From owner-freebsd-ipfw@FreeBSD.ORG Sun Sep 19 04:02:40 2004
From: "J.T. Davies"
Date: Sat, 18 Sep 2004 21:02:08 -0700
Message-ID: <000c01c49dfd$7e556970$90e6d2d1@Jay>
Subject: Dynamic rules & stats

Please someone smack me around and correct me if I'm mistaken.

I'm using 5.1 Release p13

I've got IPFW2 enabled. Stateless & stateful rules are working correctly.
I'm trying to incorporate/"upgrade" to dynamic rulesets, but I'm confused.

I've got the following rules:

1000 check-state
2000 allow tcp from any 1024-65535 to mysvrIP 25,110 in via outsideinterface setup keep-state

Now, when I check mail from an outside client (mail transfer is successful), and then I do IPFW SHOW, the traffic counters for rule 2000 are ever increasing, but 1000 stays at 0. Every mail transfer (whether POP3 or SMTP) increments 2000, but never 1000.

Is this correct? I *thought* that this should work somewhat like the "setup" and the "established" methods of a stateful firewall configuration.

If I remark rule 1000...traffic still passes through.

Oh, I also do see dynamic rules being created/expired by running 'ipfw -d -e list'

Ideas? Currently, it seems the rules are working, but the "0" for rule 1000 bothers me. Should I be bothered?

Thanks all!
J.T.

From owner-freebsd-ipfw@FreeBSD.ORG Sun Sep 19 06:29:34 2004
From: Cristian Ursuleanu
To: freebsd-ipfw@freebsd.org
Date: Sun, 19 Sep 2004 09:29:25 +0300 (EEST)
Message-ID: <20040919092817.F94550@debug.ro>
Subject: ipfw and natd

Hi,

I use FreeBSD 4.10 STABLE with ipfw.
I have a problem:

From owner-freebsd-ipfw@FreeBSD.ORG Sun Sep 19 06:40:53 2004
From: Cristian Ursuleanu
To: freebsd-ipfw@freebsd.org
Date: Sun, 19 Sep 2004 09:40:44 +0300 (EEST)
Message-ID: <20040919093421.F94568@debug.ro>
Subject: ipfw & natd

Hi,

I have a problem with ipfw:

  (10.0.0.x)      (ed0)(10.0.0.1)(rl0)      (1.2.3.4)
--LAN----------------FreeBSD--------------ISP_1
                        |
                        |(rl1)
                        |
                        | (5.6.7.8)
                        |_________________ISP_2

The default route is 1.2.3.4
( $ route add -net 0.0.0.0 1.2.3.4 )

I want to forward only port 80 from LAN to ISP_2.

I do:
$ natd -p 8668 -interface rl0
$ natd -p 8669 -interface rl1

$ ipfw add 500 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80
$ ipfw add 1000 divert 8668 all from any to any rl0
$ ipfw add 2000 divert 8669 all from any to any rl1

and it seems not to work.
'tcpdump' on rl1 shows connections from 10.0.0.2.3122 > WEB_SERVER.80, and it must be: 5.6.7.8 > WEB_SERVER.80

the natd is missing.
what is wrong?

thanks.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 20 04:44:10 2004
From: stepan
To: freebsd-ipfw@freebsd.org
Date: Mon, 20 Sep 2004 10:44:11 +0600
Message-ID: <1847420828.20040920104411@yandex.ru>
Subject: how may i deny many streams downloads using ipfw

Hi all!

Please tell me how to disable multi-stream downloads (using Flashget or Reget) through my FreeBSD-4.7.1 router using the firewall. My `pipe' settings are ineffective with these programs.
Best regards,
stepan
mailto:sbakalyas@yandex.ru

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 20 06:25:23 2004
From: Thomas Wolf
To: "J.T. Davies", freebsd-ipfw@freebsd.org
Date: Mon, 20 Sep 2004 06:21:42 -0000
Message-ID: <20040920082142.eeekl07rke80s4@.mailhost.wsf.at>
Subject: Re: Dynamic rules & stats

"J.T. Davies" wrote:
> Please someone smack me around and correct me if I'm mistaken.
>
> I'm using 5.1 Release p13
>
> I've got IPFW2 enabled. Stateless & stateful rules are working correctly.
> I'm trying to incorporate/"upgrade" to dynamic rulesets, but I'm confused.
>
> I've got the following rules:
>
> 1000 check-state
> 2000 allow tcp from any 1024-65535 to mysvrIP 25,110 in via outsideinterface
> setup keep-state
>
> Now, when I check mail from an outside client (mail transfer is successful),
> and then I do IPFW SHOW, the traffic counters for rule 2000 are ever
> increasing, but 1000 stays at 0. Every mail transfer (whether POP3 or SMTP)
> increments 2000, but never 1000.
>
> Is this correct? I *thought* that this should work somewhat like the
> "setup" and the "established" methods of a stateful firewall configuration.

No need to worry. For dynamic rules, it's always the parent rule (which 'created' the dynamic one) where the counters are incremented (in your setup 2000).

> If I remark rule 1000...traffic still passes through.

"If no check-state rule is found, the dynamic ruleset is checked at the first keep-state or limit rule." (man ipfw)

Thomas

-- 
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 20 06:47:35 2004
From: Thomas Wolf
To: Cristian Ursuleanu, freebsd-ipfw@freebsd.org
Date: Mon, 20 Sep 2004 06:43:59 -0000
Message-ID: <20040920084359.eei75hutjsgs88@.mailhost.wsf.at>
Subject: Re: ipfw & natd

Cristian Ursuleanu wrote:
> Hi,
>
> I have a problem with ipfw:
>
>   (10.0.0.x)      (ed0)(10.0.0.1)(rl0)      (1.2.3.4)
> --LAN----------------FreeBSD--------------ISP_1
>                         |
>                         |(rl1)
>                         |
>                         | (5.6.7.8)
>                         |_________________ISP_2
>
> the default route is 1.2.3.4
> ( $ route add -net 0.0.0.0 1.2.3.4 )
>
> I want to forward only port 80 from LAN to ISP_2.
>
> I do:
> $ natd -p 8668 -interface rl0
> $ natd -p 8669 -interface rl1
>
> $ ipfw add 500 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80
> $ ipfw add 1000 divert 8668 all from any to any rl0
> $ ipfw add 2000 divert 8669 all from any to any rl1
>
> and it seems not to work.
> 'tcpdump' on rl1 shows connections from 10.0.0.2.3122 > WEB_SERVER.80, and
> it must be: 5.6.7.8 > WEB_SERVER.80
>
> the natd is missing.
>
> what is wrong?

The 'fwd' action terminates the search through the ruleset, so your rule 2000 will never match on outgoing packets to :80.
Try putting the 'fwd' statement after 2000 ('divert' re-injects packets at the next rule), something like this:

add 2010 fwd 5.6.7.8 tcp from any to any 80 out recv ed0

Thomas

-- 
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 20 11:02:54 2004
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 20 Sep 2004 11:02:53 GMT
Message-Id: <200409201102.i8KB2rAn001891@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw  ipfw core (crash)
o [2004/03/03] kern/63724  ipfw  IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw  [ipfw] UID/GID matching in ipfw non-funct

5 problems total.

Non-critical problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 20 16:28:49 2004
From: Cristian Ursuleanu
To: Thomas Wolf
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 20 Sep 2004 19:28:45 +0300 (EEST)
In-Reply-To: <20040920084359.eei75hutjsgs88@.mailhost.wsf.at>
Message-ID: <20040920192709.K29498@debug.ro>
Subject: Re: ipfw & natd

from ipfw manual:

"divert port
       Divert packets that match this rule to the divert(4)
       socket bound to port port. The search terminates.
       -----------------
"

On Mon, 20 Sep 2004, Thomas Wolf wrote:

> Cristian Ursuleanu wrote:
> > [...]
> > $ ipfw add 500 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80
> > $ ipfw add 1000 divert 8668 all from any to any rl0
> > $ ipfw add 2000 divert 8669 all from any to any rl1
> >
> > and it seems not to work.
> > 'tcpdump' on rl1 shows connections from 10.0.0.2.3122 > WEB_SERVER.80, and
> > it must be: 5.6.7.8 > WEB_SERVER.80
> >
> > the natd is missing.
> >
> > what is wrong?
>
> The 'fwd' action terminates the search through the ruleset, so
> your rule 2000 will never match on outgoing packets to :80.
> Try putting the 'fwd' statement after 2000 ('divert' re-injects
> packets at the next rule), something like this:
> add 2010 fwd 5.6.7.8 tcp from any to any 80 out recv ed0.
>
> Thomas
>
> --
> Thomas Wolf
> Wiener Software Fabrik
> Dubas u. Wolf GMBH
> 1050 Wien, Mittersteig 4
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 20 18:02:46 2004
From: Thomas Wolf
To: jose@hostarica.com, Cristian Ursuleanu
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 20 Sep 2004 17:59:06 -0000
Message-ID: <20040920195906.eedkv0u7mcookk@.mailhost.wsf.at>
Subject: Re: ipfw & natd

Jose Hidalgo Herrera wrote:
> You are right, but Tomas too!,
>
> what is missing here is:
> # sysctl -w net.inet.ip.fw.one_pass=1

No, this sysctl is for dummynet only and does not affect natd. Natd always re-injects packets into the firewall:
"After translation by natd, packets re-enter the firewall at the rule number following the rule number that caused the diversion" (man natd)

> Use the divert first, with one_pass=1 the packet will
> be reinjected and then your fwd rule will work just fine.
>
> --- this will do
> sysctl -w net.inet.ip.fw.one_pass=1
>
> natd -p 8668 -interface rl0
> natd -p 8669 -interface rl1
>
> ipfw add 1000 divert 8668 all from any to any rl0
> ipfw add 2000 divert 8669 all from any to any rl1
> ipfw add 2010 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80 out recv ed0
> ---

No, this will not work, you should omit the 'from 10.0.0.0/24' part. After being translated by natd, the packets coming from the LAN will no longer have 10.0.0.0/24 as src-addr.

Thomas

-- 
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 20 18:09:31 2004
From: Thomas Wolf
To: Cristian Ursuleanu, Thomas Wolf
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 20 Sep 2004 18:05:55 -0000
Message-ID: <20040920200555.eei75hvd9c00wg@.mailhost.wsf.at>
Subject: Re: ipfw & natd

Cristian Ursuleanu wrote:
> from ipfw manual:
>
> "divert port
>        Divert packets that match this rule to the divert(4)
>        socket bound to port port. The search terminates.
>        -----------------
> "

Ah, ok, my statement was misleading. You're right, 'divert' does not re-inject packets by itself - but 'natd' does.

Thomas

> On Mon, 20 Sep 2004, Thomas Wolf wrote:
> > [...]
> > The 'fwd' action terminates the search through the ruleset, so
> > your rule 2000 will never match on outgoing packets to :80.
> > Try putting the 'fwd' statement after 2000 ('divert' re-injects
> > packets at the next rule), something like this:
> > add 2010 fwd 5.6.7.8 tcp from any to any 80 out recv ed0.
> >
> > Thomas

-- 
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 20 20:12:40 2004
From: Cristian Ursuleanu
To: Jose Hidalgo Herrera
Cc: Thomas Wolf, freebsd-ipfw@freebsd.org
Date: Mon, 20 Sep 2004 23:12:36 +0300 (EEST)
In-Reply-To: <1095699476.14974.13.camel@jose.hostarica.net>
Message-ID: <20040920230225.Y58694@debug.ro>
Subject: Re: ipfw & natd

you are right!
but, I do some tests and it seems to work only when: net.inet.ip.fw.one_pass=0 if net.inet.ip.fw.one_pass=0 then packets are reinjected into firewall , and when net.inet.ip.fw.one_pass=1 are not. I use: FreeBSD 4.10 STABLE , and ipfw1. "net.inet.ip.fw.one_pass: 1 Forces a single pass through the firewall. If set to 0, packets coming out of a pipe will be reinjected into the firewall starting with the rule after the matching one. " On Mon, 20 Sep 2004, Jose Hidalgo Herrera wrote: > You are right, but Tomas too!, > > what is missing here is: > # sysctl -w net.inet.ip.fw.one_pass=1 > > Use the divert first, with one_pass=1 the package will > be reinjected and the your fwd rule will work just fine. > > --- this will do > sysctl -w net.inet.ip.fw.one_pass=1 > > natd -p 8668 -interface rl0 > natd -p 8669 -interface rl1 > > ipfw add 1000 divert 8668 all from any to any rl0 > ipfw add 2000 divert 8669 all from any to any rl1 > ipfw add 2010 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80 out recv ed0 > --- > -- > Jose Hidalgo > PGP: 15524480 > jose at hostarica.com > http://www.hostarica.com > > > From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 20 21:52:23 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 44E1B16A4CE for ; Mon, 20 Sep 2004 21:52:23 +0000 (GMT) Received: from mx.hostarica.com (mx.hostarica.com [196.40.45.74]) by mx1.FreeBSD.org (Postfix) with ESMTP id BEDE743D2F for ; Mon, 20 Sep 2004 21:52:20 +0000 (GMT) (envelope-from jose@hostarica.com) Received: from localhost (localhost.hostarica.com [127.0.0.1]) by mx.hostarica.com (Postfix) with ESMTP id 7F31AFD6F; Mon, 20 Sep 2004 10:57:42 -0600 (CST) Received: from [192.168.0.69] (unknown [192.168.0.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.hostarica.com (Postfix) with ESMTP id 531CEF827; Mon, 20 Sep 2004 10:57:41 -0600 (CST) From: Jose Hidalgo 
Herrera To: Cristian Ursuleanu In-Reply-To: <20040920192709.K29498@debug.ro> References: <20040920084359.eei75hutjsgs88@.mailhost.wsf.at> <20040920192709.K29498@debug.ro> Content-Type: text/plain Organization: Corp. Hosta Rica Message-Id: <1095699476.14974.13.camel@jose.hostarica.net> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 Date: Mon, 20 Sep 2004 10:57:56 -0600 Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd 0.1 cc: Thomas Wolf cc: jose@hostarica.com cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw & natd X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: jose@hostarica.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Sep 2004 21:52:23 -0000 You are right, but Tomas too!, what is missing here is: # sysctl -w net.inet.ip.fw.one_pass=1 Use the divert first, with one_pass=1 the package will be reinjected and the your fwd rule will work just fine. 
--- this will do sysctl -w net.inet.ip.fw.one_pass=1 natd -p 8668 -interface rl0 natd -p 8669 -interface rl1 ipfw add 1000 divert 8668 all from any to any rl0 ipfw add 2000 divert 8669 all from any to any rl1 ipfw add 2010 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80 out recv ed0 --- -- Jose Hidalgo PGP: 15524480 jose at hostarica.com http://www.hostarica.com From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 22 02:25:22 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A5A8E16A4CE for ; Wed, 22 Sep 2004 02:25:22 +0000 (GMT) Received: from web11505.mail.yahoo.com (web11505.mail.yahoo.com [216.136.172.37]) by mx1.FreeBSD.org (Postfix) with SMTP id 70A0843D48 for ; Wed, 22 Sep 2004 02:25:22 +0000 (GMT) (envelope-from mukden@yahoo.com) Message-ID: <20040922022522.34335.qmail@web11505.mail.yahoo.com> Received: from [17.202.43.89] by web11505.mail.yahoo.com via HTTP; Tue, 21 Sep 2004 19:25:22 PDT Date: Tue, 21 Sep 2004 19:25:22 -0700 (PDT) From: Muk Dunkin To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: dynamic TCP rule lifetime is too short X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Sep 2004 02:25:22 -0000 Hi all, In ipfw2.c, if keep-alive option was turned off, once a TCP (SYN,ACK) dynamic rule gets removed (UNLINK) because it's lifetime has expired, subsequent TCP ACK dynamic rule gets created with a very short timeout (1 sec). net.inet.ip.fw.dyn_rst_lifetime (default of 1 second) was used instead of net.inet.ip.fw.dyn_ack_lifetime for the newly created TCP ACK dynamic rule, as a result, the rule gets added and removed (time expired) over and over again. 
Here's the scenario:

 turn off keep-alive via sysctl

 allow tcp from any to any telnet keep-state
 deny all from any to any

 host1 telnet to host2 -- dynamic rule (300s) STATE tcp host1 <-> host2 was created
 wait until the 300s has lapsed, check dynamic rule table
 ipfw -dt list
 dynamic rule tcp host1<->host2 is gone
 type something from host1 telnet window
 no new dynamic rule gets created, 'cuz it was added and removed after 1 second.

Shouldn't net.inet.ip.fw.dyn_ack_lifetime be used instead of net.inet.ip.fw.dyn_rst_lifetime when we update q->expire in lookup_dyn_rule()?

MC

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 22 13:59:20 2004
From: R2
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 22 Sep 2004 10:59:15 -0300
Message-ID: <41518533.8050607@infolinks.com.br>
In-Reply-To: <20040920230225.Y58694@debug.ro>
References: <20040920084359.eei75hutjsgs88@.mailhost.wsf.at> <1095699476.14974.13.camel@jose.hostarica.net> <20040920230225.Y58694@debug.ro>
Subject: Re: ipfw & natd

Cristian Ursuleanu wrote:

> you are right!
>
> but, I do some tests and it seems to work only when:
> net.inet.ip.fw.one_pass=0
>
> if net.inet.ip.fw.one_pass=0 then packets are reinjected into firewall,
> and when net.inet.ip.fw.one_pass=1 are not.
>
> I use: FreeBSD 4.10 STABLE, and ipfw1.
>
> "net.inet.ip.fw.one_pass: 1
>  Forces a single pass through the firewall. If set to 0,
>  packets coming out of a pipe will be reinjected into the
>  firewall starting with the rule after the matching one.
> "
>
> On Mon, 20 Sep 2004, Jose Hidalgo Herrera wrote:
>
>> You are right, but Tomas too!,
>>
>> what is missing here is:
>> # sysctl -w net.inet.ip.fw.one_pass=1
>>
>> Use the divert first, with one_pass=1 the package will
>> be reinjected and your fwd rule will work just fine.
>>
>> --- this will do
>>  sysctl -w net.inet.ip.fw.one_pass=1
>>
>>  natd -p 8668 -interface rl0
>>  natd -p 8669 -interface rl1
>>
>>  ipfw add 1000 divert 8668 all from any to any rl0
>>  ipfw add 2000 divert 8669 all from any to any rl1
>>  ipfw add 2010 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80 out recv ed0
>> ---
>> --
>> Jose Hidalgo
>> PGP: 15524480
>> jose at hostarica.com
>> http://www.hostarica.com

You can use this ipfw configuration to solve your problem:

 ipfw add 100 skipto 2000 all from any to any 80 out xmit rl0
 ipfw add 1000 divert natd all from any to any via rl0
 ipfw add 2000 divert natd2 all from any to any via rl1
 ipfw add fwd 5.6.7.9 all from 5.6.7.8 to any out xmit rl0

PS: The default route is sent to the rl0 interface, and it is necessary to forward all packets with source ip 5.6.7.8 to next-hop 5.6.7.9; this last ip is a remote interface of your service provider.
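Back to Muk Dunkin's "dynamic TCP rule lifetime is too short" report above: the following C model is added here for illustration and is neither ip_fw2.c nor anything posted on the list. It reconstructs how the flag history a dynamic rule has accumulated selects its lifetime and replays the telnet scenario with and without the proposed change; the 300s and 1s values are from the report, while the q->state bookkeeping and the other two lifetimes are assumptions.

```c
/*
 * Model of how an ipfw2 dynamic TCP rule picks its lifetime from the flags
 * it has seen; a simplified illustration, not the ip_fw2.c source. 300s
 * (dyn_ack) and 1s (dyn_rst) come from the report; 20s dyn_syn_lifetime,
 * 1s dyn_fin_lifetime and the q->state bookkeeping are assumptions.
 */
#include <stdio.h>

enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_ACK = 0x10 };
#define BOTH_SYN (TH_SYN | (TH_SYN << 8))
#define BOTH_FIN (TH_FIN | (TH_FIN << 8))

static const unsigned dyn_syn_lifetime = 20, dyn_ack_lifetime = 300,
                      dyn_fin_lifetime = 1, dyn_rst_lifetime = 1;

/* state: forward flags in bits 0-7, reverse in bits 8-15; expire in seconds */
struct dyn_rule { int valid; unsigned state, expire; };

/* Lifetime chosen from the accumulated SYN/FIN/RST history. */
static unsigned pick_lifetime(unsigned state)
{
    switch (state) {
    case TH_SYN:                    /* opening: one SYN seen */
        return dyn_syn_lifetime;
    case BOTH_SYN:                  /* established */
    case BOTH_SYN | TH_FIN:         /* one side closing */
    case BOTH_SYN | (TH_FIN << 8):
        return dyn_ack_lifetime;
    case BOTH_SYN | BOTH_FIN:       /* both sides closed */
        return dyn_fin_lifetime;
    default:                        /* reset, or no SYN history at all */
        return dyn_rst_lifetime;
    }
}

/* One packet hits the keep-state rule at time `now`: unlink the rule if it
 * has expired, create a fresh one (empty flag history) if none is live,
 * then re-arm q->expire. `fixed` applies the report's proposed change. */
static void track(struct dyn_rule *q, unsigned flags, int reverse,
                  unsigned now, int fixed)
{
    if (q->valid && now >= q->expire)
        q->valid = 0;                          /* UNLINK on expiry */
    if (!q->valid) {
        q->valid = 1;
        q->state = 0;
    }
    flags &= TH_FIN | TH_SYN | TH_RST;         /* ACK itself is not recorded */
    q->state |= reverse ? (flags << 8) : flags;
    unsigned lifetime = pick_lifetime(q->state);
    if (fixed && q->state == 0)
        lifetime = dyn_ack_lifetime;
    q->expire = now + lifetime;
}

/* Replays the reported scenario: handshake, idle past the 300s, then a
 * keystroke (ACK-only segment). Returns the lifetime the re-created rule
 * gets: 1s as reported, 300s with the proposed change. */
static unsigned recreated_rule_lifetime(int fixed)
{
    struct dyn_rule q = { 0, 0, 0 };
    track(&q, TH_SYN, 0, 0, fixed);            /* host1 -> host2 SYN */
    track(&q, TH_SYN | TH_ACK, 1, 0, fixed);   /* host2 -> host1 SYN/ACK */
    track(&q, TH_ACK, 0, 1, fixed);            /* host1 ACK: rule now 300s */
    unsigned later = q.expire + 1;             /* session idle past expiry */
    track(&q, TH_ACK, 0, later, fixed);        /* keystroke re-creates rule */
    return q.expire - later;
}

int main(void)
{
    printf("unpatched: %us, patched: %us\n",
           recreated_rule_lifetime(0), recreated_rule_lifetime(1));
}
```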
From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 22 18:37:57 2004
From: Muk Dunkin
To: freebsd-ipfw@freebsd.org
Date: Wed, 22 Sep 2004 11:37:57 -0700 (PDT)
Message-ID: <20040922183757.95610.qmail@web11509.mail.yahoo.com>
Subject: ip6fw and dynamic rules

Does anyone know what's the plan for supporting dynamic stateful rules in ip6fw?

thx
MC

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 22 21:26:58 2004
From: Brooks Davis
To: Muk Dunkin
cc: freebsd-ipfw@freebsd.org
Date: Wed, 22 Sep 2004 14:29:27 -0700
Message-ID: <20040922212927.GA4610@odin.ac.hmc.edu>
In-Reply-To: <20040922183757.95610.qmail@web11509.mail.yahoo.com>
Subject: Re: ip6fw and dynamic rules

On Wed, Sep 22, 2004 at 11:37:57AM -0700, Muk Dunkin wrote:
> Does anyone know what's the plan for supporting
> dynamic stateful rules in ip6fw?

It isn't likely to happen. ip6fw is almost certainly headed for the scrap yard. However, I recently posted a patch to this list based on the work of one of Luigi's students that adds ipfw support for IPv6. I didn't test the packet filtering extensively since I was interested in dummynet, but you might want to take a look at it.

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=62714+0+archive/2004/freebsd-ipfw/20040905.freebsd-ipfw

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 24 14:22:02 2004
From: James Davis
To: freebsd-ipfw@freebsd.org
Date: Fri, 24 Sep 2004 15:22:00 +0100 (BST)
Subject: Bridging and transparent web-cache

I'm setting up a small server to provide traffic shaping services on a network in order to conserve the relatively small bandwidth available. In order to minimise the reconfiguration on site I've configured the server as a bridge. So far it works brilliantly; interactive applications are now usable at the same time as FTP transfers.

I'd like to set up the server to act as a web cache using squid and again I'd like to minimise the reconfiguration required and have squid working transparently. However, I can't appear to get traffic to port 80 redirected to the local squid server; the traffic simply refuses to match the fwd rule.

I've searched Google and read over the mailing list archives and I've been left unsure as to whether this configuration is possible or not. Is it?

Thanks,

James

--
"You're turning into a penguin. Stop it"
http://jamesd.ukgeeks.co.uk/

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 24 14:25:16 2004
From: "Steve Bertrand"
To: "James Davis"
cc: freebsd-ipfw@freebsd.org
Date: Fri, 24 Sep 2004 10:27:24 -0400 (EDT)
Message-ID: <3924.209.167.16.15.1096036044.squirrel@209.167.16.15>
Subject: Re: Bridging and transparent web-cache

> I'm setting up a small server to provide traffic shaping services on a
> network in order to conserve the relatively small bandwidth available. In
> order to minimise the reconfiguration on site I've configured the server
> as a bridge. So far it works brilliantly, interactive applications are now
> usable at the same time as FTP transfers.
>
> I'd like to setup the server to act as a web cache using squid and again
> I'd like to minimise the reconfiguration required and have squid working
> transparently. However I can't appear to get traffic to port 80 redirected
> to the local squid server, the traffic simply refuses to match the fwd
> rule.
>
> I've searched Google and read over the mailing list archives and I've been
> left unsure as to whether this configuration is possible or not. Is it?
>

Please submit the pertinent rules in your firewall script, before and including the fwd rules, and include some details on your actual setup.

Steve

> Thanks,
>
> James
>
> --
> "You're turning into a penguin. Stop it"
> http://jamesd.ukgeeks.co.uk/

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 24 14:49:35 2004
From: James Davis
To: Steve Bertrand
cc: freebsd-ipfw@freebsd.org
Date: Fri, 24 Sep 2004 15:49:34 +0100 (BST)
In-Reply-To: <3924.209.167.16.15.1096036044.squirrel@209.167.16.15>
Subject: Re: Bridging and transparent web-cache

On Fri, 24 Sep 2004, Steve Bertrand wrote:

> Please submit the pertinent rules in your firewall script, before and
> including the fwd rules, and include some details in your actual
> setup.

Before (note that I've recompiled the kernel so that ipfw defaults to accept and I've cut out some irrelevant lines):

James.

--
# Clear out any old rules
ipfw -q flush

# Define some bits here to make life easy
# Define the external interface (in this case rl0 is the big D-Link card)
EXTIF=rl0
INTIF=dc0

# Define the size of the pipe. It's a bit less than the total capacity
# to allow for queues
PIPESIZE=60kb/s

# Set the size of the pipe
ipfw pipe 1 config bw $PIPESIZE

# Now define the class of data within the pipe. We'll have:-
ipfw queue 1 config pipe 1 weight 3
ipfw queue 2 config pipe 1 weight 2
ipfw queue 3 config pipe 1 weight 1

# Now lets define types of traffic and assign the class to each
# Web users
ipfw add 200 queue 2 tcp from any to any dst-port 80 in via $INTIF
ipfw add 210 queue 2 tcp from any to any src-port 80 in via $EXTIF
--

Now after...

--
# Clear out any old rules
ipfw -q flush

# Define some bits here to make life easy
# Define the external interface (in this case rl0 is the big D-Link card)
EXTIF=rl0
INTIF=dc0
IP=192.168.0.76

# Define the size of the pipe. It's a bit less than the total capacity
# to allow for queues
PIPESIZE=60kb/s

# Set the size of the pipe
ipfw pipe 1 config bw $PIPESIZE

# Now define the class of data within the pipe. We'll have:-
ipfw queue 1 config pipe 1 weight 3
ipfw queue 2 config pipe 1 weight 2
ipfw queue 3 config pipe 1 weight 1

# Web users
ipfw add 150 queue 1 tcp from $IP any to any dst-port 80 out via $EXTIF
ipfw add 160 fwd 127.0.0.1 tcp from any to any dst-port 80
--

--
"You're turning into a penguin.
Stop it"
http://jamesd.ukgeeks.co.uk/

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 24 22:37:54 2004
From: "Christian S.J. Peron"
To: hackers@freebsd.org
cc: max@love2party.net, ipfw@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 24 Sep 2004 22:37:54 +0000
Message-ID: <20040924223754.GA86799@freefall.freebsd.org>
Subject: fixes for ipfw and pf lock ordering issues

Good day folks, we need some beta testers.

Currently, those who utilize ucred based firewalling, i.e. firewall rules which match based on UID, GID or JAIL ID, are subject to lock order problems which often result in the system hard locking (when giant is not present ... debug.mpsafenet=1).

This problem affects all FreeBSD firewalls which implement ucred based matching, namely ipfw and pf. The lock order problem exists due to a layering violation which occurs when the IP stack attempts to acquire locks within lower level stacks such as UDP and TCP.

Max Laier (mlaier@) and myself have been working together to solve this problem. Together we have generated a set of diffs which do the following:

o Add a pointer to a PCB to pfil_hooks
o Modify existing pfil_hooks API to handle this extra argument
o Modify the pf and ipfw firewalls to utilize this extra argument so that lookups on local outbound TCP and UDP traffic can be deactivated (removing the requirement for holding INP locks, which was a primary suspect for these lock ordering issues).
o Implement a shared locking mechanism for firewall rule chain protection

The intended results of these changes are:

1) Remove the lock ordering issues which result in system hard locks
2) Avoid redundant PCB lookup overhead, improving the overall performance of ucred based rule sets
3) Improve network and firewall parallelism: shared locks give the OS the ability to run multiple evaluation or rule check activations concurrently, which should increase the overall network throughput on devices which have ipfw or pf firewalls enabled (regardless of whether or not these rules contain ucred based constraints).

If anyone could help us test these changes that would be great:

download: http://people.freebsd.org/~csjp/inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff

 cd /usr/src/sys
 fetch http://people.freebsd.org/~csjp/inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff
 patch < inp_pfil_fw_lor_fixes_shared_locks.1096053274.diff

Recompile your kernel and any related pf or ipfw modules, then add some user/group/jail based firewall rules.

Remember, these are pretty beta so ... be gentle :)

--
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 24 22:57:06 2004
From: Max Laier
To: "Christian S.J. Peron"
cc: bz@freebsd.org, hackers@freebsd.org, ipfw@freebsd.org, freebsd-pf@freebsd.org
Date: Sat, 25 Sep 2004 00:55:55 +0200
Message-Id: <200409250056.10275.max@love2party.net>
In-Reply-To: <20040924223754.GA86799@freefall.freebsd.org>
Subject: Re: fixes for ipfw and pf lock ordering issues

On Saturday 25 September 2004 00:37, Christian S.J. Peron wrote:
> Good day folks, we need some beta testers
>
> Currently, those who utilize ucred based firewalling, i.e. firewall
> rules which match based on UID, GID or JAIL ID are subject to lock order
> problems which often results in the system hard locking. (when giant
> is not present ... debug.mpsafenet=1).
>
> This problem affects all FreeBSD firewalls which implement ucred based
> matching, namely ipfw and pf. The lock order problem exists due to a
> layering violation which occurs when the IP stack attempts to acquire
> locks within lower level stacks such as UDP and TCP.

For the record [just realized that we forgot]: Talking about LOR id 14-17 ...

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News