From owner-freebsd-ipfw Tue Dec 17 14:52:10 2002
From: "Aaron D. Gifford" <agifford@infowest.com>
To: freebsd-ipfw@freebsd.org
Date: Tue, 17 Dec 2002 15:51:27 -0700
Subject: Some IPFW2 stateful dynamic rules won't go away
Message-ID: <3DFFAA6F.8020504@infowest.com>

Hi,

I've got a box with a three month old version of -STABLE on it that's been up for about 80 days. It uses IPFW2. This box delivers a bit of e-mail each day (perhaps 150,000-200,000 deliveries/day) and doesn't really do much else.

Recently it was brought to my attention that a few IPFW2 dynamic stateful TCP rules were hanging around for an excessive amount of time. Two TCP sessions had apparently been created three weeks ago by the mail server, and somehow the dynamic stateful rules that were created by the sessions have persisted for three weeks, sending out the IPFW2-generated TCP keep-alive packets every 5 minutes. On the local mail server side, netstat shows the relevant TCP sockets in the FIN_WAIT_2 state. On the remote side, the admin's firewall logs kept showing TCP ACK packets arriving every 5 min (the keep-alives, I presume).

So now the questions:

1) Are there IPFW2 changes in the past 90 days MFCd to -STABLE that would fix this? Either way, I will be upgrading to a newer kernel/IPFW2.

2) What sequence of events could have resulted in this state of things in the first place?

Hmmm... Okay, the TCP session was ESTABLISHED, the local box sends FIN to close things, the remote side ACKs the FIN so now the local socket is in FIN_WAIT_2. The remotely sent FIN gets dropped somewhere on the Internet. The remote side's own firewall at some point decides to expire their temp. dynamic rule or whatever. Now my local box's IPFW2 counter runs down and generates an ACK in both directions, keeping the local socket in FIN_WAIT_2 forever, and the ACK sent to the remote side gets silently dropped by their firewall.

Is this plausible? If so, what's to prevent this from happening again?

Thanks!
Aaron out... (off to upgrade to a newer kernel on the box in question)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
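A check for the condition Aaron describes, added here as example code (not from the thread): it pairs the dynamic TCP rules from `ipfw -d list` with the sockets from `netstat -an` and reports rules whose local socket sits in FIN_WAIT_2, i.e. half-closed sessions that only the keep-alive refresh is keeping alive. Both command outputs are constructed samples and their column layout is assumed from the tools' usual format.

```python
import re

# Constructed `netstat -an` sample (FreeBSD layout: a.b.c.d.port columns, assumed):
# the local mail server socket on port 25 is half-closed in FIN_WAIT_2.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  208.186.104.163.25     192.0.2.10.40123       FIN_WAIT_2
tcp4       0      0  208.186.104.163.25     198.51.100.7.51022     ESTABLISHED
tcp4       0      0  208.186.104.163.57001  203.0.113.9.25         FIN_WAIT_2
"""

# Constructed `ipfw -d list` dynamic-rule sample; the column layout
# (rule pkts bytes (expire) STATE proto src sport <-> dst dport) is assumed.
IPFW_DYN_SAMPLE = """\
## Dynamic rules (3):
00300   6048  423360 (297s) STATE tcp 208.186.104.163 25 <-> 192.0.2.10 40123
00300    812   61232 (283s) STATE tcp 198.51.100.7 51022 <-> 208.186.104.163 25
00300     19    2217 (31s) STATE tcp 192.0.2.44 33012 <-> 208.186.104.163 25
"""

DYN_RE = re.compile(r"^(\d+)\s+\d+\s+\d+\s+\((\d+)s\)\s+STATE\s+tcp\s+"
                    r"(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)$")

def _endpoint(addr):
    host, port = addr.rsplit(".", 1)          # netstat writes host.port
    return host, int(port)

def parse_netstat(text):
    """Map each TCP socket, keyed by its unordered endpoint pair, to its state."""
    sockets = {}
    for line in text.splitlines():
        if line.startswith("tcp"):
            _, _, _, local, foreign, state = line.split()
            sockets[frozenset((_endpoint(local), _endpoint(foreign)))] = state
    return sockets

def parse_dyn(text):
    """Yield (rule number, seconds to expiry, endpoint pair) per dynamic TCP rule."""
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            rule, expire, sh, sp, dh, dp = m.groups()
            yield int(rule), int(expire), frozenset(((sh, int(sp)), (dh, int(dp))))

def stuck_sessions(netstat_text, dyn_text):
    """Dynamic rules whose local socket sits in FIN_WAIT_2: the keep-alive
    refresh of the rule is what stops the half-closed socket from dying."""
    sockets = parse_netstat(netstat_text)
    return [(pair, expire) for _, expire, pair in parse_dyn(dyn_text)
            if sockets.get(pair) == "FIN_WAIT_2"]
```

A FIN_WAIT_2 socket with no dynamic rule, and a dynamic rule with no local socket, are both left out: only the pairing the post describes is reported.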
From owner-freebsd-ipfw Tue Dec 17 18:33:48 2002
From: "Bruno Afonso" <brunomiguel@netcabo.pt>
Organization: Artists, Inc.
To: freebsd-ipfw@freebsd.org
Date: Wed, 18 Dec 2002 02:33:26 -0000
Subject: Dummynet and bandwidth sharing
Message-ID: <3DFFDE76.8473.48139C@localhost>

Hello,

I am trying to improve the network in my college (I'm a sysadmin there) and on one floor we have about 40 computers being NATted. (I use ipnat for that, but that's irrelevant.) We don't have a fixed bandwidth here, as it changes a lot throughout the day, so I've been setting up pipes with bw 0. (It's a 100 megabit network.)

In order to share the bandwidth equally among the users, I am starting to use dummynet. I have set up a global pipe and created queues per IP (src-ip or dst-ip) using mask. I created several queue commands (with mask) for "protocol" priorities like http, ssh, etc. (Of course, protocol is specified in the ipfw ruleset.)

This is all OK since I want to give certain protocols priority status (like ssh), but I wonder if I wanted to do a different thing: I would like all users to share the bandwidth equally, and give priorities for each user inside his own bandwidth. I could create a pipe for each user, but for that I will have to create infinite bandwidth pipes (and that's a lot of pipes, we have laptop users) and add rules for queues for each pipe. This would mean that if I wanted 4 rules per pipe, I would need at least 4*pipes queue rules, and the same ipfw rules. This would make ssh for a user use his bandwidth with priority instead of a "global" priority.

Am I missing something? What's the best way to do this? Do a shell script? :-)

ps: I am using ipfw1, but I don't mind at all using ipfw2.

Many thanks in advance,
Bruno Miguel Afonso, Biological Eng. student.
brunomiguel at dequim dot ist dot utl dot pt
D.E.Q. @ I.S.T. - Portugal
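The two layouts Bruno compares, written out as a small generator of ipfw/dummynet commands (an added example, not the poster's configuration; the addresses, weights and the rule, pipe and queue numbering are assumptions):

```python
# Added example: generate the ipfw/dummynet rules Bruno describes. Addresses,
# weights and rule/pipe/queue numbering are assumptions, not from the thread.
# Each entry: queue name, WF2Q+ weight, match clause for traffic towards the user.
PRIORITIES = [
    ("ssh",  50, "tcp from any 22 to {user}"),
    ("http", 30, "tcp from any 80 to {user}"),
    ("rest", 20, "ip from any to {user}"),     # catch-all, must stay last
]

def shared_pipe_rules(users_net, pipe=1, base_rule=900):
    """Current layout: one pipe, one queue per protocol, and a dst-ip mask so
    every user address becomes its own flow inside that queue. The weights
    rank ssh above http across *all* users, not within one user's share."""
    cmds = [f"ipfw pipe {pipe} config bw 0"]          # bw 0: no fixed limit
    for j, (_, weight, match) in enumerate(PRIORITIES):
        queue, rule = 10 + j, base_rule + j
        cmds.append(f"ipfw queue {queue} config pipe {pipe} weight {weight} "
                    "mask dst-ip 0xffffffff")
        cmds.append(f"ipfw add {rule} queue {queue} " + match.format(user=users_net))
    return cmds

def per_user_rules(users, base_rule=1000, base_pipe=100, step=10):
    """Alternative layout: one pipe per user, with that user's own weighted
    queues hanging off it, so priorities apply inside each user's bandwidth.
    step must leave room for len(PRIORITIES) rules per user."""
    cmds = []
    for i, user in enumerate(users):
        pipe = base_pipe + i
        cmds.append(f"ipfw pipe {pipe} config bw 0")
        for j, (_, weight, match) in enumerate(PRIORITIES):
            queue, rule = pipe * 10 + j, base_rule + i * step + j
            cmds.append(f"ipfw queue {queue} config pipe {pipe} weight {weight}")
            cmds.append(f"ipfw add {rule} queue {queue} " + match.format(user=user))
    return cmds

def per_user_rule_count(n_users):
    """One pipe plus a queue config and a classification rule per priority,
    per user: the N*pipes growth the post points out."""
    return n_users * (1 + 2 * len(PRIORITIES))
```

The output is plain `ipfw` command lines, so it can be fed to `sh` on the router or dropped into a firewall script.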
From owner-freebsd-ipfw Wed Dec 18 5:53:43 2002
From: Alexander Yeremenko <ay@sita.kiev.ua>
To: freebsd-ipfw@freebsd.org
Date: Wed, 18 Dec 2002 15:53:36 +0200
Subject: base rulesets q
Message-ID: <20021218155336.A94945@sita.kiev.ua>

etc/rc.firewall in most cases recommends something like:

    add XXX pass tcp from any to any established
    add XXX+N pass tcp from any to me 25 setup

What's the use of the `setup` keyword here? To use ipfw to make one more check? What harm would be in simple `add XXX+N pass tcp from any to me 25`?

-- 
AY7-UANIC || AY15-RIPE