From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 11 Sep 2006 11:08:09 GMT
Subject: Current problem reports assigned to you
Message-Id: <200609111108.k8BB89TE063198@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
f kern/51341   ipfw  [ipfw] [patch] ipfw rule 'deny icmp from any to any ic
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o conf/78762   ipfw  [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewal
o bin/80913    ipfw  [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw  ipfw pipe lost packets
o kern/95084   ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o bin/102422   ipfw  [patch] ipfw & kernel problems where firewall rules ar
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support

14 problems total.

Non-critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw  [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw  [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw  [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw  [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw  [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/93422   ipfw  ipfw divert rule no longer works in 6.0 (regression)
o bin/95146    ipfw  [ipfw][patch]ipfw -p option handler is bogus

18 problems total.

From: Jin Guojun [VFFS]
To: ipfw@freebsd.org
Date: Tue, 12 Sep 2006 17:40:58 -0700
Subject: maximum deny entries?
Message-ID: <4507539A.5000502@lbl.gov>

I am not sure if this is a bug or whether there is some limitation on the total number of deny entries: when the deny list exceeds a certain length (36 lines in this case), ipfw stops working (see the *** line below).

This is on a 6.1-R i386 platform.
Is there a known problem on this issue, or did I make some mistake?

Please CC me since I am not on the list.
-Jin

# ipfw list
...all non deny entries are removed
00361 deny ip from 202.124.17.215 to any
00361 deny ip from 65.245.144.158 to any
00361 deny ip from 210.76.124.84 to any
00362 deny ip from 220.78.122.177 to any
00362 deny ip from 192.248.32.3 to any
00362 deny ip from 70.229.145.61 to any
00362 deny ip from 64.40.106.252 to any
00362 deny ip from 65.204.143.112 to any
00362 deny ip from 204.16.200.34 to any
00362 deny ip from 62.141.42.33 to any
00362 deny ip from 66.221.219.117 to any
00362 deny ip from 148.223.146.29 to any
00362 deny ip from 82.136.37.93 to any
00362 deny ip from 68.12.255.97 to any
00362 deny ip from 195.110.108.70 to any
00362 deny ip from 69.5.77.151 to any
00362 deny ip from 202.29.9.19 to any
00362 deny ip from 210.196.245.131 to any
00363 deny ip from 71.135.36.103 to any
00363 deny ip from 71.226.110.30 to any
00363 deny ip from 71.135.109.190 to any
00364 deny ip from 71.207.46.56 to any
00364 deny ip from 71.135.52.79 to any
00364 deny ip from 71.135.179.240 to any
00364 deny ip from 222.168.102.118 to any
00364 deny ip from 71.135.65.16 to any
00364 deny ip from 83.19.158.66 to any
00364 deny ip from 71.79.1.13 to any
00364 deny ip from 71.135.206.213 to any
00364 deny ip from 71.135.129.195 to any
00364 deny ip from 217.6.105.253 to any
00364 deny ip from 71.135.44.127 to any
00364 deny ip from 71.135.37.42 to any
00364 deny ip from 71.135.142.223 to any
00364 deny ip from 71.135.69.201 to any
00364 deny ip from 71.135.185.66 to any
*********** failure starts from here
00364 deny ip from 71.135.96.85 to any
00364 deny ip from 71.135.41.68 to any
00364 deny ip from 71.135.35.252 to any
00364 deny ip from 71.135.178.215 to any
00365 deny ip from somewhere to any
*********** will not work

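A reply later in this thread suggests replacing the per-host deny rules with a single table lookup. The following is an added example, not code from the thread: it turns "ipfw list" output of the shape shown above into the ipfw(8) table commands that do that. The listing it parses is constructed from a few of the rule numbers and addresses quoted in the post, and the new rule number 360 and table number 1 are assumptions.

```python
"""Replace per-host 'deny ip from X to any' rules with one ipfw table lookup.
Added example, not from the thread; the listing below is constructed from rule
numbers and addresses quoted in the original post (one duplicate, one hostname)."""
import ipaddress
import re
from typing import List, Tuple

# One line of 'ipfw list' output for a plain per-host deny rule.
DENY_LINE = re.compile(r"^(\d{5})\s+deny ip from (\S+) to any$")

SAMPLE_LISTING = """\
00361 deny ip from 202.124.17.215 to any
00361 deny ip from 65.245.144.158 to any
00362 deny ip from 220.78.122.177 to any
00364 deny ip from 71.135.96.85 to any
00364 deny ip from 71.135.96.85 to any
00365 deny ip from somewhere to any
"""


def parse_deny_hosts(listing: str) -> Tuple[List[str], List[int], List[str]]:
    """Return (unique hosts in first-seen order, rule numbers that were converted,
    lines left alone because they are not a literal per-host deny)."""
    hosts: List[str] = []
    seen = set()
    rule_numbers = set()
    skipped: List[str] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DENY_LINE.match(line)
        if m is None:
            skipped.append(line)          # some other rule shape: do not touch it
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            skipped.append(line)          # a hostname, not a literal address
            continue
        rule_numbers.add(int(m.group(1)))
        if ip not in seen:                # the kernel keeps duplicates; the table need not
            seen.add(ip)
            hosts.append(ip)
    return hosts, sorted(rule_numbers), skipped


def table_commands(hosts: List[str], old_rules: List[int],
                   table: int = 1, new_rule: int = 360) -> List[str]:
    """ipfw(8) commands: load the table, add the one deny rule, then drop the
    old per-host rules. 'ipfw delete N' removes every rule numbered N, so the
    new rule must not share a number with the rules being replaced."""
    if new_rule in old_rules:
        raise ValueError("new rule number must differ from the rules being replaced")
    cmds = [f"ipfw table {table} flush"]                 # idempotent re-run
    cmds += [f"ipfw table {table} add {ip}/32" for ip in hosts]
    cmds.append(f"ipfw add {new_rule} deny ip from table({table}) to any")
    cmds += [f"ipfw delete {n}" for n in old_rules]     # only after the new deny is in place
    return cmds


if __name__ == "__main__":
    hosts, rules, skipped = parse_deny_hosts(SAMPLE_LISTING)
    print("\n".join(table_commands(hosts, rules)))
    for line in skipped:
        print(f"# not converted: {line}")
```

Note that the single table rule carries one packet counter for all hosts; "ipfw table 1 list" shows the entries, and per-host hit counts are no longer visible in "ipfw -a list".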
From: Freddie Cash
To: Jin Guojun [VFFS]
Cc: ipfw@freebsd.org
Date: Tue, 12 Sep 2006 21:07:14 -0700 (PDT)
Subject: Re: maximum deny entries?
Message-ID: <60554.24.71.118.34.1158120434.squirrel@webmail.sd73.bc.ca>
In-Reply-To: <4507539A.5000502@lbl.gov>

On Tue, September 12, 2006 5:40 pm, Jin Guojun [VFFS] wrote:
> I am not sure if this is a bug or whether there is some limitation on the total
> number of deny entries: when the deny list exceeds a certain length (36 lines in
> this case), ipfw stops working (see the *** line below).
>
> This is on a 6.1-R i386 platform.
> Is there a known problem on this issue, or did I make some mistake?
>
> Please CC me since I am not on the list.

Works fine here, with 62 deny rules out of 533 rules in total. While not every deny rule has a matched packet so far, the rules under them all work fine.

----
Freddie Cash
fcash@ocis.net


From: Freddie Cash
To: Jin Guojun [VFFS]
Cc: ipfw@freebsd.org
Date: Tue, 12 Sep 2006 21:07:34 -0700 (PDT)
Subject: Re: maximum deny entries?
Message-ID: <60562.24.71.118.34.1158120454.squirrel@webmail.sd73.bc.ca>
In-Reply-To: <4507539A.5000502@lbl.gov>
On Tue, September 12, 2006 5:40 pm, Jin Guojun [VFFS] wrote:
> I am not sure if this is a bug or whether there is some limitation on the total
> number of deny entries: when the deny list exceeds a certain length (36 lines in
> this case), ipfw stops working (see the *** line below).
>
> This is on a 6.1-R i386 platform.
> Is there a known problem on this issue, or did I make some mistake?
>
> Please CC me since I am not on the list.

Works fine here, with 62 deny rules out of 533 rules in total. While not every deny rule has a matched packet so far, the rules under them all work fine.

FreeBSD 6.1-p6, i386 (P2 333 MHz box).

----
Freddie Cash
fcash@ocis.net


From: Andrey V. Elsukov
To: Jin Guojun [VFFS]
Cc: ipfw@freebsd.org
Date: Wed, 13 Sep 2006 08:23:25 +0400
Subject: Re: maximum deny entries?
Message-ID: <450787BD.6050704@yandex.ru>
In-Reply-To: <4507539A.5000502@lbl.gov>

Jin Guojun [VFFS] wrote:
> I am not sure if this is a bug or whether there is some limitation on the total
> number of deny entries:
> when the deny list exceeds a certain length (36 lines in this case),
> ipfw stops working (see the *** line below).
> # ipfw list
> ...all non deny entries are removed
> 00361 deny ip from 202.124.17.215 to any
...
> 00364 deny ip from 71.135.96.85 to any
> 00364 deny ip from 71.135.41.68 to any
> 00364 deny ip from 71.135.35.252 to any
> 00364 deny ip from 71.135.178.215 to any

First, try ipfw logging rules for each rule and at the end of the rules. Second, you can use ipfw tables and replace all your rules with one.

--
WBR, Andrey V. Elsukov


From: freebsd@dwec.ru
To: ipfw@freebsd.org
Date: Wed, 13 Sep 2006 10:52:54 +0400
Subject: ipfw forward problem
Message-ID: <130501c6d701$40d4e0f0$6407a8c0@oivanovmob>

Hello all,

I'm a bit confused. Here's what I have: a firewall (with address A) and a proxy host (in the internal network) with address B. Both are running the latest FBSD 6.1-stable.
The addresses are (samples) "A" - 192.168.0.1 and "B" - 192.168.0.2. Both kernels are compiled with the options "ipfirewall" and "ipfirewall_forward". The firewall is supposed to forward outgoing POP3 traffic (from the internal LAN) to the proxy (the obvious).

The scheme: [internal lan + proxy] <---> [firewall] <---> [elsewhere]

So, on the firewall I add the rule "ipfw add fwd B tcp from internal_net to any 110 in recv internal_intf".
On the proxy server I add the rule "ipfw fwd 127.0.0.1,PROXY_PORT tcp from any to any 110".

What I get: a firewall which is trying to forward packets to the default gateway (plenty of DENIES on the external interface of the firewall).

Question: what am I doing wrong?

PS the same configuration works perfectly on FBSD 4.11


From: Martin
To: ipfw@freebsd.org, Jin Guojun [VFFS]
Date: Wed, 13 Sep 2006 11:38:32 +0200 (CDT)
Subject: Re: maximum deny entries?
Message-Id: <200609131138.3334981.6@btsoftware.com>
In-Reply-To: <4507539A.5000502@lbl.gov>
All deny rules should have a different number .......

/Martin

On Tue, 12 Sep 2006 17:40:58 -0700, Jin Guojun [VFFS] wrote:
> I am not sure if this is a bug or whether there is some limitation on the total
> number of deny entries:
> when the deny list exceeds a certain length (36 lines in this case),
> ipfw stops working (see the *** line below).
>
> This is on a 6.1-R i386 platform.
> Is there a known problem on this issue, or did I make some mistake?
>
> Please CC me since I am not on the list.
>
> -Jin
>
> # ipfw list
> ...all non deny entries are removed
> 00361 deny ip from 202.124.17.215 to any
> ...
> 00364 deny ip from 71.135.185.66 to any
> *********** failure starts from here
> 00364 deny ip from 71.135.96.85 to any
> ...
> 00365 deny ip from somewhere to any
> *********** will not work


From: Jon Otterholm
To: freebsd-ipfw@freebsd.org
Date: Wed, 13 Sep 2006 16:58:31 +0200
Subject: Bridge
Message-ID: <45081C97.1040206@ide.resurscentrum.se>
Hi.

According to man if_bridge one can filter L2 traffic with ipfw. From man if_bridge:

    ARP and REVARP packets are forwarded without being filtered and others
    that are not IP nor IPv6 packets are not forwarded when pfil_onlyip is
    enabled. IPFW can filter Ethernet types using mac-type so all packets
    are passed to the filter for processing.

ARP is still forwarded, though. I have the following config:

I have the following sysctls set:
net.link.bridge.ipfw: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 1

ipfw list:
65533 deny ip from any to any MAC any any
65534 deny ip from any to any layer2
65535 deny ip from any to any

ifconfig:
em0: flags=8943 mtu 1500
        options=b
        inet6 fe80::204:23ff:febd:2342%em0 prefixlen 64 scopeid 0x1
        ether 00:04:23:bd:23:42
        media: Ethernet autoselect (100baseTX )
        status: active
em1: flags=8802 mtu 1500
        options=b
        ether 00:04:23:bd:23:43
        media: Ethernet autoselect
        status: no carrier
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
vlan1000: flags=8843 mtu 1500
        inet6 fe80::204:23ff:febd:2342%vlan1000 prefixlen 64 scopeid 0x5
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:04:23:bd:23:42
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 1000 parent interface: em0
vlan1001: flags=8943 mtu 1500
        inet6 fe80::204:23ff:febd:2342%vlan1001 prefixlen 64 scopeid 0x6
        ether 00:04:23:bd:23:42
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 1001 parent interface: em0
vlan1002: flags=8943 mtu 1500
        inet6 fe80::204:23ff:febd:2342%vlan1002 prefixlen 64 scopeid 0x7
        ether 00:04:23:bd:23:42
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 1002 parent interface: em0
bridge0: flags=8043 mtu 1500
        ether ac:de:48:83:8d:c6
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: vlan1002 flags=3
        member: vlan1001 flags=3
        member: vlan10 flags=3
vlan10: flags=8943 mtu 1500
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        inet6 fe80::204:23ff:febd:2342%vlan10 prefixlen 64 scopeid 0x9
        ether 00:04:23:bd:23:42
        media: Ethernet autoselect (100baseTX )
        status: active
        vlan: 10 parent interface: em0

ARP broadcasts can still travel between member IFs in bridge0. Have I missed something here? Do I have to use bridge instead of if_bridge?

/Jon


From: Jin Guojun [VFFS]
To: Freddie Cash
Cc: ipfw@freebsd.org
Date: Wed, 13 Sep 2006 11:52:25 -0700
Subject: Re: maximum deny entries?
Message-ID: <45085369.50601@lbl.gov>
In-Reply-To: <60562.24.71.118.34.1158120454.squirrel@webmail.sd73.bc.ca>
Freddie Cash wrote:
> On Tue, September 12, 2006 5:40 pm, Jin Guojun [VFFS] wrote:
>
>> I am not sure if this is a bug or whether there is some limitation on the total
>> number of deny entries: when the deny list exceeds a certain length (36 lines in
>> this case), ipfw stops working (see the *** line below).
>>
>> This is on a 6.1-R i386 platform.
>> Is there a known problem on this issue, or did I make some mistake?
>>
>> Please CC me since I am not on the list.
>
> Works fine here, with 62 deny rules out of 533 rules in total. While
> not every deny rule has a matched packet so far, the rules under them
> all work fine.
>
> FreeBSD 6.1-p6, i386 (P2 333 MHz box).
> ----
> Freddie Cash
> fcash@ocis.net

I tested in a slightly different way on a different machine with 6.1-R, and it did not have the problem. So we can be sure this is not a limitation problem. This is why I wonder whether this is a known bug that is somehow triggered by a certain "ipfw add" command pattern. I will investigate further to see if this is repeatable under some circumstances.
-Jin


From: Sten Daniel Sørsdal
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org, Ian FREISLICH
Date: Thu, 14 Sep 2006 12:59:06 +0200
Subject: Re: ipfw performance and random musings.
Message-ID: <450935FA.3060105@wm-access.no>
In-Reply-To: <20060825064627.D6023@xorpc.icir.org>

Luigi Rizzo wrote:
> On Fri, Aug 25, 2006 at 03:27:17PM +0200, Ian FREISLICH wrote:
>> Luigi Rizzo wrote:
>>> i am basically ok with this except, as i said, that there is
>>> no point in replicating the interface name i.e. why re0-re5
>>> instead of just re0-5 ? you just open up to possible mistakes
>>> and the need for extra code to check what happens when the user
>>> types re2-de5 (by mistake or intentionally).
>> Ok, it's just syntactic sugar anyway which doesn't really affect
>> implementation anyway.
>>
>> So, to recap. You will be fine with the following, although I'm now
>> leaning toward "factor" instead of "delta" (but that will be a trivial
>> change) and I'd like to change "@" to "indirect":
>>
>> skipto @ via vlan2-264 base 100 delta 100
>>
>> or as I'd prefer
>>
>> skipto indirect via vlan2-264 base 100 factor 100
>
> either way is fine with me.
>

How about;

skipto 1000:1000 via vlan2-264

??

--
Sten Daniel Sørsdal


From: Odhiambo WASHINGTON
To: freebsd-ipfw@freebsd.org
Date: Thu, 14 Sep 2006 19:35:33 +0300
Subject: Bandwidth Control (Newbie)
Message-ID: <20060914163533.GU49058@ns2.wananchi.com>
Salut! Hello Security folks,

Dad, please don't cane me, please, I am innocent. I just don't know how to do it.

I am a regular FreeBSD user/admin, but not a regular ipfw user. I only need ipfw on certain machines where I use IPFilter for firewalling, and more so, just for the bandwidth control. Please bear with me on this. My desire is not to learn ipfw as a firewall tool, as I already bought into PF, but since I am still a newbie with PF, I need to use dummynet as an emergency solution to a problem I have at the moment. I hope you guys welcome lazy people into this list once in a while ;)

My questions. I have two situations, and two different questions.

1. I have a mail server with just one IP address (1.2.3.4). Then I have two IP blocks (a.b.c.0/19 and d.e.f.0/20). On this mail server, which is directly connected to the Internet, I need to limit the outgoing bandwidth used by the SMTP service to just 512Kbit/s, except where the destination is one of my IP blocks, where the rule should NOT apply. I have the rule below, but it appears not to do what I want, as it seems to apply the rule even to destinations in my IP blocks.

# smtp traffic throttle
ipfw pipe 1 config bw 512Kbit/s
ipfw add pipe 1 tcp from 1.2.3.4 to not a.b.c.0/19 25
ipfw add pipe 1 tcp from 1.2.3.4 to not d.e.f.0/20 25
${fwcmd} add 65000 pass all from any to any

2. In another setup, I have a FreeBSD box acting as a router/firewall/etc for a LAN for a customer. The ISP (shit, I am the ISP) is giving the customer 256Kbps bandwidth. The firewall is IPFilter, as I have mentioned.
I need to restrict the outgoing bandwidth for all machines (on all services) except for one host (10.0.0.251), to 128Kbit/s. The good guy should always get 128Kbit/s even when all the rest are starved. Put it another way, all LAN hosts except 10.0.0.251 should be restricted to 128Kbit/s. This leaves a half of the total bandwidth available to 10.0.0.251. I don't want this limitation to apply for LAN<->LAN traffic, just outgoing to the Internet. Is the rule below correct?

  # Outside (public) interface network and netmask and ip
  oif="bfe0"
  onet="4.5.6.0"
  omask="255.255.255.252"
  oip="4.5.6.1"

  # Inside interface network and netmask and ip
  iif="xl0"
  inet="10.0.0.0"
  imask="255.255.255.0"
  iip="10.0.0.2"

  ipfw pipe 1 config bw 128Kbit/s
  ipfw add 100 pass all from 10.0.0.251 to any out via ${oif}
  ipfw add pipe 1 tcp from not 10.0.0.251 to any out via ${oif}
  ${fwcmd} add 65000 pass all from any to any

Thank you (all) very much, for your patience (with me) and time. I'll very much appreciate modifications to these rules. I concocted these so fast from the ipfw man page.

-Wash

http://www.netmeister.org/news/learn2quote.html
DISCLAIMER: See http://www.wananchi.com/bms/terms.php
-- 
Odhiambo Washington
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121
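The first question's rules fail because ipfw stops at the first matching rule and each "not" excludes only one block, so mail to a.b.c.0/19 still matches the d.e.f.0/20 rule. The simulator below is an added example (not from the post or from ipfw) that evaluates the posted rules and a corrected ordering with first-match semantics; it assumes constructed stand-in addresses (192.0.2.4, 10.20.0.0/19, 10.30.0.0/20) for the placeholders in the post.

```python
"""Simulate ipfw first-match evaluation of the SMTP throttle rules from
question 1 above. Added example, not from the post or from ipfw itself."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str              # "pipe 1" or "allow"
    proto: str               # "tcp", "udp" or "ip" (any protocol)
    src: str                 # CIDR the source must fall in
    dst: str                 # CIDR the destination is tested against
    dst_not: bool = False    # the ipfw "not" keyword on the destination
    dport: Optional[int] = None   # destination port, None = any


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
    if in_dst == rule.dst_not:      # "not" inverts the destination test
        return False
    return rule.dport is None or rule.dport == dport


def first_match(rules, proto: str, src: str, dst: str, dport: int) -> str:
    """ipfw stops at the first matching rule; rule 65000 passes the rest."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "allow"


MAIL = "192.0.2.4"                                  # stand-in for 1.2.3.4
BLOCK_A, BLOCK_D = "10.20.0.0/19", "10.30.0.0/20"   # stand-ins for a.b.c/19, d.e.f/20

# The two rules as posted: a destination inside block A is "not" in block D,
# so the second rule matches it and the mail is throttled anyway.
AS_POSTED = [
    Rule("pipe 1", "tcp", MAIL + "/32", BLOCK_A, dst_not=True, dport=25),
    Rule("pipe 1", "tcp", MAIL + "/32", BLOCK_D, dst_not=True, dport=25),
]
# Corrected ordering: pass the own blocks first, then throttle all other SMTP.
CORRECTED = [
    Rule("allow", "tcp", MAIL + "/32", BLOCK_A, dport=25),
    Rule("allow", "tcp", MAIL + "/32", BLOCK_D, dport=25),
    Rule("pipe 1", "tcp", MAIL + "/32", "0.0.0.0/0", dport=25),
]
```

Running `first_match(AS_POSTED, "tcp", MAIL, "10.20.1.1", 25)` returns "pipe 1" while the CORRECTED list returns "allow" for the same packet and "pipe 1" only for destinations outside both blocks.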
From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 14 21:13:18 2006
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F029B16A412 for ; Thu, 14 Sep 2006 21:13:18 +0000 (UTC) (envelope-from 1090046@mail.ru) Received: from f61.mail.ru (f61.mail.ru [194.67.57.95]) by mx1.FreeBSD.org (Postfix) with ESMTP id 932AF43D46 for ; Thu, 14 Sep 2006 21:13:18 +0000 (GMT) (envelope-from 1090046@mail.ru) Received: from mail by f61.mail.ru with local id 1GNyWK-000CxJ-00 for freebsd-ipfw@freebsd.org; Fri, 15 Sep 2006 01:13:16 +0400 Received: from [85.140.1.198] by win.mail.ru with HTTP; Fri, 15 Sep 2006 01:13:16 +0400
From: Al Lad <1090046@mail.ru>
To: freebsd-ipfw@freebsd.org
Mime-Version: 1.0 X-Mailer: mPOP Web-Mail 2.19 X-Originating-IP: [85.140.1.198]
Date: Fri, 15 Sep 2006 01:13:16 +0400
Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Message-Id: X-Mailman-Approved-At: Thu, 14 Sep 2006 21:14:23 +0000
Subject: FreeBSD 5.5 - stable IPFW FWD to {another ip} doesn't work even with 5.3 beta patch
X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Al Lad <1090046@mail.ru> List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Sep 2006 21:13:19 -0000

>> Environment:
> FreeBSD gate.club4x4.ru 5.5-STABLE FreeBSD 5.5-STABLE #0: Wed Sep 13 02:07:28 MSD 2006
>> Description:
> KERN ->
>   options IPDIVERT
>   options IPFIREWALL
>   options IPFIREWALL_FORWARD
>   options IPFIREWALL_FORWARD_EXTENDED
> rc.conf ->
>   firewall_enable=yes
>   gateway_enable=yes
>   firewall_script=/etc/rc.fire
>   ifconfig_fxp0="inet 192.168.100.4 netmask 255.255.255.0"
>
> rc.fire ->
>   ipfw add 88 fwd 192.168.100.3,3128 tcp from 192.168.100.0/24 to any 80,81,8000
>   ipfw add 89 fwd 192.168.100.3,3128 tcp from 192.168.100.0/24 to any 8001-9000
>
> ipfw show ->
>   00088 6034 410828 fwd 192.168.100.3,3128 tcp from 192.168.100.0/24 to any dst-port 80,81,8000
>   00089 3132 382127 fwd 192.168.100.3,3128 tcp from 192.168.100.0/24 to any dst-port 8001-9000
>
> But on machine 192.168.100.3 I've got nothing - all config was accurately working on free 4.8 - 4.11. The update was done through backup configuration (rc.conf & etc) then full new install & kernel reassembling - IPFW FWD doesn't work!

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 16 06:40:21 2006
Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 36A2716A47B for ; Sat, 16 Sep 2006 06:40:21 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 062FA43D45 for ; Sat, 16 Sep 2006 06:40:21 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k8G6eKds053943 for ; Sat, 16 Sep 2006 06:40:20 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k8G6eKWj053942; Sat, 16 Sep 2006 06:40:20 GMT (envelope-from gnats)
Date: Sat, 16 Sep 2006 06:40:20 GMT
Message-Id: <200609160640.k8G6eKWj053942@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: dfilter@FreeBSD.ORG (dfilter service)
Subject: Re: bin/102422: commit references a PR
X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dfilter service List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Sep 2006 06:40:21 -0000

The following reply was made to PR bin/102422; it has been noted by GNATS.
From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: bin/102422: commit references a PR
Date: Sat, 16 Sep 2006 06:34:44 +0000 (UTC)

jhay        2006-09-16 06:34:30 UTC

  FreeBSD src repository

  Modified files:
    sbin/ipfw            ipfw2.c
  Log:
  Use bzero() to clear the whole ipfw_insn_icmp6 structure in
  fill_icmp6types(), otherwise this command

  ipfw add allow ipv6-icmp from any to 2002::1 icmp6types 1,2,128,129

  turns into icmp6types 1,2,32,33,34,...94,95,128,129

  PR:           102422 (part 1)
  Submitted by: Andrey V. Elsukov
  MFC after:    5 days

  Revision  Changes    Path
  1.97      +1 -1      src/sbin/ipfw/ipfw2.c
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 16 10:30:24 2006
Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EAF9C16A403 for ; Sat, 16 Sep 2006 10:30:24 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7837B43D4C for ; Sat, 16 Sep 2006 10:30:24 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k8GAUORM074203 for ; Sat, 16 Sep 2006 10:30:24 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k8GAUOni074202; Sat, 16 Sep 2006 10:30:24 GMT (envelope-from gnats)
Date: Sat, 16 Sep 2006 10:30:24 GMT
Message-Id: <200609161030.k8GAUOni074202@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: dfilter@FreeBSD.ORG (dfilter service)
Subject: Re: bin/102422: commit references a PR
X-BeenThere:
freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dfilter service List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Sep 2006 10:30:25 -0000

The following reply was made to PR bin/102422; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: bin/102422: commit references a PR
Date: Sat, 16 Sep 2006 10:27:22 +0000 (UTC)

jhay        2006-09-16 10:27:05 UTC

  FreeBSD src repository

  Modified files:
    sys/netinet          ip_fw2.c
  Log:
  Handle a list of IPv6 src and dst addresses correctly, eg.

  ipfw add allow ip6 from any to 2000::/16,2002::/16

  PR:           102422 (part 3)
  Submitted by: Andrey V. Elsukov
  MFC after:    5 days

  Revision  Changes    Path
  1.147     +17 -14    src/sys/netinet/ip_fw2.c
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 16 12:38:24 2006
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0897F16A407 for ; Sat, 16 Sep 2006 12:38:24 +0000 (UTC) (envelope-from jhay@meraka.csir.co.za) Received: from zibbi.meraka.csir.co.za (zibbi.meraka.csir.co.za [146.64.24.58]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7FAD943D45 for ; Sat, 16 Sep 2006 12:38:22 +0000 (GMT) (envelope-from jhay@meraka.csir.co.za) Received: by zibbi.meraka.csir.co.za (Postfix, from userid 3973) id 439E033CAF; Sat, 16 Sep 2006 14:38:18 +0200 (SAST)
Date: Sat, 16 Sep 2006 14:38:18 +0200
From: John Hay
To: freebsd-ipfw@freebsd.org
Message-ID: <20060916123818.GA8497@zibbi.meraka.csir.co.za>
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i
Subject: ipfw
buffers too small?
X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Sep 2006 12:38:24 -0000

Hi,

It seems that the buffer sizes inside ipfw did not keep up with its possible uses. If I run this:

  ipfw add 160 allow ip6 from 3000::/16,3100::/16,3200::/16,3300::/16,3ffe::/16,4ffe::/16,2000::/16,2001::/16 to any

it put this inside the kernel:

  00160 allow ip6 from { me6 or to any

A shorter one does work:

  ipfw add 170 allow ip6 from 3200::/16,3300::/16,3ffe::/16,4ffe::/16,2000::/16,2001::/16 to any
  00170 allow ip6 from 3200::/16,3300::/16,3ffe::/16,4ffe::/16,2000::/16,2001::/16 to any

So I have two questions: should the arrays (rulebuf, actbuf and cmdbuf) in ipfw/ipfw2.c:add() not be bigger? And the more important question, should it not have some bounds checking?

John
-- 
John Hay -- John.Hay@meraka.csir.co.za / jhay@FreeBSD.org

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 16 22:06:53 2006
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3973F16A49E for ; Sat, 16 Sep 2006 22:06:53 +0000 (UTC) (envelope-from admin2@enabled.com) Received: from typhoon.enabled.com (typhoon.enabled.com [216.218.220.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 73B5043D73 for ; Sat, 16 Sep 2006 22:06:50 +0000 (GMT) (envelope-from admin2@enabled.com) Received: from [172.24.241.5] (natint3.juniper.net [66.129.224.36]) (authenticated bits=0) by typhoon.enabled.com (8.13.8/8.13.8) with ESMTP id k8GM6oHY044885 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 16 Sep 2006 15:06:50 -0700 (PDT) (envelope-from admin2@enabled.com)
Message-ID: <450C7574.7020303@enabled.com>
Date: Sat, 16 Sep 2006 15:06:44 -0700
From: Noah
User-Agent: Thunderbird 1.5.0.7
(Macintosh/20060909) MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: ipfw and temporary port access
X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Sep 2006 22:06:53 -0000

Hi there,

I am trying to figure out how to open a port temporarily for a specific IP who is able to provide a proper username and password on the website of the box. After authentication is verified, the IP address is cached and temporarily allowed to access a specific port on the server. These temporary firewall changes would be handled by ipfw.

Any clues if a system like this is already coded and out there somewhere?

Cheers,

Noah