From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 3 00:05:24 2005
From: Alexey Dokuchaev
To: arch@freebsd.org
Cc: ipfw@freebsd.org
Subject: Improvements to ipfw code (followup)
Message-ID: <20020219165630.A62749@cytherea.weblab.nsu.ru>
Date: Sun, 03 Jul 2005 00:05:24 -0000
X-Original-Date: Tue, 19 Feb 2002 16:56:30 +0600

Hello,

Back in 1997, an email was sent to hackers@ about some substantial firewall
code improvements, along with a patch, by Julian Assange. A PR (misc/2386)
was then filed, but marked 'closed' shortly after submission due to a
'Misfiled PR' reason. It seems never to have raised any interest afterwards,
despite the fact that this work is definitely worth considering.

I will forward the original mail at the end for those who are interested.
My particular interest in this comes from the fact that uid/gid-based IPFW
filtering only works for outgoing connections, which is a neat thing of
course. However, to be able to provide any service, I need to allow incoming
connections as well, and this is where I got somewhat disappointed: I cannot
control who is bind()'ing to whatever port (if outside setup connections are
allowed), and if, say, for whatever reason my cvsupd (or ircd, or quaked)
exits, any malicious user process can issue bind() to the [freed]
unprivileged port. One might say this is not a big deal, since servers tend
to restart themselves in case of any failure; however, for example, FTP
passive mode requires setup connections to be allowed in a certain port
range, and I really want only the ftp user to be able to bind() to those
ports. At present, there is no way in IPFW to open ports for a specific
user/group only, while Julian's patch seems to solve the problem.

Time to revise this stuff again? :-)

The URL Julian gives in his email is no longer valid, but his patches are in
PR misc/2386, and can also be found at ftp://regency.nsu.ru/tmp/ipfw.diff.

Sincerely,
Alexey Dokuchaev

------ Forwarded message ------
Date: Tue, 7 Jan 1997 07:01:16 +1100 (EST)
From: proff@suburbia.net
To: hackers@freebsd.org, security@freebsd.org
Subject: new firewall code [uid/gid/bind() etc]
Message-ID: <19970106200116.16168.qmail@suburbia.net>

I tried posting the patches but, at 55k, it seems majordumbo has (silently)
rejected them. You may find them at:

    ftp://suburbia.net/tmp/ipfw.diff

My "socket credentials" patches allow you to:

punch wormholes, or restrict access to the IPPORT_RESERVED space, or
restrict access to bind() altogether based on:

  (a) uid
  (b) gid (including secondary groups)
  (c) port
  (d) protocol
  (e) interface

And more importantly:

Restrict access to packets being sent/received on any socket based on:

  (a) the packet (per normal ipfw rules)
  (b) uid
  (c) gid (including secondary groups)

The former permits constructs like:

  /* let uid sendmail bind to port 25 */
  # ipfw add accept wormhole on tcp from any 25 to any uid sendmail bind

  /* only let inetd bind - we presume inetd still needs to run as root
     for uid switching when forking off clients */

  # addgroup inetd
  # chgrp inetd /usr/sbin/inetd
  # chmod 2700 /usr/sbin/inetd
  # killall inetd
  # ipfw add accept all from any to any bind gid inetd uid root
  # /* default policy is to deny bind */

  /* keep those without security clearance out of secret network */
  # ipfw add accept all from any to any via ed0 gid secret
  # ipfw add deny all from any to any via ed0 gid any

Logging has also been enhanced:

  # ipfw add 60000 accept log all from any to any bind
  /* example of named starting up */

  ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind
  ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
  ipfw: 5000 Allow UDP 203.4.184.217:53 0.0.0.0:0 via ppp0 uid 67 gid 0 pid 1280 bind
  ipfw: 5000 Allow UDP 127.0.0.1:53 0.0.0.0:0 via lo0 uid 67 gid 0 pid 1280 bind
  ipfw: 5000 Allow UDP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind

Cheers,
Julian

------ End of forwarded message ------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message
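The bind-audit lines in Julian's forwarded message have a fixed shape, so they can be checked against a per-port binder policy, which is the control Alexey asks for on the passive-FTP range. The following is an added example written for this page, not code from the thread or from the patch: a Python parser for that line format plus a check that flags an allowed bind on a policed port by an unexpected uid. The sample log mixes the page's named lines with constructed ones; uid 14 standing in for the ftp user and the 49152-65535 passive range are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Shape of the audit lines shown in the forwarded message, e.g.
#   ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind
# The first addr:port is the local socket handed to bind(); "via <ifname>" is optional.
BIND_LINE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+) (?P<proto>[A-Za-z]+) "
    r"(?P<laddr>[\d.]+):(?P<lport>\d+) (?P<raddr>[\d.]+):(?P<rport>\d+)"
    r"(?: via (?P<iface>\w+))? uid (?P<uid>\d+) gid (?P<gid>\d+) pid (?P<pid>\d+) bind$"
)


@dataclass(frozen=True)
class BindEvent:
    rule: int
    action: str      # "allow" or "deny", lower-cased
    proto: str       # "tcp" or "udp", lower-cased
    laddr: str       # local address given to bind(); 0.0.0.0 means INADDR_ANY
    lport: int
    iface: Optional[str]
    uid: int
    gid: int
    pid: int


def parse_bind_line(line: str) -> Optional[BindEvent]:
    """Parse one audit line; return None for lines in any other format."""
    m = BIND_LINE.match(line.strip())
    if m is None:
        return None
    return BindEvent(
        rule=int(m["rule"]), action=m["action"].lower(), proto=m["proto"].lower(),
        laddr=m["laddr"], lport=int(m["lport"]), iface=m["iface"],
        uid=int(m["uid"]), gid=int(m["gid"]), pid=int(m["pid"]),
    )


# Expected binders per (proto, first port, last port). Constructed for this
# example: uid 67 is the uid in the page's named log lines; uid 14 for the
# ftp user and the passive-mode range 49152-65535 are assumptions.
POLICY = [
    ("tcp", 53, 53, {67}),
    ("udp", 53, 53, {67}),
    ("tcp", 49152, 65535, {14}),
]


def check_bind(ev: BindEvent) -> Optional[str]:
    """Return a finding for an allowed bind by an unexpected uid, else None."""
    if ev.action != "allow":
        return None  # a denied bind never produced a listening socket
    for proto, lo, hi, uids in POLICY:
        if ev.proto == proto and lo <= ev.lport <= hi:
            if ev.uid in uids:
                return None
            return (f"rule {ev.rule}: uid {ev.uid} gid {ev.gid} pid {ev.pid} bound "
                    f"{proto}/{ev.lport} on {ev.laddr}; expected uid in {sorted(uids)}")
    return None  # port not covered by the policy


def audit(lines: Iterable[str]) -> List[str]:
    """Run every parsable audit line through the policy and collect findings."""
    findings = []
    for line in lines:
        ev = parse_bind_line(line)
        if ev is not None:
            finding = check_bind(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Sample input: the named lines from the page plus constructed ones.
SAMPLE_LOG = [
    "ipfw: 5000 Allow TCP 0.0.0.0:53 0.0.0.0:0 uid 67 gid 0 pid 1280 bind",
    "ipfw: 5000 Allow UDP 203.4.184.222:53 0.0.0.0:0 via ed0 uid 67 gid 0 pid 1280 bind",
    "ipfw: 5000 Allow UDP 127.0.0.1:53 0.0.0.0:0 via lo0 uid 67 gid 0 pid 1280 bind",
    # constructed: the ftp daemon binding a passive-mode data port (expected)
    "ipfw: 5000 Allow TCP 0.0.0.0:50010 0.0.0.0:0 uid 14 gid 14 pid 4242 bind",
    # constructed: an ordinary user grabbing a port in the same range (finding)
    "ipfw: 5000 Allow TCP 0.0.0.0:50011 0.0.0.0:0 uid 1001 gid 1001 pid 4243 bind",
    "Nov  1 02:05:00 bigbang kernel: unrelated line",  # constructed, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```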
From: Robert Watson
To: Alexey Dokuchaev
Cc: arch@freebsd.org, ipfw@freebsd.org
Subject: Re: Improvements to ipfw code (followup)
In-Reply-To: <20020219165630.A62749@cytherea.weblab.nsu.ru>
Date: Sun, 03 Jul 2005 00:05:24 -0000
X-Original-Date: Tue, 19 Feb 2002 11:40:03 -0500 (EST)

Just as a slight follow-up I should have included in my earlier e-mail: the
merging of ucred and pcred should make this patch now be able to support
real and saved uids/gids as well as effective uids/gids, meaning that it can
be used to also restrict setuid applications such as ping.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Tue, 19 Feb 2002, Alexey Dokuchaev wrote:

> Hello,
>
> Back in 1997, an email was sent to hackers@ about some substantial
> firewall code improvements, along with a patch, by Julian Assange. A PR
> (misc/2386) was then filed, but marked 'closed' shortly after submission
> due to a 'Misfiled PR' reason. It seems never to have raised any interest
> afterwards, despite the fact that this work is definitely worth
> considering.
>
> [...]
From: Alexey Dokuchaev
To: Robert Watson
Cc: arch@freebsd.org, ipfw@freebsd.org
Subject: Re: Improvements to ipfw code (followup)
Message-ID: <20020220093933.A78191@cytherea.weblab.nsu.ru>
In-Reply-To: ; from rwatson@freebsd.org on Tue, Feb 19, 2002 at 11:40:03AM -0500
Date: Sun, 03 Jul 2005 00:05:25 -0000
X-Original-Date: Wed, 20 Feb 2002 09:39:33 +0600

On Tue, Feb 19, 2002 at 11:40:03AM -0500, Robert Watson wrote:
> Just as a slight follow-up I should have included in my earlier e-mail:
> the merging of ucred and pcred should make this patch now be able to
> support real and saved uids/gids as well as effective uids/gids, meaning
> that it can be used to also restrict setuid applications such as ping.

Cool! Right now I am cleaning up this 5-year-old patch to catch up with the
current IPFW code, fixing possible bugs, and separating the optimizations
and features stuff for easier reviewing and testing. I like the idea of
supporting real and saved uids/gids as well as effective ones; I think I
will include this functionality as soon as I get the whole thing working
with current -CURRENT.

Regs,
Alexey Dokuchaev
From: Mark Linimon
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/71366: "ipfw fwd" sometimes rewrites destination mac address when it's not necessary (packet must not meet the rule)
Message-Id: <200409112324.i8BNOhVA063597@freefall.freebsd.org>
Date: Sun, 03 Jul 2005 00:19:54 -0000
X-Original-Date: Sat, 11 Sep 2004 23:24:43 GMT

Synopsis: "ipfw fwd" sometimes rewrites destination mac address when it's not necessary (packet must not meet the rule)

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Sep 11 23:24:30 GMT 2004
Responsible-Changed-Why:
Over to mailing list.

http://www.freebsd.org/cgi/query-pr.cgi?pr=71366
From: "Ari Suutari"
To: "Vincent Poy"
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Andre Oppermann, freebsd-ipfw@freebsd.org
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
Message-ID: <02d801c4c00d$24fc2a30$2508473e@sad.syncrontech.com>
Date: Sun, 03 Jul 2005 00:45:49 -0000
X-Original-Date: Mon, 1 Nov 2004 14:20:10 +0200

Hi,

> The counters for queue 1 keep increasing when I do an ftp out even for
> non-ACK packets, but the other counters for queues 2-4 don't move at
> all, so it seems like everything is going out one queue instead of what
> the rules actually say. I have one pipe configured as 480Kbit/sec,
> which is what rules 63005-63008 do.

Are you using IPsec?

        Ari S.
From: Vincent Poy
To: Ari Suutari
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Andre Oppermann, freebsd-ipfw@freebsd.org
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
Message-ID: <429af92e041101051357fc2384@mail.gmail.com>
In-Reply-To: <02d801c4c00d$24fc2a30$2508473e@sad.syncrontech.com>
Date: Sun, 03 Jul 2005 00:45:52 -0000
X-Original-Date: Mon, 1 Nov 2004 05:13:21 -0800

On Mon, 1 Nov 2004 14:20:10 +0200, Ari Suutari wrote:
> > The counters for queue 1 keep increasing when I do an ftp out even for
> > non-ACK packets, but the other counters for queues 2-4 don't move at
> > all, so it seems like everything is going out one queue instead of what
> > the rules actually say. I have one pipe configured as 480Kbit/sec,
> > which is what rules 63005-63008 do.
>
> Are you using IPsec?
>
> Ari S.

Nope... As you can see, I'm just using ipfw2 with dummynet for pipe/queue,
just for traffic shaping.

Cheers,
Vince
by mx1.FreeBSD.org (Postfix) with ESMTP id 8B53D43D76 for ; Mon, 1 Nov 2004 10:16:43 +0000 (GMT) (envelope-from vincepoy@gmail.com) Received: by rproxy.gmail.com with SMTP id 79so122441rnk for ; Mon, 01 Nov 2004 02:16:42 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=OIMXm/F7s+zHqKPDd5T9Ye1gtRbEALIg20gM+JjnGK7hrKcwvx7OULiUFup8IWbN2qZMQSI7cqhv1kBWxFr93LFe2TuVPZSylo6VxcTuqsuqEYyEVcwou8bNbfIRcrym5GQFJiJYU/OtbAu3qt79MnjefmPQGPNOY4RLCjB+Q3U= Received: by 10.38.150.78 with SMTP id x78mr646511rnd; Mon, 01 Nov 2004 02:16:42 -0800 (PST) Received: by 10.38.14.49 with HTTP; Mon, 1 Nov 2004 02:16:42 -0800 (PST) Message-ID: <429af92e041101021638e8598e@mail.gmail.com> From: Vincent Poy To: Ari Suutari In-Reply-To: <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: <200410300927.51286.ari@suutari.iki.fi> <429af92e04103118435b35f235@mail.gmail.com> <016901c4bfe5$77c19d90$2508473e@sad.syncrontech.com> X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Sender: owner-freebsd-net@freebsd.org Errors-To: owner-freebsd-net@freebsd.org X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on elvis.mu.org X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,RCVD_BY_IP autolearn=ham version=3.0.0 X-Spam-Level: Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Andre Oppermann , freebsd-ipfw@freebsd.org Subject: Re: ipfw and ipsec processing order for outgoing packets wrong X-BeenThere: freebsd-ipfw@freebsd.org Reply-To: Vincent Poy List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Sun, 03 Jul 2005 00:45:53 -0000 X-Original-Date: Mon, 1 Nov 2004 02:16:42 -0800 X-List-Received-Date: Sun, 03 Jul 2005 00:45:53 -0000 
Hi,

I don't know how to explain my problem, but it goes something like this...

root@bigbang [2:05am][/home/vince] >> ipfw show
00049 1557131 244839199 skipto 100 ip from 208.201.244.224/29 to any
00050 12072800468 917651580916 divert 8668 ip from any to any via xl0
00100 69518 8548222 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
63000 0 0 allow ip from any to 10.0.0.0/8 out
63001 0 0 allow ip from any to 172.16.0.0/12 out
63002 312 16048 allow ip from any to 192.168.0.0/16 out
63003 24237 2952214 allow ip from any to 208.201.244.224/29 out
63004 667879 129410867 queue 1 tcp from any to any tcpflags ack out
63005 1 40 queue 2 tcp from any to any dst-port 22,23 out
63006 38782 3364689 queue 2 udp from any to any not dst-port 80,443 out
63007 43021 2194871 queue 3 ip from any to any dst-port 80,443 out
63008 5467 405319 queue 4 ip from any to any out
65000 1795325 424479044 allow ip from any to any
65535 0 0 deny ip from any to any

The counters for queue 1 keep increasing when I do an ftp out, even for non-ACK packets, but the other counters for queues 2-4 don't move at all, so it seems like everything is going out one queue instead of what the rules actually say. I have one pipe configured as 480Kbit/sec, which is what rules 63005-63008 do. ipfw pipe show and ipfw queue show would seem normal, except that the Source IP and Destination IP are stuck with the first processed queue's information while only the counters for queue 1 update.

root@bigbang [2:12am][/home/vince] >> ipfw pipe show
00001: 480.000 Kbit/s 0 ms 50 sl. 0 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 100 pipe 1 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 208.201.244.226/3748 205.188.179.233/5190 673549 137223155 0 0 2303
q00002: weight 66 pipe 1 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 udp 208.201.244.225/1026 208.201.224.11/53 40022 3470523 0 0 0
q00003: weight 33 pipe 1 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 208.201.244.226/3750 199.181.132.105/80 43058 2196795 0 0 0
q00004: weight 1 pipe 1 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 208.201.244.226/3748 205.188.179.233/5190 5492 407173 0 0 0

root@bigbang [2:12am][/home/vince] >> ipfw queue show
q00001: weight 100 pipe 1 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 208.201.244.226/3748 205.188.179.233/5190 673550 137223195 0 0 2303
q00002: weight 66 pipe 1 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 udp 208.201.244.225/1026 208.201.224.11/53 40025 3470881 0 0 0
q00003: weight 33 pipe 1 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 208.201.244.226/3750 199.181.132.105/80 43058 2196795 0 0 0
q00004: weight 1 pipe 1 50 sl. 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 208.201.244.226/3748 205.188.179.233/5190 5493 407225 0 0 0

I don't know how else I would test this.
Cheers,
Vince

On Mon, 1 Nov 2004 09:35:58 +0200, Ari Suutari wrote:
> >I am experiencing the same problem as well when I updated from a March
> > 6, 2004 -CURRENT to the October 19, 2004 -CURRENT. The problem still
> > exists with the October 27, 2004 -CURRENT. I'm using ipfw/dummynet
> > for outgoing queues with the ACK packets having the highest priority
> > in its own queue. However, it seems like while the queues are there,
> > the information on ipfw queue show doesn't update at all as the Source
> > and Destination IP is still the same as the first packet after bootup
> > while the counters change but the ACK packets are not sent on its own
> > queue but rather with all other packets. I know it is related with
> > pfil_hook when ipfw was converted.
>
> This is not related to pfil_hook conversion. The problem is also present in
> FreeBSD 4.x-STABLE (just tested it). I think that the history of ipfw and ipsec
> interaction goes like this:
>
> - in the very beginning, a packet that was processed by ipsec didn't
>   hit ipfw at all in unencrypted form, ie. one was able to filter esp
>   and ah protocols only.
>
> - someone fixed this, apparently for incoming packets only, but
>   some folks were upset by the fact that they would have to add a rule
>   for unencrypted protocols into ipfw. At that time (in ipfw1), there was
>   possibility to check that unencrypted packet actually came from ipsec
>   (ie. ipfw ipsec flag wasn't implemented)
>
> - IPSEC_FILTERGIF option was added. If set, incoming packets go
>   through ipfw twice (encrypted and unencrypted). If not set, packets go
>   to ipfw only once (encrypted).
>
> Currently outgoing packets are always processed like IPSEC_FILTERGIF was
> not set (I like to have it set, because I need quite fine-grained firewalling
> even inside my ipsec tunnels, which are between different companies). What
> I was suggesting (ie. moving pfil_hook processing in ip_output before
> ipsec stuff) wasn't really correct: This change should be conditional based on
> IPSEC_FILTERGIF setting: The change I described should be done only
> when IPSEC_FILTERGIF is set.
>
> Now, ip_output is quite central part in ip stack. I would be happy if someone
> who knows that part better than me could implement this (I can sure test
> it easily).
>
> Ari S.
>
> > Cheers,
> > Vince
> >
> > On Sat, 30 Oct 2004 09:27:50 +0300, Ari Suutari wrote:
> >> Hi,
> >>
> >> I noticed that processing order of ipsec and ipfw (pfil_hook) is not
> >> correct for outgoing packets. Currently, ipsec processing is done first,
> >> which makes packets go through without firewall inspection.
> >> This might be a security problem for someone, but at least it
> >> breaks stateful rule handling.
> >>
> >> My test setup is (all freebsd 5.3-rc1 machines):
> >>
> >> freebsd laptop <-> ipsec tunnel <-> freebsd server
> >>
> >> When server sends packet to laptop, it now goes like this:
> >>
> >> ip_output -> ipsec -> ip_output -> ipfw -> network
> >>
> >> It should go like this:
> >>
> >> ip_output -> ipfw -> ipsec -> ip_output -> ipfw -> network
> >>
> >> I think that this could be fixed by just moving pfil_hook
> >> processing in ip_output before ipsec processing.
> >>
> >> Ari S.
> >> > >> _______________________________________________ > >> freebsd-current@freebsd.org mailing list > >> http://lists.freebsd.org/mailman/listinfo/freebsd-current > >> To unsubscribe, send any mail to > >> "freebsd-current-unsubscribe@freebsd.org" > >> > >> > > > > _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 3 00:49:21 2005 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B224D16A428; Sun, 3 Jul 2005 00:49:21 +0000 (GMT) (envelope-from ps@mu.org) Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id 19C2044AC5; Sun, 3 Jul 2005 00:31:17 +0000 (GMT) (envelope-from ps@mu.org) Received: by elvis.mu.org (Postfix, from userid 1000) id D5CA2655C8; Sat, 2 Jul 2005 17:29:15 -0700 (PDT) X-Original-To: ps@mu.org Delivered-To: ps@mu.org Received: from mx2.freebsd.org (mx2.freebsd.org [216.136.204.119]) by elvis.mu.org (Postfix) with ESMTP id D89F45C9AD for ; Wed, 3 Nov 2004 14:19:48 -0800 (PST) Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18]) by mx2.freebsd.org (Postfix) with ESMTP id A6CB3570D1; Wed, 3 Nov 2004 22:18:36 +0000 (GMT) (envelope-from owner-freebsd-current@freebsd.org) Received: from hub.freebsd.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 3664716A4D4; Wed, 3 Nov 2004 22:18:35 +0000 (GMT) Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9ADA316A4CF; Wed, 3 Nov 2004 22:18:29 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7637243D53; Wed, 
3 Nov 2004 22:18:29 +0000 (GMT) (envelope-from csjp@freebsd.org) Received: from freefall.freebsd.org (csjp@localhost [127.0.0.1]) iA3MIT3O060466; Wed, 3 Nov 2004 22:18:29 GMT (envelope-from csjp@freebsd.org) Received: (from csjp@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id iA3MIT0Q060465; Wed, 3 Nov 2004 22:18:29 GMT (envelope-from csjp@freebsd.org) X-Authentication-Warning: freefall.freebsd.org: csjp set sender to csjp@freebsd.org using -f From: "Christian S.J. Peron" To: ipfw@freebsd.org Message-ID: <20041103221829.GA60132@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Sender: owner-freebsd-current@freebsd.org Errors-To: owner-freebsd-current@freebsd.org X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on elvis.mu.org X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.0 X-Spam-Level: Cc: current@freebsd.org, net@freebsd.org Subject: [PATCH] testers wanted X-BeenThere: freebsd-ipfw@freebsd.org List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Sun, 03 Jul 2005 00:49:21 -0000 X-Original-Date: Wed, 3 Nov 2004 22:18:29 +0000 X-List-Received-Date: Sun, 03 Jul 2005 00:49:21 -0000
I have generated a patch which appears to solve the lock ordering issues associated with ucred based filtering which result in hard locks (while mpsafenet=1). This patch basically implements a shared locking mechanism.

http://people.freebsd.org/~csjp/ip_fw2.c.1099500281.diff

It would be appreciated if interested parties could download it, load a large number of rules and try to manipulate (delete/add) rules under high loads.

Thanks!

--
Christian S.J.
Peron csjp@FreeBSD.ORG FreeBSD Committer _______________________________________________ freebsd-current@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 3 01:03:59 2005 Return-Path: X-Original-To: freebsd-ipfw@FreeBSD.org Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6885F16A5FC; Sun, 3 Jul 2005 01:03:10 +0000 (GMT) (envelope-from ps@mu.org) Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id B14FF443A4; Sun, 3 Jul 2005 00:56:01 +0000 (GMT) (envelope-from ps@mu.org) Received: by elvis.mu.org (Postfix, from userid 1000) id 1BDBC609A3; Sat, 2 Jul 2005 17:15:32 -0700 (PDT) X-Original-To: ps@mu.org Delivered-To: ps@mu.org Received: from mx2.freebsd.org (mx2.freebsd.org [216.136.204.119]) by elvis.mu.org (Postfix) with ESMTP id BC8DC5CA1A for ; Tue, 10 May 2005 06:22:02 -0700 (PDT) Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18]) by mx2.freebsd.org (Postfix) with ESMTP id 3B1EF56E93; Tue, 10 May 2005 13:21:36 +0000 (GMT) (envelope-from owner-freebsd-bugs@freebsd.org) Received: from hub.freebsd.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 05D4016A4F8; Tue, 10 May 2005 13:21:31 +0000 (GMT) Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1472D16A4CE; Tue, 10 May 2005 13:21:20 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id E190843D5E; Tue, 10 May 2005 13:21:19 +0000 (GMT) (envelope-from arved@FreeBSD.org) Received: from freefall.freebsd.org (arved@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j4ADLJal051613; Tue, 
10 May 2005 13:21:19 GMT (envelope-from arved@freefall.freebsd.org) Received: (from arved@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j4ADLJEb051609; Tue, 10 May 2005 13:21:19 GMT (envelope-from arved) From: Tilman Linneweh Message-Id: <200505101321.j4ADLJEb051609@freefall.freebsd.org> To: arved@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Sender: owner-freebsd-bugs@freebsd.org Errors-To: owner-freebsd-bugs@freebsd.org X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on elvis.mu.org X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00 autolearn=ham version=3.0.2 X-Spam-Level: Cc: Subject: Re: kern/76971: ipfw antispoof incorrectly blocks broadcasts X-BeenThere: freebsd-ipfw@freebsd.org List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Sun, 03 Jul 2005 01:03:59 -0000 X-Original-Date: Tue, 10 May 2005 13:21:19 GMT X-List-Received-Date: Sun, 03 Jul 2005 01:03:59 -0000 Synopsis: ipfw antispoof incorrectly blocks broadcasts Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw Responsible-Changed-By: arved Responsible-Changed-When: Tue May 10 13:20:47 GMT 2005 Responsible-Changed-Why: Over to freebsd-ipfw mailinglist http://www.freebsd.org/cgi/query-pr.cgi?pr=76971 _______________________________________________ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 4 11:02:16 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1613316A41C for ; Mon, 4 Jul 2005 11:02:16 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org 
(freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 040E443D53 for ; Mon, 4 Jul 2005 11:02:16 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j64B2F4F034541 for ; Mon, 4 Jul 2005 11:02:15 GMT (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j64B2Esg034535 for freebsd-ipfw@freebsd.org; Mon, 4 Jul 2005 11:02:14 GMT (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 4 Jul 2005 11:02:14 GMT Message-Id: <200507041102.j64B2Esg034535@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: FreeBSD bugmaster To: freebsd-ipfw@FreeBSD.org Cc: Subject: Current problem reports assigned to you X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Jul 2005 11:02:16 -0000
Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/11]  bin/80913   ipfw   /sbin/ipfw2 silently discards MAC addr ar

1 problem total.

Non-critical problems
S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2004/10/29]  kern/73276  ipfw   ipfw2 vulnerability (parser error)
o [2005/02/01]  kern/76971  ipfw   ipfw antispoof incorrectly blocks broadca
o [2005/05/05]  kern/80642  ipfw   [patch] IPFW small patch - new RULE OPTIO
o [2005/06/28]  kern/82724  ipfw   Add setnexthop and defaultroute features

4 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 4 11:02:53 2005 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C77A416A41C for ; Mon, 4 Jul 2005 11:02:53 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B164B43D58 for ; Mon, 4 Jul 2005 11:02:53 +0000 (GMT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j64B2rdF035064 for ; Mon, 4 Jul 2005 11:02:53 GMT (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j64B2qUe035058 for ipfw@freebsd.org; Mon, 4 Jul 2005 11:02:52 GMT (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 4 Jul 2005 11:02:52 GMT Message-Id: <200507041102.j64B2qUe035058@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: FreeBSD bugmaster To: ipfw@FreeBSD.org Cc: Subject: Current problem reports assigned to you X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Jul 2005 11:02:53 -0000
Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11]  kern/60154  ipfw   ipfw core (crash)
o [2004/03/03]  kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25]  kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13]  kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19]  kern/74104  ipfw   ipfw2/1 conflict not detected or reported
f [2004/12/25]  i386/75483  ipfw   ipfw count does not count

8 problems total.

Non-critical problems
S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10]  kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11]  kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09]  bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26]  kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30]  kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03]  kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04]  kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 4 14:44:40 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A405016A41C for ; Mon, 4 Jul 2005 14:44:40 +0000 (GMT) (envelope-from scuba@centroin.com.br) Received: from gorgo.centroin.com.br (gorgo.centroin.com.br [200.225.63.128]) by mx1.FreeBSD.org (Postfix) with ESMTP id 144DA43D46 for ; Mon, 4 Jul 2005 14:44:39 +0000 (GMT) (envelope-from scuba@centroin.com.br) Received: from hypselo.centroin.com.br (hypselo.centroin.com.br [200.225.63.1]) by gorgo.centroin.com.br (8.12.10/8.12.9) with ESMTP id j64EibDt015853 for ; Mon, 4 Jul 2005 11:44:37 -0300 (EST) Date: Mon, 4 Jul 2005 11:44:37 -0300 (EST) From: Sender: To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: State table X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Jul 2005 14:44:40 -0000 Hi, How can I estimate the amount of memory allocated to the state table of the ipfw. Anyway, is there an option to limit it? 
Thank you,
- Marcelo

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 4 20:56:07 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3366416A41C for ; Mon, 4 Jul 2005 20:56:07 +0000 (GMT) (envelope-from vladone@llwb135.servidoresdns.net) Received: from llwb135.servidoresdns.net (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id EAA9443D45 for ; Mon, 4 Jul 2005 20:56:06 +0000 (GMT) (envelope-from vladone@llwb135.servidoresdns.net) Received: from SERVEREL (unknown [81.12.246.122]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by llwb135.servidoresdns.net (Postfix) with ESMTP id E85E924C807 for ; Mon, 4 Jul 2005 22:47:50 +0200 (CEST) Date: Mon, 4 Jul 2005 23:56:23 +0300 From: vladone X-Mailer: The Bat! (v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <1923761414.20050704235623@llwb135.servidoresdns.net> To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: corect order for ipfw rules X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Jul 2005 20:56:07 -0000
Hi!

I want to build a FreeBSD gateway. I have configured all I need, but I don't understand something. What is the correct order for ipfw? I have a rule that diverts traffic, e.g.:

add 50 divert natd all from any to any via rl0

I want to put in firewall rules to block some traffic or ports. I want to build some pipes with queues. What is the correct order to filter traffic?
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 5 11:49:47 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CEC3216A41C for ; Tue, 5 Jul 2005 11:49:47 +0000 (GMT) (envelope-from vladone@llwb135.servidoresdns.net) Received: from llwb135.servidoresdns.net (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8FD5143D46 for ; Tue, 5 Jul 2005 11:49:47 +0000 (GMT) (envelope-from vladone@llwb135.servidoresdns.net) Received: from SERVEREL (unknown [81.12.246.122]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by llwb135.servidoresdns.net (Postfix) with ESMTP id 0198224C841 for ; Tue, 5 Jul 2005 13:41:26 +0200 (CEST) Date: Tue, 5 Jul 2005 14:50:04 +0300 From: vladone X-Mailer: The Bat! (v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <1904693964.20050705145004@llwb135.servidoresdns.net> To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: rules to permit only few MAC address X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Jul 2005 11:49:47 -0000
I want to permit only a few MAC addresses to pass through my gateway. I put these lines in my script:

ipfw -q -f flush
cmd="/sbin/ipfw -q"
oif="rl0"
pif="fxp1"

$cmd add 110 skipto 5000 MAC any 00:0e:a6:81:40:3e in via $pif
$cmd add 120 skipto 5000 MAC any 00:50:8b:6b:0c:b2 in via $pif
..............................................................
$cmd add 500 deny log MAC any any in via $pif

$cmd add 5000 divert natd all from any to any via $oif

but it does not work (it blocks legitimate traffic). How can I do this job?
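Added example, not code posted by anyone in this thread: one ipfw script that covers both of the questions above, the order in which divert natd, filtering and dummynet queues should appear, and a layer-2 whitelist of the two MAC addresses from the script above. The interface names rl0 and fxp1 are taken from the posted scripts; the LAN 192.168.1.0/24, the service ports, the 480 Kbit/s pipe and the queue weights are assumptions. It expects FreeBSD 5.x ipfw2 with the stock net.inet.ip.fw.one_pass=1, natd on its default divert port, and net.link.ether.ipfw=1 (set by the script's load action), without which ipfw never sees a frame and MAC rules match nothing. The dry-run mode is there so the order can be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.  An ipfw ruleset
# for a FreeBSD 5.x NAT gateway that admits only listed MAC addresses from
# the LAN (layer 2) and orders divert natd, the filter and dummynet queues so
# that each stage sees what it expects (layer 3).
# Assumptions: rl0 faces the Internet, fxp1 faces the LAN 192.168.1.0/24,
# natd listens on the default divert port, net.inet.ip.fw.one_pass=1 (the
# default: a queue rule is terminal, the shaped packet does not come back to
# the rule list), and net.link.ether.ipfw=1 so that ipfw sees frames at all.
# Usage: "sh gw.sh load" applies the rules, "sh gw.sh show" prints them.

oif=rl0
iif=fxp1
lan=192.168.1.0/24
allowed_macs="00:0e:a6:81:40:3e 00:50:8b:6b:0c:b2"   # the two from the question
IPFW=${IPFW:-/sbin/ipfw}

fw() {
    # Run one ipfw subcommand, or only print it when IPFW_DRY_RUN=1.
    if [ "${IPFW_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$IPFW" -q "$@"
    fi
}

load_rules() {
    fw -f flush
    fw pipe 1 config bw 480Kbit/s
    fw queue 1 config pipe 1 weight 90      # interactive traffic
    fw queue 2 config pipe 1 weight 10      # bulk traffic

    # Layer 2.  Every frame passes here (in and out) and the same packet then
    # comes back as an IP packet, so an "allow" here only ends the layer-2
    # pass.  Rule 100 sends the IP passes straight to the layer-3 section.
    fw add 100 skipto 1000 ip from any to any not layer2
    # "ip from any to any" is a wildcard on frames, so this matches ARP as
    # well as IP from the listed source MACs.  Anything else from the LAN is
    # dropped before it can become an IP packet at all.
    for mac in $allowed_macs; do
        fw add 200 allow ip from any to any MAC any $mac in recv $iif layer2
    done
    fw add 210 deny log ip from any to any in recv $iif layer2
    fw add 220 allow ip from any to any layer2     # lo0, rl0 and outbound frames

    # Layer 3.
    fw add 1000 allow ip from any to any via lo0
    fw add 1010 deny ip from any to 127.0.0.0/8
    fw add 1020 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing on the outside interface, before NAT sees the packet.
    fw add 1100 deny log ip from 10.0.0.0/8 to any in via $oif
    fw add 1110 deny log ip from 172.16.0.0/12 to any in via $oif
    fw add 1120 deny log ip from 192.168.0.0/16 to any in via $oif
    # Policy that must see real LAN addresses goes on the inside interface,
    # where nothing has been translated yet.
    fw add 1200 deny log tcp from $lan to any 25 in via $iif   # no direct SMTP
    fw add 1210 deny log ip from not $lan to any in via $iif   # LAN may not spoof
    fw add 1220 allow ip from $lan to any in via $iif
    # NAT.  natd re-injects the translated packet and ipfw resumes at the rule
    # after 1300: from here on, outbound packets carry the public source
    # address and inbound packets already carry their LAN destination.
    fw add 1300 divert natd ip from any to any via $oif
    # Outbound traffic was filtered by 1200-1220; jump to the shaping section
    # instead of using "allow", which would end the search before the queue.
    fw add 1400 skipto 2000 ip from any to any out via $oif
    # Inbound on the outside interface, stateless handbook style (anything
    # sourced from port 53 gets in; keep-state is tighter, but state and natd
    # only agree if the state is created and checked on the same side of the
    # divert).
    fw add 1500 allow tcp from any to any established in via $oif
    fw add 1510 allow tcp from any to $lan 22 in via $oif setup    # published ssh
    fw add 1520 allow udp from any 53 to any in via $oif
    fw add 1530 allow icmp from any to any icmptypes 0,3,11 in via $oif
    fw add 1540 deny log ip from any to any in via $oif
    fw add 1600 allow ip from any to $lan out via $iif
    # Shaping last, and terminal.  Classify by port: "tcpflags ack" would
    # match every segment of an established connection, not just bare ACKs.
    fw add 2000 queue 1 tcp from any to any 22,53 out via $oif
    fw add 2010 queue 1 udp from any to any 53 out via $oif
    fw add 2020 queue 2 ip from any to any out via $oif
}

rule_number_of() {
    # Number of the first rule whose action is $1, taken from a dry run, so
    # the order (e.g. divert before queue) can be checked before loading.
    IPFW_DRY_RUN=1 load_rules |
        awk -v act="$1" '$1 == "add" && $3 == act { print $2; exit }'
}

case "${1:-}" in
    load) sysctl net.link.ether.ipfw=1 >/dev/null && load_rules ;;
    show) IPFW_DRY_RUN=1 load_rules ;;
esac
```

The layout is the point: rule 100 keeps the layer-2 pass apart from the IP passes, so the MAC rules only ever see frames and a frame from an unlisted MAC is dropped before it becomes an IP packet; inside-interface policy runs before the divert, where LAN addresses are still untranslated; the divert comes before the outside-interface filter, so inbound rules match on LAN destinations; and the shaping section is reached through skipto rather than being placed after an allow, because allow ends the search and the queue rule would never be hit.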
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 5 17:56:02 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B8EAD16A41C for ; Tue, 5 Jul 2005 17:56:02 +0000 (GMT) (envelope-from RoKlein@roklein.de) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183]) by mx1.FreeBSD.org (Postfix) with ESMTP id 508C843D46 for ; Tue, 5 Jul 2005 17:56:02 +0000 (GMT) (envelope-from RoKlein@roklein.de) Received: from p54A92A8C.dip0.t-ipconnect.de [84.169.42.140] (helo=[192.168.254.148]) by mrelayeu.kundenserver.de with ESMTP (Nemesis), id 0ML2Dk-1DpreI1TBP-00066l; Tue, 05 Jul 2005 19:55:58 +0200 Message-ID: <42CAC9AA.9040708@roklein.de> Date: Tue, 05 Jul 2005 19:55:54 +0200 From: Robert Klein User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) X-Accept-Language: de-DE, de, en-us, en MIME-Version: 1.0 To: vladone References: <1904693964.20050705145004@llwb135.servidoresdns.net> In-Reply-To: <1904693964.20050705145004@llwb135.servidoresdns.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: kundenserver.de abuse@kundenserver.de login:ed18d71deac0f49a40655750752d3db9 Cc: freebsd-ipfw@freebsd.org Subject: Re: rules to permit only few MAC address X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Jul 2005 17:56:02 -0000
vladone wrote:
>I want to permit only a few MAC addresses to pass through my gateway.
>I put these lines in my script:
>ipfw -q -f flush
>cmd="/sbin/ipfw -q"
>oif="rl0"
>pif="fxp1"
>
>$cmd add 110 skipto 5000 MAC any 00:0e:a6:81:40:3e in via $pif
>$cmd add 120 skipto 5000 MAC any 00:50:8b:6b:0c:b2 in via $pif
>..............................................................
>$cmd add 500 deny log MAC any any in via $pif
>
>$cmd add 5000 divert natd all from any to any via $oif
>
>but it does not work (it blocks legitimate traffic). How can I do this job?
>
>
mmm, if I'm right, network traffic passes through IPFW2 twice, first on layer 2 and later on layer 3, so you have to allow traffic on layer three...

ok, the interface was an fxp a long time ago, so I still use $FXP, though the interface is an em, now.....:P

Here's a part of my code:

#!/bin/sh
IPFW=/sbin/ipfw
ALL="add allow MAC any "
FXP="in via em0"

$IPFW -q flush
$IPFW -q pipe flush

# allow everything not on layer 2
$IPFW add allow all from any to any not layer2

# localhost traffic
$IPFW add allow layer2 via lo0

# outbound interface
$IPFW add allow layer2 via tun0

# out via em0;
$IPFW add allow layer2 out via em0

# in via em0; hostile internal network
$IPFW $ALL xx:xx:xx:xx:xx:xx $FXP
$IPFW $ALL yy:yy:yy:yy:yy:yy $FXP
....
$IPFW add deny log logamount 0 MAC any any $FXP

regards,
Robert

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 5 18:18:21 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C1D816A41C for ; Tue, 5 Jul 2005 18:18:21 +0000 (GMT) (envelope-from jsimola@gmail.com) Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.195]) by mx1.FreeBSD.org (Postfix) with ESMTP id 35B0743D49 for ; Tue, 5 Jul 2005 18:18:21 +0000 (GMT) (envelope-from jsimola@gmail.com) Received: by wproxy.gmail.com with SMTP id 36so959141wra for ; Tue, 05 Jul 2005 11:18:20 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
b=F7WnYTqRG9FHrauMIp0uMvBCK39we+xza0fiU8ks8t2F2K7eSROiUBTz6plNgwC/GEvogtgUSHdFAJS4MlLoUR4I/ldcKPFXldS7H+tbWy6PLDWp+YUVoC0fPjesFtG9v9vxcRERgntFSIIBwVJJFRuBaf+ehSJALEm8K7eP7Ok= Received: by 10.54.2.42 with SMTP id 42mr344532wrb; Tue, 05 Jul 2005 11:18:20 -0700 (PDT) Received: by 10.54.39.65 with HTTP; Tue, 5 Jul 2005 11:18:20 -0700 (PDT) Message-ID: <8eea04080507051118692d783c@mail.gmail.com> Date: Tue, 5 Jul 2005 11:18:20 -0700 From: Jon Simola To: freebsd-ipfw@freebsd.org In-Reply-To: <1904693964.20050705145004@llwb135.servidoresdns.net> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <1904693964.20050705145004@llwb135.servidoresdns.net> Subject: Re: rules to permit only few MAC address X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: jon@abccomm.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Jul 2005 18:18:21 -0000 On 7/5/05, vladone wrote: > I want to permit only few MAC address to pass on my gateway. 
MAC filtering is done at layer 2, so you need to allow ipfw access to the layer 2 packets via

sysctl -w net.link.ether.ipfw=1

And you may desire rules to only allow arp from certain machines, like:

allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2

And traffic, like:

allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2

Because you're going to have packets traversing ipfw up to 4 times (layer2 in, layer3 in, layer3 out, layer2 out) you might want to split your firewall rules for efficiency, something like:

50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
70 skipto 14000 ip from any to any in recv fxp1 layer2 // ether traffic inbound fxp1
80 skipto 16000 ip from any to any in recv fxp0 layer2 // ether traffic inbound fxp0

I've done similar things in the past. Hopefully this gives you some ideas.

-- 
Jon Simola
Systems Administrator
ABC Communications

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 5 20:29:05 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2959716A41C for ; Tue, 5 Jul 2005 20:29:05 +0000 (GMT) (envelope-from vladone@llwb135.servidoresdns.net) Received: from llwb135.servidoresdns.net (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id B940443D45 for ; Tue, 5 Jul 2005 20:29:04 +0000 (GMT) (envelope-from vladone@llwb135.servidoresdns.net) Received: from SERVEREL (unknown [81.12.246.122]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by llwb135.servidoresdns.net (Postfix) with ESMTP id 2AB5424C85C for ; Tue, 5 Jul 2005 22:20:41 +0200 (CEST) Date: Tue, 5 Jul 2005 23:29:25 +0300 From: vladone X-Mailer: The Bat!
(v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <598121599.20050705232925@llwb135.servidoresdns.net> To: freebsd-ipfw@freebsd.org In-Reply-To: <8eea04080507051118692d783c@mail.gmail.com> References: <1904693964.20050705145004@llwb135.servidoresdns.net> <8eea04080507051118692d783c@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: rules to permit only few MAC address X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Jul 2005 20:29:05 -0000
Hello Jon,

Tuesday, July 5, 2005, 9:18:20 PM, you wrote:

> On 7/5/05, vladone wrote:
>> I want to permit only few MAC address to pass on my gateway.

> MAC filtering is done at layer 2, so you need to allow ipfw access to
> the layer 2 packets via
> sysctl -w net.link.ether.ipfw=1

> And you may desire rules to only allow arp from certain machines, like:
> allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2

> And traffic, like:
> allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2

> Because you're going to have packets traversing ipfw up to 4 times
> (layer2 in, layer3 in, layer3 out, layer2 out) you might want to split
> your firewall rules for efficiency, something like:

> 50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
> 60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
> 70 skipto 14000 ip from any to any in recv fxp1 layer2 // ether traffic inbound fxp1
> 80 skipto 16000 ip from any to any in recv fxp0 layer2 // ether traffic inbound fxp0

> I've done similar things in the past. Hopefully this gives you some ideas.

Thanks! Now it seems to be ok. But I don't know how mac-type works. I see different addresses passed as the parameter, like mac-type 0x809b or mac-type 0x80f3 or mac-type 0x0023 ....

-- 
Best regards,
vladone mailto:vladone@llwb135.servidoresdns.net

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 5 22:19:47 2005 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 03BB516A41C for ; Tue, 5 Jul 2005 22:19:47 +0000 (GMT) (envelope-from vitadiaz@gmail.com) Received: from smtp207.mail.sc5.yahoo.com (smtp207.mail.sc5.yahoo.com [216.136.129.97]) by mx1.FreeBSD.org (Postfix) with SMTP id D904143D48 for ; Tue, 5 Jul 2005 22:19:46 +0000 (GMT) (envelope-from vitadiaz@gmail.com) Received: (qmail 86493 invoked from network); 5 Jul 2005 22:00:34 -0000 Received: from unknown (HELO ?10.30.10.10?) (vitadiazlistas@201.252.161.141 with plain) by smtp207.mail.sc5.yahoo.com with SMTP; 5 Jul 2005 22:00:33 -0000 Message-ID: <42CB02FB.108@gmail.com> Date: Tue, 05 Jul 2005 19:00:27 -0300 From: vita gmail User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050403) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org References: <1904693964.20050705145004@llwb135.servidoresdns.net> <8eea04080507051118692d783c@mail.gmail.com> <598121599.20050705232925@llwb135.servidoresdns.net> In-Reply-To: <598121599.20050705232925@llwb135.servidoresdns.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: rules to permit only few MAC address X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Jul 2005 22:19:47 -0000
Excuse me, I am very interested in learning how to allow and deny MAC addresses in my network; I have a LAN and a WLAN, and with that I would solve the problem of unauthorized access. What has been written so far does not clear up my doubt about how to do access control by MAC. Could you explain the subject a little more, since after that I have to build the firewall? In Robert Klein's answer it appears that MAC control is done at layer 2 and layer 3; in the other mail that does not appear. The example helps, but I still do not manage to understand how to build the firewall from that data. Thanks in advance to everyone. Excuse me, my English is from a translator.

vladone wrote:
> Hello Jon,
>
> Tuesday, July 5, 2005, 9:18:20 PM, you wrote:
>
>>On 7/5/05, vladone wrote:
>
>>>I want to permit only few MAC address to pass on my gateway.
>
>>MAC filtering is done at layer 2, so you need to allow ipfw access to
>>the layer 2 packets via
>>sysctl -w net.link.ether.ipfw=1
>
>>And you may desire rules to only allow arp from certain machines, like:
>>allow ip from any to any mac-type 0x0806 MAC any 00:11:22:33:44:55 in recv fxp1 layer2
>
>>And traffic, like:
>>allow ip from any to any MAC any 00:11:22:33:44:55 in recv fxp1 layer2
>
>>Because you're going to have packets traversing ipfw up to 4 times
>>(layer2 in, layer3 in, layer3 out, layer2 out) you might want to split
>>your firewall rules for efficiency, something like:
>
>>50 skipto 10000 ip from any to any in recv fxp1 not layer2 // ip traffic inbound fxp1
>>60 skipto 12000 ip from any to any in recv fxp0 not layer2 // ip traffic inbound fxp0
>>70 skipto 14000 ip from any to any in recv fxp1 layer2 // ether traffic inbound fxp1
>>80 skipto 16000 ip from any to any in recv fxp0 layer2 // ether traffic inbound fxp0
>
>>I've done similar things in the past. Hopefully this gives you some ideas.
>
> Thanks! Now it seems to be ok. But I don't know how mac-type works. I
> see different addresses passed as the parameter, like mac-type 0x809b or mac-type 0x80f3 or
> mac-type 0x0023 ....
___________________________________________________________
1GB gratis, Antivirus y Antispam
Correo Yahoo!, el mejor correo web del mundo
http://correo.yahoo.com.ar

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 6 10:42:49 2005
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 433D516A41C for ; Wed, 6 Jul 2005 10:42:49 +0000 (GMT) (envelope-from vladone@llwb135.servidoresdns.net) Received: from llwb135.servidoresdns.net (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id EE7E143D4C for ; Wed, 6 Jul 2005 10:42:46 +0000 (GMT) (envelope-from vladone@llwb135.servidoresdns.net) Received: from SERVEREL (unknown [81.12.246.122]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by llwb135.servidoresdns.net (Postfix) with ESMTP id E244E24C734 for ; Wed, 6 Jul 2005 12:34:18 +0200 (CEST) Date: Wed, 6 Jul 2005 13:43:04 +0300 From: vladone X-Mailer: The Bat! (v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <163992892.20050706134304@llwb135.servidoresdns.net> To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: can't limit uploading traffic X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jul 2005 10:42:49 -0000

I have this script:

    #!/bin/sh
    cmd="/sbin/ipfw -q"
    # external interface
    oif="rl0"
    # internal interface
    pif="fxp1"
    down_bw="100kbit/s"
    up_bw="70kbit/s"
    # flush rules
    $cmd flush
    $cmd pipe flush
    # one dummynet pipe for the upload bandwidth, with one queue feeding it
    $cmd pipe 2 config bw $up_bw
    $cmd queue 1 config pipe 2 weight 20
    $cmd add 100 queue 1 ip from any to any in via $pif
    # divert through natd
    $cmd add 10500 divert natd ip from any to any via $oif

If I use:

    $cmd add 100 queue 1 ip from any to any in via $pif

I get a limit at half the total bandwidth (approximately 40kbit/s). If I use:

    $cmd add 100 queue 1 ip from any to any out xmit $oif

it blocks my traffic through the gateway. If I use:

    $cmd add 100 queue 1 ip from any to any out via $oif

it also blocks my traffic. How can I resolve this?
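An added example, not vladone's script and not a reply from the list: the same natd gateway with the upload shaped on the external interface. The interface names and bandwidths are taken from the post; the rule order and the net.inet.ip.fw.one_pass sysctl are the point. With one_pass=1 (the FreeBSD default) a packet that leaves a dummynet pipe or queue is accepted immediately and does not pass through the remaining rules, so a packet queued at rule 100 never reaches the divert natd rule at 10500 and leaves rl0 with its private source address. Putting NAT before the shaping rule avoids that; setting one_pass=0 makes dummynet hand the packet back to the rule after the queue, so the order no longer matters. The script only prints the commands when /sbin/ipfw is absent or IPFW_DRY_RUN is set, so it can be read on any system.

```shell
#!/bin/sh
# Added example (not from the original post): shape uploads on a natd gateway.
# Interfaces and bandwidths are the post's; rule numbers are assumptions.

oif="rl0"            # external interface (the natd side)
pif="fxp1"           # internal (LAN) interface
up_bw="70Kbit/s"
down_bw="100Kbit/s"

# Execute the command when ipfw is available, otherwise print it (dry run).
run() {
    if [ -z "$IPFW_DRY_RUN" ] && [ -x /sbin/ipfw ]; then
        "$@"
    else
        echo "$*"
    fi
}
fw() { run /sbin/ipfw -q "$@"; }

load_rules() {
    fw flush
    fw pipe flush

    # With one_pass=1 (default) a packet leaving a pipe/queue is accepted at
    # once and skips every later rule; with 0 it re-enters at the next rule.
    run sysctl net.inet.ip.fw.one_pass=0

    fw pipe 1 config bw "$up_bw"          # upload pipe
    fw pipe 2 config bw "$down_bw"        # download pipe
    fw queue 1 config pipe 1 weight 20    # queue feeding the upload pipe

    # NAT first, on both passes through the external interface, so the
    # shaped packet has already been rewritten when it is queued.
    fw add 100 divert natd ip from any to any via "$oif"

    # Upload: only what actually leaves the external interface. Matching
    # "in via fxp1" instead would also shape traffic addressed to the gateway
    # itself and the ACKs of downloads, which all arrive on fxp1.
    fw add 200 queue 1 ip from any to any out xmit "$oif"

    # Download: after natd has rewritten the destination, on the way to the LAN.
    fw add 300 pipe 2 ip from any to any out xmit "$pif"

    fw add 65000 allow ip from any to any
}

load_rules
```

Run it as root on the gateway to load the rules, or with IPFW_DRY_RUN=1 anywhere to see the exact ipfw commands it would issue.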
From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 8 15:22:34 2005
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F69716A41C for ; Fri, 8 Jul 2005 15:22:34 +0000 (GMT) (envelope-from vitadiazlistas@yahoo.com.ar) Received: from smtp204.mail.sc5.yahoo.com (smtp204.mail.sc5.yahoo.com [216.136.130.127]) by mx1.FreeBSD.org (Postfix) with SMTP id 4463D43D45 for ; Fri, 8 Jul 2005 15:22:34 +0000 (GMT) (envelope-from vitadiazlistas@yahoo.com.ar) Received: (qmail 99397 invoked from network); 8 Jul 2005 15:22:33 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com.ar; h=Received:Message-ID:Date:From:User-Agent:X-Accept-Language:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=EWIYbKsz1MKqVJ3BgxqoZ7wom50WwhSjtG8edD63pejA+caJp9bNtgdz9/2n9N5tZWJ9F3Uh2IjeVYb8mXiX/LA2K6k6V36MAQWOQY+QdK8WKpyDCflwnvPzFwb1ZREuqM9yhBpSZFMlm59DK1rFZXFV6vo9uVkmi37kr+sBlek= ; Received: from unknown (HELO ?10.30.10.10?) (vitadiazlistas@201.252.161.141 with plain) by smtp204.mail.sc5.yahoo.com with SMTP; 8 Jul 2005 15:22:32 -0000 Message-ID: <42CE9A32.50806@yahoo.com.ar> Date: Fri, 08 Jul 2005 12:22:26 -0300 From: vitadiazlistas User-Agent: Mozilla Thunderbird 1.0.2 (X11/20050403) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org References: <1904693964.20050705145004@llwb135.servidoresdns.net> <8eea04080507051118692d783c@mail.gmail.com> <598121599.20050705232925@llwb135.servidoresdns.net> <42CB02FB.108@gmail.com> In-Reply-To: <42CB02FB.108@gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: rules to permit only few MAC address X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Jul 2005 15:22:34 -0000

Excuse me, I am very interested in learning how to allow and deny MACs on my network, since I have a LAN and a WLAN, and with that I would solve the issue of unauthorized access.

What has been written does not resolve my doubt about being able to control access by MAC; could you explain the subject a little more, since after that I have to build the firewall. In a reply by Robert Klein it is said that control by MAC is done from layer 2 and layer 3; in the other mail it does not appear. The example is useful, but I cannot manage to understand how to build the firewall with those data.

Thanks in advance to all. Excuse my English, it is from a translator.
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 9 08:40:35 2005
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0E18216A41C for ; Sat, 9 Jul 2005 08:40:35 +0000 (GMT) (envelope-from big@kuwaitnet.net) Received: from orbit.kuwaitnet.net (orbit.kuwaitnet.net [216.40.249.67]) by mx1.FreeBSD.org (Postfix) with ESMTP id B9F7243D45 for ; Sat, 9 Jul 2005 08:40:34 +0000 (GMT) (envelope-from big@kuwaitnet.net) Received: from [62.150.129.102] (helo=[192.168.0.70]) by orbit.kuwaitnet.net with esmtpa (Exim 4.50) id 1DrAsr-0001AP-EV for freebsd-ipfw@freebsd.org; Sat, 09 Jul 2005 11:40:25 +0300 Message-ID: <42CF8C25.2020402@kuwaitnet.net> Date: Sat, 09 Jul 2005 11:34:45 +0300 From: Bashar User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - orbit.kuwaitnet.net X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12] X-AntiAbuse: Sender Address Domain - kuwaitnet.net X-Source: X-Source-Args: X-Source-Dir: Content-Type: text/plain; charset=windows-1256; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: BFD for FreeBSD? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Jul 2005 08:40:35 -0000

I was looking for a BFD to install on my FreeBSD boxes, and found this nice script: http://nullmind.com/2005/02/03/brute-force-detection-linuxbsd/

Just wondering, is that the best script around for FreeBSD that replaces http://www.rfxnetworks.com/bfd.php for Linux? Or is there another apf+bfd combination for FreeBSD, as a replacement for http://www.rfxnetworks.com/bfd.php and http://www.rfxnetworks.com/apf.php?

Thanks.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 9 09:40:22 2005
Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E653516A41C for ; Sat, 9 Jul 2005 09:40:22 +0000 (GMT) (envelope-from vladone@llwb135.servidoresdns.net) Received: from llwb135.servidoresdns.net (llwb135.servidoresdns.net [217.76.137.82]) by mx1.FreeBSD.org (Postfix) with ESMTP id 84D3643D45 for ; Sat, 9 Jul 2005 09:40:22 +0000 (GMT) (envelope-from vladone@llwb135.servidoresdns.net) Received: from SERVEREL (unknown [81.12.246.122]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by llwb135.servidoresdns.net (Postfix) with ESMTP id B459624C7F5 for ; Sat, 9 Jul 2005 11:31:28 +0200 (CEST) Date: Sat, 9 Jul 2005 12:40:26 +0300 From: vladone X-Mailer: The Bat! (v3.0.1.33) Professional X-Priority: 3 (Normal) Message-ID: <1731024126.20050709124026@llwb135.servidoresdns.net> To: freebsd-ipfw@freebsd.org In-Reply-To: <42CE9A32.50806@yahoo.com.ar> References: <1904693964.20050705145004@llwb135.servidoresdns.net> <8eea04080507051118692d783c@mail.gmail.com> <598121599.20050705232925@llwb135.servidoresdns.net> <42CB02FB.108@gmail.com> <42CE9A32.50806@yahoo.com.ar> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re[2]: rules to permit only few MAC address X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vladone List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Jul 2005 09:40:23 -0000

Now I test this type of control with:

    # pif is the private interface
    # layer2 frames arriving from the LAN go to the MAC checks at 210,
    # layer2 frames leaving towards the LAN jump straight to 4000
    $cmd add 200 skipto 210 all from any to any in via $pif layer2
    $cmd add 200 skipto 4000 all from any to any out via $pif layer2
    # client1
    $cmd add 210 skipto 3000 MAC any 00:0e:a6:81:40:3e
    # client2
    $cmd add 211 skipto 3000 MAC any 00:50:8b:6b:0c:b2
    # deny not allowed (any other source MAC arriving on the LAN side)
    $cmd add 212 deny MAC any any in recv $pif layer2

and it works pretty well. If anyone has another suggestion, please post!
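An added example, not a message from the thread and not vladone's or Jon's rules: a complete MAC whitelist for the LAN side built from the pieces discussed above (net.link.ether.ipfw=1, a per-pass split with skipto, one ARP rule and one IP rule per known MAC, a deny for everything else). It also answers the mac-type question: mac-type matches the Ethernet type field of the frame, so 0x0806 is ARP, 0x0800 is IPv4, 0x86dd is IPv6, and 0x809b/0x80f3 are AppleTalk/AARP; ipfw also accepts symbolic names such as arp, ipv4 and ipv6. The interface name, the client MACs and the rule numbers are assumptions. Like the shaping example, it only prints the commands when /sbin/ipfw is absent or IPFW_DRY_RUN is set.

```shell
#!/bin/sh
# Added example (not from the original posts): MAC whitelist on the LAN side.
# pif, the client MACs and the rule numbers are assumptions for illustration.

pif="fxp1"                                          # internal (LAN) interface
allowed_macs="00:0e:a6:81:40:3e 00:50:8b:6b:0c:b2"  # assumed client MACs

# Execute the command when ipfw is available, otherwise print it (dry run).
run() {
    if [ -z "$IPFW_DRY_RUN" ] && [ -x /sbin/ipfw ]; then
        "$@"
    else
        echo "$*"
    fi
}
fw() { run /sbin/ipfw -q "$@"; }

load_rules() {
    # Hand Ethernet frames to ipfw; without this no rule ever sees a MAC.
    run sysctl net.link.ether.ipfw=1
    fw flush

    # Every packet now makes up to four passes (layer2 in, layer3 in,
    # layer3 out, layer2 out). Send each pass to its own block so a frame
    # is only compared against the rules that apply to it.
    fw add 100 skipto 1000 all from any to any in recv "$pif" layer2   # frames from the LAN
    fw add 110 allow all from any to any layer2                         # other layer2 passes
    fw add 120 skipto 5000 all from any to any not layer2               # IP passes

    # 1000: frames arriving from the LAN. A known source MAC may ARP
    # (mac-type 0x0806) and send IPv4 (mac-type 0x0800); nothing else.
    n=1000
    for mac in $allowed_macs; do
        fw add $n allow all from any to any mac-type 0x0806 MAC any "$mac" in recv "$pif" layer2
        fw add $n allow all from any to any mac-type 0x0800 MAC any "$mac" in recv "$pif" layer2
        n=$((n + 10))
    done
    # Unknown MAC, or a known MAC speaking some other ethertype: drop the frame.
    fw add 1900 deny all from any to any in recv "$pif" layer2

    # 5000: the ordinary IP rules go here; the MAC check already happened.
    fw add 5000 allow ip from any to any
}

load_rules
```

The deny at 1900 is what makes this a whitelist rather than a blacklist: the per-MAC allows only let the listed sources through, and a frame from any other source MAC on the LAN interface never reaches the IP rules. Adding a client means adding its MAC to allowed_macs and reloading.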