From owner-freebsd-ipfw@FreeBSD.ORG Sun May 6 20:15:58 2007
From: Julian Elischer
Date: Sun, 06 May 2007 13:15:58 -0700
To: Jason Hills
Cc: ipfw@freebsd.org
Subject: Re: Policy Routing natd+ipfw
Message-ID: <463E377E.2000300@elischer.org>
In-Reply-To: <33910a2c0705041812s2aaf0b62t785e16abc0decee6@mail.gmail.com>

Jason Hills wrote:
> Hello.
>
> How can I do policy routing with ipfw+natd?
>
> I started 2 natd processes, using natd.conf and natd2.conf
> respectively, but things don't work. My rules are:
>
> ext_if1="em0"
> ext_if2="em1"
>
> divert 8668 ip from $net1 to any out via $ext_if1
> divert 8669 ip from $net2 to any out via $ext_if2
>
> divert 8668 ip from any to any via $ext_if1
> divert 8669 ip from any to any via $ext_if2
>
> My defaultrouter is the one on $ext_if1.
>
> It works for port 8668 but doesn't work for 8669 (the second xDSL link)

what version of FreeBSD?
in -current you can implement a routing table via FWD and tables.
in 6.x you need to specify the next hop, and a more explicit rule.

the fwd rule is a terminal rule (processing does not continue). however,
while divert is a terminal rule, natd reinjects the packet back into the
firewall at the rule number AFTER the rule that did the divert, so you can
treat it as if it was non-terminating. this means that you need to do the
NAT before you do the FWD.

julian

From owner-freebsd-ipfw@FreeBSD.ORG Sun May 6 21:28:27 2007
From: Achim Patzner
Date: Sun, 6 May 2007 22:28:00 +0200
To: Julian Elischer
Cc: Jason Hills, ipfw@freebsd.org
Subject: Re: Policy Routing natd+ipfw
In-Reply-To: <463E377E.2000300@elischer.org>

On 06.05.2007, at 22:15, Julian Elischer wrote:
> Jason Hills wrote:
>> It works for port 8668 but doesn't work for 8669 (the second xDSL
>> link)

It has been working for me for years (since 4.something).

> this means that you need to do the NAT before you do the FWD.

As he was talking about PPPoE - I would either use a device like the
Level-One FBR-4000 or do the PPPoE on the FreeBSD router itself and put
NAT into the ppp setup.

Achim

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 7 11:08:31 2007
From: FreeBSD bugmaster
Date: Mon, 7 May 2007 11:08:29 GMT
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
Message-Id: <200705071108.l47B8TgP078670@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
p conf/78762   ipfw  [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewal
o bin/80913    ipfw  [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw  [ipfw] ipfw pipe lost packets
o kern/95084   ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw  [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw  [ipfw] [panic] ipfw + dummynet

14 problems total.

Non-critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw  [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw  [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw  [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw  [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw  [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw  [ipfw] sugestions about ipfw table
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw  [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw  [dummynet] Too few dummynet queue slots

22 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 7 11:21:17 2007
From: "Andrey V. Elsukov"
Date: Mon, 07 May 2007 15:21:06 +0400
To: Jim Sifferle
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Problem applying TOS/DSCP patch in 6.2 RELEASE
Message-ID: <463F0BA2.1020404@yandex.ru>
In-Reply-To: <339646.2974.qm@web55403.mail.re4.yahoo.com>

Jim Sifferle wrote:
> Am I missing some intermediate steps? Thanks for any help...

You can try to make with DEBUG_FLAGS=-I/usr/src/sys or replace header
/usr/include/netinet/ip_fw.h with patched /usr/src/sys/netinet/ip_fw.h

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 7 11:50:59 2007
From: "Andrey V. Elsukov"
Date: Mon, 07 May 2007 15:20:27 +0400
To: Jim Sifferle
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Problem applying TOS/DSCP patch in 6.2 RELEASE
Message-ID: <463F0B7B.10705@yandex.ru>
In-Reply-To: <339646.2974.qm@web55403.mail.re4.yahoo.com>

Jim Sifferle wrote:
> Am I missing some intermediate steps? Thanks for any help...

You can try to make with DEBUG_FLAGS=-I/usr/src/sys or replace header
/usr/include/netinet/ip_fw.h with patched /usr/src/sys/netinet/ip_fw.h

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 7 22:17:33 2007
From: "Kirk Davis"
Date: Mon, 7 May 2007 16:05:31 -0600
To: "Julian Elischer"
Cc: Freebsd-ipfw@freebsd.org
Subject: RE: Policy Routing natd+ipfw
In-Reply-To: <463E377E.2000300@elischer.org>

Julian Elischer wrote:
>
> in -current you can implement a routing table via FWD and tables.
> in 6.x you need to specify the next hop, and a more explicit rule.

Is there any information floating around on how to do this in current
using the FWD rules and tables? Any pointer on where to look.

Right now I am using fwd rules on our BGP router (Quagga & FreeBSD 6.2)
to force one of our subnets out a particular interface and avoid the
routing table but I would prefer to do it more like a dual routing table
where I can make more routing decisions than just forcing all packets
from that subnet out the interface. I could test it on one of our
current boxes.

>
> julian

---- Kirk

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 8 00:04:25 2007
From: Julian Elischer
Date: Mon, 07 May 2007 17:02:56 -0700
To: Kirk Davis
Cc: Freebsd-ipfw@freebsd.org
Subject: Re: Policy Routing natd+ipfw
Message-ID: <463FBE30.90009@elischer.org>

Kirk Davis wrote:
>
> Julian Elischer wrote:
>> in -current you can implement a routing table via FWD and tables.
>> in 6.x you need to specify the next hop, and a more explicit rule.
>
> Is there any information floating around on how to do this in current
> using the FWD rules and tables? Any pointer on where to look.

man ipfw on -current

basically you can implement alternate routing tables..

ipfw table 1 add 0.0.0.0/0 4.5.6.7     # default route for table 1
ipfw table 1 add 2.3.4.0/24 5.4.3.2    # but not for packets to 2.3.4.x
ipfw table 2 add 0.0.0.0/0 7.6.5.4     # default route for table 2
ipfw table 2 add 2.3.4.0/24 6.5.4.3    # but a different route for packets to 2.3.4.x

ipfw add 100 allow ip from 1.2.3.0/24 to any out
ipfw add 110 fwd tablearg ip from 1.2.4.0/24 to table(1) out
ipfw add 120 fwd tablearg ip from 1.2.5.0/24 to table(2) out

> Right now I am using fwd rules on our BGP router (Quagga & FreeBSD
> 6.2) to force one of our subnets out a particular interface and avoid
> the routing table but I would prefer to do it more like a dual routing
> table where I can make more routing decisions than just forcing all
> packets from that subnet out the interface. I could test it on one of
> our current boxes.
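To make the lookup semantics behind the table-based policy routing above concrete, here is an added example: a Python model written for this archive page, not code from Julian's post or from ipfw itself. It loads the four "ipfw table" lines and the three rules from the post, resolves the destination with a longest-prefix match (the assumption here is that an ipfw table lookup returns the most specific matching entry, as its radix tree does) and substitutes that entry's value as the fwd next hop, which is what "tablearg" does. The sample source and destination addresses are constructed; no firewall is touched.

```python
"""Model of the 'fwd tablearg ... to table(N)' policy-routing idiom.

Added example, not code from the post or from ipfw. Assumptions: an ipfw
table lookup returns the most specific (longest-prefix) matching entry,
and 'tablearg' substitutes that entry's value as the fwd next hop.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# The four 'ipfw table N add' lines from the post, copied as data.
TABLE_CMDS = [
    "ipfw table 1 add 0.0.0.0/0 4.5.6.7",    # default route for table 1
    "ipfw table 1 add 2.3.4.0/24 5.4.3.2",   # more specific entry in table 1
    "ipfw table 2 add 0.0.0.0/0 7.6.5.4",    # default route for table 2
    "ipfw table 2 add 2.3.4.0/24 6.5.4.3",   # more specific entry in table 2
]

# Rules 100/110/120 from the post as (number, action, source prefix, table id).
# Rule 100 has no table: it lets the kernel routing table decide.
RULES = [
    (100, "allow", "1.2.3.0/24", None),
    (110, "fwd tablearg", "1.2.4.0/24", 1),
    (120, "fwd tablearg", "1.2.5.0/24", 2),
]

Table = List[Tuple[ipaddress.IPv4Network, str]]


def load_tables(cmds: List[str]) -> Dict[int, Table]:
    """Parse 'ipfw table <id> add <prefix> <value>' lines into tables."""
    tables: Dict[int, Table] = {}
    for cmd in cmds:
        parts = cmd.split()
        tid, prefix, value = int(parts[2]), parts[4], parts[5]
        tables.setdefault(tid, []).append((ipaddress.ip_network(prefix), value))
    return tables


def table_lookup(table: Table, dst: str) -> Optional[str]:
    """Longest-prefix match over one table, as the ipfw radix tree does."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, value in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else None


def route(tables: Dict[int, Table], rules, src: str, dst: str) -> Tuple[int, Optional[str]]:
    """Walk the rules in order; return (deciding rule number, next hop).

    fwd is terminal, so the first matching fwd rule decides. A next hop of
    None means no fwd applied: rule 100 accepted the packet for normal
    routing, or no rule matched and ipfw's default rule 65535 is reached.
    """
    s = ipaddress.ip_address(src)
    for num, action, src_prefix, tid in rules:
        if s not in ipaddress.ip_network(src_prefix):
            continue
        if action == "allow":
            return num, None
        nexthop = table_lookup(tables[tid], dst)
        if nexthop is None:
            continue  # 'to table(N)' did not match: try the next rule
        return num, nexthop
    return 65535, None


if __name__ == "__main__":
    t = load_tables(TABLE_CMDS)
    # Constructed sample flows: one source per rule, two destinations each.
    for src, dst in [("1.2.3.9", "203.0.113.9"), ("1.2.4.9", "203.0.113.9"),
                     ("1.2.4.9", "2.3.4.5"), ("1.2.5.1", "2.3.4.5")]:
        print(src, "->", dst, "rule/nexthop:", route(t, RULES, src, dst))
```

Running it shows why the two /24 entries matter: a source in 1.2.4.0/24 reaches 2.3.4.x via 5.4.3.2 but everything else via 4.5.6.7, while a source in 1.2.5.0/24 gets 6.5.4.3 and 7.6.5.4 respectively, and 1.2.3.0/24 never hits a fwd rule at all.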

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 8 00:06:09 2007
From: Julian Elischer
Date: Mon, 07 May 2007 17:06:07 -0700
To: Kirk Davis
Cc: Freebsd-ipfw@freebsd.org
Subject: Re: Policy Routing natd+ipfw
Message-ID: <463FBEEF.9080708@elischer.org>

Kirk Davis wrote:
>
> Julian Elischer wrote:
>> in -current you can implement a routing table via FWD and tables.
>> in 6.x you need to specify the next hop, and a more explicit rule.
>
> Is there any information floating around on how to do this in current
> using the FWD rules and tables? Any pointer on where to look.
>
> Right now I am using fwd rules on our BGP router (Quagga & FreeBSD
> 6.2) to force one of our subnets out a particular interface and avoid
> the routing table but I would prefer to do it more like a dual routing
> table where I can make more routing decisions than just forcing all
> packets from that subnet out the interface. I could test it on one of
> our current boxes.

actually the kernel code is in the 6 branch but the ipfw program has not
been taught how to set the values yet..

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 8 16:07:46 2007
From: Gardner Bell
Date: Tue, 8 May 2007 11:40:58 -0400 (EDT)
To: freebsd-ipfw@freebsd.org
Subject: IPFW and NATD problem
Message-ID: <853764.71287.qm@web88009.mail.re2.yahoo.com>

Hi all,

I've been following the IPFW section in the handbook and /etc/rc.firewall
to try and setup a gateway for my home LAN but I'm having a bit of trouble
getting access to the internet. My network setup looks like so.

192.168.x.x bge1 - 192.168.x.x bge0 x.x.x.x
--LAN------------Switch---------FreeBSD-------------------------------ISP

Bge0 successfully receives an IP from my ISP's DHCP server and I can ping
the LAN without any issues. When it comes to accessing the internet I get
a hostname lookup failure.

Any help resolving this is greatly appreciated.

Gardner

mx1# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from 192.168.1.0/24 to any in via bge0
00500 deny log logamount 3 ip from x.x.x.x/25 to any in via bge1
00600 deny ip from any to 10.0.0.0/8 via bge0
00700 deny ip from any to 172.16.0.0/12 via bge0
00800 deny ip from any to 192.168.0.0/16 via bge0
00900 deny ip from any to 0.0.0.0/8 via bge0
01000 deny ip from any to 169.254.0.0/16 via bge0
01100 deny ip from any to 192.0.2.0/24 via bge0
01200 deny ip from any to 224.0.0.0/4 via bge0
01300 deny ip from any to 240.0.0.0/4 via bge0
01400 divert 8668 ip from any to any in via bge0
01500 allow ip from any to any via bge1
01600 deny ip from 10.0.0.0/8 to any via bge0
01700 deny ip from 172.16.0.0/12 to any via bge0
01800 deny ip from 192.168.0.0/16 to any via bge0
01900 deny ip from 0.0.0.0/8 to any via bge0
02000 deny ip from 169.254.0.0/16 to any via bge0
02100 deny ip from 192.0.2.0/24 to any via bge0
02200 deny ip from 224.0.0.0/4 to any via bge0
02300 deny ip from 240.0.0.0/4 to any via bge0
02400 allow tcp from any to x.x.x.x dst-port 53 out via bge0 setup keep-state
02500 allow udp from any to x.x.x.x dst-port 53 out via bge0 keep-state
02600 allow udp from any to x.x.x.x dst-port 67 out via bge0 keep-state
02700 allow tcp from any to any dst-port 80 out via bge0 setup keep-state
02800 allow tcp from any to any dst-port 443 out via bge0 setup keep-state
02900 allow tcp from any to any dst-port 25 out via bge0 setup keep-state
03000 allow tcp from any to any dst-port 110 out via bge0 setup keep-state
03100 allow tcp from any to any dst-port 21 out via bge0 setup keep-state
03200 allow tcp from any to any dst-port 3724 out via bge0 setup keep-state
03300 allow icmp from any to any out via bge0 keep-state
03400 allow tcp from any to any dst-port 43 out via bge0 setup keep-state
03500 allow udp from any to any dst-port 123 out via bge0 keep-state
03600 reset tcp from any to any dst-port 113 in via bge0
03700 allow udp from x.x.x.x to any dst-port 68 in via bge0 keep-state
03800 deny tcp from any to any dst-port 137 in via bge0
03900 deny tcp from any to any dst-port 138 in via bge0
04000 deny tcp from any to any dst-port 139 in via bge0
04100 deny tcp from any to any dst-port 389 in via bge0
04200 deny tcp from any to any dst-port 445 in via bge0
04300 deny ip from any to any frag
04400 deny log logamount 3 ip from any to 255.255.255.255
65535 deny ip from any to any

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 8 16:43:53 2007
From: Gardner Bell
Date: Tue, 8 May 2007 12:43:52 -0400 (EDT)
To: John Nielsen, freebsd-ipfw@freebsd.org
Cc: Gardner Bell
Subject: Re: IPFW and NATD problem
Message-ID: <282919.6049.qm@web88007.mail.re2.yahoo.com>
In-Reply-To: <200705081221.46248.lists@jnielsen.net>

--- John Nielsen wrote:
> On Tuesday 08 May 2007 11:40:58 am Gardner Bell wrote:
> > Hi all,
> >
> > I've been following the IPFW section in the handbook and /etc/rc.firewall
> > to try and setup a gateway for my home LAN but I'm having a bit of trouble
> > getting access to the internet. My network setup looks like so.
> >
> > 192.168.x.x bge1 - 192.168.x.x bge0 x.x.x.x
> > --LAN------------Switch---------FreeBSD-------------------------------ISP
> >
> > Bge0 successfully receives an IP from my ISP's DHCP server and I can ping
> > the LAN without any issues. When it comes to accessing the internet I get
> > a hostname lookup failure.
> >
> > Any help resolving this is greatly appreciated.
>
> Do you have "gateway_enable=yes" in your /etc/rc.conf? (check the value of
> the net.inet.ip.forwarding sysctl).

dan@mx1$ cat /etc/rc.conf | grep gateway
gateway_enable="YES"
dan@mx1$ sysctl -a | grep ip.for
net.inet.ip.forwarding: 1

> What DNS server is your LAN machine trying to use? Can you ping it (or
> anything else) by IP?

My LAN is presently using my ISP's DNS server until I get a caching name
server configured on the gateway. I can't ping the DNS server by IP or
hostname, but I can ping everything else that is on my LAN by IP, including
the switch, the IP that is assigned to bge1 and all the IPs I have assigned
to the machines behind the switch.

> JN

Gardner

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 8 16:53:14 2007
From: John Nielsen
Date: Tue, 8 May 2007 12:21:45 -0400
To: freebsd-ipfw@freebsd.org
Cc: Gardner Bell
Subject: Re: IPFW and NATD problem
Message-Id: <200705081221.46248.lists@jnielsen.net>
In-Reply-To: <853764.71287.qm@web88009.mail.re2.yahoo.com>

On Tuesday 08 May 2007 11:40:58 am Gardner Bell wrote:
> Hi all,
>
> I've been following the IPFW section in the handbook and /etc/rc.firewall
> to try and setup a gateway for my home LAN but I'm having a bit of trouble
> getting access to the internet. My network setup looks like so.
>
> 192.168.x.x bge1 - 192.168.x.x bge0 x.x.x.x
> --LAN------------Switch---------FreeBSD-------------------------------ISP
>
> Bge0 successfully receives an IP from my ISP's DHCP server and I can ping
> the LAN without any issues. When it comes to accessing the internet I get
> a hostname lookup failure.
>
> Any help resolving this is greatly appreciated.

Do you have "gateway_enable=yes" in your /etc/rc.conf? (check the value of
the net.inet.ip.forwarding sysctl).

What DNS server is your LAN machine trying to use? Can you ping it (or
anything else) by IP?

JN

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 8 17:11:25 2007
From: Steve Bertrand
Date: Tue, 08 May 2007 12:44:26 -0400
To: Gardner Bell
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW and NATD problem
Message-ID: <4640A8EA.1040309@ibctech.ca>
In-Reply-To: <853764.71287.qm@web88009.mail.re2.yahoo.com>

Gardner Bell wrote:
> Hi all,
>
> I've been following the IPFW section in the handbook and /etc/rc.firewall
> to try and setup a gateway for my home LAN but I'm having a bit of trouble
> getting access to the internet. My network setup looks like so.
>
> 192.168.x.x bge1 - 192.168.x.x bge0 x.x.x.x
> --LAN------------Switch---------FreeBSD-------------------------------ISP
>
> Bge0 successfully receives an IP from my ISP's DHCP server and I can ping
> the LAN without any issues. When it comes to accessing the internet I get
> a hostname lookup failure.
>
> Any help resolving this is greatly appreciated.
>
> Gardner
>
> mx1# ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from 192.168.1.0/24 to any in via bge0
> 00500 deny log logamount 3 ip from x.x.x.x/25 to any in via bge1
> 00600 deny ip from any to 10.0.0.0/8 via bge0
> 00700 deny ip from any to 172.16.0.0/12 via bge0
> 00800 deny ip from any to 192.168.0.0/16 via bge0
> 00900 deny ip from any to 0.0.0.0/8 via bge0
> 01000 deny ip from any to 169.254.0.0/16 via bge0
> 01100 deny ip from any to 192.0.2.0/24 via bge0
> 01200 deny ip from any to 224.0.0.0/4 via bge0
> 01300 deny ip from any to 240.0.0.0/4 via bge0
> 01400 divert 8668 ip from any to any in via bge0

What happens if you switch the above line to bge1, as opposed to bge0?

I haven't used natd in a couple years, but from what I can tell, you are
trying to divert packets that are inbound from the Internet, as opposed
to diverting packets from the LAN.

What does /etc/natd.conf state?

If the above does not work, perhaps you could start with a minimalistic
ruleset, having only allow rules, and then a blanket rule to deny at the
bottom?
Steve

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 8 18:23:36 2007
From: Gardner Bell
To: iaccounts@ibctech.ca
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 8 May 2007 14:23:34 -0400 (EDT)
Message-ID: <458115.4028.qm@web88002.mail.re2.yahoo.com>
In-Reply-To: <200705081221.46248.lists@jnielsen.net>
Subject: Re: IPFW and NATD problem

--- Steve Bertrand wrote:
> Gardner Bell wrote:
> > Hi all,
> >
> > I've been following the IPFW section in the handbook and /etc/rc.firewall
> > to try and set up a gateway for my home LAN but I'm having a bit of
> > trouble getting access to the internet. My network setup looks like so.
> >
> > 192.168.x.x        bge1 - 192.168.x.x    bge0 x.x.x.x
> > --LAN------------Switch---------FreeBSD-------------------------------ISP
> >
> > Bge0 successfully receives an IP from my ISP's DHCP server and I can ping
> > the LAN without any issues. When it comes to accessing the internet I get
> > a hostname lookup failure.
> >
> > Any help resolving this is greatly appreciated.
> >
> > Gardner
> >
> > mx1# ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 deny ip from 192.168.1.0/24 to any in via bge0
> > 00500 deny log logamount 3 ip from x.x.x.x/25 to any in via bge1
> > 00600 deny ip from any to 10.0.0.0/8 via bge0
> > 00700 deny ip from any to 172.16.0.0/12 via bge0
> > 00800 deny ip from any to 192.168.0.0/16 via bge0
> > 00900 deny ip from any to 0.0.0.0/8 via bge0
> > 01000 deny ip from any to 169.254.0.0/16 via bge0
> > 01100 deny ip from any to 192.0.2.0/24 via bge0
> > 01200 deny ip from any to 224.0.0.0/4 via bge0
> > 01300 deny ip from any to 240.0.0.0/4 via bge0
> >
> > 01400 divert 8668 ip from any to any in via bge0
>
> What happens if you switch the above line to bge1, as opposed to bge0?

I am able to ping the internet if I change my divert rule to bge1 but lose
any connectivity to the LAN. I can only ping 192.168.1.1 ie: bge1

> I haven't used natd in a couple years, but from what I can tell, you are
> trying to divert packets that are inbound from the Internet, as opposed
> to diverting packets from the LAN.

Ok..I was pretty sure that natd_interface had to be set to the nic facing
the internet as the manual and /etc/defaults/rc.conf mention.

> What does /etc/natd.conf state?

Don't have an /etc/natd.conf as of yet but I'm using -deny_incoming in
natd_flags. The natd command shows:

/sbin/natd -deny_incoming -dynamic -n bge0

> If the above does not work, perhaps you could start with a minimalistic
> ruleset, having only allow rules, and then a blanket rule to deny at the
> bottom?

I'll give that a try.

> Steve

Gardner

ps: I'm not subscribed to the list..hope I didn't munge the quotes up too
bad.

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 8 18:54:41 2007
From: "A. Skrobov"
To: freebsd-ipfw@freebsd.org
Date: Wed, 9 May 2007 00:30:12 +0600
Message-ID: <2a38baa40705081130o52ad24d6l9ab1e6d6647e81ef@mail.gmail.com>
Subject: a sysctl variable to query last ipfw rule number

Such a variable is useful in scripts that add blocks of rules containing
skipto actions; instead of hardcoding numbers for all the rules, they could
be derived dynamically.

As an additional bonus, keeping track of the last rule number reduces
overhead in add_rule when no rule number is specified (and partially puts
that overhead to remove_rule instead). Since rules are added more often
than they are deleted, this seems a performance improvement as well.

Could someone please review my patch? It's made for a very old ipfw2
version, the one bundled with 5.4-RELEASE, but the relevant code doesn't
seem to have changed since then.
*** ip_fw2.c.orig Sun Feb 6 21:16:20 2005 --- ip_fw2.c Tue May 8 23:38:37 2007 *************** *** 191,196 **** --- 191,197 ---- static int fw_debug = 1; static int autoinc_step = 100; /* bounded to 1..1000 in add_rule() */ + static unsigned int last_rule = 0; #ifdef SYSCTL_NODE SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); *************** *** 199,204 **** --- 200,207 ---- &fw_enable, 0, "Enable ipfw"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW, &autoinc_step, 0, "Rule number autincrement step"); + SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, last_rule, CTLFLAG_RD, + &last_rule, 0, "Number of last added rule"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, one_pass, CTLFLAG_RW | CTLFLAG_SECURE3, &fw_one_pass, 0, *************** *** 2585,2595 **** /* * locate the highest numbered rule before default */ ! for (f = chain->rules; f; f = f->next) { ! if (f->rulenum == IPFW_DEFAULT_RULE) ! break; ! rule->rulenum = f->rulenum; ! } if (rule->rulenum < IPFW_DEFAULT_RULE - autoinc_step) rule->rulenum += autoinc_step; input_rule->rulenum = rule->rulenum; --- 2588,2594 ---- /* * locate the highest numbered rule before default */ ! rule->rulenum = last_rule; if (rule->rulenum < IPFW_DEFAULT_RULE - autoinc_step) rule->rulenum += autoinc_step; input_rule->rulenum = rule->rulenum; *************** *** 2612,2617 **** --- 2611,2618 ---- } flush_rule_ptrs(chain); done: + if (last_rule < rule->rulenum) + last_rule = rule->rulenum; static_count++; static_len += l; IPFW_WUNLOCK(chain); *************** *** 2631,2637 **** static struct ip_fw * remove_rule(struct ip_fw_chain *chain, struct ip_fw *rule, struct ip_fw *prev) { ! struct ip_fw *n; int l = RULESIZE(rule); IPFW_WLOCK_ASSERT(chain); --- 2632,2638 ---- static struct ip_fw * remove_rule(struct ip_fw_chain *chain, struct ip_fw *rule, struct ip_fw *prev) { ! 
struct ip_fw *n, *f; int l = RULESIZE(rule); IPFW_WLOCK_ASSERT(chain); *************** *** 2647,2652 **** --- 2648,2660 ---- static_count--; static_len -= l; + if (rule->rulenum >= last_rule) /* it should always be <=, but who knows */ + for (f = chain->rules; f; f = f->next) { + if (f->rulenum == IPFW_DEFAULT_RULE) + break; + last_rule = f->rulenum; + } + rule->next = chain->reap; chain->reap = rule; *************** *** 2690,2695 **** --- 2698,2705 ---- prev = rule; rule = rule->next; } + + last_rule = 0; /* how come static_count doesn't need the explicit reset? */ } /** *************** *** 3454,3459 **** --- 3464,3470 ---- IPFW_LOCK_DESTROY(&layer3_chain); return (error); } + last_rule = 0; ip_fw_default_rule = layer3_chain.rules; printf("ipfw2 initialized, divert %s, "

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 8 19:38:18 2007
From: Julian Elischer
To: "A. Skrobov"
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 08 May 2007 12:38:11 -0700
Message-ID: <4640D1A3.20605@elischer.org>
In-Reply-To: <2a38baa40705081130o52ad24d6l9ab1e6d6647e81ef@mail.gmail.com>
Subject: Re: a sysctl variable to query last ipfw rule number

A. Skrobov wrote:
> Such a variable is useful in scripts that add blocks of rules
> containing skipto actions; instead of hardcoding numbers for all the
> rules, they could be derived dynamically.

I'm also looking at a version of skipto that uses RELATIVE numbering.
(called just 'skip')

i.e.

ipfw add 100 skip 50 ip from xxx to yyy
ipfw add 120 some rule
ipfw add 150 count log ip from any to any   # skip rule comes here.

> As an additional bonus, keeping track of the last rule number reduces
> overhead in add_rule when no rule number is specified (and partially
> puts that overhead to remove_rule instead). Since rules are added more
> often than they are deleted, this seems a performance improvement as
> well.

The one problem I see with this is that you are using a sysctl. This is ok
for now but I'm (in the background) working on having more than one
instance of a firewall.

> Could someone please review my patch? It's made for a very old ipfw2
> version, the one bundled with 5.4-RELEASE, but the relevant code
> doesn't seem to have changed since then.
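Review bot: in the hunk at 199,204 the description string "Number of last added rule" on the SYSCTL_UINT line does not describe what the variable holds. The update at `done:` only ever raises last_rule, so after `ipfw add 50 ...` on a chain whose highest rule is 100 the sysctl still reads 100: it is the highest rule number below the default rule, which is what a script placing skipto targets actually wants, but not "the rule I just added". Rename it (e.g. `highest_rule`) or fix the string. Since it is CTLFLAG_RD on a plain variable, a reader can also observe a value from between an add and a concurrent delete; harmless for a numbering hint, but worth a comment.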
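Review bot: the `if (last_rule < rule->rulenum) last_rule = rule->rulenum;` placed at `done:` in the hunk at 2612,2617 runs on every path into that label, including the one that installs the default rule itself, which is why the init hunk at 3454,3459 has to force `last_rule = 0;` right after the chain is set up. Skip the update when `rule->rulenum == IPFW_DEFAULT_RULE` instead; the reset in ipfw_init then becomes unnecessary, and a later installation of the default rule cannot leave last_rule at 65535, where the `rulenum < IPFW_DEFAULT_RULE - autoinc_step` test in add_rule no longer adds the step and every unnumbered add would be numbered IPFW_DEFAULT_RULE.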
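Review bot: the rescan added to remove_rule in the hunk at 2647,2652 never lowers last_rule when the removed rule was the last one below the default rule: the loop then meets IPFW_DEFAULT_RULE on its first iteration and breaks without assigning, so last_rule keeps the number of a rule that no longer exists and the next unnumbered `ipfw add` lands at that stale number plus autoinc_step rather than at autoinc_step. Put `last_rule = 0;` in front of the `for`. The `>=` with the comment "it should always be <=, but who knows" is correct (the removed rule was in the chain, so its number cannot exceed the tracked maximum) but reads as doubt; state the invariant instead, and note that deleting the highest rule is the one O(n) case, the same walk add_rule used to do on every unnumbered add.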
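Review bot: the comment on the `last_rule = 0;` added to free_chain in the hunk at 2690,2695 asks why static_count needs no explicit reset; the answer is in the surrounding lines: remove_rule decrements static_count once per rule as the loop empties the chain, so it ends at the right value by construction. Once the rescan in the remove_rule hunk resets last_rule to 0 before its loop, last_rule is maintained the same way and this assignment is redundant; either drop it or keep it as a cheap belt-and-braces measure, but replace the question with the reason, since an open question in a kernel comment is something a reviewer will always flag.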
From owner-freebsd-ipfw@FreeBSD.ORG Tue May 8 20:05:38 2007
From: Julian Elischer
To: Kirk Davis
Cc: Freebsd-ipfw@freebsd.org
Date: Tue, 08 May 2007 13:05:36 -0700
Message-ID: <4640D810.1070705@elischer.org>
In-Reply-To: <463FBEEF.9080708@elischer.org>
Subject: Re: Policy Routing natd+ipfw

Julian Elischer wrote:
> actually the kernel code is in the 6 branch but the ipfw program has not
> been taught how to set the values yet..

I just committed the change to RELENG_6 so the head of the 6 branch should
be able to do this now.
From owner-freebsd-ipfw@FreeBSD.ORG Wed May 9 07:37:05 2007
From: Nicolargo
To: freebsd-ipfw@freebsd.org
Date: Wed, 9 May 2007 00:37:05 -0700 (PDT)
Message-ID: <10389739.post@talk.nabble.com>
In-Reply-To: <1178280974.4148.2.camel@debian.azercell.com>
Subject: Re: IPFW + Bridge + Routing

PC1: Default route to 172.18.0.254
PC3: Default route to 172.16.1.2
Firewall: Default route to 172.18.0.100 (router to Internet)

Thanks for your help.

Sarkhan Elkhanzade wrote:
>
> On Thu, 2007-05-03 at 05:11 -0700, Nicolargo wrote:
>> Hi all,
>>
>> here is my configuration:
>>
>>       PC3
>>        |
>>        |
>>       FW
>>      /  \
>>     /    \
>>   PC1    PC2
>>
>> FW: FreeBSD 6.2
>> Interface PC1 and PC2: bridged (172.18.0.254)
>> Interface PC3: Routed (172.16.1.2)
>> PC1: 172.18.0.1
>> PC2: 172.18.0.2
>> PC3: 172.16.1.1
>>
>> Ipfw:
>> ipfw add 1 allow ip from any to any MAC any any
>> ipfw add 2 allow ip from any to any
>>
>> Bridge:
>> net.link.ether.bridge_cfg:
>> net.link.ether.bridge_ipfw: 0
>> net.link.ether.bridge_ipf: 0
>> net.link.ether.bridge.config:
>> net.link.ether.bridge.enable: 1
>> net.link.ether.bridge.predict: 1250
>> net.link.ether.bridge.dropped: 0
>> net.link.ether.bridge.packets: 1294
>> net.link.ether.bridge.ipfw_collisions: 0
>> net.link.ether.bridge.ipfw_drop: 0
>> net.link.ether.bridge.copy: 0
>> net.link.ether.bridge.ipfw: 0
>> net.link.ether.bridge.ipf: 0
>> net.link.ether.bridge.debug: 0
>> net.link.ether.bridge.version: 031224
>> net.link.bridge.ipfw: 1
>> net.link.bridge.pfil_member: 1
>> net.link.bridge.pfil_bridge: 1
>> net.link.bridge.ipfw_arp: 0
>> net.link.bridge.pfil_onlyip: 1
>>
>> rc.conf:
>> cloned_interfaces="bridge0"
>> ifconfig_bridge0="addm bge0 addm em0 up"
>> ifconfig_bge0="inet 172.18.0.254 netmask 255.255.255.0"
>> ifconfig_em0="up"
>> ifconfig_em2="inet 172.16.1.2 netmask 255.255.255.0"
>> firewall_enable="YES"
>> firewall_script="/etc/ipfw.rules"
>>
>> The problem is the following:
>> PING PC1 -> PC2 : OK
>> PING PC2 -> PC1 : OK
>> PING FW  -> ANY : OK
>> PING PC1 -> PC3 : NOK
>> PING PC2 -> PC3 : NOK
>> PING PC3 -> ANY : NOK
>>
>> During a PING between PC1 and PC3, a tcpdump on the em2 interface shows:
>> 14:10:43.564010 IP 172.18.0.1 > 172.16.1.1: ICMP echo request, id 34831, seq 7993, length 64
>> 14:10:43.564687 IP 172.16.1.1 > 172.18.0.1: ICMP echo reply, id 34831, seq 7993, length 64
>>
>> but the reply packet is lost in the firewall and never redirected to the
>> bridge0 interface...
>> Any idea ?
>>
>> Nicolas
>>
> Post here
> "#route print" on FW PC3 PC1
>

--
View this message in context: http://www.nabble.com/IPFW-%2B-Bridge-%2B-Routing-tf3686063.html#a10389739
Sent from the freebsd-ipfw mailing list archive at Nabble.com.

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 9 09:48:25 2007
From: AT Matik
Organization: Infomatik
To: freebsd-ipfw@freebsd.org
Cc: Kirk Davis, Julian Elischer
Date: Wed, 9 May 2007 06:47:30 -0300
Message-Id: <200705090647.31588.asstec@matik.com.br>
Subject: Re: Policy Routing natd+ipfw

On Monday 07 May 2007 19:05:31 Kirk Davis wrote:
> Julian Elischer wrote:
> > in -current you can implement a routing table via FWD and tables.
> > in 6.x you need to specify the next hop. and a more explicit rule.
>
> Is there any information floating around on how to do this in current
> using the FWD rules and tables? Any pointer on where to look.
>
> Right now I am using fwd rules on our BGP router (Quagga & FreeBSD
> 6.2) to force one of our subnets out a particular interface and avoid
> the routing table but I would prefer to do it more like a dual routing
> table where I can make more routing decisions than just forcing all
> packets from that subnet out the interface. I could test it on one of
> our current boxes.

I do not know enough about quagga but if you really run BGP and quagga does
what BGP is supposed to do I would say you should use policy route-map
filters for that purpose

João
From owner-freebsd-ipfw@FreeBSD.ORG Wed May 9 09:49:38 2007
From: AT Matik
Organization: Infomatik
To: freebsd-ipfw@freebsd.org
Cc: Kirk Davis, Julian Elischer
Date: Wed, 9 May 2007 06:48:50 -0300
Message-Id: <200705090648.50752.asstec@matik.com.br>
In-Reply-To: <4640D810.1070705@elischer.org>
Subject: Re: Policy Routing natd+ipfw

On Tuesday 08 May 2007 17:05:36 Julian Elischer wrote:
> Julian Elischer wrote:
> > actually the kernel code is in the 6 branch but the ipfw program has not
> > been taught how to set the values yet..
>
> I just committed the change to RELENG_6 so the head of the 6 branch should
> be able to do this now.

you might have forgotten the man page for it?

João

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 9 09:53:26 2007
From: AT Matik
Organization: Infomatik
To: freebsd-ipfw@freebsd.org
Cc: Kirk Davis, Julian Elischer
Date: Wed, 9 May 2007 06:52:37 -0300
Message-Id: <200705090652.37906.asstec@matik.com.br>
In-Reply-To: <463FBE30.90009@elischer.org>
Subject: Re: Policy Routing natd+ipfw

On Monday 07 May 2007 21:02:56 Julian Elischer wrote:
> Kirk Davis wrote:
> > Julian Elischer wrote:
> >> in -current you can implement a routing table via FWD and tables.
> >> in 6.x you need to specify the next hop. and a more explicit rule.
> >
> > Is there any information floating around on how to do this in current
> > using the FWD rules and tables? Any pointer on where to look.
>
> man ipfw on -current
>
> basically you can implement alternate routing tables..
>
> ipfw table 1 add 0.0.0.0/0 4.5.6.7     # default route for table 1
> ipfw table 1 add 2.3.4.0/24 5.4.3.2    # but not for packets to 2.3.4.x
> ipfw table 2 add 0.0.0.0/0 7.6.5.4     # default route for table 2
> ipfw table 2 add 2.3.4.0/24 6.5.4.3    # but different route for packets to
> 2.3.4.x

certainly these still are not routing tables but simplified forward table
configurations right?

what we still need is a kind of route2 implementation like Linux does

Joao
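The two ipfw mechanics argued over in this archive, which way the natd divert rule has to face on a LAN gateway (the "IPFW and NATD problem" thread above) and how fwd plus tables gives per-uplink next hops (Julian's table example quoted just above), can be checked without a FreeBSD box with the small model below. It is an added example written for this page, not code from FreeBSD or from anyone in the thread: it reproduces ipfw's first-match walk, the fact that natd re-injects a diverted packet at the rule after the divert rule, and that allow, deny and fwd are terminal. The interface names, addresses, LAN prefixes and the per-uplink natd instances are constructed for the example; `longest_match` stands in for the kernel table lookup behind `fwd tablearg ... to table(N)` on -current, and the `Natd` class only rewrites outbound source addresses (return traffic is not modelled).

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str                    # "in" or "out", relative to iface
    iface: str
    next_hop: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                       # allow | deny | divert | fwd
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None   # None matches both directions, like "via"
    via: Optional[str] = None
    arg: object = None                # divert port, fwd next hop, or fwd table number


def in_net(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r: Rule, p: Packet) -> bool:
    return (in_net(r.src, p.src) and in_net(r.dst, p.dst)
            and r.direction in (None, p.direction) and r.via in (None, p.iface))


def longest_match(table: dict, addr: str) -> Optional[str]:
    """Longest-prefix lookup on a {prefix: next_hop} dict (models the table
    lookup behind `fwd tablearg`; a constructed stand-in, not the kernel's)."""
    hits = [(ipaddress.ip_network(k).prefixlen, v) for k, v in table.items() if in_net(k, addr)]
    return max(hits, key=lambda h: h[0])[1] if hits else None


class Natd:
    """Crude natd: the source of an outbound packet becomes ext_ip."""
    def __init__(self, ext_ip: str):
        self.ext_ip = ext_ip

    def translate(self, p: Packet) -> Packet:
        if p.direction == "out" and p.src != self.ext_ip:
            return replace(p, src=self.ext_ip)
        return p


def walk(rules, p, natds=None, tables=None):
    """First-match walk. allow/deny/fwd are terminal; divert hands the packet
    to the natd on that port, which re-injects it at the following rule."""
    for r in rules:
        if not matches(r, p):
            continue
        if r.action in ("allow", "deny"):
            return r.action, p
        if r.action == "fwd":
            nh = longest_match(tables[r.arg], p.dst) if isinstance(r.arg, int) else r.arg
            return "fwd", replace(p, next_hop=nh)
        p = natds[r.arg].translate(p)   # divert: carry on with the translated packet
    return "deny", p                    # rule 65535 in a default-to-deny kernel


# 1. the home-gateway question: which way must the divert rule face?
EXT_IF, EXT_IP, LAN = "bge0", "203.0.113.5", "192.168.1.0/24"   # constructed


def lan_nat_rules(divert_direction: Optional[str]):
    """rc.firewall-style gateway rules; "in" is the rule from the thread,
    None is `divert 8668 ip from any to any via bge0` (both directions)."""
    return [Rule(100, "allow", via="lo0"),
            Rule(400, "deny", src=LAN, direction="in", via=EXT_IF),   # anti-spoof
            Rule(1400, "divert", direction=divert_direction, via=EXT_IF, arg=8668),
            Rule(65000, "allow")]


def dns_query_source_seen_by_isp(divert_direction: Optional[str]) -> str:
    """Source of a LAN host's DNS query on its `out via bge0` pass."""
    query = Packet("192.168.1.10", "198.51.100.53", "out", EXT_IF)
    _, p = walk(lan_nat_rules(divert_direction), query, {8668: Natd(EXT_IP)})
    return p.src


# 2. policy routing: one natd per uplink, per-uplink next-hop tables
ISP_A, ISP_B = "203.0.113.5", "198.51.100.7"                      # constructed
TABLES = {1: {"0.0.0.0/0": "4.5.6.7", "2.3.4.0/24": "5.4.3.2"},  # Julian's tables
          2: {"0.0.0.0/0": "7.6.5.4", "2.3.4.0/24": "6.5.4.3"}}


def policy_rules(nat_first: bool):
    nat = [Rule(900, "divert", src="10.1.0.0/16", direction="out", arg=8668),
           Rule(910, "divert", src="10.2.0.0/16", direction="out", arg=8669)]
    if nat_first:   # fwd keys on the address natd just wrote, i.e. on which uplink's NAT ran
        fwd = [Rule(1000, "fwd", src=ISP_A, arg=1), Rule(1010, "fwd", src=ISP_B, arg=2)]
        return nat + fwd + [Rule(65000, "allow")]
    # fwd first, keyed on the private source: fwd is terminal, so the divert
    # rules behind it never run and the packet leaves with its private source
    fwd = [Rule(1000, "fwd", src="10.1.0.0/16", arg=1), Rule(1010, "fwd", src="10.2.0.0/16", arg=2)]
    return fwd + nat + [Rule(65000, "allow")]


def egress(src: str, dst: str, nat_first: bool = True):
    """(next hop, source address) with which a packet leaves the box."""
    natds = {8668: Natd(ISP_A), 8669: Natd(ISP_B)}
    _, p = walk(policy_rules(nat_first), Packet(src, dst, "out", "em0"), natds, TABLES)
    return p.next_hop, p.src
```

With the rule from the thread (`in via bge0`), `dns_query_source_seen_by_isp("in")` returns 192.168.1.10: the LAN host's query leaves bge0 untranslated, the ISP never answers, and the symptom is a hostname lookup failure rather than anything in the firewall log; with `via bge0` it returns the external address. In the policy-routing half, `egress("10.1.0.9", "2.3.4.9")` gives next hop 5.4.3.2 from table 1 and `egress("10.2.0.9", "2.3.4.9")` gives 6.5.4.3 from table 2, because the fwd rules key on the address the per-uplink natd has just written; that is only possible because the divert rules come first. With `nat_first=False` the packet still gets its next hop but leaves un-NATed, which is the ordering point made earlier in this thread.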
From owner-freebsd-ipfw@FreeBSD.ORG Wed May 9 18:12:46 2007
From: AT Matik
Organization: Infomatik
To: "Kirk Davis"
Cc: Freebsd-ipfw@freebsd.org
Date: Wed, 9 May 2007 15:12:21 -0300
Subject: Re: Policy Routing natd+ipfw
Message-Id: <200705091512.22501.asstec@matik.com.br>
References: <33910a2c0705041812s2aaf0b62t785e16abc0decee6@mail.gmail.com> <200705090647.31588.asstec@matik.com.br>

On Wednesday 09 May 2007 14:05:52 Kirk Davis wrote:
> > I do not know enough about quagga but if you really run BGP
> > and quagga does what BGP is supposed to do I would say you should
> > use policy route-map filters for that purpose
>
> We are probably getting a little off topic for the ipfw list now ;-)
>

well, maybe we will be forgiven :)

> BGP route-maps will not do what I need. I am not trying to change
> the routes advertised to my peers (or change the incoming ones that I
> receive). What I really need is virtual routing tables that I can then
> control how they are updated from the BGP. Since FreeBSD only has one
> core routing table then I seem to have to use the firewall rules to
> modify the routes. It works but it is a kludge and doesn't scale well.
>

bypassing bgp with policy forwarding rules does not change route advertising
to the bgp neighbour and vice-versa. You can do "redistribute static" if you
are an endpoint but would not be wise eventually. Anyway the advertised
routes need to be announced by your bgp router upwards and not by any
artificial routing scenario otherwise there is no way to say that you get the
traffic back over the same route, even if you frame bgp and they go out over
path 1 you may get them back over path 3,4,5 or any other bgp may decide. And
that is the point at the end, bgp does the routing decision when you are
running bgp. So it does not matter which routing capacities your OS has
because it comes after bgp did its job.

João

> I haven't played with them yet but the changes to ipfw may get me
> closer to what I am looking for although ipfw probably isn't the best
> place to do the full routing solution.
>
> ---- Kirk
>
From owner-freebsd-ipfw@FreeBSD.ORG Wed May 9 18:32:39 2007
From: Maxim Konovalov
Date: Wed, 9 May 2007 18:32:38 GMT
Message-Id: <200705091832.l49IWcXt060671@freefall.freebsd.org>
To: gfb@vta.com, maxim@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: bin/80913: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper characters

Synopsis: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper characters

State-Changed-From-To: open->patched
State-Changed-By: maxim
State-Changed-When: Wed May 9 18:32:01 UTC 2007
State-Changed-Why:
Andrey's patch was committed to HEAD. Thanks!
http://www.freebsd.org/cgi/query-pr.cgi?pr=80913

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 9 18:40:09 2007
From: dfilter@FreeBSD.ORG (dfilter service)
Reply-To: dfilter service
Date: Wed, 9 May 2007 18:40:08 GMT
Message-Id: <200705091840.l49Ie85v060777@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
Subject: Re: bin/80913: commit references a PR

The following reply was made to PR bin/80913; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: bin/80913: commit references a PR
Date: Wed, 9 May 2007 18:31:56 +0000 (UTC)

maxim       2007-05-09 18:31:49 UTC

  FreeBSD src repository

  Modified files:
    sbin/ipfw            ipfw2.c
  Log:
  o Teach get_mac_addr_mask() to not silently accept incorrect MAC addresses.
  o Swap a couple of magic 6s by ETHER_ADDR_LEN.

  PR:             bin/80913
  Submitted by:   Andrey V. Elsukov
  MFC after:      1 month

  Revision  Changes    Path
  1.105     +39 -23    src/sbin/ipfw/ipfw2.c
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 10 09:24:07 2007
From: Mark Linimon
Date: Thu, 10 May 2007 09:24:06 GMT
Message-Id: <200705100924.l4A9O6IO069216@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/112561: ipfw fwd does not work with some TCP packets

Synopsis: ipfw fwd does not work with some TCP packets

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu May 10 09:23:58 UTC 2007
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=112561

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 11 08:49:42 2007
From: Igor Popov
Organization: Home
To: freebsd-ipfw@freebsd.org
Date: Fri, 11 May 2007 11:31:53 +0300
Subject: nat on bridge
Message-Id: <200705111131.54064.igorpopov@newmail.ru>

hi.

I have a question about NAT (pf) on a bridge.

Network diagram:

[PPPoE clients 192.168.0.0/16 and real ip] <-->[PPPoE concentrator 80.0.0.1/29]<---->[em0 FreeBSD bridge and NAT 80.0.0.2/29 em1]<----->80.0.0.3/29[BGP Router]

Why a bridge? Both the PPPoE concentrator and the BGP router are Cisco routers, and there is dynamic routing (EIGRP) between them, so they must be directly connected.

FreeBSD should NAT the internal ip network and switch all other packets on the bridge, is it possible?

ifconfig em0 up
ifconfig em1 up
ifconfig bridge0 addm em0 addm em1 up
ifconfig bridge0 inet 80.0.0.2/29
route add default 80.0.0.3

pf rules:

table const {192.168.0.0/16}
nat on bridge0 tagged TO_NAT tag NATED -> (bridge0)
pass in on em1 all keep state
pass in on em0 inet tag TO_INET keep state
pass in on em0 inet from to any tag TO_NAT keep state
pass out on em1 tagged NATED
pass out on em1 tagged TO_INET

-- 
You climb to reach the summit, but once there, discover that all roads lead down.
-- Stanislaw Lem, "The Cyberiad"