From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 7 19:10:10 2005
Date: Sun, 7 Aug 2005 19:09:56 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: FreeBSD ipfw mailing list
Subject: ipfw ipv6 problems + patch needing review
List-Id: IPFW Technical Discussions

Hi,

with the current implementation of ipfw + IPv6 we ran into a number of
problems.

1st category: syntax.
You will find some information about this on the page at [1].

2nd category: functionality.
There had been problems with extension headers, and reading the code we
discovered that there was no logging for IPv6 *joy*. I was told that no
reject code for v6 is another showstopper for moving from ip6fw to ipfw.

There is a patch at [2] to address the extension header bug, IPv6 logging
and the TCP RST/ICMPv6 unreach features. I need feedback on this to get it
in before 6.0, so please test and review and let me know.

The idea is to give people one clear set of things for IPv4 and one clear
set for IPv6. When running v6, using "ip" or "any" is almost impossible
with the current implementation apart from the default rule.

It's a fixup patch to get the functionality in for 6.0 and leave the
cleanup for later. Not more, not less.

Greetings
Bjoern A. Zeeb

[1] http://sources.zabbadoz.net/freebsd/ipfw-v6.html
[2] http://sources.zabbadoz.net/freebsd/patchset/ip_fw2.c-rev.1.106-10.diff

--
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 8 09:48:41 2005
Date: Mon, 8 Aug 2005 12:49:20 +0300
From: vladone
To: freebsd-ipfw@freebsd.org
Message-ID: <5210286161.20050808124920@spaingsm.com>
Subject: strange problem with ipfw

Hi!
I have a FreeBSD (5.4) server that acts as a gateway. NAT is done with
ipnat and traffic shaping with ipfw+dummynet.
I have this problem: the server works well, but after approximately 5 min.
my private interface stops responding (I don't have ping, nothing). After
I give "ipfw flush" and reload the ipfw script, my server works again.
Where is my problem?

My ipfw script is:

#!/bin/sh
cmd="/sbin/ipfw -q"
pif="rl0"
lif="fxp0"
local_net="192.168.101.0/24"
down="250Kbit/s"
up="200Kbit/s"
games_ports="27005,27010,27015,27016,27017,27018,27019,27020"

#flush rules
$cmd flush

$cmd add 50 allow ip from $local_net to $local_net via $lif
$cmd add 200 deny ip from any to any 80 in via $lif
# rules 300 and 600 do not exist: ipfw continues at the next higher-numbered rule
$cmd add 200 skipto 300 ip from $local_net to any in via $lif
$cmd add 200 skipto 300 ip from any to $local_net out via $lif
$cmd add 200 deny ip from any to any via $lif

$cmd pipe 1 config bw $down
$cmd pipe 2 config bw 128kbits/s mask dst-ip 0xffffff
# queue 1 shares pipe 1 between per-destination-host flows
$cmd queue 1 config pipe 1 weight 1 mask dst-ip 0xffffff

$cmd add 500 pipe 2 ip from any $games_ports to any out via $lif
$cmd add 500 skipto 600 ip from any $games_ports to any out via $lif
$cmd add 500 queue 1 ip from any to any out via $lif

$pif is the public interface and $lif is the private interface, and my
sysctl.conf contains:

net.inet.ip.fw.one_pass=0

For the moment I resolve this by running the ipfw script every 3 min. with
crontab, but this is not a normal solution.
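As an added illustration that is not part of vladone's post or of ipfw itself, the following Python model walks a packet through the rules above the way ipfw(8) does: same-numbered rules are kept in insertion order, `skipto` continues at the first rule numbered at or above the target (300 and 600 do not exist, so those jumps land on rule 500 and on the default rule respectively), and with `net.inet.ip.fw.one_pass=0` a packet returning from a pipe or queue re-enters at the next rule. The rules are transcribed by hand with `$lif=fxp0` and `$local_net=192.168.101.0/24`; the sample packets are constructed, and the kernel's default-rule policy (IPFIREWALL_DEFAULT_TO_ACCEPT or not) is a parameter, since the post does not say.

```python
"""Walk a packet through the ipfw ruleset posted above the way ipfw(8) does.

Added example, not code from the post or from ipfw.  Rules are transcribed
by hand with lif=fxp0 and local_net=192.168.101.0/24; only the options the
script uses (addresses, ports, in/out, via) are modelled."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LOCAL = ip_network("192.168.101.0/24")
GAMES = {27005, 27010, 27015, 27016, 27017, 27018, 27019, 27020}


def rule(num, action, target=None, src=ANY, dst=ANY, sports=None,
         dports=None, direction=None, via=None):
    return dict(num=num, action=action, target=target, src=src, dst=dst,
                sports=sports, dports=dports, direction=direction, via=via)


# ipfw keeps rules sorted by number; equal numbers stay in insertion order.
RULES = [
    rule(50, "allow", src=LOCAL, dst=LOCAL, via="fxp0"),
    rule(200, "deny", dports={80}, direction="in", via="fxp0"),
    rule(200, "skipto", 300, src=LOCAL, direction="in", via="fxp0"),
    rule(200, "skipto", 300, dst=LOCAL, direction="out", via="fxp0"),
    rule(200, "deny", via="fxp0"),
    rule(500, "pipe", 2, sports=GAMES, direction="out", via="fxp0"),
    rule(500, "skipto", 600, sports=GAMES, direction="out", via="fxp0"),
    rule(500, "queue", 1, direction="out", via="fxp0"),
]


def packet(src, sport, dst, dport, proto, direction, iface):
    """A constructed packet as ipfw sees it on one pass through one interface."""
    return dict(src=ip_address(src), sport=sport, dst=ip_address(dst),
                dport=dport, proto=proto, direction=direction, iface=iface)


def matches(r, pkt):
    if pkt["src"] not in r["src"] or pkt["dst"] not in r["dst"]:
        return False
    if r["direction"] and r["direction"] != pkt["direction"]:
        return False
    if r["via"] and r["via"] != pkt["iface"]:        # "via X" = in or out on X
        return False
    has_ports = pkt["proto"] in ("tcp", "udp")       # port options never match ICMP etc.
    if r["sports"] is not None and not (has_ports and pkt["sport"] in r["sports"]):
        return False
    if r["dports"] is not None and not (has_ports and pkt["dport"] in r["dports"]):
        return False
    return True


def evaluate(pkt, rules=RULES, one_pass=False, default_accept=True):
    """Return (verdict, trace).  skipto N continues at the first rule numbered
    >= N (an absent N lands on the next higher rule, or on 65535); after a
    pipe/queue the packet re-enters at the next rule unless one_pass is set.
    default_accept mirrors IPFIREWALL_DEFAULT_TO_ACCEPT (assumed; the post
    does not state the kernel's default)."""
    trace, i = [], 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        if r["action"] in ("allow", "deny"):
            trace.append(f"{r['num']} {r['action']}")
            return r["action"], trace
        trace.append(f"{r['num']} {r['action']} {r['target']}")
        if r["action"] == "skipto":
            i = next((j for j in range(i + 1, len(rules))
                      if rules[j]["num"] >= r["target"]), len(rules))
        elif one_pass:                  # dummynet output is not re-examined
            return "allow", trace
        else:
            i += 1
    trace.append("65535 default")
    return ("allow" if default_accept else "deny"), trace


SAMPLES = {                              # constructed traffic through the gateway
    "LAN host to https": packet("192.168.101.5", 1234, "10.0.0.1", 443, "tcp", "in", "fxp0"),
    "LAN host to http": packet("192.168.101.5", 1234, "10.0.0.1", 80, "tcp", "in", "fxp0"),
    "game server reply": packet("10.0.0.2", 27015, "192.168.101.7", 5000, "udp", "out", "fxp0"),
    "web server reply": packet("10.0.0.1", 80, "192.168.101.7", 5000, "tcp", "out", "fxp0"),
}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        verdict, trace = evaluate(p)
        print(f"{name:18s} {' -> '.join(trace)}  => {verdict}")
```

Every trace except the port-80 one ends at rule 65535, so the kernel's default rule, not the script, decides whether ordinary LAN traffic passes.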
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 8 11:01:54 2005
Date: Mon, 8 Aug 2005 11:01:53 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Message-Id: <200508081101.j78B1reW006810@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
f [2004/12/25] kern/75483  ipfw   ipfw count does not count
o [2005/05/11] bin/80913   ipfw   /sbin/ipfw2 silently discards MAC addr ar

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276  ipfw   ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971  ipfw   ipfw antispoof incorrectly blocks broadca
o [2005/05/05] kern/80642  ipfw   [patch] IPFW small patch - new RULE OPTIO
o [2005/06/28] kern/82724  ipfw   [patch] Add setnexthop and defaultroute f

4 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 8 11:02:32 2005
Date: Mon, 8 Aug 2005 11:02:31 GMT
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Message-Id: <200508081102.j78B2VcG007362@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 8 11:57:15 2005
Date: Mon, 8 Aug 2005 14:57:18 +0300
From: vladone
To: freebsd-ipfw@freebsd.org
Message-ID: <868811314.20050808145718@spaingsm.com>
Subject: theoretical question about ipfw

Hi!
I have this situation:

ipfw pipe 1 config bw 512kbits/s
ipfw queue 1 config pipe 1 mask dst-ip 0xffffff
ipfw add queue 1 ip from any to any out via $private_interface

According to the man pages, this configuration gives each host the same
bandwidth.

My question:
I have 2 users:
the first downloads a file from a good server with the maximum speed possible
the second downloads a file at a very low speed from another server

Do my rules split the bandwidth equally for both users in this case? More
exactly, does each user have 256kbits/s, even if one user cannot use all
the bandwidth?
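As an added illustration, not part of the thread and not dummynet's own code, the model below computes the steady-state split of a 512 kbit/s pipe among per-host WF2Q+ queues: the scheduler is work-conserving, so a host that cannot fill its share leaves the remainder to the hosts that can, and weights only matter between hosts that are backlogged. The demands (the fast and slow downloads from the question) are constructed numbers; the `weights` argument corresponds to the `weight` keyword of `ipfw queue config`.

```python
"""Steady-state share of a dummynet pipe among per-host WF2Q+ queues
(added example; a model of the scheduling outcome, not dummynet's code).
All rates are in kbit/s."""


def fair_share(capacity, demands, weights=None):
    """Weighted max-min fair allocation by progressive filling.

    capacity: pipe bandwidth, e.g. 512 for "pipe 1 config bw 512kbits/s"
    demands:  {host: rate the host could use if unconstrained}
    weights:  {host: weight} as in "queue 1 config ... weight N" (default 1)
    Returns {host: allocated rate}.  A host never gets more than it demands,
    and whatever it leaves unused is redistributed to the others.
    """
    weights = weights or {}
    w = {h: weights.get(h, 1) for h in demands}
    alloc = {h: 0.0 for h in demands}
    active = set(demands)            # hosts still wanting more
    remaining = float(capacity)
    while active and remaining > 1e-9:
        total_w = sum(w[h] for h in active)
        # Raise every active host's share in proportion to its weight until
        # the pipe is full or the least demanding active host is satisfied.
        step = min((demands[h] - alloc[h]) / w[h] for h in active)
        step = min(step, remaining / total_w)
        for h in active:
            alloc[h] += step * w[h]
        remaining -= step * total_w
        active = {h for h in active if demands[h] - alloc[h] > 1e-9}
    return alloc


def thread_scenario():
    """The two users from the question: one download that could use far more
    than the pipe, one that only ever reaches 50 kbit/s (constructed figure)."""
    return fair_share(512, {"fast-download": 1000, "slow-download": 50})


def describe(capacity, demands, weights=None):
    alloc = fair_share(capacity, demands, weights)
    lines = [f"pipe {capacity} kbit/s"]
    for h in demands:
        lines.append(f"  {h:15s} wants {demands[h]:6.0f}  gets {alloc[h]:6.1f}")
    lines.append(f"  idle {capacity - sum(alloc.values()):.1f} kbit/s")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(512, {"fast-download": 1000, "slow-download": 50}))
    print(describe(512, {"host-a": 1000, "host-b": 1000}))              # 256 each
    print(describe(512, {"host-a": 1000, "host-b": 1000}, {"host-a": 3}))  # 3:1 split
```

With both hosts saturating the pipe the split is 256/256; with the slow host stuck at 50 kbit/s the fast one receives the remaining 462 kbit/s rather than a fixed 256.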
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 8 18:48:03 2005
Date: Mon, 8 Aug 2005 20:48:16 +0200
From: Jeremie Le Hen
To: vladone
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20050808184816.GO45385@obiwan.tataz.chchile.org>
In-Reply-To: <868811314.20050808145718@spaingsm.com>
Subject: Re: theoretical question about ipfw

Hi,

> I have this situation:
> ipfw pipe 1 config bw 512kbits/s
> ipfw queue 1 config pipe 1 mask dst-ip 0xffffff
> ipfw add queue 1 ip from any to any out via $private_interface
>
> According to the man pages, this configuration gives each host the same
> bandwidth.
> My question:
> I have 2 users:
> the first downloads a file from a good server with the maximum speed possible
> the second downloads a file at a very low speed from another server
>
> Do my rules split the bandwidth equally for both users in this case? More
> exactly, does each user have 256kbits/s, even if one user cannot
> use all the bandwidth?

I'm not 100% sure about it, but as a long-time user of ipfw/dummynet, I
would say that the bandwidth not used by the second one will be given to
the first one.

However, Luigi surely has the right answer on this.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 9 20:24:45 2005
Date: Wed, 10 Aug 2005 05:24:42 +0900
From: "Tetsuji \"Maverick\" Rai"
To: freebsd-ipfw@freebsd.org
Message-ID: <42F9110A.5080204@vfemail.net>
Subject: firewall/nat question: simple, but no example found

Hi,

I've been using Linux and know iptables well, but I don't know ipfw,
although I had been using FreeBSD for 3 years in the good old days w/o a
firewall on a dial-up connection ;)

So here goes my question.

I am building a FreeBSD gateway at home. It obtains an external IP
address from the ISP dynamically using DHCP, and I have two other boxes
(and some virtual boxes) internally using static private network
addresses (192.168.x.x).

I want to set up a firewall/NAT so that

1. The gateway (also a web server) accepts TCP port 80 and (probably) 25
   from outside, but incoming TCP/UDP ports 1-1024,1043,10000 connections
   are blocked.
2. Inside the private network, nothing is blocked.

Isn't it so simple? But I cannot find any nice examples... the default
rc.firewall contains examples using a static IP address, but not DHCP. I
want to specify the interface, not the IP address.

BTW my external interface is rl0 (DHCP) and the internal one is fxp0
(static).

Thanks in advance!

--
Tetsuji 'Maverick' Rai
PGP Key fingerprint = 2021 6BF9 CEA3 73DE FF17 B326 F4DA F04E F784 3B85
Aviation Jokes: http://www.geocities.com/tetsuji_rai/
Profile http://maverick.ns1.name/ http://maverick.IsASecret.com/

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 9 20:43:38 2005
Date: Tue, 09 Aug 2005 16:43:35 -0400
From: Chuck Swiger
To: "Tetsuji \"Maverick\" Rai"
Cc: freebsd-ipfw@freebsd.org
Message-ID: <42F91577.6020202@mac.com>
In-Reply-To: <42F9110A.5080204@vfemail.net>
Subject: Re: firewall/nat question: simple, but no example found

Tetsuji "Maverick" Rai wrote:
[ ... ]
> I want to set up a firewall/NAT so that
>
> 1. The gateway (also a web server) accepts TCP port 80 and (probably) 25
>    from outside, but incoming TCP/UDP ports 1-1024,1043,10000 connections
>    are blocked.
> 2. Inside the private network, nothing is blocked.
>
> Isn't it so simple?

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

--
-Chuck
From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 10 05:53:29 2005
Date: Wed, 10 Aug 2005 07:38:17 +0900
From: "Tetsuji \"Maverick\" Rai"
To: Chuck Swiger
Cc: freebsd-ipfw@freebsd.org
Message-ID: <42F93059.8050709@vfemail.net>
In-Reply-To: <42F91577.6020202@mac.com>
Subject: Re: firewall/nat question: simple, but no example found

Chuck Swiger wrote:
> Tetsuji "Maverick" Rai wrote:
> [ ... ]
>> I want to set up a firewall/NAT so that
>>
>> 1. The gateway (also a web server) accepts TCP port 80 and (probably) 25
>>    from outside, but incoming TCP/UDP ports 1-1024,1043,10000 connections
>>    are blocked.
>> 2. Inside the private network, nothing is blocked.
>>
>> Isn't it so simple?
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
>

Thanks! It's as simple as I expected, but I forgot the FreeBSD site
itself.. I was looking at other sites.

--
Tetsuji 'Maverick' Rai

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 11 16:01:58 2005
Date: Thu, 11 Aug 2005 19:00:36 +0300
From: Volodya Pelekh
To: freebsd-ipfw@freebsd.org
Message-ID: <1591062177.20050811190036@mail.lviv.ua>
Subject: Problem with dummynet

I have a problem with dummynet in FreeBSD 5.4.
When I create any (10Mbit/s) pipe for any host in my local network, the
delay for this host rises from 1-3 ms to 15-20 ms; on FreeBSD 5.3 I have
not seen something like that.

Pings before I add the pipes:

ping 192.168.1.3
PING 192.168.1.3 (192.168.1.3): 56 data bytes
64 bytes from 192.168.1.3: icmp_seq=0 ttl=125 time=2.314 ms
64 bytes from 192.168.1.3: icmp_seq=1 ttl=125 time=3.506 ms
^C
--- 192.168.1.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.314/2.910/3.506/0.596 ms

ipfw pipe 3 config bw 10Mbit/s queue 3MB
ipfw pipe 4 config bw 10Mbit/s queue 3MB
ipfw a 3 pipe 4 ip from 192.168.1.3 to me
ipfw a 3 pipe 3 ip from me to 192.168.1.3

Pings after I add the pipes:

ping 192.168.1.3
PING 192.168.1.3 (192.168.1.3): 56 data bytes
64 bytes from 192.168.1.3: icmp_seq=0 ttl=125 time=13.902 ms
64 bytes from 192.168.1.3: icmp_seq=1 ttl=125 time=19.183 ms
64 bytes from 192.168.1.3: icmp_seq=2 ttl=125 time=19.651 ms
64 bytes from 192.168.1.3: icmp_seq=3 ttl=125 time=19.891 ms
64 bytes from 192.168.1.3: icmp_seq=4 ttl=125 time=19.458 ms
^C
--- 192.168.1.3 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 13.902/18.417/19.891/2.269 ms

My kernel:

machine         i386
cpu             I686_CPU
ident           AERO

options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         MD_ROOT                 # MD is a potential root device
options         NFSCLIENT               # Network Filesystem Client
options         NFSSERVER               # Network Filesystem Server
options         NFS_ROOT                # NFS usable as /, requires NFSCLIENT
options         MSDOSFS                 # MSDOS Filesystem
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_GPT                # GUID Partition Tables.
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         SCSI_DELAY=15000        # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
device          apic                    # I/O APIC
options         VM_KMEM_SIZE_SCALE="1"

options         IPFIREWALL
options         IPFIREWALL_FORWARD
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=300
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPDIVERT
options         DUMMYNET
options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_PPPOE
options         NETGRAPH_SOCKET
options         NETGRAPH_TEE
options         IPFILTER
options         IPFILTER_LOG
options         DEVICE_POLLING
options         TCPDEBUG
options         TCP_DROP_SYNFIN

device          isa
device          pci
device          fdc
device          ata
device          atadisk                 # ATA disk drives
device          ataraid                 # ATA RAID drives
device          atapicd                 # ATAPI CDROM drives
options         ATA_STATIC_ID           # Static device numbering
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          vga                     # VGA video card driver
device          splash                  # Splash screen and screen saver support
device          sc
device          agp                     # support several AGP chipsets
device          npx
device          pmtimer
device          cbb                     # cardbus (yenta) bridge
device          pccard                  # PC Card (16-bit) bus
device          cardbus                 # CardBus (32-bit) bus

# Serial (COM) ports
device          sio                     # 8250, 16[45]50 based serial ports

device          miibus                  # MII bus support
device          fxp                     # Intel EtherExpress PRO/100B (82557, 82558)
device          rl                      # RealTek 8129/8139
device          tl                      # Texas Instruments ThunderLAN
device          xl                      # 3Com 3c90x (``Boomerang'', ``Cyclone'')

device          loop                    # Network loopback
device          mem                     # Memory and kernel memory devices
device          io                      # I/O device
device          random                  # Entropy device
device          ether                   # Ethernet support
device          ppp                     # Kernel PPP
device          tun                     # Packet tunnel.
device pty # Pseudo-ttys (telnet etc) device md # Memory "disks" device bpf # Berkeley packet filter Sorry for my English Thanks Wait for answer ---------------------------------------------------------------------- UARNet Volodymyr Pelekh Tel: +38 0322 97 91 16 E-mail mailto:vpeleh@mail.lviv.ua ---------------------------------------------------------------------- From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 11 16:18:34 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1832416A41F for ; Thu, 11 Aug 2005 16:18:34 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id B530F43D45 for ; Thu, 11 Aug 2005 16:18:33 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from localhost (localhost [127.0.0.1]) by pi.codefab.com (Postfix) with ESMTP id 13C035CBE; Thu, 11 Aug 2005 12:18:33 -0400 (EDT) Received: from pi.codefab.com ([127.0.0.1]) by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 27807-09; Thu, 11 Aug 2005 12:18:31 -0400 (EDT) Received: from [192.168.1.3] (pool-68-161-79-217.ny325.east.verizon.net [68.161.79.217]) by pi.codefab.com (Postfix) with ESMTP id 2461C5C51; Thu, 11 Aug 2005 12:18:30 -0400 (EDT) Message-ID: <42FB7A5A.5060802@mac.com> Date: Thu, 11 Aug 2005 12:18:34 -0400 From: Chuck Swiger Organization: The Courts of Chaos User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050801 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Volodya Pelekh References: <1591062177.20050811190036@mail.lviv.ua> In-Reply-To: <1591062177.20050811190036@mail.lviv.ua> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at codefab.com Cc: freebsd-ipfw@freebsd.org Subject: Re: Problem with dummynet 
X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Aug 2005 16:18:34 -0000

Volodya Pelekh wrote:
> I have a problem with dummynet in FreeBSD 5.4
> When I create any (10Mbit/s) pipe for any host in my local network, the delay for this host
> rises from 1-3 ms to 15-20 ms; on FreeBSD 5.3 I have not seen anything like
> that

Have you set HZ to a high value? The ping numbers suggest you have the default setting of HZ=100, which means you will often see 10-20 ms of latency for local traffic...

--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 11 16:49:25 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0EC1816A41F for ; Thu, 11 Aug 2005 16:49:25 +0000 (GMT) (envelope-from vpeleh@mail.lviv.ua) Received: from omega.uar.net (Omega.UAR.Net [194.44.214.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id 68CDD43D46 for ; Thu, 11 Aug 2005 16:49:24 +0000 (GMT) (envelope-from vpeleh@mail.lviv.ua) Received: from localhost (localhost [127.0.0.1]) by omega.uar.net (8.12.10/8.12.9) with ESMTP id j7BGjp8j037629; Thu, 11 Aug 2005 19:45:51 +0300 (EEST) Received: from omega.uar.net ([127.0.0.1]) by localhost (omega.uar.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 05075-09-2; Thu, 11 Aug 2005 19:45:40 +0300 (EEST) Received: from VPELEH1 ([194.44.214.108]) by omega.uar.net (8.12.10/8.12.10) with ESMTP id j7BGhuEw028754; Thu, 11 Aug 2005 19:43:56 +0300 (EEST) Date: Thu, 11 Aug 2005 19:48:20 +0300 From: Volodya Pelekh X-Mailer: The Bat!
(v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <875355983.20050811194820@mail.lviv.ua> To: Chuck Swiger In-Reply-To: <42FB7A5A.5060802@mac.com> References: <1591062177.20050811190036@mail.lviv.ua> <42FB7A5A.5060802@mac.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: freebsd-ipfw@freebsd.org Subject: Re[2]: Problem with dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Volodya Pelekh List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Aug 2005 16:49:25 -0000

Yes, it is set at the default value:

  sysctl kern.clockrate
  kern.clockrate: { hz = 100, tick = 10000, profhz = 1024, stathz = 128 }

but on FreeBSD 4.5 and 5.3 in my network this is set to HZ 100 too, and I do not have this problem on those computers.

FreeBSD 4.5:

  sysctl kern.clockrate
  kern.clockrate: { hz = 100, tick = 10000, tickadj = 5, profhz = 1024, stathz = 128 }
  router# uname -a
  FreeBSD _______ 4.5-RELEASE FreeBSD 4.5-RELEASE #5: Wed Dec 8 16:36:11 EET 2004 _________:/usr/src/sys/compile/DSL i386

FreeBSD 5.4:

  sysctl kern.clockrate
  kern.clockrate: { hz = 100, tick = 10000, profhz = 1024, stathz = 128 }
  uname -a
  FreeBSD test.uar.net 5.3-RELEASE FreeBSD 5.3-RELEASE #1: Wed May 11 14:53:44 UTC 2005

Thanks

Thursday, August 11, 2005, 7:18:34 PM, You wrote:

> Volodya Pelekh wrote:
>> I have a problem with dummynet in FreeBSD 5.4
>> When I create any (10Mbit/s) pipe for any host in my local network, the delay for this host
>> rises from 1-3 ms to 15-20 ms; on FreeBSD 5.3 I have not seen anything like
>> that

> Have you set HZ to a high value? The ping numbers suggest you have the default
> setting of HZ=100, which means you will often see 10-20 ms of latency for local
> traffic...

----------------------------------------------------------------------
UARNet Volodymyr Pelekh
Tel: +38 0322 97 91 16
E-mail mailto:vpeleh@mail.lviv.ua
----------------------------------------------------------------------

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 11 16:59:13 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8477A16A41F for ; Thu, 11 Aug 2005 16:59:13 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 26D8543D49 for ; Thu, 11 Aug 2005 16:59:13 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from localhost (localhost [127.0.0.1]) by pi.codefab.com (Postfix) with ESMTP id 684E95DE1; Thu, 11 Aug 2005 12:59:12 -0400 (EDT) Received: from pi.codefab.com ([127.0.0.1]) by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 28048-01; Thu, 11 Aug 2005 12:59:11 -0400 (EDT) Received: from [192.168.1.3] (pool-68-161-79-217.ny325.east.verizon.net [68.161.79.217]) by pi.codefab.com (Postfix) with ESMTP id B09BE5CEA; Thu, 11 Aug 2005 12:59:10 -0400 (EDT) Message-ID: <42FB83E1.5020706@mac.com> Date: Thu, 11 Aug 2005 12:59:13 -0400 From: Chuck Swiger Organization: The Courts of Chaos User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Gecko/20050801 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Volodya Pelekh References: <1591062177.20050811190036@mail.lviv.ua> <42FB7A5A.5060802@mac.com> <875355983.20050811194820@mail.lviv.ua> In-Reply-To: <875355983.20050811194820@mail.lviv.ua> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at codefab.com Cc: freebsd-ipfw@freebsd.org Subject: Re: Problem with dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list
List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Aug 2005 16:59:13 -0000

Volodya Pelekh wrote:
> Yes, it is set at the default value:
> sysctl kern.clockrate
> kern.clockrate: { hz = 100, tick = 10000, profhz = 1024, stathz = 128 }
>
> but on FreeBSD 4.5 and 5.3 in my network this is set to HZ 100 too, and I
> do not have this problem on those computers

How much of a difference changing HZ makes may depend on a lot of things such as whether you are using device polling, etc, but if you care about reducing the latency observed by network stats to below 10 ms, adding:

  kern.hz="1000"

...to /boot/loader.conf and rebooting is definitely worth the try. As the manpage for dummynet itself says:

  Generally, the following options are required:

        options IPFIREWALL
        options DUMMYNET
        options HZ=1000         # strongly recommended

  Additionally, one may want to increase the number of mbuf clusters (used
  to store network packets) according to the sum of the bandwidth-delay
  products and queue sizes of all configured pipes.

Also, you ought to upgrade that 4.5 system to 4.11 if you can; there have been some significant security advisories issued between the two, BTW.
--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 12 07:05:08 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 66EC816A41F for ; Fri, 12 Aug 2005 07:05:08 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from mail.spaingsm.com (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id F3A4743D5C for ; Fri, 12 Aug 2005 07:05:07 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from SERVEREL (unknown [85.120.13.6]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.spaingsm.com (Postfix) with ESMTP id 9559124C6C3 for ; Fri, 12 Aug 2005 08:51:56 +0200 (CEST) Date: Fri, 12 Aug 2005 10:04:42 +0300 From: vladone X-Mailer: The Bat! (v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <1581417195.20050812100442@spaingsm.com> To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: problem: MAC in via internal interface X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Aug 2005 07:05:08 -0000

Hi!
I want to permit only traffic from my network class through the internal interface. So I put this rule in my ipfw rules to see what the traffic is:

  $cmd add 51 count log logamount 0 all from not $local_net to any in via $lif

I studied my logs and I found this:

  Aug 12 09:58:14 freebsd kernel: ipfw: 51 Count UDP 0.0.0.0:68 255.255.255.255:67 in via fxp0
  Aug 12 09:58:14 freebsd kernel: ipfw: 51 Count UDP 0.0.0.0:68 255.255.255.255:67 in via fxp0
  Aug 12 09:58:18 freebsd kernel: ipfw: 51 Count MAC in via fxp0

When I deny this traffic, the network freezes after 3-10 min. I think it is because the traffic indicated by "MAC in via fxp0" is blocked. What kind of traffic is this? I can't block illegal traffic for this reason.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 12 07:09:25 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DF2EE16A41F for ; Fri, 12 Aug 2005 07:09:25 +0000 (GMT) (envelope-from hugle@vkt.lt) Received: from sender.vkt.lt (sender.vkt.lt [212.59.30.61]) by mx1.FreeBSD.org (Postfix) with ESMTP id F358143D49 for ; Fri, 12 Aug 2005 07:09:24 +0000 (GMT) (envelope-from hugle@vkt.lt) Received: (qmail 25306 invoked by uid 89); 12 Aug 2005 07:09:23 -0000 Received: by simscan 1.1.0 ppid: 25300, pid: 25302, t: 0.4289s scanners: attach: 1.1.0 clamav: 0.86.2/m:33/d:1007 spam: 3.0.4 Received: from unknown (HELO ip-212-59-26-55.static.vkt.lt) (hugle@vkt.lt@212.59.26.55) by 0 with SMTP; 12 Aug 2005 07:09:22 -0000 Date: Fri, 12 Aug 2005 10:09:25 +0300 From: Jara X-Mailer: The Bat!
(v3.5) Professional X-Priority: 3 (Normal) Message-ID: <1179467822.20050812100925@vkt.lt> To: freebsd-ipfw@freebsd.org In-Reply-To: <1581417195.20050812100442@spaingsm.com> References: <1581417195.20050812100442@spaingsm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on sender.vkt.lt X-Spam-Level: ** X-Spam-Status: No, score=2.3 required=5.0 tests=AWL,BAYES_00, HELO_DYNAMIC_IPADDR autolearn=no version=3.0.4 Subject: Re: problem: MAC in via internal interface X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Aug 2005 07:09:26 -0000

Hi,
I think it is because after 2-3 mins you start blocking ARP queries, which results in something like this: the machine doesn't know the other machine's HW address, it tries to get this address again, and there is no answer.

Jarek
---------------------------------------

> Hi!
> I want to permit only traffic from my network class through the internal
> interface. So I put this rule in my ipfw rules to see what the traffic is:
> $cmd add 51 count log logamount 0 all from not $local_net to any in via $lif
> I studied my logs and I found this:
> Aug 12 09:58:14 freebsd kernel: ipfw: 51 Count UDP 0.0.0.0:68 255.255.255.255:67 in via fxp0
> Aug 12 09:58:14 freebsd kernel: ipfw: 51 Count UDP 0.0.0.0:68 255.255.255.255:67 in via fxp0
> Aug 12 09:58:18 freebsd kernel: ipfw: 51 Count MAC in via fxp0
> When I deny this traffic, the network freezes after 3-10 min. I think it is
> because the traffic indicated by "MAC in via fxp0" is blocked.
> What kind of traffic is this? I can't block illegal traffic for this
> reason.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to
> "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 12 07:16:41 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B345116A41F for ; Fri, 12 Aug 2005 07:16:41 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from mail.spaingsm.com (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 28C4843D49 for ; Fri, 12 Aug 2005 07:16:41 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from SERVEREL (unknown [85.120.13.6]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.spaingsm.com (Postfix) with ESMTP id 280C524C6C3 for ; Fri, 12 Aug 2005 09:03:31 +0200 (CEST) Date: Fri, 12 Aug 2005 10:16:22 +0300 From: vladone X-Mailer: The Bat! (v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <759045036.20050812101622@spaingsm.com> To: freebsd-ipfw@freebsd.org In-Reply-To: <1179467822.20050812100925@vkt.lt> References: <1581417195.20050812100442@spaingsm.com> <1179467822.20050812100925@vkt.lt> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re[2]: problem: MAC in via internal interface X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Aug 2005 07:16:41 -0000

And how do I permit this traffic?
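The question above, and Jara's answer further down the thread (allow `layer2 mac-type 0x0806`, i.e. ARP, in front of the deny rule), can be checked with the following model. It is an added example, not code from the thread or from FreeBSD. The "MAC in via fxp0" log line is what this ipfw version prints for a frame it inspects at layer 2; that only happens with the sysctl net.link.ether.ipfw=1, which the thread never states, so treat it as an assumption about the setup. A frame that is not IP carries no IP source address, so `from not $local_net` cannot match it in the plain sense, and the `not` turns that non-match into a match: the deny rule swallows ARP and the LAN "freezes" once ARP caches time out. The model evaluates that rule with and without the allow rule in front of it over constructed frames plus the three log lines from the post; `$local_net` is assumed to be 192.168.1.0/24, the default rule is assumed to deny, and the log regex follows the format shown in the post (later ipfw releases print more fields for MAC entries).

```python
"""Model of ipfw first-match evaluation against layer-2 frames.

Added example for the "MAC in via fxp0" thread; not code from the thread
or from FreeBSD.  Assumptions: net.link.ether.ipfw=1 (frames pass ipfw at
layer 2), $local_net = 192.168.1.0/24, default rule denies.
"""
import ipaddress
import re

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806            # the mac-type Jara's rule allows

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed value of $local_net

# Constructed frames as they arrive "in via fxp0".  A non-IP frame has no
# IP header, so src_ip is None.
ARP_REQUEST = {"ethertype": ETHERTYPE_ARP, "src_ip": None}
LOCAL_HOST = {"ethertype": ETHERTYPE_IP, "src_ip": "192.168.1.10"}
SPOOFED = {"ethertype": ETHERTYPE_IP, "src_ip": "10.9.9.9"}
DHCP_DISCOVER = {"ethertype": ETHERTYPE_IP, "src_ip": "0.0.0.0"}  # the UDP 0.0.0.0:68 lines


def src_test(frame, net, negate):
    """ipfw 'from [not] <net>'.  With no IP header there is no source
    address to compare, so the plain test fails; 'not' inverts that
    failure into a match, which is how 'from not $local_net' hit ARP."""
    if frame["src_ip"] is None:
        hit = False
    else:
        hit = ipaddress.ip_address(frame["src_ip"]) in net
    return hit != negate


def rule_matches(rule, frame):
    """The two match options this model supports:
    'layer2 mac-type <ethertype>' and 'from [not] <net>'."""
    if "mac_type" in rule and frame["ethertype"] != rule["mac_type"]:
        return False
    if "src_net" in rule and not src_test(frame, rule["src_net"], rule.get("src_not", False)):
        return False
    return True


def first_match(ruleset, frame, default_action="deny"):
    """ipfw is first-match: (rule number, action) of the first hit, else the
    default rule 65535 (assumed to deny; IPFIREWALL_DEFAULT_TO_ACCEPT flips it)."""
    for rule in ruleset:
        if rule_matches(rule, frame):
            return rule["num"], rule["action"]
    return 65535, default_action


# 'deny all from not $local_net to any in via $lif' on its own ...
BROKEN = [
    {"num": 51, "action": "deny", "src_net": LOCAL_NET, "src_not": True},
]
# ... and with 'ipfw add 00001 allow ip from any to any layer2 mac-type 0x0806' in front.
FIXED = [
    {"num": 1, "action": "allow", "mac_type": ETHERTYPE_ARP},
    {"num": 51, "action": "deny", "src_net": LOCAL_NET, "src_not": True},
]

# Log lines copied from the post; the regex follows exactly their format.
LOG_LINES = [
    "Aug 12 09:58:14 freebsd kernel: ipfw: 51 Count UDP 0.0.0.0:68 255.255.255.255:67 in via fxp0",
    "Aug 12 09:58:14 freebsd kernel: ipfw: 51 Count UDP 0.0.0.0:68 255.255.255.255:67 in via fxp0",
    "Aug 12 09:58:18 freebsd kernel: ipfw: 51 Count MAC in via fxp0",
]
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+)"
    r"(?: (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+))?"
    r" (?P<dir>in|out) via (?P<ifn>\w+)"
)


def parse_ipfw_log(lines):
    """One dict per recognised ipfw log line; 'layer2' is True for entries
    with no IP addresses (ARP and other non-IP frames)."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["layer2"] = rec["proto"] == "MAC"
        out.append(rec)
    return out


def layer2_hits(lines):
    """Rule hits caused by non-IP frames: the ones an IP-address rule with
    'not' will deny although it never names them."""
    return sum(1 for r in parse_ipfw_log(lines) if r["layer2"])


if __name__ == "__main__":
    for name, f in [("ARP", ARP_REQUEST), ("local", LOCAL_HOST),
                    ("spoofed", SPOOFED), ("DHCP", DHCP_DISCOVER)]:
        print(f"{name:8s} broken: {first_match(BROKEN, f)}  fixed: {first_match(FIXED, f)}")
    print("layer-2 hits in log:", layer2_hits(LOG_LINES))
```

Two things the model makes visible beyond the thread's fix: the spoofed frame is still denied with the allow rule in front, so the anti-spoofing intent survives; and the two UDP 0.0.0.0:68 to 255.255.255.255:67 lines in the post are DHCP discovers, which the same rule also denies, because 0.0.0.0 is not in the local net either. That is harmless unless this box is the DHCP server or relay for the segment.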
From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 12 07:43:46 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF63316A41F for ; Fri, 12 Aug 2005 07:43:46 +0000 (GMT) (envelope-from hugle@vkt.lt) Received: from sender.vkt.lt (sender.vkt.lt [212.59.30.61]) by mx1.FreeBSD.org (Postfix) with ESMTP id C21B743D5A for ; Fri, 12 Aug 2005 07:43:45 +0000 (GMT) (envelope-from hugle@vkt.lt) Received: (qmail 28969 invoked by uid 89); 12 Aug 2005 07:43:44 -0000 Received: by simscan 1.1.0 ppid: 28962, pid: 28964, t: 0.3158s scanners: attach: 1.1.0 clamav: 0.86.2/m:33/d:1007 spam: 3.0.4 Received: from unknown (HELO ip-212-59-26-55.static.vkt.lt) (hugle@vkt.lt@212.59.26.55) by 0 with SMTP; 12 Aug 2005 07:43:43 -0000 Date: Fri, 12 Aug 2005 10:43:47 +0300 From: Jara X-Mailer: The Bat! (v3.5) Professional X-Priority: 3 (Normal) Message-ID: <1089226315.20050812104347@vkt.lt> To: freebsd-ipfw@freebsd.org In-Reply-To: <759045036.20050812101622@spaingsm.com> References: <1581417195.20050812100442@spaingsm.com> <1179467822.20050812100925@vkt.lt> <759045036.20050812101622@spaingsm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on sender.vkt.lt X-Spam-Level: ** X-Spam-Status: No, score=2.3 required=5.0 tests=AWL,BAYES_00, HELO_DYNAMIC_IPADDR autolearn=no version=3.0.4 Subject: Re[3]: problem: MAC in via internal interface X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Aug 2005 07:43:46 -0000

Try out this:

  ipfw add 00001 allow ip from any to any layer2 mac-type 0x0806

This type is ARP request/reply, as far as I remember.

Jarek
---------------------------------------

> And how do I permit this traffic?

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 12 08:48:30 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9944616A41F for ; Fri, 12 Aug 2005 08:48:30 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from mail.spaingsm.com (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 37C3443D53 for ; Fri, 12 Aug 2005 08:48:29 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from SERVEREL (unknown [85.120.13.6]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.spaingsm.com (Postfix) with ESMTP id AA81E24C6C3 for ; Fri, 12 Aug 2005 10:35:18 +0200 (CEST) Date: Fri, 12 Aug 2005 11:48:05 +0300 From: vladone X-Mailer: The Bat! (v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <1024573863.20050812114805@spaingsm.com> To: freebsd-ipfw@freebsd.org In-Reply-To: <1089226315.20050812104347@vkt.lt> References: <1581417195.20050812100442@spaingsm.com> <1179467822.20050812100925@vkt.lt> <759045036.20050812101622@spaingsm.com> <1089226315.20050812104347@vkt.lt> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re[4]: problem: MAC in via internal interface X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Aug 2005 08:48:30 -0000

Thanks! Thanks! Thanks! Works perfectly! Now I can block any traffic that is illegal.
For anyone who is interested: you can put the rule as Jara suggested, or like this:

  ipfw add 00001 allow ip from any to any layer2 mac-type arp

It is the same thing. Thanks again!

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 12 10:56:00 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E93E716A41F for ; Fri, 12 Aug 2005 10:56:00 +0000 (GMT) (envelope-from vpeleh@mail.lviv.ua) Received: from omega.uar.net (Omega.UAR.Net [194.44.214.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2D73043D46 for ; Fri, 12 Aug 2005 10:55:59 +0000 (GMT) (envelope-from vpeleh@mail.lviv.ua) Received: from mx1.uar.net (MX1.UAR.Net [194.44.214.16]) by omega.uar.net (8.12.10/8.12.9) with ESMTP id j7CAqA9v029640; Fri, 12 Aug 2005 13:52:16 +0300 (EEST) Received: from localhost (localhost [127.0.0.1]) by mx1.uar.net (8.13.3/8.13.3) with ESMTP id j7CAt8Tf045259; Fri, 12 Aug 2005 13:55:08 +0300 (EEST) Received: from omega.uar.net ([194.44.214.39]) by localhost (mx1.uar.net [194.44.214.16]) (amavisd-new, port 10024) with LMTP id 42218-01-2; Fri, 12 Aug 2005 13:54:22 +0300 (EEST) Received: from VPELEH1 ([194.44.214.108]) by omega.uar.net (8.12.10/8.12.10) with ESMTP id j7CAkLEw065830; Fri, 12 Aug 2005 13:46:21 +0300 (EEST) Date: Fri, 12 Aug 2005 13:51:09 +0300 From: Volodya Pelekh X-Mailer: The Bat!
(v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <1961417412.20050812135109@mail.lviv.ua> To: Chuck Swiger In-Reply-To: <42FB83E1.5020706@mac.com> References: <1591062177.20050811190036@mail.lviv.ua> <42FB7A5A.5060802@mac.com> <875355983.20050811194820@mail.lviv.ua> <42FB83E1.5020706@mac.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at uar.net Cc: freebsd-ipfw@freebsd.org Subject: Re[2]: Problem with dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Volodya Pelekh List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Aug 2005 10:56:01 -0000

Thanks. When I set HZ=1000, the delay stays normal. I tried this on my test computer, but I think it will work on the server too.

Thank you

Thursday, August 11, 2005, 7:59:13 PM, You wrote:

> Volodya Pelekh wrote:
>> Yes, it is set at the default value:
>> sysctl kern.clockrate
>> kern.clockrate: { hz = 100, tick = 10000, profhz = 1024, stathz = 128 }
>>
>> but on FreeBSD 4.5 and 5.3 in my network this is set to HZ 100 too, and I
>> do not have this problem on those computers

> How much of a difference changing HZ makes may depend on a lot of things such
> as whether you are using device polling, etc, but if you care about reducing
> the latency observed by network stats to below 10 ms, adding:
> kern.hz="1000"
> ...to /boot/loader.conf and rebooting is definitely worth the try. As the
> manpage for dummynet itself says:
> Generally, the following options are required:
> options IPFIREWALL
> options DUMMYNET
> options HZ=1000 # strongly recommended
> Additionally, one may want to increase the number of mbuf clusters (used
> to store network packets) according to the sum of the bandwidth-delay
> products and queue sizes of all configured pipes.

> Also, you ought to upgrade that 4.5 system to 4.11 if you can; there have been some
> significant security advisories issued between the two, BTW.

----------------------------------------------------------------------
UARNet Volodymyr Pelekh
Tel: +38 0322 97 91 16
E-mail mailto:vpeleh@mail.lviv.ua
----------------------------------------------------------------------

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 12 15:37:56 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D2B916A41F for ; Fri, 12 Aug 2005 15:37:56 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from mail.spaingsm.com (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3387043D48 for ; Fri, 12 Aug 2005 15:37:56 +0000 (GMT) (envelope-from vladone@spaingsm.com) Received: from SERVEREL (unknown [85.120.13.6]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.spaingsm.com (Postfix) with ESMTP id 2F78B24C77A for ; Fri, 12 Aug 2005 17:24:43 +0200 (CEST) Date: Fri, 12 Aug 2005 18:37:32 +0300 From: vladone X-Mailer: The Bat! (v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <392845895.20050812183732@spaingsm.com> To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: traffic shaping with dummynet and priorize questions X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Aug 2005 15:37:56 -0000

Hi!
I want to build some traffic shaping. I want to have clients with 128kbits/s and 256kbits/s.
So I make two pipes:

  ipfw pipe 1 config bw 128kbits/s mask dst-ip 0xffffffff   # full host mask: one dynamic queue per destination host
  ipfw pipe 2 config bw 256kbits/s mask dst-ip 0xffffffff   # second pipe (the post said "pipe 1" twice, which only reconfigures pipe 1;
                                                            #  its 0xffffff mask would also drop the first octet, so hosts in different /8s would share a queue)

With this, any host in my network receives the maximum bandwidth for that pipe according to their account.

My question: if the network is very busy and the total bandwidth is not sufficient for all (obviously not reaching 128kbits/s), I want to prioritize traffic: users with high bandwidth are prioritized over users with low bandwidth. How can I make this?
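The dummynet points raised in this thread (Chuck Swiger's HZ explanation, the man page's mbuf-sizing note he quotes, and vladone's per-host `mask` pipes and question about prioritising the faster class) come together in this added Python example; it is not code from the thread, from ipfw or from FreeBSD. It uses the sysctl line and pipe parameters posted above and assumes MCLBYTES = 2048 (the i386 mbuf cluster size) for the cluster estimate; the unit rules mirror ipfw's parsing (decimal multipliers for bandwidth, binary ones for byte queue sizes). `flow_key` applies a dst-ip mask the way dummynet's `mask` option does. `weighted_share` is a model of the steady-state result of one pipe shared by `ipfw queue N config pipe P weight W` queues (dummynet's WF2Q+ scheduler), which is the mechanism ipfw(8) provides for the prioritisation vladone asks about; it is a fair-share calculation, not the scheduler itself, and the thread does not spell out that answer.

```python
"""Dummynet sizing checks: HZ-bound latency, queue drain time, mbuf
clusters, flow-mask queue keys and weighted sharing.

Added example for the ipfw dummynet threads; not code from the thread or
from FreeBSD.  MCLBYTES = 2048 is assumed; weighted_share models the
outcome of WF2Q+ weights, not the scheduler.
"""
import ipaddress
import math
import re

MCLBYTES = 2048   # mbuf cluster size on i386 FreeBSD 5.x (assumed)

_CLOCKRATE_RE = re.compile(r"(\w+) = (\d+)")


def parse_clockrate(line):
    """'kern.clockrate: { hz = 100, tick = 10000, ... }' -> {'hz': 100, ...}"""
    return {k: int(v) for k, v in _CLOCKRATE_RE.findall(line)}


def worst_case_tick_delay_ms(hz, pipes_crossed):
    """dummynet drains its pipes from the clock tick handler, so each pipe a
    packet crosses can hold it for up to one tick (1000/hz ms).  A ping to a
    host behind Volodya's pair of pipes crosses one pipe each way."""
    return pipes_crossed * 1000.0 / hz


def parse_bandwidth(spec):
    """ipfw bandwidth units: [K|M]bit/s with decimal multipliers, [K|M]Byte/s
    the same times 8.  Returns bits per second."""
    m = re.fullmatch(r"(\d+)([KkMm]?)(bits?|[Bb]ytes?)/s", spec)
    if not m:
        raise ValueError(f"bad bandwidth spec: {spec}")
    n, mult, unit = m.groups()
    bps = int(n) * {"": 1, "K": 1000, "M": 1_000_000}[mult.upper()]
    return bps * 8 if unit.lower().startswith("byte") else bps


def parse_queue_bytes(spec):
    """ipfw 'queue <n>KB|MB' is a byte limit with binary multipliers (a bare
    number means slots, which this helper deliberately rejects)."""
    m = re.fullmatch(r"(\d+)(KB|MB)", spec)
    if not m:
        raise ValueError(f"bad byte queue spec: {spec}")
    return int(m.group(1)) * {"KB": 1024, "MB": 1024 * 1024}[m.group(2)]


def queue_drain_seconds(bw_spec, queue_spec):
    """Time a full queue takes to drain: the queueing delay a single bulk
    sender can impose on everything behind it in the same pipe."""
    return parse_queue_bytes(queue_spec) * 8 / parse_bandwidth(bw_spec)


def mbuf_clusters_needed(pipes):
    """Man page rule of thumb: clusters for the sum over pipes of
    bandwidth-delay product plus queue size.  pipes: (bw_spec, delay_ms, queue_spec)."""
    total_bytes = 0.0
    for bw_spec, delay_ms, queue_spec in pipes:
        total_bytes += parse_bandwidth(bw_spec) * delay_ms / 1000 / 8
        total_bytes += parse_queue_bytes(queue_spec)
    return math.ceil(total_bytes / MCLBYTES)


def flow_key(dst_ip, mask):
    """Queue a packet lands in under 'mask dst-ip <mask>': the masked
    destination.  Hosts with equal keys share one dynamic queue."""
    return str(ipaddress.ip_address(int(ipaddress.ip_address(dst_ip)) & mask))


def weighted_share(pipe_bps, demands_bps, weights):
    """Steady-state split of one pipe between queues configured with
    'queue ... weight W': bandwidth goes in proportion to weight, a queue
    wanting less than its share gets exactly its demand and the rest is
    redistributed (progressive filling).  Returns bits/s per queue."""
    alloc = [0.0] * len(demands_bps)
    left = float(pipe_bps)
    active = [i for i, d in enumerate(demands_bps) if d > 0]
    while active and left > 1e-9:
        wsum = sum(weights[i] for i in active)
        # smallest fill level at which some active queue becomes satisfied
        step = min((demands_bps[i] - alloc[i]) / weights[i] for i in active)
        step = min(step, left / wsum)
        for i in active:
            alloc[i] += step * weights[i]
        left -= step * wsum
        active = [i for i in active if demands_bps[i] - alloc[i] > 1e-9]
    return alloc


if __name__ == "__main__":
    hz = parse_clockrate("kern.clockrate: { hz = 100, tick = 10000, profhz = 1024, stathz = 128 }")["hz"]
    print("added ping delay, worst case:", worst_case_tick_delay_ms(hz, 2), "ms at HZ", hz,
          "vs", worst_case_tick_delay_ms(1000, 2), "ms at HZ 1000")
    print("3MB queue at 10Mbit/s drains in", round(queue_drain_seconds("10Mbit/s", "3MB"), 2), "s")
    print("mbuf clusters for pipes 3+4:", mbuf_clusters_needed([("10Mbit/s", 0, "3MB"), ("10Mbit/s", 0, "3MB")]))
    print("0x00ffffff keys:", flow_key("192.168.1.5", 0x00FFFFFF), flow_key("10.168.1.5", 0x00FFFFFF))
    print("weights 2:1, both greedy on 1 Mbit/s:", weighted_share(1_000_000, [2_000_000, 2_000_000], [2, 1]))
```

The numbers it prints line up with the thread: two pipes at HZ=100 add up to 20 ms, which is the 14-20 ms Volodya measured, and about 2 ms at HZ=1000. The other check is one the thread does not make: a 3MB byte queue on a 10Mbit/s pipe takes 2.5 s to drain, so once a bulk sender fills it every other packet in that pipe waits behind 2.5 s of data. Keep byte queues near the bandwidth-delay product rather than "as large as possible"; the mbuf estimate then stays small as well.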