From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 28 05:46:50 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6264B16A4CE for ; Sun, 28 Dec 2003 05:46:50 -0800 (PST) Received: from moutvdomng.kundenserver.de (moutvdom.kundenserver.de [212.227.126.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0D7F443D2F for ; Sun, 28 Dec 2003 05:46:48 -0800 (PST) (envelope-from liamfoy@sepulcrum.org) Received: from [212.227.126.220] (helo=mrelayng.kundenserver.de) by moutvdomng.kundenserver.de with esmtp (Exim 3.35 #1) id 1AabFn-0003ur-00 for freebsd-ipfw@freebsd.org; Sun, 28 Dec 2003 14:46:47 +0100 Received: from [217.43.129.115] (helo=sepulcrum.org) by mrvdomng.kundenserver.de with esmtp (Exim 3.35 #1) id 1AabFm-00052J-00 for freebsd-ipfw@freebsd.org; Sun, 28 Dec 2003 14:46:46 +0100 Message-ID: <3FEEDEC6.6050601@sepulcrum.org> Date: Sun, 28 Dec 2003 13:46:46 +0000 From: Liam Foy User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20031114 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org References: <20031227200050.47AD316A511@hub.freebsd.org> In-Reply-To: <20031227200050.47AD316A511@hub.freebsd.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: freebsd-ipfw Digest, Vol 40, Issue 4 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 28 Dec 2003 13:46:50 -0000 freebsd-ipfw-request@freebsd.org wrote: >Send freebsd-ipfw mailing list submissions to > freebsd-ipfw@freebsd.org > >To subscribe or unsubscribe via the World Wide Web, visit > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >or, via email, send a message with subject or body 'help' to > freebsd-ipfw-request@freebsd.org > >You can reach the 
person managing the list at
> freebsd-ipfw-owner@freebsd.org
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of freebsd-ipfw digest..."
>
>
>Today's Topics:
>
> 1. need testers for a ipfw rule generation script! (Boris Staeblow)
> 2. Re: need testers for a ipfw rule generation script!
> (Bjoern A. Zeeb)
> 3. Re: need testers for a ipfw rule generation script!
> (Boris Staeblow)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Fri, 26 Dec 2003 22:29:55 +0100
>From: Boris Staeblow
>Subject: need testers for a ipfw rule generation script!
>To: freebsd-ipfw@freebsd.org
>Message-ID: <200312262229.55270.bs@dva.in-berlin.de>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Hello,
>
>I need some testers for an ipfw rule generation script.
>Because I have to administer some dialup internet routers based on FreeBSD, I've
>written this script to simplify ipfw rule maintenance.
>Many rules are collected from several FreeBSD forums, HOWTOs and man pages.
>
>Here is the README:
>
>
>FIRE V1.07, 23 Dec. 2003, first public release
>----------------------------------------------
>
>The "fire" script creates a set of ipfw rules dynamically, depending on
>the settings in the main configuration file.
>
>Although this script is flexible, the main target is a single local network
>with internet access over an internet-connected device (usually tunX from
>ppp).
>
>- Of course I'm grateful for improvements, as I'm not a firewall
> and script expert!
>- Forgive any mistakes in writing.
>- DO NOT TRUST THE RESULTING IPFW-RULES BLINDLY!!! CHECK RULES WITH "ipfw
>list"!
>- USE THIS SCRIPT AT YOUR OWN RISK!
>- Send comments, suggestions and diffs to bs at dva.in-berlin.de :)
>
>Download the latest version at http://dva.dyndns.org
>
>Boris
>
>
>
>------------------------------
>
>Message: 2
>Date: Fri, 26 Dec 2003 22:23:28 +0000 (UTC)
>From: "Bjoern A. Zeeb"
>Subject: Re: need testers for a ipfw rule generation script!
>To: Boris Staeblow
>Cc: freebsd-ipfw@freebsd.org
>Message-ID:
>
>Content-Type: TEXT/PLAIN; charset=ISO-8859-1
>
>On Fri, 26 Dec 2003, Boris Staeblow wrote:
>
>
>
>>I need some testers for an ipfw rule generation script.
>>Because I have to administer some dialup internet routers based on FreeBSD, I've
>>written this script to simplify ipfw rule maintenance.
>>Many rules are collected from several FreeBSD forums, HOWTOs and man pages.
>>
>>
>
>I have just scrolled through this thing with pg_down and did not read
>it but there are things that always catch one's eye:
>
>please write 1000x times[1]: port 136 is neither netbios nor microsoft!
>write it like this: 135,137-139,445
>
>[1] the use of scripting languages is permitted ;-)))
>
>
>
After reading about what Boris has written, I have been working on something similar but in PHP. It will show IPFW statistics and generate rules much like Metacortex for OpenBSD. It can work for both IPFW and IPF once a single configuration has been changed. Anyone got any comments, or ideas people would like to see? Anyone think such an idea is useful?
Thanks in advance, -Liam-foy From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 28 10:00:12 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF7BD16A4CE for ; Sun, 28 Dec 2003 10:00:12 -0800 (PST) Received: from hirsch.in-berlin.de (hirsch.in-berlin.de [192.109.42.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6BFB743D2F for ; Sun, 28 Dec 2003 10:00:10 -0800 (PST) (envelope-from bs@dva.in-berlin.de) X-Envelope-From: bs@dva.in-berlin.de Received: from hirsch.in-berlin.de (localhost [127.0.0.1]) hBSI08Zl025057 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 28 Dec 2003 19:00:08 +0100 Received: (from uucp@localhost)hBSI035Y025004; Sun, 28 Dec 2003 19:00:03 +0100 Received: from dva.intranet.local (dva.intranet.local [10.0.0.10]) by dva.in-berlin.de (Postfix) with ESMTP id F0E49285F8; Sun, 28 Dec 2003 18:56:14 +0100 (CET) From: Boris Staeblow To: "Bjoern A. Zeeb" Date: Sun, 28 Dec 2003 18:56:14 +0100 User-Agent: KMail/1.5.4 References: <200312262229.55270.bs@dva.in-berlin.de> In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: inline Message-Id: <200312281856.14776.bs@dva.in-berlin.de> X-Scanned-By: MIMEDefang 2.38 cc: freebsd-ipfw@freebsd.org Subject: Re: need testers for a ipfw rule generation script! X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 28 Dec 2003 18:00:12 -0000 > write it like this: 135,137-139,445 I´ve released V1.08 today. 
Download it at http://dva.dyndns.org Boris Staeblow From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 28 14:30:11 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E926416A4CE for ; Sun, 28 Dec 2003 14:30:11 -0800 (PST) Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6DE4943D39 for ; Sun, 28 Dec 2003 14:30:10 -0800 (PST) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from transport.cksoft.de (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id B4B331FF91D; Sun, 28 Dec 2003 23:30:08 +0100 (CET) Received: by transport.cksoft.de (Postfix, from userid 66) id 123811FF90C; Sun, 28 Dec 2003 23:30:07 +0100 (CET) Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id DF3B4153ED; Sun, 28 Dec 2003 22:27:30 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.int.zabbadoz.net (Postfix) with ESMTP id D511915329; Sun, 28 Dec 2003 22:27:30 +0000 (UTC) Date: Sun, 28 Dec 2003 22:27:30 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@e0-0.zab2.int.zabbadoz.net To: Boris Staeblow In-Reply-To: <200312281856.14776.bs@dva.in-berlin.de> Message-ID: References: <200312262229.55270.bs@dva.in-berlin.de> <200312281856.14776.bs@dva.in-berlin.de> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE X-Virus-Scanned: by AMaViS cksoft-s20020300-20031204bz on transport.cksoft.de cc: freebsd-ipfw@freebsd.org Subject: Re: need testers for a ipfw rule generation script! 
X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 28 Dec 2003 22:30:12 -0000

On Sun, 28 Dec 2003, Boris Staeblow wrote:

> > write it like this: 135,137-139,445
>
> I've released V1.08 today. Download it at http://dva.dyndns.org

DNS can also be TCP.
(noted by a colleague who seemed to have a closer look at it).

--
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/

From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 28 15:55:05 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D094316A4CE for ; Sun, 28 Dec 2003 15:55:05 -0800 (PST) Received: from hirsch.in-berlin.de (hirsch.in-berlin.de [192.109.42.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3432443D5C for ; Sun, 28 Dec 2003 15:55:03 -0800 (PST) (envelope-from bs@dva.in-berlin.de) X-Envelope-From: bs@dva.in-berlin.de Received: from hirsch.in-berlin.de (localhost [127.0.0.1]) hBSNt1XX021268 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 29 Dec 2003 00:55:01 +0100 Received: (from uucp@localhost)hBSNt1XO021263; Mon, 29 Dec 2003 00:55:01 +0100 Received: from dva.intranet.local (dva.intranet.local [10.0.0.10]) by dva.in-berlin.de (Postfix) with ESMTP id B681C285F8; Mon, 29 Dec 2003 00:42:38 +0100 (CET) From: Boris Staeblow To: "Bjoern A.
Zeeb" Date: Mon, 29 Dec 2003 00:42:38 +0100 User-Agent: KMail/1.5.4 References: <200312262229.55270.bs@dva.in-berlin.de> <200312281856.14776.bs@dva.in-berlin.de> In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: inline Message-Id: <200312290042.38516.bs@dva.in-berlin.de> X-Scanned-By: MIMEDefang 2.38 cc: freebsd-ipfw@freebsd.org Subject: Re: need testers for a ipfw rule generation script! X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 28 Dec 2003 23:55:05 -0000 On Sonntag, 28. Dezember 2003 23:27, Bjoern A. Zeeb wrote: > DNS can also be TCP. > (noted by a colleague who seemed to have a closer look at it). under which circumstances is a DNS TCP connection needed? (I´ve never used a DNS TCP rule before - without any problem) Boris Staeblow bs@dva.in-berlin.de From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 28 16:03:01 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8B69916A4CE for ; Sun, 28 Dec 2003 16:03:01 -0800 (PST) Received: from y0d4.mr0vka.eu.org (y0d4.mr0vka.eu.org [195.116.69.198]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3A61A43D46 for ; Sun, 28 Dec 2003 16:02:58 -0800 (PST) (envelope-from lbromirski@mr0vka.eu.org) Received: from mr0vka.eu.org (cn186.neoplus.adsl.tpnet.pl [80.54.210.186]) by y0d4.mr0vka.eu.org (Postfix) with ESMTP id 030B0ED2D for ; Mon, 29 Dec 2003 01:02:52 +0000 (GMT) Message-ID: <3FEF6F28.3000802@mr0vka.eu.org> Date: Mon, 29 Dec 2003 01:02:48 +0100 From: =?ISO-8859-2?Q?=A3ukasz_Bromirski?= User-Agent: Mozilla Thunderbird 0.5a (20031219) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org References: <200312262229.55270.bs@dva.in-berlin.de> 
<200312281856.14776.bs@dva.in-berlin.de> <200312290042.38516.bs@dva.in-berlin.de> In-Reply-To: <200312290042.38516.bs@dva.in-berlin.de> Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: need testers for a ipfw rule generation script! X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Dec 2003 00:03:01 -0000

Boris Staeblow wrote:
> > DNS can also be TCP.
> > (noted by a colleague who seemed to have a closer look at it).
> Under which circumstances is a DNS TCP connection needed?
> (I've never used a DNS TCP rule before - without any problem)

When the reply can't fit into a single UDP datagram - about 64K for systems going per RFC, and about 8K for old, very strange implementations. 64K is quite a large space for most queries, but I've for example seen BIND 9 making a TCP connection when asked for a zone transfer that would exceed 512 bytes. It's safe to let tcp/udp 53 in.
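As an added illustration, and not code from the thread or from the "fire" script, the following Python helper does two things the thread touches on: it validates an ipfw-style port list such as the 135,137-139,445 that Bjoern suggests above (confirming that 136 is not in it) before the list is written into a rule, and it emits stateful DNS rules that open port 53 on both transports, since TCP carries truncated replies and zone transfers. The interface name ppp0, the rule numbers and the rule layout are assumptions made for this example.

```python
"""Added example (not code from the thread or from the "fire" script).

Validates an ipfw port list before it reaches 'ipfw add', and generates
DNS rules for both UDP and TCP.  Interface name, rule numbers and rule
layout are assumptions made for this illustration.
"""

NETBIOS_SMB_PORTS = "135,137-139,445"  # the list suggested in the thread


def parse_ports(spec):
    """Parse an ipfw-style port list into (lo, hi) pairs.

    Accepts comma-separated items, each a single port or a lo-hi range.
    Rejects empty items, non-numeric values, ports outside 1..65535 and
    inverted ranges, so a typo is caught before the rule is loaded.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port list %r" % spec)
        lo, _, hi = item.partition("-")
        hi = hi or lo
        if not (lo.isdigit() and hi.isdigit()):
            raise ValueError("non-numeric port in %r" % item)
        lo, hi = int(lo), int(hi)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % item)
        ranges.append((lo, hi))
    return ranges


def valid_ports(spec):
    """True if parse_ports() accepts the list."""
    try:
        parse_ports(spec)
    except ValueError:
        return False
    return True


def ports_contain(spec, port):
    """True if 'port' falls inside the list; checks e.g. that the NetBIOS
    list covers 137-139 but not 136."""
    return any(lo <= port <= hi for lo, hi in parse_ports(spec))


def netbios_block_rules(ext_if, base=500):
    """Drop NetBIOS/SMB in both directions on the external interface."""
    spec = NETBIOS_SMB_PORTS
    parse_ports(spec)  # raises on a malformed list
    return [
        "add %d deny log tcp from any to any %s via %s" % (base, spec, ext_if),
        "add %d deny log udp from any to any %s via %s" % (base + 10, spec, ext_if),
    ]


def dns_client_rules(ext_if, base=1000):
    """Resolver traffic from this host.  UDP carries ordinary queries; TCP
    is used when a reply is truncated and for zone transfers (RFC 1035,
    section 4.2), so a rule set that opens only udp 53 breaks those cases."""
    return [
        "add %d allow udp from me to any 53 keep-state out via %s" % (base, ext_if),
        "add %d allow tcp from me to any 53 setup keep-state out via %s" % (base + 10, ext_if),
    ]


def dns_server_rules(ext_if, base=1100):
    """For a public name server: accept queries over both transports; the
    dynamic entry lets the reply back out."""
    return [
        "add %d allow udp from any to me 53 keep-state in via %s" % (base, ext_if),
        "add %d allow tcp from any to me 53 setup keep-state in via %s" % (base + 10, ext_if),
    ]


if __name__ == "__main__":
    # Print the generated rule set the way a generator script would write
    # it to a rules file for ipfw to load.
    for rule in netbios_block_rules("ppp0") + dns_client_rules("ppp0") + dns_server_rules("ppp0"):
        print(rule)
```

The validation is the part worth keeping: ipfw2 accepts comma-separated lists with ranges, but a list that is off by one port (136 instead of 137) loads without complaint, so checking the intended ports against the list before loading is the only way to catch it.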
-- Łukasz Bromirski lbromirski:mr0vka.eu.org From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 28 16:10:10 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DA8FE16A4CE for ; Sun, 28 Dec 2003 16:10:10 -0800 (PST) Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0227543D31 for ; Sun, 28 Dec 2003 16:10:09 -0800 (PST) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from transport.cksoft.de (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id 1932C1FF91D; Mon, 29 Dec 2003 01:10:08 +0100 (CET) Received: by transport.cksoft.de (Postfix, from userid 66) id 6C5E51FF90C; Mon, 29 Dec 2003 01:10:06 +0100 (CET) Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id 7E3E9153ED; Mon, 29 Dec 2003 00:05:22 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.int.zabbadoz.net (Postfix) with ESMTP id 73F9615329; Mon, 29 Dec 2003 00:05:22 +0000 (UTC) Date: Mon, 29 Dec 2003 00:05:22 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@e0-0.zab2.int.zabbadoz.net To: Boris Staeblow In-Reply-To: <200312290042.38516.bs@dva.in-berlin.de> Message-ID: References: <200312262229.55270.bs@dva.in-berlin.de> <200312281856.14776.bs@dva.in-berlin.de> <200312290042.38516.bs@dva.in-berlin.de> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE X-Virus-Scanned: by AMaViS cksoft-s20020300-20031204bz on transport.cksoft.de cc: freebsd-ipfw@freebsd.org Subject: Re: need testers for a ipfw rule generation script! X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Dec 2003 00:10:11 -0000 On Mon, 29 Dec 2003, Boris Staeblow wrote: > On Sonntag, 28. 
Dezember 2003 23:27, Bjoern A. Zeeb wrote:
>
> > DNS can also be TCP.
> > (noted by a colleague who seemed to have a closer look at it).
>
> under which circumstances is a DNS TCP connection needed?
> (I've never used a DNS TCP rule before - without any problem)

If I remember correctly it's RFC 1035 /Transport

--
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/

From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 28 19:09:54 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 145E516A4CE for ; Sun, 28 Dec 2003 19:09:54 -0800 (PST) Received: from publicd.ub.mng.net (publicd.ub.mng.net [202.179.0.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B50043D1D for ; Sun, 28 Dec 2003 19:09:52 -0800 (PST) (envelope-from ganbold@micom.mng.net) Received: from [202.179.0.164] (helo=ganbold.micom.mng.net) by publicd.ub.mng.net with asmtp (Exim 4.24; FreeBSD 5.1) id 1Aanhq-0008h9-De for freebsd-ipfw@freebsd.org; Mon, 29 Dec 2003 11:04:34 +0800 Message-Id: <6.0.1.1.2.20031229110759.02933610@202.179.0.80> X-Sender: ganbold@micom.mng.net@202.179.0.80 X-Mailer: QUALCOMM Windows Eudora Version 6.0.1.1 Date: Mon, 29 Dec 2003 11:13:27 +0800 To: freebsd-ipfw@freebsd.org From: Ganbold Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: DUMMYNET pipe lifetime X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Dec 2003 03:09:54 -0000

Hi,

I'm using DUMMYNET pipes for bandwidth management in FreeBSD 5.2-current. When I change a dummynet pipe's bandwidth and then try to view it using:

ipfw pipe show

it shows the old bandwidth values. I wonder how I can immediately see the bandwidth changes. Is there any timing issue in dummynet?
What should I do so that bandwidth changes take effect immediately?

tia,
Ganbold

From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 28 19:49:46 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6849216A4CE for ; Sun, 28 Dec 2003 19:49:46 -0800 (PST) Received: from publicd.ub.mng.net (publicd.ub.mng.net [202.179.0.88]) by mx1.FreeBSD.org (Postfix) with ESMTP id 27D8F43D39 for ; Sun, 28 Dec 2003 19:49:45 -0800 (PST) (envelope-from ganbold@micom.mng.net) Received: from [202.179.0.164] (helo=ganbold.micom.mng.net) by publicd.ub.mng.net with asmtp (Exim 4.24; FreeBSD 5.1) id 1AaoKR-0008tQ-MS for freebsd-ipfw@freebsd.org; Mon, 29 Dec 2003 11:44:27 +0800 Message-Id: <6.0.1.1.2.20031229115136.029ad068@202.179.0.80> X-Sender: ganbold@micom.mng.net@202.179.0.80 X-Mailer: QUALCOMM Windows Eudora Version 6.0.1.1 Date: Mon, 29 Dec 2003 11:53:19 +0800 To: freebsd-ipfw@freebsd.org From: Ganbold Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: DUMMYNET pipe lifetime X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Dec 2003 03:49:46 -0000

Hi,

Sorry for my previous message about the dummynet pipe, please ignore it. I have to use the ipfw pipe flush command.
tia,
Ganbold

From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 28 23:07:25 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1B55F16A4CE for ; Sun, 28 Dec 2003 23:07:25 -0800 (PST) Received: from mailbox.wingercom.dk (mailbox.easyspeedy.dk [81.19.240.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7C99143D55 for ; Sun, 28 Dec 2003 23:07:21 -0800 (PST) (envelope-from per@xterm.dk) Received: from mailbox.wingercom.dk (localhost [127.0.0.1]) by mailbox.wingercom.dk (Postfix) with SMTP id 0FBCB931AF; Mon, 29 Dec 2003 08:11:24 +0100 (CET) Received: from 62.242.151.142 (SquirrelMail authenticated user per) by mailbox.wingercom.dk with HTTP; Mon, 29 Dec 2003 08:11:24 +0100 (CET) Message-ID: <34589.62.242.151.142.1072681884.squirrel@mailbox.wingercom.dk> Date: Mon, 29 Dec 2003 08:11:24 +0100 (CET) From: "Per Engelbrecht" To: In-Reply-To: References: X-Mailer: SquirrelMail (version 1.2.5) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit cc: freebsd-ipfw@freebsd.org Subject: Re: need testers for a ipfw rule generation script! X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Dec 2003 07:07:25 -0000

Hi Bjoern, Boris, et al

On certain occasions I've seen TCP queries (!) in my log. Don't ask me why, but a thread on the bind list (a year ago or so) described how some MS clients used TCP and not UDP to query a DNS server. If you read RFC 1034/1035 you will see that zone transfer between servers is always TCP, while a query is "always" on UDP. I allow both TCP and UDP queries in my firewall ruleset on my public DNS servers for the same reason.

/per
per@xterm.dk

> On Mon, 29 Dec 2003, Boris Staeblow wrote:
>
>> On Sonntag, 28. Dezember 2003 23:27, Bjoern A.
Zeeb wrote:
>>
>> > DNS can also be TCP.
>> > (noted by a colleague who seemed to have a closer look at it).
>>
>> under which circumstances is a DNS TCP connection needed?
>> (I've never used a DNS TCP rule before - without any problem)
>
> If I remember correctly it's RFC 1035 /Transport
>
> --
> Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
> 56 69 73 69 74 http://www.zabbadoz.net/
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to
> "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 29 11:03:38 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BECA916A4CE for ; Mon, 29 Dec 2003 11:03:38 -0800 (PST) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9028043DA8 for ; Mon, 29 Dec 2003 11:02:55 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.10/8.12.10) with ESMTP id hBTJ2sFR041583 for ; Mon, 29 Dec 2003 11:02:54 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id hBTJ2sBh041578 for ipfw@freebsd.org; Mon, 29 Dec 2003 11:02:54 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 29 Dec 2003 11:02:54 -0800 (PST) Message-Id: <200312291902.hBTJ2sBh041578@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: FreeBSD bugmaster To: ipfw@FreeBSD.org Subject: Current problem reports assigned to you X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post:
List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Dec 2003 19:03:38 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw  [patch] time based firewalling support fo

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 30 02:20:23 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1B37616A4CE for ; Tue, 30 Dec 2003 02:20:23 -0800 (PST) Received: from mail.alkar.net (mail.alkar.net [195.248.191.95]) by mx1.FreeBSD.org (Postfix) with ESMTP id D595343D46 for ; Tue, 30 Dec 2003 02:20:20 -0800 (PST) (envelope-from mav@alkar.net) Received: from [212.86.226.11] (HELO alkar.net) by mail.alkar.net (CommuniGate Pro SMTP 4.1.8) with ESMTP id 133336576; Tue, 30 Dec 2003 12:20:19 +0200 Message-ID: <3FF15163.8060809@alkar.net> Date: Tue, 30 Dec 2003 12:20:19 +0200 From: Alexander Motin User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6a) Gecko/20031202 X-Accept-Language: ru, en-us, en MIME-Version: 1.0 To: al vanyushenkov References: <20031230054214.8C30044B31@sumykhimprom.org.ua> In-Reply-To: <20031230054214.8C30044B31@sumykhimprom.org.ua> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-ipfw@freebsd.org Subject: Re: gray network and ipfw2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Dec 2003 10:20:23 -0000

al vanyushenkov wrote:
> hi all
> i have freebsd 4.8 installed and i use ipfw2 with the rules
> #!/bin/sh
> ipfw='/sbin/ipfw'
> $ipfw -f flush
>
> $ipfw add divert natd all from any to any via ppp0
> $ipfw add allow log all from any to any
                       ^^^^^
This rule matches packets on all interfaces, internal too. On the internal interface you really have grey addresses.

>
> my local ethernet card has 192.168.133.7 ip address
> and my ppp0 interface has 217.15.x.x ip address.
> > when i tried to connect to 195.54.192.44:21 from my local box i got the lines > > Accept TCP 172.16.202.106:4802 195.54.192.44:21 out via ppp0 > Accept TCP 195.54.192.44:21 172.16.202.106:4802 in via ppp0 > and so on. > > as i know 172.16.0.0 are gray addresses and i haven't got any 172.16.x.x networks > in my environment. > Could anybody tell me what 172.16.202.106:4802 does in my log file. -- Alexander Motin mav@alkar.net ISP "Alkar-Teleport" From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 29 21:41:28 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A6D5216A4CE; Mon, 29 Dec 2003 21:41:28 -0800 (PST) Received: from sumykhimprom.org.ua (sumykhimprom.org.ua [193.178.229.235]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2FB3143D2F; Mon, 29 Dec 2003 21:41:27 -0800 (PST) (envelope-from vanyushenkov@nettmail.de) Received: from mobile (mobile.sumykhimprom.org.ua [10.15.7.111]) by sumykhimprom.org.ua (Postfix) with SMTP id 8C30044B31; Tue, 30 Dec 2003 07:42:14 +0200 (EET) From: =?koi8-r?Q?=22?=al vanyushenkov=?koi8-r?Q?=22=20?= MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----------7ER51173KTYNMG" Message-Id: <20031230054214.8C30044B31@sumykhimprom.org.ua> Date: Tue, 30 Dec 2003 07:42:14 +0200 (EET) To: undisclosed-recipients: ; X-Mailman-Approved-At: Tue, 30 Dec 2003 05:06:39 -0800 Subject: gray network and ipfw2 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Dec 2003 05:41:29 -0000 ------------7ER51173KTYNMG Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit hi all i have freebsd 4.8 installed and i use ipfw2 with the rules #!/bin/sh fwcmd=/sbin/ipfw ${fwcmd} -f flush #!/bin/sh ipfw='/sbin/ipfw' $ipfw -f flush $ipfw add divert natd all from any to 
any via ppp0 $ipfw add allow log all from any to any my local ethernet card has 192.168.133.7 ip address and my ppp0 interface has 217.15.x.x ip address. when i tried to connect to 195.54.192.44:21 from my local box i got the lines Accept TCP 172.16.202.106:4802 195.54.192.44:21 out via ppp0 Accept TCP 195.54.192.44:21 172.16.202.106:4802 in via ppp0 and so on. as i know 172.16.0.0 are gray addresses and i haven't got any 172.16.x.x networks in my environment. Could anybody tell me what 172.16.202.106:4802 does in my log file. Thanks vanyushenkov al _______________________________________________ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" ------------7ER51173KTYNMG--
From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 30 01:26:54 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9769616A4CE for ; Tue, 30 Dec 2003 01:26:54 -0800 (PST) Received: from f12.mail.ru (f12.mail.ru [194.67.57.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id A7F0B43D41 for ; Tue, 30 Dec 2003 01:26:53 -0800 (PST) (envelope-from vanyushenkov@mail.ru) Received: from mail by f12.mail.ru with local id 1AbG9L-000Esg-00 for freebsd-ipfw@freebsd.org; Tue, 30 Dec 2003 12:26:51 +0300 Received: from [193.233.48.103] by msg.mail.ru with HTTP; Tue, 30 Dec 2003 12:26:51 +0300 From: =?koi8-r?Q?=22?=al vanyushenkov=?koi8-r?Q?=22=20?= To: freebsd-ipfw@freebsd.org Mime-Version: 1.0 X-Mailer: mPOP Web-Mail 2.19 X-Originating-IP:
[193.233.48.103] Date: Tue, 30 Dec 2003 12:26:51 +0300 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 8bit Message-Id: X-Mailman-Approved-At: Tue, 30 Dec 2003 05:06:39 -0800 Subject: ftp access X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: =?koi8-r?Q?=22?=al vanyushenkov=?koi8-r?Q?=22=20?= List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Dec 2003 09:26:54 -0000

Hi all!

I use FreeBSD 4.8 with ipfw2. I have these ipfw rules:

...
check-state
...
allow udp from me to any 21 keep-state out via rl0
allow tcp from me to any 21 setup keep-state out via rl0
deny all from any to any

rl0 is my internet interface.

When I tried to use ftp I connected and ran ls successfully, but when I tried to get or put files I got records in ipfw.log:

deny tcp x.x.x.x:20 y.y.y.y:z

where x.x.x.x is the remote IP address and y.y.y.y is my IP address.

Does anybody know which rules I should add to allow TCP connections from me and deny all connections from outside to me?
Thanks
vanyushenkov alexey
adm@ruskhleb.ru

From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 30 05:26:40 2003
From: "fbsd_user"
To: "al vanyushenkov"
Date: Tue, 30 Dec 2003 08:26:37 -0500
Subject: RE: ftp access
Reply-To: fbsd_user@a1poweruser.com
X-List-Received-Date: Tue, 30 Dec 2003 13:26:40 -0000

The FTP protocol has two modes, active and passive. In active mode the remote FTP server will request an inbound connection for the data connection and you have no rule to allow it in. In passive mode the requesting FTP session issues the data connection which your rules allow.

To fix the problem and still keep your tight firewall, all you have to do is tell the FTP client program you are using to default to passive mode and then everything will work without any changes to your ipfw rules.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 30 12:35:20 2003
From: Boris
Staeblow
To: "Bjoern A. Zeeb"
Date: Tue, 30 Dec 2003 21:31:13 +0100
References: <200312262229.55270.bs@dva.in-berlin.de> <200312290042.38516.bs@dva.in-berlin.de>
Message-Id: <200312302131.13179.bs@dva.in-berlin.de>
cc: freebsd-ipfw@freebsd.org
Subject: Re: need testers for a ipfw rule generation script!
X-List-Received-Date: Tue, 30 Dec 2003 20:35:20 -0000

> > If I remember correctly it's RFC 1035 /Transport

OK, I change the DNS rule from "udp" to "ip" in the next release.

Thank you! (and all other testers!)

btw, anyone successfully installed this script in the meantime?

Boris

-- 
Boris Staeblow
bs@dva.in-berlin.de
http://dva.dyndns.org
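The three symptoms discussed in the messages above (172.16.x.x addresses showing up on ppp0 behind "divert natd", denied connections from server port 20 after an FTP "ls", and a DNS rule that allows "udp" but not "ip") are all visible in ipfw's log output, and a small triage script makes them easy to spot across a day's worth of lines. The script below is an added example for this archive page; it is not code from any of the messages and is not part of the fire script. The sample log lines are constructed to resemble the ones quoted in the thread, with made-up rule numbers, high ports, the 217.15.0.2 address and the DNS line; the set of Internet-facing interfaces (ppp0, rl0) is an assumption taken from the two questions.

```python
"""Triage ipfw log lines for the symptoms raised in this thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modeled on the lines quoted in the thread.  The rule
# numbers, the 217.15.0.2 address, the DNS line and all high ports are made up.
SAMPLE_LOG = """\
ipfw: 200 Accept TCP 172.16.202.106:4802 195.54.192.44:21 out via ppp0
ipfw: 200 Accept TCP 195.54.192.44:21 172.16.202.106:4802 in via ppp0
ipfw: 300 Deny TCP 195.54.192.44:20 217.15.0.2:49152 in via rl0
ipfw: 200 Accept TCP 217.15.0.2:4803 195.54.192.44:53211 out via rl0
ipfw: 300 Deny TCP 217.15.0.2:49153 195.54.192.44:53 out via rl0
"""

# RFC 1918 private ranges (the "gray addresses" of the first message).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Interfaces assumed to face the Internet (ppp0 and rl0 in the two questions).
EXTERNAL_IFACES = {"ppp0", "rl0"}

# "ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>";
# the "ipfw: <rule>" prefix is optional because the quoted lines omit it.
LINE_RE = re.compile(
    r"(?:ipfw:\s+(?P<rule>\d+)\s+)?(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)


@dataclass
class Entry:
    rule: Optional[int]
    action: str       # lower-cased: "accept", "deny", ...
    proto: str        # lower-cased: "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" or "out"
    iface: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one ipfw log line; return None for lines in another format."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return Entry(
        rule=int(m["rule"]) if m["rule"] else None,
        action=m["action"].lower(),
        proto=m["proto"].lower(),
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        direction=m["dir"], iface=m["iface"],
    )


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(e: Entry) -> List[str]:
    """Return the findings for one entry (empty when nothing stands out)."""
    findings: List[str] = []
    if e.iface in EXTERNAL_IFACES:
        # A private address on the Internet-facing interface is worth a look:
        # either the packet was not translated, or the interface holds an
        # address other than the one you expect.
        if e.direction == "out" and is_rfc1918(e.src):
            findings.append("private-src-leaving-external")
        if e.direction == "in" and is_rfc1918(e.dst):
            findings.append("private-dst-entering-external")
    if e.proto == "tcp":
        if e.direction == "out" and e.dport == 21:
            findings.append("ftp-control-outbound")
        if e.direction == "in" and e.sport == 20:
            # Active-mode FTP: the server opens the data connection from port 20
            # back to the client.  The keep-state entry for the port 21 control
            # session does not match it, so a default-deny ruleset logs a deny.
            findings.append("ftp-active-data-inbound")
        if e.action == "deny" and e.dport == 53:
            # DNS also runs over TCP (RFC 1035, section 4.2); a rule that only
            # allows udp to port 53 blocks those queries.
            findings.append("dns-over-tcp-blocked")
    return findings


def triage(log_text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to findings; lines with no findings are omitted."""
    result: Dict[int, List[str]] = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        e = parse_line(line)
        if e is not None and (findings := classify(e)):
            result[n] = findings
    return result


if __name__ == "__main__":
    for n, findings in triage(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(findings)}")
```

Run as-is it reports on the constructed sample; pointing triage() at a real ipfw log (for example the "ipfw:" lines from /var/log/security) works the same way. The findings are flags, not verdicts: "ftp-active-data-inbound" on a deny line is exactly the situation fbsd_user describes, where switching the client to passive mode makes the data connection outbound, and "dns-over-tcp-blocked" is the case Boris's "udp" to "ip" change is meant to cover.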