From owner-freebsd-ipfw@freebsd.org Sun Mar 6 20:40:44 2016
Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4BF7AAC1FB5;
	Sun, 6 Mar 2016 20:40:44 +0000 (UTC)
	(envelope-from truckman@FreeBSD.org)
Received: from gw.catspoiler.org (unknown [IPv6:2602:304:b010:ef20::f2])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "gw.catspoiler.org", Issuer "gw.catspoiler.org" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 1481E8E2;
	Sun, 6 Mar 2016 20:40:44 +0000 (UTC)
	(envelope-from truckman@FreeBSD.org)
Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2])
	by gw.catspoiler.org (8.15.2/8.15.2) with ESMTP id u26KeWoZ084554;
	Sun, 6 Mar 2016 12:40:37 -0800 (PST)
	(envelope-from truckman@FreeBSD.org)
Message-Id: <201603062040.u26KeWoZ084554@gw.catspoiler.org>
Date: Sun, 6 Mar 2016 12:40:31 -0800 (PST)
From: Don Lewis <truckman@FreeBSD.org>
Subject: Re: Dummynet AQM v0.1- CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet
To: ralsaadi@swin.edu.au
Cc: aqm@ietf.org, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org, garmitage@swin.edu.au
In-Reply-To: <6545444AE21C2749939E637E56594CEA3C187192@gsp-ex02.ds.swin.edu.au>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sun, 06 Mar 2016 20:40:44 -0000

On 26 Feb, Rasool Al-Saadi wrote:
> Dear all,
>
> I would like to announce that we (myself and Grenville Armitage)
> released Dummynet AQM v0.1, which is an independent implementation of
> CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet framework, based on the
> IETF CoDel [1] and FQ-CoDel [2] Internet-Drafts. We prepared patches
> for FreeBSD11-CURRENT-r295345 and FreeBSD 10.x-RELEASE (10.0, 10.1,
> 10.2), and a technical report of our implementation.
>
> Patches and documentation can be found in:
> http://caia.swin.edu.au/freebsd/aqm

The FreeBSD 10 patch applies cleanly to FreeBSD 10.3-PRERELEASE, but the
build fails on i386:

/usr/src/sbin/ipfw/dummynet.c:166:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
    ep->par[0],
    ^~~~~~~~~~
/usr/src/sbin/ipfw/dummynet.c:167:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
    ep->par[1] );
    ^~~~~~~~~~
/usr/src/sbin/ipfw/dummynet.c:177:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
    ep->par[0],
    ^~~~~~~~~~
/usr/src/sbin/ipfw/dummynet.c:178:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
    ep->par[1],
    ^~~~~~~~~~
/usr/src/sbin/ipfw/dummynet.c:179:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
    ep->par[3],
    ^~~~~~~~~~
/usr/src/sbin/ipfw/dummynet.c:180:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
    ep->par[4],
    ^~~~~~~~~~
/usr/src/sbin/ipfw/dummynet.c:181:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
    ep->par[5]
    ^~~~~~~~~~

The proper fix for this on FreeBSD is to cast these values to intmax_t and
use the %jd printf format.
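The portability point in the message above, shown as an added example that is not part of the Dummynet AQM patch or of this thread: on i386 int64_t is 'long long', so a "%ld" conversion names a 32-bit argument while a 64-bit one is passed; the format and argument types must agree or vfprintf reads the wrong bytes from the variadic list. The struct name aqm_extra, its par[] field, the "target"/"interval" labels and the sample values are constructed for this illustration and are not the patch's own definitions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ep->par[] array the compiler output refers
 * to; the real structure in the Dummynet AQM patch is not reproduced here. */
struct aqm_extra {
	int64_t par[6];
};

/* intmax_t is the widest standard signed integer type, so the cast below
 * never truncates; this check records that assumption at compile time. */
_Static_assert(sizeof(intmax_t) >= sizeof(int64_t), "intmax_t narrower than int64_t");

/* FreeBSD-style fix from the mail: widen each int64_t to intmax_t and print
 * it with %jd. The length modifier then matches the argument type on every
 * ABI (ILP32 i386, where int64_t is 'long long', and LP64 amd64 alike),
 * whereas "%ld" is only correct where 'long' happens to be 64 bits wide. */
int format_params_jd(const struct aqm_extra *ep, char *buf, size_t n)
{
	return snprintf(buf, n, "target %jd interval %jd",
	    (intmax_t)ep->par[0], (intmax_t)ep->par[1]);
}

/* Equivalent portable form using the <inttypes.h> macros, which expand to
 * the length modifier matching the platform's definition of int64_t. */
int format_params_prid64(const struct aqm_extra *ep, char *buf, size_t n)
{
	return snprintf(buf, n, "target %" PRId64 " interval %" PRId64,
	    ep->par[0], ep->par[1]);
}

/* Constructed parameter set: 5000 and 100000 stand in for a CoDel target
 * and interval in microseconds; the remaining slots are filler. */
static const struct aqm_extra sample = { { 5000, 100000, 0, 0, 0, -1 } };

/* Render the sample with the %jd form; returns 1 if the text equals
 * expected, 0 otherwise. */
int render_equals(const char *expected)
{
	char buf[128];
	format_params_jd(&sample, buf, sizeof buf);
	return strcmp(buf, expected) == 0;
}

/* Returns 1 if the %jd and PRId64 forms produce identical text. */
int formats_agree(void)
{
	char a[128], b[128];
	format_params_jd(&sample, a, sizeof a);
	format_params_prid64(&sample, b, sizeof b);
	return strcmp(a, b) == 0;
}

int main(void)
{
	char buf[128];
	format_params_jd(&sample, buf, sizeof buf);
	printf("%s (%s)\n", buf, formats_agree() ? "forms agree" : "MISMATCH");
	return formats_agree() ? 0 : 1;
}
```

The build only stopped because clang's -Wformat check runs under -Werror; on amd64 'long' is 64 bits and the original "%ld" compiles and prints correctly, which is why the mismatch surfaced first on an i386 build. Compiling with -Wformat on both word sizes is the cheap way to catch this class of mistake before it becomes a misread argument at run time.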
From owner-freebsd-ipfw@freebsd.org Mon Mar 7 02:46:00 2016
Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4BBA9AC2012;
	Mon, 7 Mar 2016 02:46:00 +0000 (UTC)
	(envelope-from ralsaadi@swin.edu.au)
Received: from iport1.cc.swin.edu.au (iport1.cc.swin.edu.au [136.186.0.49])
	by mx1.freebsd.org (Postfix) with ESMTP id 4F2F9813;
	Mon, 7 Mar 2016 02:45:58 +0000 (UTC)
	(envelope-from ralsaadi@swin.edu.au)
X-IronPort-AV: E=Sophos;i="5.22,549,1449493200"; d="scan'208";a="17932489"
Received: from gsp-ex03.ds.swin.edu.au (HELO outlook.swin.edu.au) ([136.186.126.19])
	by iport1.cc.swin.edu.au with ESMTP; 07 Mar 2016 13:44:48 +1100
Received: from GSP-EX02.ds.swin.edu.au ([169.254.2.71]) by gsp-ex03.ds.swin.edu.au
	([169.254.3.89]) with mapi id 14.03.0279.002; Mon, 7 Mar 2016 13:44:48 +1100
From: Rasool Al-Saadi <ralsaadi@swin.edu.au>
To: Don Lewis
CC: "freebsd-net@freebsd.org", Grenville Armitage, "aqm@ietf.org", "freebsd-ipfw@freebsd.org"
Subject: RE: Dummynet AQM v0.1- CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet
Thread-Topic: Dummynet AQM v0.1- CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet
Thread-Index: AdFwoEB9RcA1ON/lTEC2HgPx0zqG6gG6/jCAACNZWyA=
Date: Mon, 7 Mar 2016 02:44:48 +0000
Message-ID: <6545444AE21C2749939E637E56594CEA3C1AC4B9@gsp-ex02.ds.swin.edu.au>
References: <6545444AE21C2749939E637E56594CEA3C187192@gsp-ex02.ds.swin.edu.au>
	<201603062040.u26KeWoZ084554@gw.catspoiler.org>
In-Reply-To: <201603062040.u26KeWoZ084554@gw.catspoiler.org>
Accept-Language: en-AU, en-US
Content-Language: en-US
x-originating-ip: [136.186.126.11]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-List-Received-Date: Mon, 07 Mar 2016 02:46:00 -0000

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Don Lewis
> Sent: Monday, 7 March 2016 7:41 AM
> To: Rasool Al-Saadi
> Cc: freebsd-net@freebsd.org; Grenville Armitage; aqm@ietf.org; freebsd-ipfw@freebsd.org
> Subject: Re: Dummynet AQM v0.1- CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet
>
> On 26 Feb, Rasool Al-Saadi wrote:
> > Dear all,
> >
> > I would like to announce that we (myself and Grenville Armitage)
> > released Dummynet AQM v0.1, which is an independent implementation of
> > CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet framework, based on the
> > IETF CoDel [1] and FQ-CoDel [2] Internet-Drafts. We prepared patches
> > for FreeBSD11-CURRENT-r295345 and FreeBSD 10.x-RELEASE (10.0, 10.1,
> > 10.2), and a technical report of our implementation.
> >
> > Patches and documentation can be found in:
> > http://caia.swin.edu.au/freebsd/aqm
>
> The FreeBSD 10 patch applies cleanly to FreeBSD 10.3-PRERELEASE, but the
> build fails on i386:
>
> /usr/src/sbin/ipfw/dummynet.c:166:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
>     ep->par[0],
>     ^~~~~~~~~~
> /usr/src/sbin/ipfw/dummynet.c:167:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
>     ep->par[1] );
>     ^~~~~~~~~~
> /usr/src/sbin/ipfw/dummynet.c:177:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
>     ep->par[0],
>     ^~~~~~~~~~
> /usr/src/sbin/ipfw/dummynet.c:178:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
>     ep->par[1],
>     ^~~~~~~~~~
> /usr/src/sbin/ipfw/dummynet.c:179:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
>     ep->par[3],
>     ^~~~~~~~~~
> /usr/src/sbin/ipfw/dummynet.c:180:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
>     ep->par[4],
>     ^~~~~~~~~~
> /usr/src/sbin/ipfw/dummynet.c:181:5: error: format specifies type 'long' but the argument has type 'int64_t' (aka 'long long') [-Werror,-Wformat]
>     ep->par[5]
>     ^~~~~~~~~~
>
>
> The proper fix for this on FreeBSD is to cast these values to intmax_t and use
> the %jd printf format.
>

Thanks for testing the patch and fixing the problem. We will apply your fix to the next version of our patch.

Regards,
Rasool
wins support.Where's The Dialogue On JNU? This Lazy Mud-Slinging Does= n't Count.FC Dallas exchanges Blas Perez for Whitecaps' Mauro Rosales.SF16-= H unleashed by Scuderia Ferrari.40 years after bloody protest=2C gay rights= pioneers get the apology they deserve.Filipino dies after falling 13 metre= s while repairing ship.Fiorentina's Mauro Zarate claims Inter Milan players= punched him twice.Dish: Favorite Elbys moments=2C new restaurants and more= .Sunrise Park Resort offers free skiing on Leap Day.Emaciated=2C frozen pup= py taken in by Animal Rescue League=3B shelter open through night.Dodos: Tr= usting Maybe=2C But Not Stupid.Emaciated dog abandoned in West Vancouver: B= .C. SPCA.Hackers Can Mess with Your Nissan Leaf from Anywhere in the World.= Marine Corps Tattoo Battle.Solar plant capable of generating night power go= es online near Tonopah.Scuderia Toro Rosso im Portrt.Mauro Ranallo Update= =2C Nikki Bella Talks Health With Divas (Video)=2C Favorite WWE Network Sho= ws.Casio Edifice announces official sponsorship of Scuderia Toro Rosso.Dish= CEO Names Sling TV's Biggest Problem.Fearing Calais migrants=2C Belgium im= poses controls on French border.Paramount Must Explain 'Star Trek' in Court= or Lose Ownership.Authorities looking for suspects who abandoned emaciated= dog.:itLo snow-show della Rossa di Maranello il 25 febbraio a Livigno:.TDO= T crews hit the road repairing potholes.UFC 196: Conor McGregor opens as he= avy favorite over Nate Diaz.First Yellowstone grizzly spotted out of its de= n.Spangler's career night leads Sooners past Cowboys.Luxury hotel for cats = comes with Roberto Cavalli wallpaper and Swarovski food bowls.Spangler's ca= reer night leads Sooners past Cowboys.A living symbol of American West unde= r threat as Yellowstone bison cull begins.Indigenous children almost twice = as likely to be hospitalised for unintentional injuries.Yellowstone County = residents to decide on expanding senior services.Journey Through Yellowston= e 
expedition begins Feb. 20.Media ownership law reform generally welcomed b= y the sector.Gardiner neighbors angry about tribal elk hunt.Bear seen in Ye= llowstone=2C Hibernation ending.Toro Rosso onthult STR11 met donkerblauwe t= estlivery.New=2C ambitious sounds arise on Be/Non's 'Sunrise/Sunset' album.= Ankara Bombing Update: Kurdish Militant Group TAK Claims Responsibility For= Attack.Josh Adams and Wyoming thump Colorado State for 5th straight Border= War win.First Yellowstone grizzly spotted out of its den.OSU wrestling: Be= avers dominate Boise State in Border War.Haight Street's Burger Urge To Cha= nge Ownership=2C But Not Menu.Career expo matches potential employees=2C em= ployers.Medtronic touts pooled analysis supporting its stroke-fighting Soli= taire stent retriever.Cristiano Ronaldo 'Cutting Muscle' To Prolong Real Ma= drid Career.Why Crescent Point Energy Corp. Is Finally About to Live Up to = its Potential.Musicnotes.com Launches Microsoft Windows 10 Sheet Music Play= er App.Luther Dickinson Hurry Up Sunrise.Lobi Stars introduce Player Monthl= y award.Leonard found guilty of all counts in Richmond Hill trial.Najpodjet= nika ideja: S fret friendom lahko na kitari solirate kot Jimi Hendrix.Repai= ring a classic Chris-Craft.The Littlest Dobro from Ivan Rosenberg.Dish: Fav= orite Elbys moments=2C new restaurants and more.Shuffle at Lamborghini send= s CEO to Quattro GmbH.Fitness Plan Day 56: Begin your day by catching the s= unrise.Media ownership law reform generally welcomed by the sector.Cellmate= : Avery is a 'disgusting human being'.Plaisir solitaire : sujet tabou pas u= niquement ddi aux hommes.Zarate shocked by three-match ban.Teeming with tee= ns: Career fair draws 'em in.Wyoming's Larry Shyatt celebrates rivalry win = by dancing on the state border.Bison Slaughter at Yellowstone: Culling of H= undreds Begins.Atlantic Technology Announces New In-Wall Home Theater Speak= ers=2C Prices Start at $350.A living symbol of American West under threat a= s 
Yellowstone bison cull begins.Wyoming's Larry Shyatt celebrates rivalry w= in by dancing on the state border.Nel nome di Nuvolari=2C rinasce la sua sc= uderia.Leonard found guilty of all counts in Richmond Hill trial.First Yell= owstone grizzly spotted out of its den.DOT: Korean resort cannot claim owne= rship of domain.Mauro Ranallo Tweets Update About His Health.DISH Network's= Sling TV Expands Strategic Partnership With Willow TV (NASDAQ:DISH).UNICEF= : Syria Ceasefire to Offer Opportunity to Start Repairing Country.Art Beat:= A life alive with color.Crescent-shaped croissants consigned to history as= Tesco says Brits prefer straight pastries.UPDATED x2: Mauro Ranallo Not at= Last Night's Smackdown Tapings Due to The Flu.The Gruesome Snapchat That L= ed to 2 College Students' Shocking Arrests.Man sentenced after abandoning e= maciated dog in Johnston.WATCH LIVE ON 7NEWS SUNRISE: Shelter-in-place has = been lifted for Kinder.Fiorentina's Mauro Zarate claims Inter Milan players= punched him twice.Fitness Plan Day 56: Begin your day by catching the sunr= ise.Developer launches its own home-building business in South Carolina.Aut= horities hunt those who abandoned an emaciated dog in Prince George's Count= y.MUSIC: Solo album lets The Gaslight Anthem's Brian Fallon start over.Giro= lamo=2C incidente in scuderia=2C tibia rotta. 
A fine marzo sar di nuovo in = pista.Pingree says Kennebunk woman facing 'unintentional' discrimination fr= om Marine Corps.Mauro Ranallo Misses WWE Smackdown Tapings Due To Flu.Cresc= ent Communities is getting into the homebuilding business.US checks foreign= border crossers with eye scans.Appellate court denies Pickett petition=2C = ending ownership battle of downtown property.SolarReserve: Crescent Dunes O= vercomes Limitation Of Battery Storage.UNICEF: Syria Ceasefire to Offer Opp= ortunity to Start Repairing Country.Structural effect of poly(ethylene glyc= ol) segmental length on biofouling and hemocompatibility.OSU wrestling: Bea= vers dominate Boise State in Border War.Reluctant student finds new career = at the tech.Girolamo=2C incidente in scuderia=2C tibia rotta. A fine marzo = sar di nuovo in pista.Crescent Dunes 24-Hour Solar Tower Is Online.Lobi Sta= rs introduce Player Monthly award.Bande-annonce Sky : Diane Kruger=2C fragi= le et solitaire.Mauro Ranallo Working WWE Fastlane Kickoff?=2C Stat On Trip= le H's Reign=2C Kevin Owens On 'KOMania'.Take steps to ensure meds don't en= danger kids.Roman Reigns is the Unintentional Heel of WrestleMania Feud.The= Latest: Belgium imposes controls on French border.Still no agreement on re= pairing Laconia parking garage.Cristiano Ronaldo open to acting career. 
Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org
Message-Id: <201603090758.u297wOvK009237@gw.catspoiler.org>
Date: Tue, 8 Mar 2016 23:58:23 -0800 (PST)
From: Don Lewis
Subject: Re: Dummynet AQM v0.1- CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet
To: ralsaadi@swin.edu.au
cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org, garmitage@swin.edu.au
In-Reply-To: <6545444AE21C2749939E637E56594CEA3C187192@gsp-ex02.ds.swin.edu.au>

On 26 Feb, Rasool Al-Saadi wrote:
> Dear all,
>
> I would like to announce that we (myself and Grenville Armitage) released Dummynet AQM v0.1, which is an independent implementation of CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet framework, based on the IETF CoDel [1] and FQ-CoDel [2] Internet-Drafts.
> We prepared patches for FreeBSD11-CURRENT-r295345 and FreeBSD 10.x-RELEASE (10.0, 10.1, 10.2), and a technical report of our implementation.
>
> Patches and documentation can be found in:
> http://caia.swin.edu.au/freebsd/aqm

Without the patch below, the dummynet module fails to load

# kldload dummynet.ko
kldload: can't load dummynet.ko: No such file or directory

and the following is printed to /var/log/messages:

link_elf: symbol sysctl__net_inet_ip_dummynet_children undefined

I believe this patch is needed for FreeBSD 11 and all FreeBSD 10 releases.

--- sys/netpfil/ipfw/ip_dn_io.c.prev	2016-03-06 00:51:38.012058648 -0800
+++ sys/netpfil/ipfw/ip_dn_io.c	2016-03-08 21:54:47.036921030 -0800
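Review bot: removing `static` from the `SYSCTL_NODE(_net_inet_ip, OID_AUTO, dummynet, ...)` declaration is what makes `sysctl__net_inet_ip_dummynet_children` visible to the separately loaded AQM module, so the hunk matches the `link_elf` error quoted above, but the exported node should be paired with a `SYSCTL_DECL(_net_inet_ip_dummynet)` in a header the AQM code includes, and a one-line comment on the now-global definition saying that it is deliberately exported for the dn_aqm/dn_sched modules, so that a later cleanup does not restore `static` and silently break module loading again.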
@@ -154,7 +154,7 @@
 SYSCTL_DECL(_net_inet);
 SYSCTL_DECL(_net_inet_ip);
-static SYSCTL_NODE(_net_inet_ip, OID_AUTO, dummynet, CTLFLAG_RW, 0, "Dummynet");
+SYSCTL_NODE(_net_inet_ip, OID_AUTO, dummynet, CTLFLAG_RW, 0, "Dummynet");
 /* wrapper to pass dn_cfg fields to SYSCTL_* */
 //#define DC(x) (&(VNET_NAME(_base_dn_cfg).x))

From owner-freebsd-ipfw@freebsd.org Wed Mar 9 08:37:06 2016
Subject: Re: Dummynet AQM v0.1- CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet
From: Franco Fichtner
In-Reply-To: <201603090758.u297wOvK009237@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 09:30:14 +0100
Cc: ralsaadi@swin.edu.au, freebsd-net@freebsd.org, garmitage@swin.edu.au, freebsd-ipfw@freebsd.org
Message-Id: <22B0B893-3350-4DDF-925C-A35459807EC1@lastsummer.de>
References: <201603090758.u297wOvK009237@gw.catspoiler.org>
To: Don Lewis

> On 09 Mar 2016, at 8:58 AM, Don Lewis wrote:
>
> On 26 Feb, Rasool Al-Saadi wrote:
>> Dear all,
>>
>> I would like to announce that we (myself and Grenville Armitage) released Dummynet AQM v0.1, which is an independent implementation of CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet framework, based on the IETF CoDel [1] and FQ-CoDel [2] Internet-Drafts.
>> We prepared patches for FreeBSD11-CURRENT-r295345 and FreeBSD 10.x-RELEASE (10.0, 10.1, 10.2), and a technical report of our implementation.

Great work, Rasool. We are happy with the results of our tests so far.

>> Patches and documentation can be found in:
>> http://caia.swin.edu.au/freebsd/aqm
>
> Without the patch below, the dummynet module fails to load
>
> # kldload dummynet.ko
> kldload: can't load dummynet.ko: No such file or directory

It works for 10.2-RELEASE with the vanilla patch:

root@sensey:~ # kldstat
Id Refs Address            Size     Name
 1   10 0xffffffff80200000 2148a60  kernel
 2    1 0xffffffff82411000 6129     tmpfs.ko
 3    1 0xffffffff82418000 2275     aesni.ko
 4    1 0xffffffff8241b000 10dd     amdtemp.ko
 5    1 0xffffffff8241d000 7761     unionfs.ko
root@sensey:~ # kldload dummynet
root@sensey:~ # kldstat
Id Refs Address            Size     Name
 1   21 0xffffffff80200000 2148a60  kernel
 2    1 0xffffffff82411000 6129     tmpfs.ko
 3    1 0xffffffff82418000 2275     aesni.ko
 4    1 0xffffffff8241b000 10dd     amdtemp.ko
 5    1 0xffffffff8241d000 7761     unionfs.ko
 6    1 0xffffffff82425000 c9f8     dummynet.ko
 7    1 0xffffffff82432000 caeb     ipfw.ko
root@sensey:~ # dmesg
[...]
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, default to accept, logging disabled
DUMMYNET 0 with IPv6 initialized (100409)
load_dn_aqm dn_aqm CODEL loaded
load_dn_sched dn_sched FIFO loaded
load_dn_sched dn_sched QFQ loaded
load_dn_sched dn_sched RR loaded
load_dn_sched dn_sched WF2Q+ loaded
load_dn_sched dn_sched PRIO loaded
load_dn_sched dn_sched FQ_CODEL loaded
From owner-freebsd-ipfw@freebsd.org Wed Mar 9 17:33:07 2016
Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org
Message-Id: <201603091733.u29HX05o011028@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 09:32:59 -0800 (PST)
From: Don Lewis
Subject: ipwf dummynet vs. kernel NAT and firewall rules
To: freebsd-ipfw@freebsd.org

I'm trying to add FQ-CoDEL AQM to my FreeBSD 10 firewall box using this patch: , but I'm running into a problem that I think is caused by an interaction between in-kernel NAT and dummynet. I've set up two dummynet pipe/sched/queue instances using example 3.3a from this document with the appropriate bandwidths, but otherwise default tunings to shape both inbound and outbound traffic. My inside network is a /24 and I have an external /29 (ext/29) network that I don't want to rate limit. My outside network interface is re0. I'm using the /etc/rc.firewall "simple" firewall configuration.

The problem that I'm having crops up when I actually try to add the firewall rules to select the traffic that I want to rate limit. The first rule in the list is:

    100 allow ip from any to any via lo0

The second rule is numbered 200 and is the first anti-spoofing rule. If I add *either* of these two rules, then I'm no longer able to communicate between hosts on my internal network and the rest of the world:

    ipfw 110 add queue 1 ip from not ext/29 to any in recv re0
    ipfw 120 add queue 2 ip from any to not ext/29 out xmit re0

It seems like the inbound rule should be early in the rule list so that any inbound traffic that gets dropped by the firewall rules gets counted even if it is dropped by later rules. It also seems like the outbound rule needs to be before any allow rules since an allow rule would skip the remaining rules and would not count that traffic. Unfortunately the ipfw documentation doesn't really describe the interaction between dummynet, NAT, and other firewall rules.

Unfortunately this is a live system, so it is difficult to do controlled experiments and look at the ipfw counters to see where things might be going into the weeds ...

From owner-freebsd-ipfw@freebsd.org Wed Mar 9 17:48:11 2016
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
From: Franco Fichtner
In-Reply-To: <201603091733.u29HX05o011028@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 18:48:06 +0100
Cc: freebsd-ipfw@freebsd.org
References: <201603091733.u29HX05o011028@gw.catspoiler.org>
To: Don Lewis

Hi Don,

If you mean pf(4)-based NAT, there is a patch that originates from m0n0wall that handles the transition. We're using it in OPNsense for that reason. Here is the patch for 10.x, maybe that is what you're looking for:

https://github.com/fichtner/freebsd/commit/975130903f.patch

We would very much like to upstream this eventually, but are not sure what is needed (on/off switch via sysctl(8) was discussed internally but could be crude). It seems useful to have in some instances. Combining ipfw(4) and pf(4) has proven to be tricky, where even execution order of both of them matters in pfil(9).

Cheers,
Franco

> On 09 Mar 2016, at 6:32 PM, Don Lewis wrote:
>
> I'm trying to add FQ-CoDEL AQM to my FreeBSD 10 firewall box using this patch: , but I'm running into a problem that I think is caused by an interaction between in-kernel NAT and dummynet. I've set up two dummynet pipe/sched/queue instances using example 3.3a from this document with the appropriate bandwidths, but otherwise default tunings to shape both inbound and outbound traffic. My inside network is a /24 and I have an external /29 (ext/29) network that I don't want to rate limit. My outside network interface is re0. I'm using the /etc/rc.firewall "simple" firewall configuration.
>
> The problem that I'm having crops up when I actually try to add the firewall rules to select the traffic that I want to rate limit. The first rule in the list is:
> 100 allow ip from any to any via lo0
> The second rule is numbered 200 and is the first anti-spoofing rule. If I add *either* of these two rules, then I'm no longer able to communicate between hosts on my internal network and the rest of the world:
>
> ipfw 110 add queue 1 ip from not ext/29 to any in recv re0
> ipfw 120 add queue 2 ip from any to not ext/29 out xmit re0
>
> It seems like the inbound rule should be early in the rule list so that any inbound traffic that gets dropped by the firewall rules gets counted even if it is dropped by later rules. It also seems like the outbound rule needs to be before any allow rules since an allow rule would skip the remaining rules and would not count that traffic. Unfortunately the ipfw documentation doesn't really describe the interaction between dummynet, NAT, and other firewall rules.
>
> Unfortunately this is a live system, so it is difficult to do controlled experiments and look at the ipfw counters to see where things might be going into the weeds ...
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@freebsd.org Wed Mar 9 18:09:33 2016
Message-Id: <201603091809.u29I9PEv011156@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 10:09:25 -0800 (PST)
From: Don Lewis
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
To: franco@lastsummer.de
cc: freebsd-ipfw@freebsd.org

On 9 Mar, Franco Fichtner wrote:
> Hi Don,
>
> If you mean pf(4)-based NAT, there is a patch that originates from m0n0wall that handles the transition. We're using it in OPNsense for that reason. Here is the patch for 10.x, maybe that is what you're looking for:

Nope, I'm using ipfw in-kernel NAT, which is not the default in rc.firewall, but is easy to paste in next to or in place of the default natd configuration.

    case ${firewall_nat_enable} in
    [Yy][Ee][Ss])
        if [ -n "${firewall_nat_interface}" ]; then
            if echo "${firewall_nat_interface}" | \
                grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
                firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
            else
                firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
            fi
            ${fwcmd} nat 123 config log ${firewall_nat_flags}
            ${fwcmd} add nat 123 ip4 from any to any via ${firewall_nat_interface}
        fi
        ;;
    esac

My suspicion is that if a packet matches the rule to pass it to dummynet that it is bypassing NAT.
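The interaction Don suspects here, and the net.inet.ip.fw.one_pass behaviour Freddie Cash explains later in the thread, as an added example that is not part of the thread: a small Python model of how ipfw walks its rule list for one packet, with Don's queue rules (110, 120) and the rc.firewall nat rule (123). The addresses, the address-only NAT table and the trailing allow rules are constructed stand-ins, and real dummynet reinjection is asynchronous, which the model ignores.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

# Constructed stand-ins for Don's networks (documentation ranges), not his real addresses.
EXT_NET = ip_network("203.0.113.0/29")     # the external /29 that must not be shaped
LAN_NET = ip_network("192.168.1.0/24")     # the inside /24 behind NAT
NAT_ADDR = "198.51.100.1"                  # public address the in-kernel NAT maps to


@dataclass
class Packet:
    src: str
    dst: str
    direction: str            # "in" (recv) or "out" (xmit)
    iface: str = "re0"
    trace: List = field(default_factory=list)   # rule numbers and actions hit, in order


@dataclass
class Rule:
    number: int
    action: str               # "allow", "deny", "queue" or "nat"
    match: Callable[[Packet], bool]
    arg: int = 0              # queue number for "queue" rules


def not_ext(addr: str) -> bool:
    return ip_address(addr) not in EXT_NET


class Firewall:
    """Toy model of ipfw rule traversal for a single packet.

    Modelled after ipfw(8): 'queue' (dummynet) and 'nat' consume the packet.
    With one_pass=1 the search ends there and the packet leaves as it is.
    With one_pass=0 the packet is reinjected and the search resumes at the
    rule *after* the one that consumed it, so it is not queued twice.
    """

    def __init__(self, one_pass: int) -> None:
        self.one_pass = one_pass
        self.nat_table: Dict[str, str] = {}   # remote host -> inside host (constructed)
        self.rules = [
            Rule(100, "allow", lambda p: p.iface == "lo0"),
            # Don's shaping rules from the thread:
            #   ipfw 110 add queue 1 ip from not ext/29 to any in recv re0
            #   ipfw 120 add queue 2 ip from any to not ext/29 out xmit re0
            Rule(110, "queue", lambda p: p.direction == "in"
                 and p.iface == "re0" and not_ext(p.src), arg=1),
            Rule(120, "queue", lambda p: p.direction == "out"
                 and p.iface == "re0" and not_ext(p.dst), arg=2),
            # rc.firewall: ${fwcmd} add nat 123 ip4 from any to any via re0
            Rule(123, "nat", lambda p: p.iface == "re0"),
            # Simplified stand-ins for the later pass rules of the "simple" ruleset.
            Rule(300, "allow", lambda p: p.direction == "out"),
            Rule(400, "allow", lambda p: p.direction == "in"
                 and ip_address(p.dst) in LAN_NET),
        ]

    def _nat(self, pkt: Packet) -> None:
        """Minimal address-only NAT: rewrite outbound src, map inbound dst back."""
        if pkt.direction == "out":
            self.nat_table[pkt.dst] = pkt.src
            pkt.src = NAT_ADDR
        elif pkt.dst == NAT_ADDR and pkt.src in self.nat_table:
            pkt.dst = self.nat_table[pkt.src]

    def process(self, pkt: Packet) -> str:
        """Walk the rules for pkt and return the verdict; pkt.trace records the path."""
        for rule in self.rules:
            if not rule.match(pkt):
                continue
            pkt.trace.append(rule.number)
            if rule.action in ("allow", "deny"):
                return rule.action
            if rule.action == "queue":
                pkt.trace.append(f"queue {rule.arg}")
            elif rule.action == "nat":
                self._nat(pkt)
                pkt.trace.append("nat")
            if self.one_pass:
                # dummynet/nat accepted the packet; no further rules are consulted,
                # so an outbound LAN packet that hit rule 120 leaves un-NATed.
                return "accept (one_pass)"
            # one_pass=0: reinjected, keep searching from the next rule
        return "deny (default rule 65535)"


if __name__ == "__main__":
    for one_pass in (1, 0):
        fw = Firewall(one_pass)
        pkt = Packet("192.168.1.10", "192.0.2.50", "out")
        verdict = fw.process(pkt)
        print(f"one_pass={one_pass}: {verdict}, src now {pkt.src}, path {pkt.trace}")
```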
From owner-freebsd-ipfw@freebsd.org Wed Mar 9 18:17:12 2016
In-Reply-To: <201603091809.u29I9PEv011156@gw.catspoiler.org>
References: <201603091809.u29I9PEv011156@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 10:17:11 -0800
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
From: Freddie Cash
To: Don Lewis
Cc: "freebsd-ipfw@freebsd.org"

On Wed, Mar 9, 2016 at 10:09 AM, Don Lewis wrote:
> On 9 Mar, Franco Fichtner wrote:
> > Hi Don,
> >
> > If you mean pf(4)-based NAT, there is a patch that originates from m0n0wall that handles the transition. We're using it in OPNsense for that reason. Here is the patch for 10.x, maybe that is what you're looking for:
>
> Nope, I'm using ipfw in-kernel NAT, which is not the default in rc.firewall, but is easy to paste in next to or in place of the default natd configuration.
>
>     case ${firewall_nat_enable} in
>     [Yy][Ee][Ss])
>         if [ -n "${firewall_nat_interface}" ]; then
>             if echo "${firewall_nat_interface}" | \
>                 grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
>                 firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
>             else
>                 firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
>             fi
>             ${fwcmd} nat 123 config log ${firewall_nat_flags}
>             ${fwcmd} add nat 123 ip4 from any to any via ${firewall_nat_interface}
>         fi
>         ;;
>     esac
>
> My suspicion is that if a packet matches the rule to pass it to dummynet that it is bypassing NAT.

Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? If set to 1, a dummynet match ends the trip through the rules, and the packet never gets to the NAT rules. Or, if a NAT rule matches, the trip through the rules ends, and it never gets to the dummynet rules. Depending on which you have first.

You'll need to set net.inet.ip.fw.one_pass=0 in order to re-inject the packet into the rules after it matches a dummynet or NAT rule. Or, do the NAT and dummynet rules on different interfaces to match different traffic.

--
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@freebsd.org Wed Mar 9 19:31:42 2016
Message-Id: <201603091925.u29JOfQE011384@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 11:24:41 -0800 (PST)
From: Don Lewis
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
To: fjwcash@gmail.com
cc: freebsd-ipfw@freebsd.org

On 9 Mar, Don Lewis wrote:
> On 9 Mar, Freddie Cash wrote:
>> On Wed, Mar 9, 2016 at 10:09 AM, Don Lewis wrote:
>>
>>> On 9 Mar, Franco Fichtner wrote:
>>> > Hi Don,
>>> >
>>> > If you mean pf(4)-based NAT, there is a patch that originates from m0n0wall that handles the transition. We're using it in OPNsense for that reason. Here is the patch for 10.x, maybe that is what you're looking for:
>>>
>>> Nope, I'm using ipfw in-kernel NAT, which is not the default in rc.firewall, but is easy to paste in next to or in place of the default natd configuration.
>>>
>>>     case ${firewall_nat_enable} in
>>>     [Yy][Ee][Ss])
>>>         if [ -n "${firewall_nat_interface}" ]; then
>>>             if echo "${firewall_nat_interface}" | \
>>>                 grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
>>>                 firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
>>>             else
>>>                 firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
>>>             fi
>>>             ${fwcmd} nat 123 config log ${firewall_nat_flags}
>>>             ${fwcmd} add nat 123 ip4 from any to any via ${firewall_nat_interface}
>>>         fi
>>>         ;;
>>>     esac
>>>
>>> My suspicion is that if a packet matches the rule to pass it to dummynet that it is bypassing NAT.
>>
>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
>
> Aha, I've got it set to 1.
>
>> If set to 1, a dummynet match ends the trip through the rules, and the packet never gets to the NAT rules. Or, if a NAT rule matches, the trip through the rules ends, and it never gets to the dummynet rules. Depending on which you have first.
>
> Dummynet is first.
>
>> You'll need to set net.inet.ip.fw.one_pass=0 in order to re-inject the packet into the rules after it matches a dummynet or NAT rule. Or, do the NAT and dummynet rules on different interfaces to match different traffic.
>
> How do I prevent the re-injected packets from being sent back into dummynet? My NAT rule looks like it could have the same problem, but that looks fixable.

I just read the fine man page and it says that after re-injection the packet starts with the next rule ... cool!

From owner-freebsd-ipfw@freebsd.org Wed Mar 9 19:31:43 2016
Message-Id: <201603091920.u29JK0jq011362@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 11:20:00 -0800 (PST)
From: Don Lewis Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules To: fjwcash@gmail.com cc: freebsd-ipfw@freebsd.org In-Reply-To: MIME-Version: 1.0 Content-Type: TEXT/plain; charset=iso-8859-1 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Mar 2016 19:31:43 -0000 On 9 Mar, Freddie Cash wrote: > On Wed, Mar 9, 2016 at 10:09 AM, Don Lewis wrote: > >> On 9 Mar, Franco Fichtner wrote: >> > Hi Don, >> > >> > If you mean pf(4)-based NAT, there is a patch that originates from >> > m0n0wall that handles the transition. We're using it in OPNsense >> > for that reason. Here is the patch for 10.x, maybe that is what >> > you're looking for: >> >> Nope, I'm using ipfw in-kernel NAT, which is not the default in >> rc.firewall, but is easy to paste in next to or in place of the default >> natd configuration. >> >> case ${firewall_nat_enable} in >> [Yy][Ee][Ss]) >> if [ -n "${firewall_nat_interface}" ]; then >> if echo "${firewall_nat_interface}" | \ >> grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then >> firewall_nat_flags="ip >> ${firewall_nat_interface} ${firewall_nat_flags}" >> else >> firewall_nat_flags="if >> ${firewall_nat_interface} ${firewall_nat_flags}" >> fi >> ${fwcmd} nat 123 config log ${firewall_nat_flags} >> ${fwcmd} add nat 123 ip4 from any to any via >> ${firewall_nat_interface} >> fi >> ;; >> esac >> >> My suspicion is that if a packet matches the rule to pass it to dummynet >> that it is bypassing NAT. >> _______________________________________________ >> freebsd-ipfw@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" >> > > ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? Aha, I've got it set to 1. 
> If set to 1, a dummynet match ends the trip through the rules, and the
> packet never gets to the NAT rules. Or, if a NAT rule matches, the trip
> through the rules ends, and it never gets to the dummynet rules. Depending
> on which you have first.

Dummynet is first.

> You'll need to set net.inet.ip.fw.one_pass=0 in order to re-inject the
> packet into the rules after it matches a dummynet or NAT rule. Or, do the
> NAT and dummynet rules on different interfaces to match different traffic.

How do I prevent the re-injected packets from being sent back into
dummynet? My NAT rule looks like it could have the same problem, but
that looks fixable.

The NAT traffic should also pass through dummynet unless it is to or
from the /29 outside network. Locally originated traffic ("me") passing
through the external interface should also go through dummynet unless
the other host is on the /29.

From owner-freebsd-ipfw@freebsd.org Wed Mar 9 19:37:44 2016
In-Reply-To: <201603091920.u29JK0jq011362@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 11:37:42 -0800
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
From: Michael Sierchio
To: Don Lewis
Cc: Freddie Cash, "freebsd-ipfw@freebsd.org"

Rules will only match if all components match. So you seem to understand
that packets will be seen twice - once IN, once OUT. If you write

in recv EXT_IP
out xmit EXT_IP

the rule actions won't get executed twice on packets.

On Wed, Mar 9, 2016 at 11:20 AM, Don Lewis wrote:
> On 9 Mar, Freddie Cash wrote:
> > On Wed, Mar 9, 2016 at 10:09 AM, Don Lewis wrote:
> >
> >> On 9 Mar, Franco Fichtner wrote:
> >> > Hi Don,
> >> >
> >> > If you mean pf(4)-based NAT, there is a patch that originates from
> >> > m0n0wall that handles the transition. We're using it in OPNsense
> >> > for that reason. Here is the patch for 10.x, maybe that is what
> >> > you're looking for:
> >>
> >> Nope, I'm using ipfw in-kernel NAT, which is not the default in
> >> rc.firewall, but is easy to paste in next to or in place of the default
> >> natd configuration.
> >>
> >> case ${firewall_nat_enable} in
> >> [Yy][Ee][Ss])
> >>     if [ -n "${firewall_nat_interface}" ]; then
> >>         if echo "${firewall_nat_interface}" | \
> >>             grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
> >>             firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
> >>         else
> >>             firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
> >>         fi
> >>         ${fwcmd} nat 123 config log ${firewall_nat_flags}
> >>         ${fwcmd} add nat 123 ip4 from any to any via ${firewall_nat_interface}
> >>     fi
> >>     ;;
> >> esac
> >>
> >> My suspicion is that if a packet matches the rule to pass it to dummynet
> >> that it is bypassing NAT.
> >>
> >
> > Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
>
> Aha, I've got it set to 1.
>
> > If set to 1, a dummynet match ends the trip through the rules, and the
> > packet never gets to the NAT rules. Or, if a NAT rule matches, the trip
> > through the rules ends, and it never gets to the dummynet rules. Depending
> > on which you have first.
>
> Dummynet is first.
>
> > You'll need to set net.inet.ip.fw.one_pass=0 in order to re-inject the
> > packet into the rules after it matches a dummynet or NAT rule. Or, do the
> > NAT and dummynet rules on different interfaces to match different traffic.
>
> How do I prevent the re-injected packets from being sent back into
> dummynet? My NAT rule looks like it could have the same problem, but
> that looks fixable.
>
> The NAT traffic should also pass through dummynet unless it is to or
> from the /29 outside network. Locally originated traffic ("me") passing
> through the external interface should also go through dummynet unless
> the other host is on the /29.
>

From owner-freebsd-ipfw@freebsd.org Wed Mar 9 21:01:09 2016
Message-Id: <201603092101.u29L0wwH011694@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 13:00:58 -0800 (PST)
From: Don Lewis
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
To: fjwcash@gmail.com
Cc: freebsd-ipfw@freebsd.org

On 9 Mar, Don Lewis wrote:
> On 9 Mar, Don Lewis wrote:
>> On 9 Mar, Freddie Cash wrote:
>>>
>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
>>
>> Aha, I've got it set to 1.
>>
>>> If set to 1, a dummynet match ends the trip through the rules, and the
>>> packet never gets to the NAT rules. Or, if a NAT rule matches, the trip
>>> through the rules ends, and it never gets to the dummynet rules. Depending
>>> on which you have first.
>>
>> Dummynet is first.
>>
>>> You'll need to set net.inet.ip.fw.one_pass=0 in order to re-inject the
>>> packet into the rules after it matches a dummynet or NAT rule. Or, do the
>>> NAT and dummynet rules on different interfaces to match different traffic.
>>
>> How do I prevent the re-injected packets from being sent back into
>> dummynet? My NAT rule looks like it could have the same problem, but
>> that looks fixable.
>
> I just read the fine man page and it says that after re-injection the
> packet starts with the next rule ... cool!

Ignoring dummynet for a moment since I haven't added those rules back
... DNS lookups break when I set net.inet.ip.fw.one_pass=0.
This machine is running BIND as a DNS forwarder and I have this rule to
allow DNS lookups in and out:

pass udp from me to any 53 out via re0 keep-state

If BIND has the results of a lookup cached, then I get the expected
query results from an internal host when I set
net.inet.ip.fw.one_pass=0, but if the results are not cached I get
";; connection timed out; no servers could be reached" when I do a
lookup on an internal host, and running the query on the firewall
machine also does not work. If BIND has the query cached, I am able
to download from servers on the internet to an internal host, so that
indicates that NAT is functioning, but it shouldn't be involved in DNS
lookups.

From owner-freebsd-ipfw@freebsd.org Wed Mar 9 21:03:51 2016
Message-Id: <201603092103.u29L3foZ011712@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 13:03:41 -0800 (PST)
From: Don Lewis
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
To: kudzu@tenebras.com
Cc: fjwcash@gmail.com, freebsd-ipfw@freebsd.org

On 9 Mar, Michael Sierchio wrote:
> Rules will only match if all components match. So you seem to understand
> that packets will be seen twice - once IN, once OUT. If you write
>
> in recv EXT_IP
> out xmit EXT_IP
>
> the rule actions won't get executed twice on packets.

That's what I'm using for the dummynet rules. My concern was if the
re-injected packets were checked by all the rules starting from the top,
in which case out xmit would match both entering and leaving dummynet.
Since the implementation is smart enough to start checking where it
previously left off, then that's not an issue.
From owner-freebsd-ipfw@freebsd.org Wed Mar 9 23:02:27 2016
Message-Id: <201603092302.u29N2IYm012240@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 15:02:18 -0800 (PST)
From: Don Lewis
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
To: fjwcash@gmail.com
Cc: freebsd-ipfw@freebsd.org

On 9 Mar, Don Lewis wrote:
> On 9 Mar, Don Lewis wrote:
>> On 9 Mar, Don Lewis wrote:
>>> On 9 Mar, Freddie Cash wrote:
>>>>
>>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
>>>
>>> Aha, I've got it set to 1.
>>>
>>>> If set to 1, a dummynet match ends the trip through the rules, and the
>>>> packet never gets to the NAT rules. Or, if a NAT rule matches, the trip
>>>> through the rules ends, and it never gets to the dummynet rules. Depending
>>>> on which you have first.
>>>
>>> Dummynet is first.
>>>
>>>> You'll need to set net.inet.ip.fw.one_pass=0 in order to re-inject the
>>>> packet into the rules after it matches a dummynet or NAT rule. Or, do the
>>>> NAT and dummynet rules on different interfaces to match different traffic.
>>>
>>> How do I prevent the re-injected packets from being sent back into
>>> dummynet? My NAT rule looks like it could have the same problem, but
>>> that looks fixable.
>>
>> I just read the fine man page and it says that after re-injection the
>> packet starts with the next rule ... cool!
>
> Ignoring dummynet for a moment since I haven't added those rules back
> ... DNS lookups break when I set net.inet.ip.fw.one_pass=0.
> This machine is running BIND as a DNS forwarder and I have this rule to
> allow DNS lookups in and out:
>
> pass udp from me to any 53 out via re0 keep-state
>
> If BIND has the results of a lookup cached, then I get the expected
> query results from an internal host when I set
> net.inet.ip.fw.one_pass=0, but if the results are not cached I get
> ";; connection timed out; no servers could be reached" when I do a
> lookup on an internal host, and running the query on the firewall
> machine also does not work. If BIND has the query cached, I am able
> to download from servers on the internet to an internal host, so that
> indicates that NAT is functioning, but it shouldn't be involved in DNS
> lookups.

It looks like the problem was an interaction between
net.inet.ip.fw.one_pass, my NAT rules, and my keep-state rules. My nat
rule was:

nat 123 ip4 from any to any via re0

so it was matching my outgoing DNS queries even though they didn't need
to be NATed. I think that when net.inet.ip.fw.one_pass=1, the DNS
queries were totally being handled by NAT and not using the keep-state
rule at all. I'm wondering if net.inet.ip.fw.one_pass=0 was interfering
with setting the ipfw dynamic state and the response packet was getting
blocked after it was reinjected by NAT.

In any case, changing my NAT rules to this makes things work:

nat 123 ip4 from internal/24 to any out xmit re0
nat 123 ip4 from any to me in recv re0

The "me" in the second rule should really be the address of re0, but
that's not readily available.
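The ruleset shape this message converges on (direction-qualified pipe and nat rules, one_pass=0, and stateful rules that still reach NAT), written out as an added example. It is not Don's ruleset and not taken from rc.firewall; the interface name, inside network, attached /29, rule numbers and pipe rates are placeholders, and the dry-run mode only prints the rules that would be loaded.

```shell
#!/bin/sh
# Added example, not from the thread or from rc.firewall: in-kernel NAT,
# keep-state rules and dummynet pipes on one external interface with
# net.inet.ip.fw.one_pass=0. All values below are illustrative assumptions.
fwcmd="${fwcmd:-ipfw}"
sysctlcmd="${sysctlcmd:-sysctl}"
ext_if="${ext_if:-re0}"
internal_net="${internal_net:-192.168.1.0/24}"
outside_net="${outside_net:-203.0.113.8/29}"
down_bw="${down_bw:-4800Kbit/s}"
up_bw="${up_bw:-615Kbit/s}"

emit_rules() {
    # With one_pass=1 the first pipe or nat match ends rule processing, so a
    # packet shaped at rule 1010 would leave untranslated. With 0 it is
    # re-injected at the rule after the one that matched.
    ${sysctlcmd} net.inet.ip.fw.one_pass=0
    ${fwcmd} -q flush
    ${fwcmd} -q pipe flush
    ${fwcmd} pipe 1 config bw "${down_bw}"
    ${fwcmd} pipe 2 config bw "${up_bw}"
    ${fwcmd} nat 123 config if "${ext_if}" log

    # A packet crossing ext_if is seen twice, once 'in recv' and once
    # 'out xmit'. Qualify each action with a direction instead of 'via' so
    # it fires on one pass only. Traffic to or from the attached /29 is not
    # shaped.
    ${fwcmd} add 1000 pipe 1 ip4 from not "${outside_net}" to any in recv "${ext_if}"
    ${fwcmd} add 1010 pipe 2 ip4 from any to not "${outside_net}" out xmit "${ext_if}"

    # Inbound: translate first, so check-state compares the inside address
    # that keep-state recorded on the untranslated outbound packet.
    ${fwcmd} add 2000 nat 123 ip4 from any to me in recv "${ext_if}"
    ${fwcmd} add 2010 check-state

    # Outbound from the inside: record state, then jump to NAT. An
    # 'allow ... keep-state' here would stop processing before NAT.
    ${fwcmd} add 3000 skipto 4000 tcp from "${internal_net}" to any out xmit "${ext_if}" setup keep-state
    ${fwcmd} add 3010 skipto 4000 udp from "${internal_net}" to any out xmit "${ext_if}" keep-state

    # Locally originated traffic (e.g. the forwarder's own DNS queries) needs
    # no NAT; the reply arrives untranslated and matches check-state above.
    ${fwcmd} add 3020 allow udp from me to any 53 out xmit "${ext_if}" keep-state
    ${fwcmd} add 3030 allow tcp from me to any out xmit "${ext_if}" setup keep-state

    # Unsolicited inbound traffic on ext_if gets no further.
    ${fwcmd} add 3990 deny log ip from any to any in recv "${ext_if}"

    ${fwcmd} add 4000 nat 123 ip4 from "${internal_net}" to any out xmit "${ext_if}"
    ${fwcmd} add 4010 allow ip from any to any
}

# Print the commands instead of running them (a subshell keeps the
# substitution local).
dry_run() {
    ( fwcmd=echo; sysctlcmd=echo; emit_rules )
}

case "${1:-}" in
    apply)   emit_rules ;;
    dry-run) dry_run ;;
esac
```

Run it as `sh nat-dummynet.sh dry-run` to inspect the rules, or `apply` as root to load them; walking a packet through by hand is worthwhile: an inbound reply to a NATed flow hits 1000, resumes at 1010, is untranslated at 2000 and is then accepted by the dynamic rule at 2010, whose parent action (skipto 4000) lands on an out-only nat rule that does not match, so it falls to 4010.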
From owner-freebsd-ipfw@freebsd.org Thu Mar 10 00:15:07 2016
From: Rasool Al-Saadi
To: Don Lewis
Cc: "freebsd-net@FreeBSD.org", "freebsd-ipfw@FreeBSD.org", Grenville Armitage
Subject: RE: Dummynet AQM v0.1- CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet
Date: Thu, 10 Mar 2016 00:13:54 +0000
Message-ID: <6545444AE21C2749939E637E56594CEA3C1B0A7C@gsp-ex02.ds.swin.edu.au>
In-Reply-To: <201603090758.u297wOvK009237@gw.catspoiler.org>

On Wednesday, 9 March 2016, Don Lewis wrote:
>
> On 26 Feb, Rasool Al-Saadi wrote:
> > Dear all,
> >
> > I would like to announce that we (myself and Grenville Armitage) released
> > Dummynet AQM v0.1, which is an independent implementation of CoDel and
> > FQ-CoDel for FreeBSD's ipfw/dummynet framework, based on the IETF
> > CoDel [1] and FQ-CoDel [2] Internet-Drafts.
> > We prepared patches for FreeBSD11-CURRENT-r295345 and FreeBSD 10.x-
> > RELEASE (10.0, 10.1, 10.2), and a technical report of our implementation.
> >
> > Patches and documentation can be found in:
> > http://caia.swin.edu.au/freebsd/aqm
>
> Without the patch below, the dummynet module fails to load
>
> # kldload dummynet.ko
> kldload: can't load dummynet.ko: No such file or directory
>
> and the following is printed to /var/log/messages:
>
> link_elf: symbol sysctl__net_inet_ip_dummynet_children undefined

Thanks again for testing the patch and for providing feedback.

It seems that this error (and the compilation error in your previous
email) appears in i386 versions of FreeBSD.

> I believe this patch is needed for FreeBSD 11 and all FreeBSD 10 releases.

I will add your patch to Dummynet AQM v0.2.

Regards,
Rasool Al-Saadi

> --- sys/netpfil/ipfw/ip_dn_io.c.prev 2016-03-06 00:51:38.012058648 -0800
> +++ sys/netpfil/ipfw/ip_dn_io.c 2016-03-08 21:54:47.036921030 -0800
> @@ -154,7 +154,7 @@
>
> SYSCTL_DECL(_net_inet);
> SYSCTL_DECL(_net_inet_ip);
> -static SYSCTL_NODE(_net_inet_ip, OID_AUTO, dummynet, CTLFLAG_RW, 0,
> "Dummynet");
> +SYSCTL_NODE(_net_inet_ip, OID_AUTO, dummynet, CTLFLAG_RW, 0,
> +"Dummynet");
>
> /* wrapper to pass dn_cfg fields to SYSCTL_* */
> //#define DC(x) (&(VNET_NAME(_base_dn_cfg).x))
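Review bot: as quoted here the hunk will not apply: the header promises one line removed and one added (-154,7 +154,7), but the mailer has wrapped both the removed and the added line, so the continuation `"Dummynet");` appears once with no `-` prefix and once as `+"Dummynet");`, and patch(1) will reject the hunk; rejoin each into a single line, or take the unwrapped patch from the download page above. On the change itself, dropping `static` is the right fix for the `sysctl__net_inet_ip_dummynet_children undefined` load failure: `SYSCTL_DECL(_net_inet_ip_dummynet)` in dn_aqm_codel.c and dn_sched_fq_codel.c expands to an `extern` for that symbol, which a file-local definition in ip_dn_io.c cannot satisfy. A one-line comment above the node saying it is deliberately non-static because other objects in the module declare it would keep a later cleanup from putting `static` back.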

From: Ian Smith
To: Don Lewis
Cc: fjwcash@gmail.com, freebsd-ipfw@freebsd.org
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
In-Reply-To: <201603092302.u29N2IYm012240@gw.catspoiler.org>
Message-ID: <20160310165323.U61428@sola.nimnet.asn.au>
X-List-Received-Date: Thu, 10 Mar 2016 06:53:39 -0000

On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
> On 9 Mar, Don Lewis wrote:
> > On 9 Mar, Don Lewis wrote:
> >> On 9 Mar, Don Lewis wrote:
> >>> On 9 Mar, Freddie Cash wrote:
> >>>>
> >>>> Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
> >>>
> >>> Aha, I've got it set to 1.

I observe that in 99 cases out of 100, the default of 1 is undesired,
but it's too late to do anything but advise people - thanks Freddie!

[..]

> >> I just read the fine man page and it says that after re-injection the
> >> packet starts with the next rule ... cool!

Make sure the next rule has a higher number; in some (but not all?) uses
of one_pass actually restart with the next higher-numbered rule.

[..]

> It looks like the problem was an interaction between
> net.inet.ip.fw.one_pass, my NAT rules, and my keep-state rules. My nat
> rule was:
>
> nat 123 ip4 from any to any via re0
>
> so it was matching my outgoing DNS queries even though they didn't need
> to be NATed. I think that when net.inet.ip.fw.one_pass=1, the DNS
> queries were totally being handled by NAT and not using the keep-state
> rule at all. I'm wondering if net.inet.ip.fw.one_pass=0 was interfering
> with setting the ipfw dynamic state and the response packet was getting
> blocked after it was reinjected by NAT.
>
> In any case, changing my NAT rules to this makes things work:
>
> nat 123 ip4 from internal/24 to any out xmit re0
> nat 123 ip4 from any to me in recv re0

'in recv' and 'out xmit' are always clearer than 'via', and sometimes
(as here) necessary. Another way, assuming you want to NAT everything
from internal net(s) would be:

nat 123 ip4 from any to any out xmit re0 recv $internal_if

> The "me" in the second rule should really be the address of re0, but
> that's not readily available.

'me' is fine in most cases, unless you are having other addresses routed
to you, eg an external /29 or such, if those addresses also match 'me'.

Glad you've got it sorted.

cheers, Ian

From owner-freebsd-ipfw@freebsd.org Thu Mar 10 07:20:13 2016
Message-Id: <201603100720.u2A7K1v4013479@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 23:20:01 -0800 (PST)
From: Don Lewis
Subject: Re: Dummynet AQM v0.1- CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet
To: ralsaadi@swin.edu.au
Cc: freebsd-net@FreeBSD.org, freebsd-ipfw@FreeBSD.org, garmitage@swin.edu.au
In-Reply-To: <6545444AE21C2749939E637E56594CEA3C1B0A7C@gsp-ex02.ds.swin.edu.au>

On 10 Mar, Rasool Al-Saadi wrote:
>
>
> On Wednesday, 9 March 2016, Don Lewis wrote:
>>
>> On 26 Feb, Rasool Al-Saadi wrote:
>> > Dear all,
>> >
>> > I would like to announce that we (myself and Grenville Armitage)
>> > released Dummynet AQM v0.1, which is an independent implementation of
>> > CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet framework, based on the
>> > IETF CoDel [1] and FQ-CoDel [2] Internet-Drafts.
>> > We prepared patches for FreeBSD11-CURRENT-r295345 and FreeBSD
>> > 10.x-RELEASE (10.0, 10.1, 10.2), and a technical report of our
>> > implementation.
>> >
>> > Patches and documentation can be found in:
>> > http://caia.swin.edu.au/freebsd/aqm
>>
>> Without the patch below, the dummynet module fails to load
>>
>> # kldload dummynet.ko
>> kldload: can't load dummynet.ko: No such file or directory
>>
>> and the following is printed to /var/log/messages:
>>
>> link_elf: symbol sysctl__net_inet_ip_dummynet_children undefined
>
> Thanks again for testing the patch and for providing feedback.
>
> It seems that this error (and the compilation error in your previous
> email) appears in i386 versions of FreeBSD.

I was testing on FreeBSD 10.3-PRERELEASE and would have been willing to
bet that the difference in behavior was due to a recent change in
FreeBSD. After testing, this second bug is also a difference between
i386 and amd64.
Digging into the problem, this line in ip_dn_io.c:

static SYSCTL_NODE(_net_inet_ip, OID_AUTO, dummynet, CTLFLAG_RW, 0, "Dummynet");

gets translated into:

static struct sysctl_oid_list sysctl__net_inet_ip_dummynet_children;
static struct sysctl_oid sysctl___net_inet_ip_dummynet = {
    &sysctl__net_inet_ip_children, { ((void *)0) }, (-1),
    1|((0x80000000|0x40000000)),
    (void*)&sysctl__net_inet_ip_dummynet_children, 0, "dummynet", 0, "N",
    0, 0, "Dummynet" };
__asm__(".globl " "__start_set_sysctl_set");
__asm__(".globl " "__stop_set_sysctl_set");
static void const * const __set_sysctl_set_sym_sysctl___net_inet_ip_dummynet
    __attribute__((__section__("set_" "sysctl_set"))) __attribute__((__used__))
    = &sysctl___net_inet_ip_dummynet;
_Static_assert((((0x80000000|0x40000000)) & 0xf) == 0 ||
    (((0x80000000|0x40000000)) & 0) == 1, "compile-time assertion failed");

by the C preprocessor, and it shows up in the symbol table of the .o
file (on amd64):

0000000000000140 b sysctl__net_inet_ip_dummynet_children

where "b" indicates that it is a local symbol in the uninitialized data
section. The dn_aqm_codel.c and dn_sched_fq_codel.c files also want
access to this SYSCTL_NODE, which they indicated by using:

SYSCTL_DECL(_net_inet_ip_dummynet);

which gets pre-processed to:

extern struct sysctl_oid_list sysctl__net_inet_ip_dummynet_children;

which results in an undefined symbol in the compiled .o file:

U sysctl__net_inet_ip_dummynet_children

A symbol declared as an extern in one compilation unit should not get
linked to a matching symbol defined as a static in another compilation
unit. Looking at the symbol table for the module dummynet.ko, I see both
the static and undefined versions of the symbol:

00000000000001b0 b sysctl__net_inet_ip_dummynet_children
                 U sysctl__net_inet_ip_dummynet_children

For some reason, the kernel linker on amd64 accepts this module, whereas
on i386 it is (correctly in my opinion) rejected.
I'll try to put together a simple example that I can use to file a
FreeBSD bug report.

With the patch (on i386), the symbol is defined as global in ip_dn_io.o:

000000b8 B sysctl__net_inet_ip_dummynet_children

and there are no undefined versions of this symbol in the .ko file:

00010e4c b sysctl__net_inet_ip_dummynet_children

however I don't know why it is no longer a global in the .ko file.
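The check behind the analysis in the previous message, as an added example that is not from the thread: an awk filter over nm(1) output that reports any symbol a module both defines as file-local (lowercase type letter) and leaves undefined (U), the combination the i386 kernel linker refused. The two nm listings embedded below are constructed for the example, trimmed to the shape quoted above; on a real build feed the filter `nm dummynet.ko` before running kldload.

```shell
#!/bin/sh
# Added example, not from the thread: flag symbols that are both a local
# definition and an undefined reference inside one object or module, i.e.
# an extern in one compilation unit that only a static in another could
# satisfy. Exit status 1 when any are found, 0 otherwise.
#
# Usage: nm dummynet.ko | local_but_also_undefined
local_but_also_undefined() {
    awk '
        # nm lines are "[address] type name"; undefined symbols carry no
        # address, so take the type and name from the end of the line.
        { type = $(NF - 1); name = $NF }
        type == "U"      { undef[name] = 1 }
        type ~ /^[a-z]$/ { local_def[name] = 1 }
        END {
            n = 0
            for (s in undef)
                if (s in local_def) { print s; n++ }
            exit n ? 1 : 0
        }'
}

# Constructed sample of the broken module: the node list is a local "b"
# symbol in ip_dn_io.o and an unresolved "U" from the AQM objects.
sample_nm_output() {
    cat <<'EOF'
00000000000001b0 b sysctl__net_inet_ip_dummynet_children
                 U sysctl__net_inet_ip_dummynet_children
0000000000000000 T dummynet_modevent
                 U malloc
0000000000000080 d dn_cfg
EOF
}

# Constructed sample after the patch: one global "B" definition, no "U".
sample_nm_output_fixed() {
    cat <<'EOF'
00010e4c B sysctl__net_inet_ip_dummynet_children
0000000000000000 T dummynet_modevent
                 U malloc
EOF
}

case "${1:-}" in
    demo)
        echo "broken module:"; sample_nm_output | local_but_also_undefined
        echo "patched module:"; sample_nm_output_fixed | local_but_also_undefined
        ;;
esac
```

Ordinary undefined symbols such as `malloc` are expected in a module (the kernel provides them at load time) and are not reported; only the local-plus-undefined pairing is.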

From: Don Lewis
Subject: Re: Dummynet AQM v0.1- CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet
To: ralsaadi@swin.edu.au
Cc: aqm@ietf.org, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org, garmitage@swin.edu.au
In-Reply-To: <6545444AE21C2749939E637E56594CEA3C187192@gsp-ex02.ds.swin.edu.au>
X-List-Received-Date: Thu, 10 Mar 2016 08:29:02 -0000

On 26 Feb, Rasool Al-Saadi wrote:
> Dear all,
>
> I would like to announce that we (myself and Grenville Armitage)
> released Dummynet AQM v0.1, which is an independent implementation of
> CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet framework, based on the
> IETF CoDel [1] and FQ-CoDel [2] Internet-Drafts.
> We prepared patches for FreeBSD11-CURRENT-r295345 and FreeBSD
> 10.x-RELEASE (10.0, 10.1, 10.2), and a technical report of our
> implementation.
>
> Patches and documentation can be found in:
> http://caia.swin.edu.au/freebsd/aqm
>
> Technical report:
> http://caia.swin.edu.au/reports/160226A/CAIA-TR-160226A.pdf

I've got some results with running this on my firewall in an attempt to
tame a severe bufferbloat problem on my ADSL connection to the outside
world. The raw speed numbers reported by my ADSL modem are 6016 Kb/s
downstream and 768 Kb/s upstream. I set my MTU to 1492 to avoid
fragmentation from PPPoE overhead. With things unthrottled, I observe
about 5050 Kb/s downstream and 648 Kb/s upstream, with a bufferbloat
rating of F.

I configured the system to use FQ-CoDel, with separate pipes for each
direction. Because of the slow upstream speed, I increased the target
value for the upstream direction to 25 ms since a maximum size packet
will require about 20 ms to send. I also set the
net.inet.tcp.experimental.initcwnd10 sysctl value to 0. The latter
seemed to help a lot.
With this feature enabled, the initial packet blast at the start of the
upload caused a large initial latency spike, and the initial transfer
rate ended up being very slow and it took a long time to ramp up to its
maximum sustained value.

My current dummynet pipe bandwidth settings are 4800 Kb/s downstream and
615 Kb/s upstream. The speedtest results for these settings are about
4600 Kb/s downstream and about 600 Kb/s upstream. I'm somewhat
disappointed in the bandwidth loss, but my bufferbloat rating has
improved to mostly A's with some B's. I do still see a large increase in
latency at the start of transfers, and then it oscillates for a while
before settling down at a reasonable value for the remainder of the
transfer. I suspect this is to be expected.

It would be nice if the implementation was able to account for the PPPoE
and ATM framing overhead like the Linux implementation does. I think
that would help performance when there is a mix of packet sizes.
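An added example (not from the thread or from the Dummynet AQM patch) that turns the sizing argument in this message into a script: it computes how long one MTU-sized packet takes to serialize at the pipe rate, raises the FQ-CoDel target above that, and emits the pipe and scheduler configuration. Assumptions: the `sched N config pipe N type fq_codel target ...` form is the scheduler syntax ipfw(8) documents for the FQ-CoDel scheduler (check the man page shipped with the patch you apply), the rates and MTU default to the figures quoted above, and the "serialization time plus 5 ms" rule is a heuristic of this example, not something the thread or the drafts prescribe.

```shell
#!/bin/sh
# Added example, not from the thread or the Dummynet AQM patch: choose an
# FQ-CoDel target for a slow asymmetric link and emit the pipe/sched
# configuration. Rates, MTU, interface and the target heuristic are
# assumptions for illustration.
fwcmd="${fwcmd:-ipfw}"
sysctlcmd="${sysctlcmd:-sysctl}"
ext_if="${ext_if:-re0}"
mtu="${mtu:-1492}"            # PPPoE leaves 1492 bytes for IP
down_kbps="${down_kbps:-4800}"
up_kbps="${up_kbps:-615}"

# Milliseconds to clock one packet of mtu_bytes onto a link of kbps, rounded up.
mtu_serialization_ms() {
    mtu_bytes=$1; kbps=$2
    echo $(( (mtu_bytes * 8 + kbps - 1) / kbps ))
}

# CoDel's default 5 ms target cannot be met when a single full-size packet
# takes longer than that to send; heuristic: serialization time plus 5 ms.
fq_codel_target_ms() {
    ser=$(mtu_serialization_ms "$1" "$2")
    if [ "$ser" -gt 5 ]; then
        echo $(( ser + 5 ))
    else
        echo 5
    fi
}

emit_aqm_rules() {
    down_target=$(fq_codel_target_ms "$mtu" "$down_kbps")
    up_target=$(fq_codel_target_ms "$mtu" "$up_kbps")

    # The larger initial congestion window lets the first burst of an
    # upload fill the upstream queue before CoDel has a chance to react.
    ${sysctlcmd} net.inet.tcp.experimental.initcwnd10=0

    # One pipe per direction, rate-limited below the modem's sync rate so
    # the queue forms here, under FQ-CoDel, rather than in the modem.
    ${fwcmd} pipe 1 config bw "${down_kbps}Kbit/s"
    ${fwcmd} pipe 2 config bw "${up_kbps}Kbit/s"
    ${fwcmd} sched 1 config pipe 1 type fq_codel target "${down_target}ms"
    ${fwcmd} sched 2 config pipe 2 type fq_codel target "${up_target}ms"

    # Attach with a direction on each rule so a packet is shaped once.
    ${fwcmd} add 1000 pipe 1 ip4 from any to any in recv "${ext_if}"
    ${fwcmd} add 1010 pipe 2 ip4 from any to any out xmit "${ext_if}"
}

# Print the commands instead of running them.
dry_run() {
    ( fwcmd=echo; sysctlcmd=echo; emit_aqm_rules )
}

case "${1:-}" in
    apply)   emit_aqm_rules ;;
    dry-run) dry_run ;;
esac
```

With the defaults, a 1492-byte packet needs 20 ms at 615 Kbit/s, so the upstream target becomes 25 ms, while downstream (3 ms per packet at 4800 Kbit/s) keeps the 5 ms default. Rerun the dry run after changing `up_kbps` to see how sensitive the target is to the rate you pick.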
messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=Otq8HDdEfZOt6r3 ylqjYD0nF/jk=; b=hPk6clwsGapm1EOkuIU9IsOvoaPPNc2QigPDOqTb9VwP9Dl FHaeFR3GFaqdautKNRLIj/esYWoVVrPrNxnoSRouMs+5UE6sVodCAkILpgpaSFfE Q7NJnVeLbWhzKbrcKcFhlWlf5eqWkaPpl/X6OnWPtp/Q4aUHWOgR+yX6vFr4= Received: by web6.nyi.internal (Postfix, from userid 99) id 2922C4F5B6; Thu, 10 Mar 2016 14:35:41 -0500 (EST) Message-Id: <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com> X-Sasl-Enc: mlQ24UJphKtGTw1Su/tEMEaOo8zzCoY/UCLHy+GPxQtG 1457638541 
From: Mark Felder To: Ian Smith , Don Lewis Cc: freebsd-ipfw@freebsd.org, fjwcash@gmail.com MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-b28110db In-Reply-To: <20160310165323.U61428@sola.nimnet.asn.au> References: <201603092302.u29N2IYm012240@gw.catspoiler.org> <20160310165323.U61428@sola.nimnet.asn.au> Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules Date: Thu, 10 Mar 2016 13:35:41 -0600 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Mar 2016 19:35:42 -0000 On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote: > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > > On 9 Mar, Don Lewis wrote: > > > On 9 Mar, Don Lewis wrote: > > >> On 9 Mar, Don Lewis wrote: > > >>> On 9 Mar, Freddie Cash wrote: > > >>>> > > >>>> ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? > > >>> > > >>> Aha, I've got it set to 1. > > I observe that in 99 cases out of 100, the default of 1 is undesired, > but it's too late to do anything but advise people - thanks Freddie! > Is there any reason why we shouldn't just change the default for 11-RELEASE? 
-- Mark Felder ports-secteam member feld@FreeBSD.org From owner-freebsd-ipfw@freebsd.org Thu Mar 10 20:24:34 2016 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 32F88ACBBB0 for ; Thu, 10 Mar 2016 20:24:34 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id EC160ABA; Thu, 10 Mar 2016 20:24:33 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from julian-mbp3.pixel8networks.com (50-196-156-133-static.hfc.comcastbusiness.net [50.196.156.133]) (authenticated bits=0) by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id u2AKOOXW087534 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 10 Mar 2016 12:24:26 -0800 (PST) (envelope-from julian@freebsd.org) Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules To: Don Lewis , fjwcash@gmail.com References: <201603092101.u29L0wwH011694@gw.catspoiler.org> Cc: freebsd-ipfw@freebsd.org 
From: Julian Elischer Message-ID: <56E1D7F3.5040101@freebsd.org> Date: Thu, 10 Mar 2016 12:24:19 -0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <201603092101.u29L0wwH011694@gw.catspoiler.org> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Mar 2016 20:24:34 -0000 On 9/03/2016 1:00 PM, Don Lewis wrote: > On 9 Mar, Don Lewis wrote: >> On 9 Mar, Don Lewis wrote: >>> On 9 Mar, Freddie Cash wrote: >>>> ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? >>> Aha, I've got it set to 1. >>> >>>> If set to 1, the a dummynet match ends the trip through the rules, and the >>>> packet never gets to the NAT rules. Or, if a NAT rule matches, the trip >>>> through the rules ends, and it never get to the dummynet rules. Depending >>>> on which you have first. >>> Dummynet is first. >>> >>>> You'll need to set net.inet.ip.fw.one_pass?=0 in order to re-inject the >>>> packet into the rules after it matches a dummynet or NAT rule. Or, do the >>>> NAT and dummynet rules on different interfaces to match different traffic. >>> How do I prevent the re-injected packets from being sent back into >>> dummynet? My NAT rule looks like it could have the same problem, but >>> that looks fixable. >> I just read the fine man page and is says that after re-injection the >> packet starts with the next rule ... cool! actually it doesn't... it starts at the next rule NUMBER which may be a different thing. > Ignoring dummynet for a moment since I haven't added those rules back > ... DNS lookups break when I set net.inet.ip.fw.one_pass=0. 
This > machine is running BIND as a DNS forwarder and I have this rule to > allow DNS lookups in and out: > pass udp from me to any 53 out via re0 keep-state > > If BIND has the results of a lookup cached, then I get the expected > query results from an internal host when I set > net.inet.ip.fw.one_pass=0, but if the results are not cached I get > ";; connection timed out; no servers could be reached" when I do a > lookup on an internal host, and running the query on the firewall > machine also does not work. If BIND has the query cached, I am able > to download from servers on the internet to an internal host, so that > indicates that NAT is functioning, but it shouldn't be involved in DNS > lookups. > > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > From owner-freebsd-ipfw@freebsd.org Thu Mar 10 20:29:31 2016 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3B111ACBD75 for ; Thu, 10 Mar 2016 20:29:31 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 005A3BC7; Thu, 10 Mar 2016 20:29:30 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from julian-mbp3.pixel8networks.com (50-196-156-133-static.hfc.comcastbusiness.net [50.196.156.133]) (authenticated bits=0) by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id u2AKTS91087549 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 10 Mar 2016 12:29:29 -0800 (PST) (envelope-from julian@freebsd.org) Subject: Re: ipwf 
dummynet vs. kernel NAT and firewall rules To: Don Lewis , freebsd-ipfw@freebsd.org References: <201603091733.u29HX05o011028@gw.catspoiler.org> 
From: Julian Elischer Message-ID: <56E1D923.6060405@freebsd.org> Date: Thu, 10 Mar 2016 12:29:23 -0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <201603091733.u29HX05o011028@gw.catspoiler.org> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Mar 2016 20:29:31 -0000 On 9/03/2016 9:32 AM, Don Lewis wrote: > I'm trying to add FQ-CoDEL AQM to my FreeBSD 10 firewall box using this > patch: , but I'm > running into a problem that I think is caused by an interaction between > in-kernel NAT and dummynet. I've set up two dummynet pipe/sched/queue > instances using example 3.3a from this document > with the > appropriate bandwidths, but otherwise default tunings to shape both > inbound and outbound traffic. My inside network is a /24 and I have an > external /29 (ext/29) network that I don't want to rate limit. My > outside network interface is re0. I'm using the /etc/rc.firewall > "simple" firewall configuration. > > The problem that I'm having crops up when I actually try to add the > firewall rules to select the traffic that I want to rate limit. The > first rule in the list is: > 100 allow ip from any to any via lo0 > The second rule is numbered 200 and is first anti-spoofing rule. 
If > I add *either* of these two rules, then I'm no longer able to > communicate between hosts on my internal network and the rest of the > world: > > ipfw 110 add queue 1 ip from not ext/29 to any in recv re0 > ipfw 120 add queue 2 ip from any to not ext/29 out xmit re0 > > It seems like the inbound rule should be early in the rule list so that > any inbound traffic that gets dropped by the firewall rules gets counted > even if it is dropped by later rules. It also seems like the outbound > rule needs to be before any allow rules since an allow rule would skip > the remaining rules and would not count that traffic. Unfortunately the > ipfw documentation doesn't really describe the interaction between > dummynet, NAT, and other firewall rules. > > Unfortunately this is a live system, so it is difficult to do controlled > experiments and look at the ipfw counters to see where things might be > going into the weeds ... ok so you need to do what I always tell people.. split your rules into separate incoming and outgoing rule sets. so your first rule should be: skipto 10000 all from any to any in. and have separate sets of rules for incoming and outgoing packets. Then you should always set one_pass to 0 and expect your packets to come back to the firewall at the next number. 
> > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > From owner-freebsd-ipfw@freebsd.org Thu Mar 10 20:34:45 2016 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F21A4ACA211 for ; Thu, 10 Mar 2016 20:34:45 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id CF579F33; Thu, 10 Mar 2016 20:34:45 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from julian-mbp3.pixel8networks.com (50-196-156-133-static.hfc.comcastbusiness.net [50.196.156.133]) (authenticated bits=0) by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id u2AKYgZS087577 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 10 Mar 2016 12:34:43 -0800 (PST) (envelope-from julian@freebsd.org) Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules To: Mark Felder , Ian Smith , Don Lewis References: <201603092302.u29N2IYm012240@gw.catspoiler.org> <20160310165323.U61428@sola.nimnet.asn.au> <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com> Cc: freebsd-ipfw@freebsd.org, fjwcash@gmail.com 
From: Julian Elischer Message-ID: <56E1DA5D.6060006@freebsd.org> Date: Thu, 10 Mar 2016 12:34:37 -0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Mar 2016 20:34:46 -0000 On 10/03/2016 11:35 AM, Mark Felder wrote: > > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote: >> On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: >> > On 9 Mar, Don Lewis wrote: >> > > On 9 Mar, Don Lewis wrote: >> > >> On 9 Mar, Don Lewis wrote: >> > >>> On 9 Mar, Freddie Cash wrote: >> > >>>> >> > >>>> ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? >> > >>> >> > >>> Aha, I've got it set to 1. >> >> I observe that in 99 cases out of 100, the default of 1 is undesired, >> but it's too late to do anything but advise people - thanks Freddie! >> > Is there any reason why we shouldn't just change the default for > 11-RELEASE? yeah people will kill you. firewalls don't get rewritten by mergemaster. 
> > From owner-freebsd-ipfw@freebsd.org Thu Mar 10 20:33:44 2016 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A1B24ACA174 for ; Thu, 10 Mar 2016 20:33:44 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 65D60F0C; Thu, 10 Mar 2016 20:33:44 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from julian-mbp3.pixel8networks.com (50-196-156-133-static.hfc.comcastbusiness.net [50.196.156.133]) (authenticated bits=0) by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id u2AKXewo087574 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 10 Mar 2016 12:33:41 -0800 (PST) (envelope-from julian@freebsd.org) Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules To: Ian Smith , Don Lewis References: <201603092302.u29N2IYm012240@gw.catspoiler.org> <20160310165323.U61428@sola.nimnet.asn.au> Cc: freebsd-ipfw@freebsd.org, fjwcash@gmail.com 
From: Julian Elischer Message-ID: <56E1DA1F.5030703@freebsd.org> Date: Thu, 10 Mar 2016 12:33:35 -0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <20160310165323.U61428@sola.nimnet.asn.au> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Mar 2016 20:33:44 -0000 On 9/03/2016 10:53 PM, Ian Smith wrote: > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > > On 9 Mar, Don Lewis wrote: > > > On 9 Mar, Don Lewis wrote: > > >> On 9 Mar, Don Lewis wrote: > > >>> On 9 Mar, Freddie Cash wrote: > > >>>> > > >>>> ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? > > >>> > > >>> Aha, I've got it set to 1. > > I observe that in 99 cases out of 100, the default of 1 is undesired, > but it's too late to do anything but advise people - thanks Freddie! > > [..] > > > >> I just read the fine man page and is says that after re-injection the > > >> packet starts with the next rule ... cool! > > Make sure the next rule has a higher number; in some (but not all?) uses > of one_pass actually restart with the next higher-numbered rule. the code in reinjection of divert packets takes the rule number that matches, adds one and skips to that (or higher). I think dummynet does the same but have not checked. > > [..] > > > It looks like the problem was an interaction between > > net.inet.ip.fw.one_pass, my NAT rules, and my keep-state rules. My nat > > rule was: > > nat 123 ip4 from any to any via re0 > > so it was matching by outgoing DNS queries even though they didn't need > > to be NATed. 
I think that when net.inet.ip.fw.one_pass=1, the DNS > > queries were totally being handled by NAT and not using the keep-state > > rule at all. I'm wondering if net.inet.ip.fw.one_pass=0 was interfering > > with setting the ipfw dynamic state and the response packet was getting > > blocked after it was reinjected by NAT. > > > > In any case, changing my NAT rules to this make things work: > > > > nat 123 ip4 from internal/24 to any out xmit re0 > > nat 123 ip4 from any to me in recv re0 > > 'in recv' and 'out xmit' are always clearer than 'via', and someimes (as > here) necessary. Another way, assuming you want to NAT everything from > internal net(s) would be: > > nat 123 ip4 from any to any out xmit re0 recv $internal_if > > > The "me" in the second rule should really be the address of re0, but > > that's not readily available. > > 'me' is fine in most cases, unless you are having other addresses routed > to you, eg an external /29 or such, if those addresses also match 'me'. > > Glad you've got it sorted. 
> > cheers, Ian > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > From owner-freebsd-ipfw@freebsd.org Thu Mar 10 22:26:10 2016 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 41018ACBBAB for ; Thu, 10 Mar 2016 22:26:10 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from gw.catspoiler.org (unknown [IPv6:2602:304:b010:ef20::f2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gw.catspoiler.org", Issuer "gw.catspoiler.org" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 22D4DDE6; Thu, 10 Mar 2016 22:26:10 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.15.2/8.15.2) with ESMTP id u2AMPxEe016166; Thu, 10 Mar 2016 14:26:03 -0800 (PST) (envelope-from truckman@FreeBSD.org) Message-Id: <201603102226.u2AMPxEe016166@gw.catspoiler.org> Date: Thu, 10 Mar 2016 14:25:59 -0800 (PST) 
From: Don Lewis Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules To: julian@freebsd.org cc: fjwcash@gmail.com, freebsd-ipfw@freebsd.org In-Reply-To: <56E1D7F3.5040101@freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Mar 2016 22:26:10 -0000 On 10 Mar, Julian Elischer wrote: > On 9/03/2016 1:00 PM, Don Lewis wrote: >> On 9 Mar, Don Lewis wrote: >>> On 9 Mar, Don Lewis wrote: >>>> On 9 Mar, Freddie Cash wrote: >>>>> ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? >>>> Aha, I've got it set to 1. >>>> >>>>> If set to 1, the a dummynet match ends the trip through the rules, >>>>> and the packet never gets to the NAT rules. Or, if a NAT rule >>>>> matches, the trip through the rules ends, and it never get to the >>>>>dummynet rules. Depending on which you have first. >>>> Dummynet is first. >>>> >>>>> You'll need to set net.inet.ip.fw.one_pass?=0 in order to >>>>> re-inject the packet into the rules after it matches a dummynet or >>>>> NAT rule. Or, do the NAT and dummynet rules on different >>>>>interfaces to match different traffic. How do I prevent the >>>>>re-injected packets from being sent back into >>>> dummynet? My NAT rule looks like it could have the same problem, >>>>but that looks fixable. >>> I just read the fine man page and is says that after re-injection >>> the packet starts with the next rule ... cool! > > actually it doesn't... it starts at the next rule NUMBER which may be > a different thing. Well, I'm using a tweaked copy of /etc/rc.firewall which doesn't specify rule numbers, so the rules are automatically numbered in steps of 100 according to the order in which they are listed in the file. 
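The script below is an added example, not code from this thread or from FreeBSD's /etc/rc.firewall. It is an rc.firewall-style sh script that puts the advice given in the messages above into one ruleset: one_pass disabled, explicit rule numbers so a re-injected packet resumes at a known place (Julian's "next rule NUMBER" point), incoming and outgoing rules split with skipto, NAT matched with 'in recv'/'out xmit' instead of 'via' (Ian's point), the DNS keep-state rule placed before the outbound nat rule (the fix Don found), and the dummynet queue rules placed first in each direction so traffic dropped further down is still charged to the pipe. The FQ-CoDel lines use the `sched ... type fq_codel` syntax of the CAIA patch with Don's pipe bandwidths and his 25 ms upstream target. Everything else is an assumption for illustration: re1 as the inside interface, 192.168.0.0/24 standing in for the internal /24, 203.0.113.0/29 standing in for the remote ext/29 that must not be shaped, nat instance 123 taken from Don's rules, and tag 1 used to let the packets nat translated inbound reach their internal host. Run it with FWCMD=echo to see the rules without loading them.

```shell
#!/bin/sh
# Added example, not from the thread or rc.firewall. Assumed values: OIF=re0
# (outside, from the thread), IIF=re1 (inside), INET=192.168.0.0/24,
# EXT=203.0.113.0/29 (remote /29 that must not be shaped), nat instance 123.
#   FWCMD=echo sh ipfw-split.sh dry-run   # print the rules instead of loading
#   sh ipfw-split.sh load                 # load them (root, ipfw + dummynet loaded)

OIF="${OIF:-re0}"
IIF="${IIF:-re1}"
INET="${INET:-192.168.0.0/24}"
EXT="${EXT:-203.0.113.0/29}"
DOWN_BW="${DOWN_BW:-4800Kbit/s}"
UP_BW="${UP_BW:-615Kbit/s}"

# Every command goes through fw, so FWCMD=echo turns the script into a dry run.
fw() {
    ${FWCMD:-ipfw -q} "$@"
}

build_rules() {
    fw -f flush
    fw nat 123 config if "$OIF" reset

    # One pipe per direction, FQ-CoDel scheduler (syntax as in the CAIA patch).
    fw pipe 1 config bw "$DOWN_BW"
    fw sched 1 config pipe 1 type fq_codel
    fw queue 1 config sched 1
    fw pipe 2 config bw "$UP_BW"
    # Slow upstream: a full-size packet takes ~20 ms, so a 25 ms target (Don's value).
    fw sched 2 config pipe 2 type fq_codel target 25ms
    fw queue 2 config sched 2

    # one_pass=0: a packet that matched queue/nat is re-injected and resumes at
    # the next rule NUMBER, so the rules below a queue/nat rule still apply.
    fw disable one_pass

    fw add 100 allow ip from any to any via lo0
    # Separate incoming (10000-19999) and outgoing (20000-29999) rule sets.
    fw add 200 skipto 10000 ip from any to any in
    fw add 300 skipto 20000 ip from any to any out

    # ---- incoming ----
    # Shape first, so traffic denied further down is still charged to the pipe.
    fw add 10000 queue 1 ip from not "$EXT" to any in recv "$OIF"
    # Anti-spoofing: internal source addresses never arrive on the outside.
    fw add 10100 deny log ip from "$INET" to any in recv "$OIF"
    # Translate only packets addressed to this box ('in recv', not 'via'); the
    # tag marks them so the next rule can admit the ones nat rewrote to $INET.
    fw add 10200 nat 123 tag 1 ip4 from any to me in recv "$OIF"
    fw add 10300 allow ip from any to "$INET" in recv "$OIF" tagged 1
    # Replies to this box's own keep-state flows (the DNS rule below).
    fw add 10400 check-state
    # rc.firewall 'simple' passes no ICMP at all; allow echo, unreachable, time exceeded.
    fw add 10500 allow icmp from any to any icmptypes 0,3,8,11
    fw add 10600 allow ip from "$INET" to any in recv "$IIF"
    fw add 10900 deny log ip from any to any in

    # ---- outgoing ----
    fw add 20000 queue 2 ip from any to not "$EXT" out xmit "$OIF"
    # keep-state BEFORE nat: with 'nat ... via re0' first, the forwarder's own
    # DNS queries were consumed by nat and never created dynamic state.
    fw add 20100 allow udp from me to any 53 out xmit "$OIF" keep-state
    fw add 20200 nat 123 ip4 from "$INET" to any out xmit "$OIF"
    fw add 20900 allow ip from any to any out
}

case "${1:-}" in
    load)    build_rules ;;
    dry-run) FWCMD=echo build_rules ;;
esac
```

The numbering leaves room between rules on purpose: after queue 1 at 10000 re-injects, processing resumes at the first rule numbered above 10000, which is 10100, so a rule inserted later without a number (auto-numbered in steps of 100, as Don notes) cannot land ahead of the anti-spoofing check by accident.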
From owner-freebsd-ipfw@freebsd.org Thu Mar 10 22:33:29 2016 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5A472ACBE9A for ; Thu, 10 Mar 2016 22:33:29 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from gw.catspoiler.org (unknown [IPv6:2602:304:b010:ef20::f2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gw.catspoiler.org", Issuer "gw.catspoiler.org" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 1E2CC2E8; Thu, 10 Mar 2016 22:33:29 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.15.2/8.15.2) with ESMTP id u2AMXLCx016193; Thu, 10 Mar 2016 14:33:25 -0800 (PST) (envelope-from truckman@FreeBSD.org) Message-Id: <201603102233.u2AMXLCx016193@gw.catspoiler.org> Date: Thu, 10 Mar 2016 14:33:21 -0800 (PST) 
From: Don Lewis Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules To: julian@freebsd.org cc: freebsd-ipfw@freebsd.org In-Reply-To: <56E1D923.6060405@freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Mar 2016 22:33:29 -0000 On 10 Mar, Julian Elischer wrote: > On 9/03/2016 9:32 AM, Don Lewis wrote: >> I'm trying to add FQ-CoDEL AQM to my FreeBSD 10 firewall box using this >> patch: , but I'm >> running into a problem that I think is caused by an interaction between >> in-kernel NAT and dummynet. I've set up two dummynet pipe/sched/queue >> instances using example 3.3a from this document >> with the >> appropriate bandwidths, but otherwise default tunings to shape both >> inbound and outbound traffic. My inside network is a /24 and I have an >> external /29 (ext/29) network that I don't want to rate limit. My >> outside network interface is re0. I'm using the /etc/rc.firewall >> "simple" firewall configuration. >> >> The problem that I'm having crops up when I actually try to add the >> firewall rules to select the traffic that I want to rate limit. The >> first rule in the list is: >> 100 allow ip from any to any via lo0 >> The second rule is numbered 200 and is first anti-spoofing rule. If >> I add *either* of these two rules, then I'm no longer able to >> communicate between hosts on my internal network and the rest of the >> world: >> >> ipfw 110 add queue 1 ip from not ext/29 to any in recv re0 >> ipfw 120 add queue 2 ip from any to not ext/29 out xmit re0 >> >> It seems like the inbound rule should be early in the rule list so that >> any inbound traffic that gets dropped by the firewall rules gets counted >> even if it is dropped by later rules. 
It also seems like the outbound >> rule needs to be before any allow rules since an allow rule would skip >> the remaining rules and would not count that traffic. Unfortunately the >> ipfw documentation doesn't really describe the interaction between >> dummynet, NAT, and other firewall rules. >> >> Unfortunately this is a live system, so it is difficult to do controlled >> experiments and look at the ipfw counters to see where things might be >> going into the weeds ... > > ok so you need to do what I always tell people.. split your rules into > separate incoming and outgoing rule sets. > so your first rule should be: > skipto 10000 all from any to any in. > > > and have separate sets of rules for incoming and outgoing packets. I'm somewhat used to that. In a past life I wrote firewall rules for routers that have separate per-interface in and out rulesets. I do recall genrating them from from a script that kept the in and out rules for the desired flows in sync with each other. In this case, it would require a total rewrite from what I have now, which I'm not anxious to tackle at the moment. From owner-freebsd-ipfw@freebsd.org Fri Mar 11 04:46:47 2016 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CE7A6ACAFA2 for ; Fri, 11 Mar 2016 04:46:47 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4E039ED8; Fri, 11 Mar 2016 04:46:46 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id u2B4kfGV089254; Fri, 11 Mar 2016 15:46:42 +1100 (EST) (envelope-from smithi@nimnet.asn.au) Date: Fri, 11 Mar 2016 15:46:41 +1100 (EST) 
From: Ian Smith To: Mark Felder cc: Don Lewis , Julian Elischer , freebsd-ipfw@FreeBSD.org, fjwcash@gmail.com Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules In-Reply-To: <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com> Message-ID: <20160311151935.N61428@sola.nimnet.asn.au> References: <201603092302.u29N2IYm012240@gw.catspoiler.org> <20160310165323.U61428@sola.nimnet.asn.au> <1457638541.445340.545617522.5FF4A6BE@webmail.messagingengine.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Mar 2016 04:46:47 -0000 On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote: > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote: > > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > > > On 9 Mar, Don Lewis wrote: > > > > On 9 Mar, Don Lewis wrote: > > > >> On 9 Mar, Don Lewis wrote: > > > >>> On 9 Mar, Freddie Cash wrote: > > > >>>> > > > >>>> ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? > > > >>> > > > >>> Aha, I've got it set to 1. > > > > I observe that in 99 cases out of 100, the default of 1 is undesired, > > but it's too late to do anything but advise people - thanks Freddie! > Is there any reason why we shouldn't just change the default for > 11-RELEASE? Julian fortunately said why more succinctly than I could have :) Perhaps we could add to rc.firewall, just as an example where NAT (either in-kernel or natd) is enabled and where it's being setup: ${fwcmd} disable one_pass would at least indicate that it's generally the Right Thing To Do in the NAT case, but we have no dummynet examples, let alone the several other overloaded uses of one_pass, so still have to rely on folklore .. 
That said, I've had zero success in offering a patch to rc.firewall, enabling kernel NAT in the 'simple' ruleset .. which Don figured out anyway. Oh, and Don: I suppose you noticed that rc.firewall 'simple' ruleset fails to allow any ICMP traffic at all? cheers, Ian From owner-freebsd-ipfw@freebsd.org Fri Mar 11 07:32:43 2016 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AA4C3ACC915 for ; Fri, 11 Mar 2016 07:32:43 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from gw.catspoiler.org (unknown [IPv6:2602:304:b010:ef20::f2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gw.catspoiler.org", Issuer "gw.catspoiler.org" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 89F59F36; Fri, 11 Mar 2016 07:32:43 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.15.2/8.15.2) with ESMTP id u2B7WVNN017306; Thu, 10 Mar 2016 23:32:35 -0800 (PST) (envelope-from truckman@FreeBSD.org) Message-Id: <201603110732.u2B7WVNN017306@gw.catspoiler.org> Date: Thu, 10 Mar 2016 23:32:31 -0800 (PST) 
From: Don Lewis Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules To: smithi@nimnet.asn.au cc: feld@FreeBSD.org, julian@FreeBSD.org, freebsd-ipfw@FreeBSD.org, fjwcash@gmail.com In-Reply-To: <20160311151935.N61428@sola.nimnet.asn.au> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Mar 2016 07:32:43 -0000 On 11 Mar, Ian Smith wrote: > On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote: > > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote: > > > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > > > > On 9 Mar, Don Lewis wrote: > > > > > On 9 Mar, Don Lewis wrote: > > > > >> On 9 Mar, Don Lewis wrote: > > > > >>> On 9 Mar, Freddie Cash wrote: > > > > >>>> > > > > >>>> ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? > > > > >>> > > > > >>> Aha, I've got it set to 1. > > > > > > I observe that in 99 cases out of 100, the default of 1 is undesired, > > > but it's too late to do anything but advise people - thanks Freddie! > > > Is there any reason why we shouldn't just change the default for > > 11-RELEASE? > > Julian fortunately said why more succinctly than I could have :) > > Perhaps we could add to rc.firewall, just as an example where NAT > (either in-kernel or natd) is enabled and where it's being setup: > > ${fwcmd} disable one_pass > > would at least indicate that it's generally the Right Thing To Do in > the NAT case, but we have no dummynet examples, let alone the several > other overloaded uses of one_pass, so still have to rely on folklore .. > > That said, I've had zero success in offering a patch to rc.firewall, > enabling kernel NAT in the 'simple' ruleset .. which Don figured out > anyway. 
> > Oh, and Don: I suppose you noticed that rc.firewall 'simple' ruleset > fails to allow any ICMP traffic at all? Yes, I noticed that. My local version is fixed. From owner-freebsd-ipfw@freebsd.org Fri Mar 11 09:35:01 2016 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 279C2ACBCE0; Fri, 11 Mar 2016 09:35:01 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from gw.catspoiler.org (unknown [IPv6:2602:304:b010:ef20::f2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gw.catspoiler.org", Issuer "gw.catspoiler.org" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 09CB31192; Fri, 11 Mar 2016 09:35:01 +0000 (UTC) (envelope-from truckman@FreeBSD.org) Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.15.2/8.15.2) with ESMTP id u2B9Yo8E017604; Fri, 11 Mar 2016 01:34:55 -0800 (PST) (envelope-from truckman@FreeBSD.org) Message-Id: <201603110934.u2B9Yo8E017604@gw.catspoiler.org> Date: Fri, 11 Mar 2016 01:34:50 -0800 (PST) 
From: Don Lewis Subject: Re: Dummynet AQM v0.1- CoDel and FQ-CoDel for FreeBSD's ipfw/dummynet To: ralsaadi@swin.edu.au cc: freebsd-net@FreeBSD.org, garmitage@swin.edu.au, freebsd-ipfw@FreeBSD.org In-Reply-To: <201603100720.u2A7K1v4013479@gw.catspoiler.org> MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Mar 2016 09:35:01 -0000 On 9 Mar, To: ralsaadi@swin.edu.au wrote: > On 10 Mar, Rasool Al-Saadi wrote: >> >> >> On Wednesday, 9 March 2016, Don Lewis wrote: >>> Without the patch below, the dummynet module fails to load >>> >>> # kldload dummynet.ko >>> kldload: can't load dummynet.ko: No such file or directory >>> >>> and the following is printed to /var/log/messages: >>> >>> link_elf: symbol sysctl__net_inet_ip_dummynet_children undefined >> >> Thanks again for testing the patch and for providing feedback. >> >> It seems that this error (and the compilation error in your previous >> email) appears in i386 versions of FreeBSD. > > I was testing on FreeBSD 10.3-PRERELEASE and would have been willing to > bet that the difference in behavior was due to a recent change in > FreeBSD. After testing, this second bug is also a difference between > i386 and amd64. > For some reason, the kernel linker on amd64 accepts this module, whereas > on i386 it is (correctly in my opinion) rejected. I'll try to put > together a simple example that I can use to file a FreeBSD bug report. 
FreeBSD bug report here:

From owner-freebsd-ipfw@freebsd.org Fri Mar 11 12:46:48 2016
Date: Fri, 11 Mar 2016 18:16:47 +0530
Subject: Network goes down when installing ipfw
From: Kulamani Sethi
To: freebsd-ipfw@freebsd.org

Dear all,

I am using ipfw3. When I am installing the ipfw driver on a Windows 7 machine the network goes down. If I uninstall that driver again then the network comes back automatically. That means the ipfw driver is not supported.

I have also digitally signed it through the Microsoft kernel mode signing process to authenticate the publisher.

Process of installing: Local Area Connection -> Properties -> Install -> Service -> Add -> OK (I can also see the message "Driver digitally signed" from the system)

Could anyone please help me with this issue. Thanks in advance.

With Regards,
Kulamani Sethi, India

From owner-freebsd-ipfw@freebsd.org Fri Mar 11 13:06:42 2016
Subject: Re: Network goes down when installing ipfw
To: freebsd-ipfw@freebsd.org
From: Jan Bramkamp
Message-ID: <56E2C2D8.4020701@rlwinm.de>
Date: Fri, 11 Mar 2016 14:06:32 +0100

On 11/03/16 13:46, Kulamani Sethi wrote:
> Dear all,
>
> I am using ipfw3. When I am installing the ipfw driver on a Windows 7
> machine the network goes down. If I uninstall that driver again then the
> network comes back automatically. That means the ipfw driver is not supported.
>
> I have also digitally signed it through the Microsoft kernel mode signing
> process to authenticate the publisher.
>
>
> Process of installing: Local Area Connection -> Properties -> Install ->
> Service -> Add -> OK (I can also see the message "Driver digitally signed"
> from the system)
>
> Could anyone please help me with this issue. Thanks in advance.

IPFW has a single default match-all rule at the end of the ruleset. If no ruleset is loaded it will match (and deny) all traffic by default. This blocks all traffic until a ruleset is loaded.

As far as I know IPFW isn't supported on Windows by the FreeBSD project in any way. Look into the documentation on how to load rules and/or get in touch with whoever ported IPFW to Windows.