} in recv rl1
> > ${fwcmd} add 10110 ${pass} ip from any to any
> >
> > #DRIVE OUTGOING TRAFFIC TO GATEWAY2. JUST PASS OTHER
> > ${fwcmd} add 10200 fwd ${gateway2} ip from ${lan_network} to not ${lan_network} in recv rl1
> > ${fwcmd} add 10210 ${pass} ip from any to any
> > ~~~~~~~~~~~~~~~~~~~~~~
> >
> > "keep-sticky" main difference with "keep-state" is just relaxed state
> > matching using only proto+(src_ip+dst_ip) and proto+reversed(src_ip+dst_ip),
> > and not (src_ip:src_port + dst_ip:dst_port) straight and reversed
> > (=keep-state/limit).
> >
> > My question:
> > Has anyone already worked on such a feature?
> > Since it's pretty easy to implement(*) "keep-sticky", are any of the
> > ipfw developers planning to add such a feature in the near future?
> >
> > Thanks,
> > Chris.
> >
> > (*)
> > 1. TOK_KEEPSTICKY in /usr/src/sbin/ipfw/ipfw2.c
> >    O_KEEP_STICKY in /usr/src/sys/netinet/ip_fw.h
> >    and copy TOK_KEEPSTATE+O_KEEPSTATE code
> >    as a new case of cmd+rule argument.
> > 2. Some changes in "lookup_dyn_rule_locked" function of
> >    /usr/src/sys/netinet/ip_fw2.c to make a more relaxed state
> >    when "keep-sticky" is enabled.
> >
> > ____________________________________________________________________
> > http://www.freemail.gr - free e-mail service.
> > http://www.freemail.gr - free email service for the Greek-speaking.
> > _______________________________________________
> > freebsd-net@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-ipfw@FreeBSD.ORG Wed Feb 9 00:03:59 2005
Delivered-To: freebsd-ipfw@freebsd.org
Date: Wed, 9 Feb 2005 02:04:03 +0200
From: Jara
X-Mailer: The Bat!
Message-ID: <537516181.20050209020403@vkt.lt>
To: freebsd-ipfw@freebsd.org
Subject: IPFW pipe v 4.10-stable vs 5.3-stable

Hello all.

I have a little problem with the same ipfw+dummynet options on different
FreeBSD versions, look:

I add these rules:

pipe 128 config mask src-ip 0xffffffff bw 128Kbit/s
add 53098 pipe 128 ip from any to table'(10)' in
pipe 127 config mask dst-ip 0xffffffff bw 64Kbit/s
add 53099 pipe 127 ip from table'(10)' to any in

so ipfw -l shows:

53098 pipe 128 ip from any to table(10) in
53099 pipe 127 ip from table(10) to any in

Now... If I use this configuration under 4.10-stable everything is ok.
But when I try 5.3-stable, download traffic (pipe 128) is reduced twice -
down to 64kbits.
If I remove ' in' from the ipfw command - download grows up to 128kbits.
(if I remove ' in' from upload (pipe 127) it stays untouched - 64kbits)

Where could I have made a mistake?
net.link.ether.ipfw is set to 0

Thanks!

Cheers,
Jarek

From owner-freebsd-ipfw@FreeBSD.ORG Wed Feb 9 17:04:29 2005
Delivered-To: freebsd-ipfw@freebsd.org
Date: Wed, 9 Feb 2005 19:05:17 +0200
From: "Chris Knipe"
Message-ID: <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com>
Subject: ipfw fwd

Lo all,

FreeBSD 4.11-STABLE, running ipfw2.
root@wsmd-core02:/home/cknipe# ifconfig vlan1
vlan1: flags=8843 mtu 1496
        inet 198.19.0.33 netmask 0xffffffe0 broadcast 198.19.0.63
        ether 00:08:a1:7a:b1:44
        media: Ethernet autoselect (100baseTX)
        status: active
        vlan: 200 parent interface: rl0

ipfw2:
00400 0 0 allow tcp from 198.19.0.36 to any dst-port 80
00401 12 652 allow tcp from 198.19.0.35 to any dst-port 25
00402 13 668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any dst-port 80
00403 2 120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any dst-port 25

However, packets that are forwarded never connect to the destination where
they are forwarded to. And yes, I did check the obvious, everything is up and
running.... Is there some sysctl magic or something required to make this
work? I can fwd without a problem to the SAME BOX, but I cannot seem to get
it to work to fwd to remote machines. In case someone is wondering, this is
for transparent proxy / smtp servers.

--
Chris.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 10 00:35:54 2005
Delivered-To: freebsd-ipfw@freebsd.org
Date: Wed, 9 Feb 2005 17:38:35 -0800 (PST)
From: Kelly Yancey
To: Chris Knipe
In-Reply-To: <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com>
Message-ID: <20050209172905.W66973@gateway.posi.net>
References: <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com>
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw fwd

On Wed, 9 Feb 2005, Chris Knipe wrote:
> Lo all,
>
> FreeBSD 4.11-STABLE, running ipfw2.
>
> root@wsmd-core02:/home/cknipe# ifconfig vlan1
> vlan1: flags=8843 mtu 1496
>         inet 198.19.0.33 netmask 0xffffffe0 broadcast 198.19.0.63
>         ether 00:08:a1:7a:b1:44
>         media: Ethernet autoselect (100baseTX)
>         status: active
>         vlan: 200 parent interface: rl0
>
> ipfw2:
> 00400 0 0 allow tcp from 198.19.0.36 to any dst-port 80
> 00401 12 652 allow tcp from 198.19.0.35 to any dst-port 25
> 00402 13 668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any dst-port 80
> 00403 2 120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any dst-port 25
>
> However, packets that are forwarded never connect to the destination where
> they are forwarded to. And yes, I did check the obvious, everything is up and
> running.... Is there some sysctl magic or something required to make this
> work? I can fwd without a problem to the SAME BOX, but I cannot seem to get
> it to work to fwd to remote machines. In case someone is wondering, this is
> for transparent proxy / smtp servers.
>
> --
> Chris.

I don't suppose you're getting bitten by:

    "The fwd action does not change the contents of the packet at all.
     In particular, the destination address remains unmodified, so
     packets forwarded to another system will usually be rejected by
     that system unless there is a matching rule on that system to
     capture them."

The ipfw(8) man page is a little vague with the phrasing "matching rule on
that system to capture them". Normally systems don't process packets locally
that are not destined for it. You can use tcpdump on the remote box to verify
for yourself that the fwd is working correctly and that the remote box is
receiving the packets. The remote box just doesn't know what to do with the
packets it is receiving.

Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com
"And say, finally, whether peace is best preserved by giving energy to the
government or information to the people. This last is the most certain and
the most legitimate engine of government."
  -- Thomas Jefferson to James Madison, 1787.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 10 08:02:58 2005
Delivered-To: freebsd-ipfw@freebsd.org
Date: Thu, 10 Feb 2005 10:02:34 +0200
From: "Chris Dionissopoulos"
To: "Luigi Rizzo"
cc: freebsd-ipfw@freebsd.org
Message-ID: <003201c50f46$e23049f0$3c00000a@R3B>
References: <000a01c50df5$4a4435e0$3c00000a@R3B> <20050208150150.C28282@xorpc.icir.org>
Subject: Re: Sticky pf(4)-like feature in ipfw?
Thanks for your help.
"Sticky" was more a wordplay than a technical description, just so more
people understand at first reading what I want to do.

Chris.

> The 'state only based on the 3-tuple' as you describe it
> is certainly an interesting feature. It is slightly more expensive
> to implement than what I thought at first, because you should
> do two hash computations and lookups (one on the 5-tuple, one
> on the 3-tuple) on each packet trying to match a dynamic rule.
>
> I just wonder why it is named 'sticky' in pf,
> which is not really very indicative of what the function does.
>
> cheers
> luigi

____________________________________________________________________
http://www.freemail.gr - free e-mail service.
http://www.freemail.gr - free email service for the Greek-speaking.
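The sticky thread above turns on three points: Chris's proposed dynamic-rule key of proto + (src_ip, dst_ip) next to the usual 5-tuple, Luigi's observation that every packet then costs two hash lookups (5-tuple first, then 3-tuple, each tried in both directions), and Max's caveat that a 3-tuple state also matches traffic a 5-tuple state would never admit. The Python model below is an added example written for this page; it is not ipfw code and not code from any of the posters. The addresses, ports and the `skipto 10101` action string are constructed sample values, and the names `DynRules`, `install`, `lookup`, `demo` and `matched_only_by_relaxed_key` are this example's own.

```python
"""Model of ipfw dynamic-rule matching with the usual 5-tuple key (keep-state)
and the relaxed 3-tuple key proposed as keep-sticky.  Added example for this
page, not ipfw code; all addresses and actions below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Key5 = Tuple[str, str, int, str, int]
Key3 = Tuple[str, str, str]


def key5(p: Packet) -> Key5:
    return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def key5_rev(p: Packet) -> Key5:
    return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)


def key3(p: Packet) -> Key3:
    return (p.proto, p.src_ip, p.dst_ip)


def key3_rev(p: Packet) -> Key3:
    return (p.proto, p.dst_ip, p.src_ip)


class DynRules:
    """Two tables, one per key shape, standing in for ipfw's dynamic-rule hash."""

    def __init__(self) -> None:
        self.state5: Dict[Key5, str] = {}   # keep-state entries -> parent action
        self.state3: Dict[Key3, str] = {}   # keep-sticky entries -> parent action

    def install(self, p: Packet, action: str, sticky: bool = False) -> None:
        """Install the state a matching parent rule would create for p."""
        if sticky:
            self.state3[key3(p)] = action
        else:
            self.state5[key5(p)] = action

    def lookup(self, p: Packet) -> Optional[Tuple[str, str]]:
        """What check-state would do for p: (action, key kind) or None.
        Two lookups per packet, as Luigi notes: exact 5-tuple first, then the
        relaxed 3-tuple, each tried in the forward and reversed direction."""
        for k in (key5(p), key5_rev(p)):
            if k in self.state5:
                return self.state5[k], "state"
        for k in (key3(p), key3_rev(p)):
            if k in self.state3:
                return self.state3[k], "sticky"
        return None


def demo() -> Dict[str, Optional[Tuple[str, str]]]:
    """Constructed traffic: an FTP control connection installs a sticky
    (3-tuple) state, an HTTPS connection installs a normal (5-tuple) state."""
    rules = DynRules()
    ftp_ctl = Packet("tcp", "192.168.3.10", 40000, "203.0.113.5", 21)
    https = Packet("tcp", "192.168.3.10", 50000, "198.51.100.7", 443)
    rules.install(ftp_ctl, "skipto 10101", sticky=True)
    rules.install(https, "skipto 10101")

    probes = {
        # FTP data connection from the same server: different ports, but the
        # 3-tuple matches, so it follows the control connection's gateway.
        "ftp_data_reply": Packet("tcp", "203.0.113.5", 20, "192.168.3.10", 40001),
        # reply to the HTTPS connection: the reversed 5-tuple matches
        "https_reply": Packet("tcp", "198.51.100.7", 443, "192.168.3.10", 50000),
        # same hosts, other port: the 5-tuple state does not match, as expected
        "https_other_port": Packet("tcp", "198.51.100.7", 22, "192.168.3.10", 50000),
        # Max's caveat: the FTP server's address now matches on any port pair
        "ftp_host_other_port": Packet("tcp", "203.0.113.5", 31337, "192.168.3.10", 22),
        # the protocol is part of both keys, so UDP between the same hosts misses
        "udp_same_hosts": Packet("udp", "203.0.113.5", 53, "192.168.3.10", 40000),
    }
    return {name: rules.lookup(p) for name, p in probes.items()}


def matched_only_by_relaxed_key(results: Dict[str, Optional[Tuple[str, str]]]) -> List[str]:
    """Names of probes that passed check-state solely because of a 3-tuple
    entry: the traffic a defender would want logged separately from 5-tuple hits."""
    return sorted(name for name, r in results.items() if r is not None and r[1] == "sticky")


if __name__ == "__main__":
    res = demo()
    for name, r in res.items():
        print(f"{name:22s} -> {r}")
    print("passed via 3-tuple only:", matched_only_by_relaxed_key(res))
```

The `ftp_host_other_port` probe is the one Max's caveat is about: once a sticky entry exists for a server address, any connection between that address pair rides on it, which is why an implementation of this idea would want the relaxed entries logged and accounted for separately from normal keep-state hits.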
From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 10 09:55:22 2005
Delivered-To: freebsd-ipfw@freebsd.org
Date: Thu, 10 Feb 2005 11:56:34 +0200
From: "Chris Knipe"
To: "Kelly Yancey"
cc: freebsd-ipfw@freebsd.org
Message-ID: <004e01c50f56$ce47c020$0a01a8c0@ops.cenergynetworks.com>
References: <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com> <20050209172905.W66973@gateway.posi.net>
Subject: Re: ipfw fwd

>> FreeBSD 4.11-STABLE, running ipfw2.
>>
>> root@wsmd-core02:/home/cknipe# ifconfig vlan1
>> vlan1: flags=8843 mtu 1496
>>         inet 198.19.0.33 netmask 0xffffffe0 broadcast 198.19.0.63
>>         ether 00:08:a1:7a:b1:44
>>         media: Ethernet autoselect (100baseTX)
>>         status: active
>>         vlan: 200 parent interface: rl0
>>
>> ipfw2:
>> 00400 0 0 allow tcp from 198.19.0.36 to any dst-port 80
>> 00401 12 652 allow tcp from 198.19.0.35 to any dst-port 25
>> 00402 13 668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any dst-port 80
>> 00403 2 120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any dst-port 25
>>
>> However, packets that are forwarded never connect to the destination where
>> they are forwarded to. And yes, I did check the obvious, everything is up
>> and running.... Is there some sysctl magic or something required to make
>> this work? I can fwd without a problem to the SAME BOX, but I cannot seem
>> to get it to work to fwd to remote machines. In case someone is wondering,
>> this is for transparent proxy / smtp servers.
>>
>> --
>> Chris.
>
> I don't suppose you're getting bitten by:
>
>     "The fwd action does not change the contents of the packet at
>      all. In particular, the destination address remains
>      unmodified, so packets forwarded to another system will usually
>      be rejected by that system unless there is a matching rule on
>      that system to capture them."
>
> The ipfw(8) man page is a little vague with the phrasing "matching
> rule on that system to capture them". Normally systems don't process
> packets locally that are not destined for it. You can use tcpdump on
> the remote box to verify for yourself that the fwd is working correctly
> and that the remote box is receiving the packets. The remote box just
> doesn't know what to do with the packets it is receiving.

I never even saw this before in the man page... I'll have to look a bit
closer. I did check prior to posting (sorry, I should have mentioned), no
packets are picked up on the host that I forward to... Are there any other
ways to accomplish this?? natd???? I want to try and stay away from natd,
because if I do this with NATD, there's going to be a lot of other issues I
need to fix as well.....

--
Chris

From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 10 12:50:51 2005
Delivered-To: freebsd-ipfw@freebsd.org
Date: Thu, 10 Feb 2005 14:43:34 +0200
From: Yury Tarasievich
To: freebsd-ipfw@freebsd.org
Message-ID: <420B56F6.2010702@grsu.by>
References: <20050210120056.4F7A316A4E9@hub.freebsd.org>
In-Reply-To: <20050210120056.4F7A316A4E9@hub.freebsd.org>
Subject: Re: ipfw fwd [freebsd-ipfw Digest, Vol 98, Issue 3]

My quick guess would be:

1. you'll have to qualify packets re their in/out status.
2.
also to check whether your firewall is of OPEN type (alias "accept by default" == allows everything in 65535 or somewhere close) --Yury freebsd-ipfw-request@freebsd.org wrote: > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 9 Feb 2005 19:05:17 +0200 > From: "Chris Knipe" > Subject: ipfw fwd > To: > Message-ID: <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com> > Content-Type: text/plain; format=flowed; charset="iso-8859-1"; > reply-type=original > > Lo all, > > FreeBSD 4.11-STABLE, running ipfw2. > > root@wsmd-core02:/home/cknipe# ifconfig vlan1 > vlan1: flags=8843 mtu 1496 > inet 198.19.0.33 netmask 0xffffffe0 broadcast 198.19.0.63 > ether 00:08:a1:7a:b1:44 > media: Ethernet autoselect (100baseTX) > status: active > vlan: 200 parent interface: rl0 > > ipfw2: > 00400 0 0 allow tcp from 198.19.0.36 to any dst-port 80 > 00401 12 652 allow tcp from 198.19.0.35 to any dst-port 25 > 00402 13 668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any > dst-port 80 > 00403 2 120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any > dst-port 25 > > > However, packets that are forwarded, never connects to the destination where > it is forwarded to. And yes, I did check the obvious, everything is up and > running.... Is there some sysctl magic or something required to make this > work? I can fwd without a problem to the SAME BOX, but I cannot seem to get > it to work to fwd to remote machines. In case someone is wondering, this is > for transparent proxy / smtp servers. 
From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 11 04:34:44 2005
From: Ian FREISLICH
To: Chris Knipe
Cc: freebsd-ipfw@freebsd.org, Kelly Yancey
Date: Fri, 11 Feb 2005 06:34:24 +0200
In-Reply-To: Message from "Chris Knipe" <004e01c50f56$ce47c020$0a01a8c0@ops.cenergynetworks.com>
Subject: Re: ipfw fwd

"Chris Knipe" wrote:
> >> 00400    0     0 allow tcp from 198.19.0.36 to any dst-port 80
> >> 00401   12   652 allow tcp from 198.19.0.35 to any dst-port 25
> >> 00402   13   668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any dst-port 80
> >> 00403    2   120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any dst-port 25
> >>
> >> However, packets that are forwarded never connect to the
> >> destination they are forwarded to. And yes, I did check the
> >> obvious, everything is up and running.... Is there some sysctl
> >> magic or something required to make this work? I can fwd without
> >> a problem to the SAME BOX, but I cannot seem to get it to work to
> >> fwd to remote machines. In case someone is wondering, this is for
> >> transparent proxy / smtp servers.
> >
> > I don't suppose you're getting bitten by:
> >
> >     "The fwd action does not change the contents of the packet at
> >     all. In particular, the destination address remains unmodified,
> >     so packets forwarded to another system will usually be rejected
> >     by that system unless there is a matching rule on that system to
> >     capture them."
> >
> > The ipfw(8) man page is a little vague with the phrasing "matching
> > rule on that system to capture them". Normally systems don't
> > process packets locally that are not destined for them. You can use
> > tcpdump on the remote box to verify for yourself that the fwd is
> > working correctly and that the remote box is receiving the packets.
> > The remote box just doesn't know what to do with the packets it is
> > receiving.
>
> I never even saw this before in the man page... I'll have to look
> a bit closer. I did check prior to posting (sorry, I should have
> mentioned): no packets are picked up on the host that I forward to...

I think that you might need to set net.inet.ip.forwarding=1 on the
server that you're forwarding the packets to. Unless this is turned on,
the server won't act as a router, and unless it's a router it won't
accept packets that are not for it in order to forward them on.
Ian

--
Ian Freislich

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 11 22:45:02 2005
From: Kelly Yancey
To: Chris Knipe
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 11 Feb 2005 15:47:45 -0800 (PST)
Message-ID: <20050211151821.J78477@gateway.posi.net>
In-Reply-To: <004e01c50f56$ce47c020$0a01a8c0@ops.cenergynetworks.com>
References: <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com>
            <004e01c50f56$ce47c020$0a01a8c0@ops.cenergynetworks.com>
Subject: Re: ipfw fwd

On Thu, 10 Feb 2005, Chris Knipe wrote:
> > The ipfw(8) man page is a little vague with the phrasing "matching
> > rule on that system to capture them". Normally systems don't process
> > packets locally that are not destined for them. You can use tcpdump on
> > the remote box to verify for yourself that the fwd is working correctly
> > and that the remote box is receiving the packets. The remote box just
> > doesn't know what to do with the packets it is receiving.
>
> I never even saw this before in the man page... I'll have to look a bit
> closer. I did check prior to posting (sorry, I should have mentioned): no
> packets are picked up on the host that I forward to...
>
> Are there any other ways to accomplish this?? natd???? I want to try and
> stay away from natd, because if I do this with NATD, there are going to be
> a lot of other issues I need to fix as well.....

Others have already covered the possible issues with receiving the
packets. As for getting the remote host to accept the packets once it
receives them, you are faced with needing to rewrite the destination IP
address one way or another. As you mention, natd should be able to do
this for you. Another solution would be to forward to a local process
which proxies the traffic to the remote server, but then you have to ask
yourself whether that is better than just running whatever application
it is on the remote server on the firewall itself.

Good luck,

Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 11 23:11:28 2005
From: Diego Camarena González
To: freebsd-ipfw@freebsd.org
Date: Fri, 11 Feb 2005 17:11:27 -0600 (CST)
Message-ID: <20050211231127.54471.qmail@web52410.mail.yahoo.com>
Subject: Configuring ipfw with squid as a transparent proxy

Does anyone know how I can configure Squid as a transparent proxy using
IPFW, assuming that I have already configured Squid with Samba
authentication? I've configured Squid to allow users to log on to pages
using their SMB account, but I have to configure every computer on my
LAN to connect to the proxy server. How can I configure IPFW and Squid
to work as a transparent proxy on every computer, authenticating the
Samba users in my LAN who use Internet Explorer?

Net interfaces:
  xl0 : 10.254.254.253 --- LAN IP
  xl1 : 172.21.14.253  --- This IP is used to make the SMB authentication
                           and get the internet connection

Requirements:
  OS: FreeBSD 5.2
  Authentication module: smb_auth
  Firewall: IPFW

Could anyone please send me a configuration that has been proven, or any
idea?
I have already read the FAQ about the Squid transparent proxy, but none
of the configurations work with Samba authentication and IPFW.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Feb 12 20:24:56 2005
From: Frank Nobis
To: Diego Camarena González
Cc: freebsd-ipfw@freebsd.org
Date: Sat, 12 Feb 2005 21:24:36 +0100
In-Reply-To: <20050211231127.54471.qmail@web52410.mail.yahoo.com>
References: <20050211231127.54471.qmail@web52410.mail.yahoo.com>
Subject: Re: Configuring ipfw with squid as a transparent proxy

On 12 Feb 2005 at 00:11, Diego Camarena González wrote:
> Does anyone know how I can configure Squid as a transparent proxy
> using IPFW, assuming that I have already configured Squid with Samba
> authentication?

First you need a rule in IPFW like this one:

    add 1000 fwd 127.0.0.1,3128 tcp from INET:IMASK to any 80 via IIF

where INET:IMASK is my local network and IIF is my internal interface.

And you need some specials in the squid conf like this:

    http_port 127.0.0.1:3128
    forwarded_for off
    httpd_accel_with_proxy off
    httpd_accel_uses_host_header off
    httpd_accel_single_host off
    cache_effective_user nobody
    cache_effective_group nobody
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

Regards
Frank

--
Frank Nobis, Thielenstr. 12, 44369 Dortmund
Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
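The following Python model is an added illustration of the point both threads turn on, not code from any poster: ipfw's fwd picks a next hop but leaves the packet's destination address untouched, so a fwd to the SAME box (Frank's 127.0.0.1,3128 rule) is delivered locally, while Chris's fwd to 198.19.0.36 reaches a host that sees a packet not addressed to it. The firewall and proxy addresses come from Chris's rules; the client 198.19.0.40, the web server 203.0.113.10, and the way receive() encodes Ian's net.inet.ip.forwarding=1, the man page's "matching rule on that system" and Kelly's natd-style rewrite are assumptions of the model.

```python
"""Model of why 'ipfw fwd' to another box fails while a local fwd, a capture
rule on the receiving box, or a natd-style rewrite works (constructed model)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    next_hop: Optional[str] = None   # chosen by 'fwd'; NOT part of the IP header
    next_port: Optional[int] = None

@dataclass
class Host:
    name: str
    addrs: frozenset                 # addresses the host treats as its own
    ip_forwarding: bool = False      # net.inet.ip.forwarding (Ian's suggestion)
    # ipfw rule on this host: 'fwd 127.0.0.1,<local_port> ... dst-port <match>'
    capture_rule: Optional[Tuple[int, int]] = None

def ipfw_fwd(pkt: Packet, hop: str, port: int) -> Packet:
    """'fwd hop,port': pick the next hop but leave the packet's dst unmodified."""
    return replace(pkt, next_hop=hop, next_port=port)

def natd_redirect(pkt: Packet, hop: str, port: int) -> Packet:
    """natd-style redirect: rewrite the destination in the IP/TCP header."""
    return replace(pkt, dst=hop, dport=port, next_hop=None, next_port=None)

def receive(host: Host, pkt: Packet) -> Tuple[str, Optional[int]]:
    """What a host does with a packet that arrives on its wire (assumed model)."""
    if pkt.dst in host.addrs:                   # header says it is ours
        return "local", pkt.dport
    # ipfw runs before the routing decision, so a capture rule can still pull a
    # foreign-addressed packet into a local socket ("matching rule on that system").
    if host.capture_rule and pkt.dport == host.capture_rule[0]:
        return "local", host.capture_rule[1]
    # Otherwise a router passes it on toward its real dst; a non-router drops it.
    return ("forwarded", None) if host.ip_forwarding else ("dropped", None)

def trace(fw: Host, remote: Host, pkt: Packet) -> Tuple[str, str, Optional[int]]:
    """Follow a packet from the firewall's rule to where it finally ends up."""
    if pkt.next_hop is not None and pkt.next_hop in fw.addrs:
        return fw.name, "local", pkt.next_port  # fwd to the SAME box: delivered
    outcome, port = receive(remote, pkt)        # handed to the remote unchanged
    return remote.name, outcome, port

def scenarios() -> Dict[str, Tuple[str, str, Optional[int]]]:
    """The cases discussed in the thread, using the poster's addresses."""
    client = Packet("203.0.113.10", 80)          # constructed web server address
    fw = Host("wsmd-core02", frozenset({"198.19.0.33"}))
    proxy = lambda **kw: Host("proxy", frozenset({"198.19.0.36"}), **kw)
    to_remote = ipfw_fwd(client, "198.19.0.36", 3128)    # Chris's rule 00402
    return {
        "fwd_same_box": trace(fw, proxy(), ipfw_fwd(client, "198.19.0.33", 3128)),
        "fwd_remote": trace(fw, proxy(), to_remote),
        "fwd_remote_ip_forwarding": trace(fw, proxy(ip_forwarding=True), to_remote),
        "fwd_remote_capture_rule": trace(fw, proxy(capture_rule=(80, 3128)), to_remote),
        "natd_redirect": trace(fw, proxy(), natd_redirect(client, "198.19.0.36", 3128)),
    }
```

In this model Ian's sysctl only turns a drop into onward routing toward the original server; getting the packet into the proxy process on 198.19.0.36 needs either a capture rule there or the destination rewrite Kelly describes.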