From owner-freebsd-ipfw Mon Feb 18 19:10:21 2002
Date: Mon, 18 Feb 2002 19:10:18 -0800 (PST)
From: Bing Li
To: freebsd-ipfw@freebsd.org
Subject: Difference between "src to dst" and "dst to src"
Message-ID: <20020219031018.39579.qmail@web21410.mail.yahoo.com>

Hi,

Is there any difference between the two as follows:

  add 100 allow tcp from src to dst 22
  add 101 allow tcp from dst 22 to src

I was confused with the output of "ipfw show":

  00100 1532 112460 allow tcp from src to dst 22
  00101 1101 275166 allow tcp from dst 22 to src

Why are the values of the second columns different? So are the values of the third columns. The traffic was generated only by ssh from src to dst.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Feb 18 19:41:58 2002
Date: Mon, 18 Feb 2002 19:41:53 -0800
From: "Crist J. Clark"
To: Bing Li
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Difference between "src to dst" and "dst to src"
Message-ID: <20020218194153.U48401@blossom.cjclark.org>
In-Reply-To: <20020219031018.39579.qmail@web21410.mail.yahoo.com>

On Mon, Feb 18, 2002 at 07:10:18PM -0800, Bing Li wrote:
> Hi,
>
> Is there any difference between the two as follows:
>
> add 100 allow tcp from src to dst 22
> add 101 allow tcp from dst 22 to src

Uh, well, let's use hostname examples,

  add 100 allow tcp from client to server 22
  add 101 allow tcp from server 22 to client

The first rule passes TCP packets with a source address of "client," and destination address of "server" and destination port 22. The second rule passes TCP packets with a source address of "server" and source port of 22, and destination address of "client."

> I was confused with the output of "ipfw show":
>
> 00100 1532 112460 allow tcp from src to dst 22
> 00101 1101 275166 allow tcp from dst 22 to src
>
> Why are the values of the second columns different?
> So are the values of the third columns. The traffic was
> generated only by ssh from src to dst.

A TCP connection is a duplex connection. Traffic must flow in both directions.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw Tue Feb 19 02:08:48 2002
Message-ID: <3C722424.75FDA37B@morganstanley.com>
Date: Tue, 19 Feb 2002 18:08:37 +0800
From: Victor Tayer
Reply-To: Victor.Tayer@morganstanley.com
To: freebsd-ipfw@freebsd.org
Subject: test

From owner-freebsd-ipfw Tue Feb 19 02:11:56 2002
Date: Tue, 19 Feb 2002 02:11:50 -0800
From: "Crist J. Clark"
To: ipfw@freebsd.org
Subject: Make rc.firewall Agree with Docs and an rc.firewall6 Question
Message-ID: <20020219021149.B48401@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu

I'm planning on making rc.firewall comply more closely to the literal meaning and spirit of the documentation in rc.conf(5) and in-line. The only change of note is no longer making the loopback rules unconditional. The "UNKNOWN" type documented in-line should not do _any_ configuration. When a user loads their own configuration file, rc.firewall should not unconditionally load its loopback rules.

Index: src/etc/rc.firewall
===================================================================
RCS file: /export/ncvs/src/etc/rc.firewall,v
retrieving revision 1.44
diff -u -r1.44 rc.firewall
--- src/etc/rc.firewall 27 Dec 2001 05:40:09 -0000 1.44
+++ src/etc/rc.firewall 19 Feb 2002 09:05:50 -0000
@@ -76,6 +76,15 @@ # http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html # +setup_loopback () { + ############ + # Only in rare cases do you want to change these rules + # + ${fwcmd} add 100 pass all from any to any via lo0 + ${fwcmd} add 200 deny all from any to 127.0.0.0/8 + ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any +} + if [ -n "${1}" ]; then firewall_type="${1}" fi
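Review bot: in the new setup_loopback() body the second rule is spelled `deny all from any to 127.0.0.0/8` and the third `deny ip from 127.0.0.0/8 to any`; ipfw treats `all` and `ip` as the same protocol wildcard, so behaviour is identical, but since the three lines are being moved into a function anyway this is the moment to settle on one spelling. The function comment could also say that the rules are hard-numbered 100, 200 and 300, so that a firewall_type file or a later prototype rule does not reuse those numbers and land ahead of or in between them.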
@@ -125,18 +134,12 @@ # # ${fwcmd} add 65000 pass all from any to any -############ -# Only in rare cases do you want to change these rules -# -${fwcmd} add 100 pass all from any to any via lo0 -${fwcmd} add 200 deny all from any to 127.0.0.0/8 -${fwcmd} add 300 deny ip from 127.0.0.0/8 to any - # Prototype setups. # case ${firewall_type} in [Oo][Pp][Ee][Nn]) + setup_loopback ${fwcmd} add 65000 pass all from any to any ;; @@ -151,6 +154,8 @@ mask="255.255.255.0" ip="192.0.2.1" + setup_loopback + # Allow any traffic to or from my own net. ${fwcmd} add pass all from ${ip} to ${net}:${mask} ${fwcmd} add pass all from ${net}:${mask} to ${ip} @@ -200,6 +205,8 @@ imask="255.255.255.240" iip="192.0.2.17" + setup_loopback + # Stop spoofing ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif} ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} 
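Review bot: once the `@@ -125,18 +134,12 @@` hunk drops the unconditional block, the `*)` branch that loads a user-supplied file (the `# config file.` context in the final hunk) and the UNKNOWN type get no `pass all from any to any via lo0` and no 127.0.0.0/8 anti-spoofing denies at all. On a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT, a custom rule file that omits its own lo0 rule silently breaks every local service that talks over loopback, and one that omits the 127.0.0.0/8 denies loses a protection that until now was always present. That is the stated intent of the change, so the inline comment block and the rc.conf(5) text for firewall_type should say in so many words that a file-based configuration must now supply these three rules itself.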
@@ -281,6 +288,9 @@ # config file. ;; +[Cc][Ll][Oo][Ss][Ee][Dd]) + setup_loopback + ;; [Uu][Nn][Kk][Nn][Oo][Ww][Nn]) ;; *)

I was going to make the same kind of changes in the rc.firewall6 script, but I am a bit confused by one of the rules,

  ############
  # Only in rare cases do you want to change these rules
  #
  ${fw6cmd} add 100 pass all from any to any via lo0
  #
  # ND
  #
  # DAD
  ${fw6cmd} add pass ipv6-icmp from ff02::/16 to ::
  ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
  # RS, RA, NS, NA, redirect...
  ${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
  ${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16

I understand the first. I understand the last two (allow IPV6-ICMP from link-local unicast addresses to link-local unicast and multicast), and I understand the third (unspecified to link-local multicast). I don't understand the second. RFC2373 says,

  2.5.2 The Unspecified Address

  The address 0:0:0:0:0:0:0:0 is called the unspecified address. ...

  The unspecified address must not be used as the destination address of IPv6 packets or in IPv6 Routing Headers.

To my understanding, any packets matching that second rule are actually invalid.
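Review bot: the new CLOSED case in the `@@ -281,6 +288,9 @@` hunk adds only setup_loopback and no explicit deny, so it is closed only because the kernel's implicit rule 65535 denies; on a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT the same firewall_type passes everything. Adding `${fwcmd} add 65000 deny all from any to any` here, mirroring the `add 65000 pass all from any to any` that the OPEN case already carries, would make the type mean the same thing on either kernel.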
From owner-freebsd-ipfw Tue Feb 19 02:23:59 2002
Message-ID: <3C7227B5.305D54D0@morganstanley.com>
Date: Tue, 19 Feb 2002 18:23:49 +0800
From: Victor Tayer
Reply-To: Victor.Tayer@morganstanley.com
To: ipfw@freebsd.org
Subject: test mail

From owner-freebsd-ipfw Tue Feb 19 02:56:19 2002
Date: Tue, 19 Feb 2002 16:56:30 +0600
From: Alexey Dokuchaev
To: arch@freebsd.org
Cc: ipfw@freebsd.org
Subject: Improvements to ipfw code (followup)
Message-ID: <20020219165630.A62749@cytherea.weblab.nsu.ru>

Hello,

Back in 1997, an email was sent to hackers@ about some substantial firewall code improvements, along with a patch, by Julian Assange. A PR (misc/2386) was then filed, but marked 'closed' shortly after submission for the reason 'Misfiled PR'. It seems never to have raised any interest afterwards, despite the fact that this work is definitely worth considering.

I will forward the original mail at the end for those who are interested. My particular interest in this comes from the fact that uid/gid-based IPFW filtering only works for outgoing connections, which is a neat thing of course. However, to be able to provide any service, I need to allow incoming connections as well, and this is where I got somewhat disappointed: I cannot control who is bind()'ing to whatever port (if outside setup connections are allowed), and if, say, for whatever reason my cvsupd (or ircd, or quaked) exits, any malicious user process can issue bind() to the [freed] unprivileged port. One might say this is not a big deal, since servers tend to restart themselves in case of any failure; however, for example, FTP passive mode requires setup connections to be allowed in a certain port range, and I really want only the ftp user to be able to bind() to those ports. At present, there is no way in IPFW to open ports for a specific user/group only, while Julian's patch seems to solve the problem.

Time to revise this stuff again? :-)

The URL Julian gives in his email is no longer valid, but his patches are in PR misc/2386, and can also be found at ftp://regency.nsu.ru/tmp/ipfw.diff.

Sincerely,
Alexey Dokuchaev

------ Forwarded message ------
Date: Tue, 7 Jan 1997 07:01:16 +1100 (EST)
From: proff@suburbia.net
To: hackers@freebsd.org, security@freebsd.org
Subject: new firewall code [uid/gid/bind() etc]
Message-ID: <19970106200116.16168.qmail@suburbia.net>

I tried posting the patches but, at 55k, it seems majordumbo has
(silently) rejected them. You may find them at:

  ftp://suburbia.net/tmp/ipfw.diff

My "socket credentials" patches allow you to:

punch wormholes, or restrict access to the IPPORT_RESERVED space, or
restrict access to bind() altogether based on:

  (a) uid
  (b) gid (including secondary groups)
  (c) port
  (d) protocol
  (e) interface

And more importantly:

Restrict access to packets being sent/received on any socket based on:

  (a) the packet (per normal ipfw rules)
  (b) uid
  (c) gid (including secondary groups)

The former permits constructs like:

  /* let uid sendmail bind to port 25 */
  # ipfw add accept wormhole on tcp from any 25 to any uid sendmail bind

  /* only let inetd bind - we presume inetd still needs to run as root
     for uid switching when forking off clients */

  # addgroup inetd
  # chgrp inetd /usr/sbin/inetd
  # chmod 2700 /usr/sbin/inetd
  # killall inetd
  # ipfw add accept all from any to any bind gid inetd uid root
  # /* default policy is to deny bind */

  /* keep those without security clearance out of secret network */
  # ipfw add accept all from any to any via ed0 gid secret
  # ipfw add deny all from any to any via ed0 gid any

Logging has also been enhanced:

  # ipfw add 60000 accept log all from any to any bind
  /* example of named starting up */

  ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
  ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
  ipfw: 5000 Allow UDP 203.4.184.217:53 0.0.0.0:0 via ppp0 uid 67 gid 0 pid 1280 bind
  ipfw: 5000 Allow UDP 127.0.0.1:53 0.0.0.0:0 via lo0 uid 67 gid 0 pid 1280 bind
  ipfw: 5000 Allow UDP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind

Cheers,
Julian

------ End of forwarded message ------

From owner-freebsd-ipfw Tue Feb 19 08:40:29 2002
Date: Tue, 19 Feb 2002 11:39:08 -0500 (EST)
From: Robert Watson
To: Alexey Dokuchaev
Cc: arch@freebsd.org, ipfw@freebsd.org
Subject: Re: Improvements to ipfw code (followup)
In-Reply-To: <20020219165630.A62749@cytherea.weblab.nsu.ru>

Many of these look interesting. However, it's worth noting that most of them are broken with SSH port forwarding, due to sshd binding ports as root, as opposed to as the authenticated credential. This has presented a problem for us for the MAC code also, and requires substantial re-working of the sshd code.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

From owner-freebsd-ipfw Tue Feb 19 08:41:21 2002
Date: Tue, 19 Feb 2002 11:40:03 -0500 (EST)
From: Robert Watson
To: Alexey Dokuchaev
Cc: arch@freebsd.org, ipfw@freebsd.org
Subject: Re: Improvements to ipfw code (followup)
In-Reply-To: <20020219165630.A62749@cytherea.weblab.nsu.ru>

Just as a slight follow-up I should have included in my earlier e-mail: the merging of ucred and pcred should make this patch now be able to support real and saved uids/gids as well as effective uids/gids, meaning that it can be used to also restrict setuid applications such as ping.

From owner-freebsd-ipfw Tue Feb 19 10:48:51 2002
Message-ID: <20020219184838.99167.qmail@web21402.mail.yahoo.com>
Date: Tue, 19 Feb 2002 10:48:38 -0800 (PST)
From: Bing Li
To: freebsd-ipfw@FreeBSD.ORG
Subject: The output of "ipfw show"

Hi,

Below are a few lines from a web site (www.freebsd-howto.com/HOWTO/Ipfw-HOWTO):

  3.1. Listing Rules
  ipfw -a list OR ipfw show
  Both will display the same information in the same way.
  The first column is the rule number,
  followed by the number of outgoing matched packets,
  followed by the number of incoming matched packets, ...

I believe that the second column is the number of matched packets, and the third column is the traffic in bytes. Am I right or misunderstanding anything?

BTW thanks Crist.

From owner-freebsd-ipfw Tue Feb 19 13:56:08 2002
Date: Tue, 19 Feb 2002 13:56:02 -0800
From: "Crist J. Clark"
To: Bing Li
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: The output of "ipfw show"
Message-ID: <20020219135602.D48401@blossom.cjclark.org>
In-Reply-To: <20020219184838.99167.qmail@web21402.mail.yahoo.com>

On Tue, Feb 19, 2002 at 10:48:38AM -0800, Bing Li wrote:
> Hi,
>
> Below are a few lines from a web site
> (www.freebsd-howto.com/HOWTO/Ipfw-HOWTO):
>
> 3.1. Listing Rules
> ipfw -a list OR ipfw show
> Both will display the same information in the same way.
> The first column is the rule number,
> followed by the number of outgoing matched packets,
> followed by the number of incoming matched packets, ...
>
> I believe that the second column is the number
> of matched packets, and the third column is the traffic
> in bytes. Am I right or misunderstanding anything?

You are correct. That website is wrong.

Hmm. I don't believe ipfw(8) does actually say what the values are.
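As an added example (not code from this thread), the following Python models ipfw's first-match evaluation and per-rule counters for the two rules from Crist's earlier "client"/"server" reply, then renders and parses the `ipfw show` layout this message confirms (rule number, matched packets, matched bytes). The hostnames client and server come from the thread; the packet sizes, the "resolver" host and every function name are constructed here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hostnames as in Crist's reply; the packet sizes below are constructed for this example.
CLIENT, SERVER = "client", "server"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int  # total IP length in bytes, which is what ipfw's byte counter sums

@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    packets: int = 0
    nbytes: int = 0

    def matches(self, p: Packet) -> bool:
        # 'from SRC [PORT] to DST [PORT]': 'any' is a wildcard, an omitted port
        # matches every port, and src/dst fix the direction the packet travels in.
        return (self.proto in ("ip", "all", p.proto)
                and self.src in ("any", p.src)
                and self.sport in (None, p.sport)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))

    def show(self) -> str:
        # One line in `ipfw show` layout: rule number, matched packets, matched bytes, rule.
        sp = f" {self.sport}" if self.sport is not None else ""
        dp = f" {self.dport}" if self.dport is not None else ""
        return (f"{self.number:05d} {self.packets} {self.nbytes} "
                f"{self.action} {self.proto} from {self.src}{sp} to {self.dst}{dp}")

def parse_rule(text: str) -> Rule:
    """Parse a rule such as 'add 100 allow tcp from client to server 22'."""
    tok = text.split()
    if tok[0] == "add":
        tok = tok[1:]
    number, action, proto = int(tok[0]), tok[1], tok[2]
    if tok[3] != "from" or "to" not in tok:
        raise ValueError(f"unsupported rule syntax: {text}")
    to = tok.index("to")
    src_part, dst_part = tok[4:to], tok[to + 1:]
    sport = int(src_part[1]) if len(src_part) > 1 else None
    dport = int(dst_part[1]) if len(dst_part) > 1 else None
    return Rule(number, action, proto, src_part[0], sport, dst_part[0], dport)

def parse_show_line(line: str) -> Tuple[int, int, int, str]:
    """Split an `ipfw show` line into (rule number, packets, bytes, rule body).
    Column two is matched packets, column three matched bytes; neither is in/out split."""
    num, pkts, nbytes, body = line.split(None, 3)
    return int(num), int(pkts), int(nbytes), body

def run(rules: List[Rule], packets: List[Packet]) -> List[Optional[int]]:
    """First-match evaluation in rule-number order: the first matching rule takes the
    packet and only its counters grow. Returns the rule number hit per packet (None = default rule)."""
    hits: List[Optional[int]] = []
    for p in packets:
        hit = None
        for r in sorted(rules, key=lambda r: r.number):
            if r.matches(p):
                r.packets += 1
                r.nbytes += p.length
                hit = r.number
                break
        hits.append(hit)
    return hits

def ssh_session() -> List[Packet]:
    """Constructed ssh session opened from client to server: handshake, small keystroke
    packets from the client, larger screen output from the server, one unrelated DNS query."""
    def c2s(n: int) -> Packet:
        return Packet("tcp", CLIENT, 50000, SERVER, 22, n)
    def s2c(n: int) -> Packet:
        return Packet("tcp", SERVER, 22, CLIENT, 50000, n)
    return ([c2s(60), s2c(60), c2s(52)]            # SYN, SYN/ACK, ACK
            + [c2s(100)] * 5                         # keystrokes
            + [s2c(1500)] * 3                        # server output
            + [Packet("udp", CLIENT, 53001, "resolver", 53, 80)])

def demo() -> List[str]:
    """Run the two rules from the thread over the session: rule 100 ends up with more
    packets, rule 101 with more bytes, the same pattern as Bing Li's `ipfw show` output."""
    rules = [parse_rule("add 100 allow tcp from client to server 22"),
             parse_rule("add 101 allow tcp from server 22 to client")]
    run(rules, ssh_session())
    return [r.show() for r in rules]
```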
From owner-freebsd-ipfw Tue Feb 19 19:39:28 2002
Date: Wed, 20 Feb 2002 09:39:33 +0600
From: Alexey Dokuchaev
To: Robert Watson
Cc: arch@freebsd.org, ipfw@freebsd.org
Subject: Re: Improvements to ipfw code (followup)
Message-ID: <20020220093933.A78191@cytherea.weblab.nsu.ru>
References: <20020219165630.A62749@cytherea.weblab.nsu.ru>

On Tue, Feb 19, 2002 at 11:40:03AM -0500, Robert Watson wrote:
> Just as a slight follow-up I should have included in my earlier e-mail:
> the merging of ucred and pcred should make this patch now be able to
> support real and saved uids/gids as well as effective uids/gids, meaning
> that it can be used to also restrict setuid applications such as ping.

Cool! Right now I am cleaning up this 5-year-old patch to catch up with current IPFW code, fixing possible bugs, and separating optimizations and features stuff for easier reviewing and testing. I like the idea of supporting real and saved uids/gids as well as effective ones; I think I will include this functionality as soon as I get the whole thing working with current -CURRENT.

Regs,
Alexey Dokuchaev

From owner-freebsd-ipfw Thu Feb 21 21:00:36 2002
Message-ID: <046501c1ba96$3da26c40$11cad5c8@mshome.net>
From: "Ivan Coimbra"
Subject: forward to non-local addresses
Date: Thu, 21 Feb 2002 02:11:37 -0300

I am having serious problems with the ipfw of FreeBSD. I am trying to use packet forwarding, and I am having the following problem: the ipfw doesn't forward to non-local addresses! The options in the kernel are active (IPFIREWALL, IPFIREWALL_FORWARD, etc.) and the forwarding option of FreeBSD (gateway_enable="YES") in /etc/rc.conf is active too! With local addresses (local machine) ipfw fwd works!

Please, can you help me?

Thanks,
Ivan Coimbra
São Paulo / Brasil

From owner-freebsd-ipfw Thu Feb 21 22:08:27 2002
Message-ID: <3C75E053.8FCC3D5A@morganstanley.com>
Date: Fri, 22 Feb 2002 14:08:20 +0800
From: Victor Tayer
Organization: Morgan Stanley
To: Ivan Coimbra
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: forward to non-local addresses

You may use the natd -redirect_port option. For more info read http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/natd.html

jett tayer

Ivan Coimbra wrote:
> I am having serious problems with the ipfw of FreeBSD. I am trying to use
> packet forwarding, and I am having the following problem: the ipfw
> doesn't forward to non-local addresses! The options in the kernel are
> active (IPFIREWALL, IPFIREWALL_FORWARD, etc.) and the forwarding option of
> FreeBSD (gateway_enable="YES") in /etc/rc.conf is active too!
> With local addresses (local machine) ipfw fwd works!

From owner-freebsd-ipfw Fri Feb 22 02:18:35 2002
Date: Fri, 22 Feb 2002 03:18:27 -0700 (MST)
From: FreeBSD user
To: freebsd-ipfw@freebsd.org
Subject: ipfw, dummynet, weights, and ssh?
Message-ID: <20020222031809.M37938-100000@Amber.XtremeDev.com>

I'm trying to decipher ipfw syntax related to dummynet, and I'm not having much luck. Basically all I want to do is give priority to all ssh connections, both outbound and inbound. If the line is saturated I should still be able to ssh in and out of my server, hopefully without too much lag. Is this possible with ipfw/dummynet's WF2Q+ policies? And if so, any examples you can provide would greatly help. Thanks in advance.

From owner-freebsd-ipfw Fri Feb 22 08:37:30 2002
Message-ID: <3C7673C6.9060706@tenebras.com>
Date: Fri, 22 Feb 2002 08:37:26 -0800
From: Michael Sierchio
To: FreeBSD user
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw, dummynet, weights, and ssh?

FreeBSD user wrote:
> I'm trying to decipher ipfw syntax related to dummynet, and I'm not having
> much luck. Basically all I want to do is give priority to all ssh
> connections, both outbound and inbound. If the line is saturated I should
> still be able to ssh in and out of my server, hopefully without too much
> lag. Is this possible with ipfw/dummynet's WF2Q+ policies? And if so, any
> examples you can provide would greatly help. Thanks in advance.

Dummynet doesn't provide dynamic bandwidth limiting based on load or traffic. You can use a clever combination of bandwidth-limiting pipes and masks to ensure that no one connection uses more than X% of your (theoretical) bw.

You could make all non-ssh connections go through a bw-limiting pipe (75-85%).

From owner-freebsd-ipfw Fri Feb 22 09:27:10 2002
Date: Fri, 22 Feb 2002 09:27:03 -0800
From: Luigi Rizzo
To: Michael Sierchio
Cc: FreeBSD user, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw, dummynet, weights, and ssh?
Message-ID: <20020222092703.A62387@iguana.icir.org>
In-Reply-To: <3C7673C6.9060706@tenebras.com>

On Fri, Feb 22, 2002 at 08:37:26AM -0800, Michael Sierchio wrote:
> FreeBSD user wrote:
> > I'm trying to decipher ipfw syntax related to dummynet, and I'm not having
> > much luck. Basically all I want to do is give priority to all ssh
> > connections, both outbound and inbound. If the line is saturated I should
> > still be able to ssh in and out of my server, hopefully without too much
> > lag. Is this possible with ipfw/dummynet's WF2Q+ policies? And if so, any
> > examples you can provide would greatly help. Thanks in advance.
>
> Dummynet doesn't provide dynamic bandwidth limiting based on load

wrong. You can use queues (WF2Q+) to do this kind of sharing.

cheers
luigi

> or traffic. You can use a clever combination of bandwidth-limiting
> pipes and masks to ensure that no one connection uses more than X%
> of your (theoretical) bw.
>
> You could make all non-ssh connections go through a bw-limiting
> pipe (75-85%).
From owner-freebsd-ipfw Fri Feb 22 09:41:31 2002
Message-ID: <3C7682C7.10009@tenebras.com>
Date: Fri, 22 Feb 2002 09:41:27 -0800
From: Michael Sierchio
To: Luigi Rizzo
Cc: FreeBSD user, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw, dummynet, weights, and ssh?

Luigi Rizzo wrote:
> You can use queues (WF2Q+) to do this kind of sharing.

And this is on the manpage for... dummynet? ipfw?

From owner-freebsd-ipfw Fri Feb 22 09:42:45 2002
Message-ID: <3C76830D.4090807@tenebras.com>
Date: Fri, 22 Feb 2002 09:42:37 -0800
From: Michael Sierchio
To: Michael Sierchio
Cc: Luigi Rizzo, FreeBSD user, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw, dummynet, weights, and ssh?

Michael Sierchio wrote:
> Luigi Rizzo wrote:
>
>> You can use queues (WF2Q+) to do this kind of sharing.
>
> And this is on the manpage for... dummynet? ipfw?

Sorry, slipped away from me. The manpage for ipfw is woefully inadequate. It's a useful reference for someone who already knows what he's doing. Just my $0.02

From owner-freebsd-ipfw Fri Feb 22 09:45:14 2002
Message-ID: <3C7683A7.4010207@tenebras.com>
Date: Fri, 22 Feb 2002 09:45:11 -0800
From: Michael Sierchio
To: Michael Sierchio
Cc: Luigi Rizzo, FreeBSD user, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw, dummynet, weights, and ssh?

Michael Sierchio wrote:
> Michael Sierchio wrote:
>
>> Luigi Rizzo wrote:
>>
>>> You can use queues (WF2Q+) to do this kind of sharing.

Digging myself further in the hole -- the manpage on ipfw mentions queue, doesn't give examples, and the mention is opaque.

From owner-freebsd-ipfw Fri Feb 22 10:29:17 2002
Date: Fri, 22 Feb 2002 10:29:13 -0800
From: Sean Chittenden
To: Michael Sierchio
Cc: Luigi Rizzo, FreeBSD user, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw, dummynet, weights, and ssh?
Message-ID: <20020222102913.L10003@ninja1.internal>
In-Reply-To: <3C7683A7.4010207@tenebras.com>

> >>> You can use queues (WF2Q+) to do this kind of sharing.
>
> Digging myself further in the hole -- the manpage on ipfw
> mentions queue, doesn't give examples, and the mention is
> opaque.

If you're trying to do rate-shaping, you might want to check out dummynet(4). That man page helped me the most in setting up rate-shaping. -sc

--
Sean Chittenden

From owner-freebsd-ipfw Fri Feb 22 17:03:49 2002
Message-ID: <3C76EA67.8010807@tenebras.com>
Date: Fri, 22 Feb 2002 17:03:35 -0800
From: Michael Sierchio
To: Sean Chittenden
Cc: Luigi Rizzo, FreeBSD user, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw, dummynet, weights, and ssh?

Sean Chittenden wrote:
> If you're trying to do rate-shaping, you might want to check out
> dummynet(4). That man page helped me the most in setting up
> rate-shaping. -sc

Care to share examples? For example, is bandwidth reservation possible (which is what the question seemed to be), or is this achieved indirectly through bandwidth limiting of other traffic?

From owner-freebsd-ipfw Fri Feb 22 19:30:12 2002
Message-ID: <3C770CC0.5080508@tenebras.com>
Date: Fri, 22 Feb 2002 19:30:08 -0800
From: Michael Sierchio
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw, dummynet, weights, and ssh?

Sean Chittenden wrote:
> From dummynet(4):
>
>     ipfw pipe 1 config bw 1Mbit/s
>     ipfw add pipe 1 ip from A to B out
>     ipfw add pipe 1 ip from B to A in

bw limiting pipes I get -- using queues to reserve bandwidth I don't.

From owner-freebsd-ipfw Sat Feb 23 00:38:14 2002
Date: Fri, 22 Feb 2002 18:00:01 -0800
From: Sean Chittenden
To: Michael Sierchio
Cc: Luigi Rizzo, FreeBSD user, freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw, dummynet, weights, and ssh?
Message-ID: <20020222180001.A24470@ninja1.internal>
In-Reply-To: <3C76EA67.8010807@tenebras.com>

> > If you're trying to do rate-shaping, you might want to check out
> > dummynet(4). That man page helped me the most in setting up
> > rate-shaping. -sc
>
> Care to share examples? For example, is bandwidth reservation
> possible (which is what the question seemed to be), or is this
> achieved indirectly through bandwidth limiting of other traffic?

From dummynet(4):

    ipfw pipe 1 config bw 1Mbit/s
    ipfw add pipe 1 ip from A to B out
    ipfw add pipe 1 ip from B to A in

where A can be one of the following (from ipfw(8)):

    ipno       An IP number of the form 1.2.3.4. Only this exact IP
               number will match the rule.

    ipno/bits  An IP number with a mask width of the form 1.2.3.4/24.
               In this case all IP numbers from 1.2.3.0 to 1.2.3.255
               will match.

    ipno:mask  An IP number with a mask of the form
               1.2.3.4:255.255.240.0. In this case all IP numbers
               from 1.2.0.0 to 1.2.15.255 will match.
You can also add ports to that in the same way you would make a normal firewall rule. -sc

--
Sean Chittenden

From owner-freebsd-ipfw Sat Feb 23 03:06:25 2002
Date: Sat, 23 Feb 2002 04:06:13 -0700 (MST)
From: FreeBSD user
To: Sean Chittenden
Cc: Michael Sierchio, Luigi Rizzo
Subject: Re: ipfw, dummynet, weights, and ssh?
In-Reply-To: <20020222180001.A24470@ninja1.internal>
Message-ID: <20020223034914.G38013-100000@Amber.XtremeDev.com>

I don't understand how this is a bandwidth reservation issue. I simply want ssh packets to receive priority over all other packets. Does this mean I have to specifically set aside, say, some amount of bandwidth even if there are no ssh connects at the time? I don't understand the issue, I guess, of what's involved in giving priority to ssh packets. Is it indeed a bandwidth reservation issue, or is there no such thing as priority when dealing with packets leaving and entering an interface?

Btw. I'm on a RADSL that's dynamic, so I have no idea at any given moment in time how much bandwidth I've got from QWest. From their rep, they said anywhere from 128kb to 1.2mb. Dunno if that's true or not, but I don't know if I can simply say to ipfw, "I've got a 128kb pipe, set aside 5kb at all times for ssh packets". Do I have to specify a bandwidth?

From reading dummynet(4), it's referring to a queue with pipes. I don't know the exact workings of dummynet, but from what I remember of my data structures class on queues, can't ssh packets entering a queue be moved to the head of the line before other packets currently in the queue? So say, I specify one pipe that all packets have to go through. And when an ssh packet enters the pipe, it gets pulled out of order and moved immediately to the head of the queue/pipe? Just tossing thoughts around.. Please don't take my idle thoughts as anything but that.
I guess I can try reading the ipfw/dummynet sources, but with my diminutive programming background, I think I'd have better luck deciphering Bush's budget plans.

On Fri, 22 Feb 2002, Sean Chittenden wrote:
> > > If you're trying to do rate-shaping, you might want to check out
> > > dummynet(4). That man page helped me the most in setting up
> > > rate-shaping. -sc
> >
> > Care to share examples? For example, is bandwidth reservation
> > possible (which is what the question seemed to be), or is this
> > achieved indirectly through bandwidth limiting of other traffic?
>
> From dummynet(4):
>
>     ipfw pipe 1 config bw 1Mbit/s
>     ipfw add pipe 1 ip from A to B out
>     ipfw add pipe 1 ip from B to A in
>
> where A can be one of the following (from ipfw(8)):
>
>     ipno       An IP number of the form 1.2.3.4. Only this exact IP
>                number will match the rule.
>
>     ipno/bits  An IP number with a mask width of the form 1.2.3.4/24.
>                In this case all IP numbers from 1.2.3.0 to 1.2.3.255
>                will match.
>
>     ipno:mask  An IP number with a mask of the form
>                1.2.3.4:255.255.240.0. In this case all IP numbers
>                from 1.2.0.0 to 1.2.15.255 will match.
>
> You can also add ports to that in the same way you would make a normal
> firewall rule. -sc
>
> --
> Sean Chittenden
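Editor's added example, not a message from the thread and not code from the FreeBSD sources: a script that puts Luigi's answer ("use queues (WF2Q+)") into concrete ipfw rules for the setup FreeBSD user describes, and that answers the "do I have to set aside bandwidth?" question in the last message. The interface name xl0, the link rates, the queue weights and the rule numbers are placeholders of my choosing; the ipfw/dummynet syntax is the FreeBSD 4.x-era `pipe config` / `queue config` / `queue N` form documented in dummynet(4) and ipfw(8) alongside the `pipe` example Sean quotes. By default the script only prints the ipfw commands it would run, so the rule set can be reviewed; set IPFW_APPLY=1 and run it as root to load them.

```shell
#!/bin/sh
# Added example: prioritise ssh on a small link with dummynet WF2Q+ queues.
# Everything below (interface, rates, weights, rule numbers) is a placeholder
# assumption; adjust to the real gateway before applying.

EXT_IF=${EXT_IF:-xl0}              # assumed name of the upstream interface
UP_BW=${UP_BW:-112Kbit/s}          # slightly BELOW the real upstream rate
DOWN_BW=${DOWN_BW:-1000Kbit/s}     # slightly BELOW the real downstream rate
SSH_WEIGHT=${SSH_WEIGHT:-90}       # WF2Q+ weights are 1..100; share, not priority
BULK_WEIGHT=${BULK_WEIGHT:-10}

# Dry run by default: print each ipfw command instead of executing it.
fw() {
    if [ "${IPFW_APPLY:-0}" = "1" ]; then
        ipfw "$@"
    else
        echo "ipfw $*"
    fi
}

ssh_shaping_rules() {
    # Outbound: one pipe models the uplink; two WF2Q+ queues share it.
    # The pipe's bandwidth is split between queues that actually have
    # packets waiting, in proportion to their weights. An idle ssh queue
    # consumes nothing, so bulk traffic gets the whole pipe until ssh
    # packets show up; no bandwidth is "set aside" in advance.
    fw pipe 1 config bw "$UP_BW"
    fw queue 1 config pipe 1 weight "$SSH_WEIGHT"
    fw queue 2 config pipe 1 weight "$BULK_WEIGHT"

    # Classify: ssh in either direction of the connection (local sshd on
    # port 22, or an outgoing session to a remote port 22) goes to queue 1,
    # everything else to queue 2. Rule numbers are arbitrary placeholders.
    fw add 1000 queue 1 tcp from any to any 22 out via "$EXT_IF"
    fw add 1001 queue 1 tcp from any 22 to any out via "$EXT_IF"
    fw add 1010 queue 2 ip from any to any out via "$EXT_IF"

    # Inbound: the same structure on the downstream side. This is weaker,
    # because these packets have already crossed the link; the queue can
    # only delay or drop bulk traffic so that the remote TCP senders slow
    # down, leaving room for the ssh session.
    fw pipe 2 config bw "$DOWN_BW"
    fw queue 3 config pipe 2 weight "$SSH_WEIGHT"
    fw queue 4 config pipe 2 weight "$BULK_WEIGHT"
    fw add 1100 queue 3 tcp from any 22 to any in via "$EXT_IF"
    fw add 1101 queue 3 tcp from any to any 22 in via "$EXT_IF"
    fw add 1110 queue 4 ip from any to any in via "$EXT_IF"
}

# Sanity check usable in dry-run mode: how many classification rules send
# traffic to the outbound ssh queue (expected: one per direction of port 22).
count_outbound_ssh_rules() {
    ssh_shaping_rules | grep -c 'queue 1 tcp'
}

ssh_shaping_rules
```

Two caveats matter for the RADSL case in the last message. First, the queues only do their job if the packets actually wait in dummynet rather than in the modem, which means the pipe rate must be set a little below the real link rate; on a link whose rate changes, pick a conservative figure (or re-run the script with UP_BW/DOWN_BW set when the rate is known), since a pipe configured faster than the line makes the weights meaningless. Second, with the default net.inet.ip.fw.one_pass=1 a packet leaving a pipe or queue is accepted without visiting later rules, so any deny rules must come before rules 1000-1110 above; with one_pass=0 the packet re-enters the ruleset at the next rule instead. WF2Q+ is not strict priority (there is no moving a packet to the head of the line), but with a 90/10 split ssh gets 90% of the pipe whenever both queues are busy and bulk traffic is never starved.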