From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 19 14:51:11 2007
From: "Eduardo Meyer" <dudu.meyer@gmail.com>
To: "Vadim Goncharov"
Cc: ipfw@freebsd.org
Date: Sun, 19 Aug 2007 11:51:08 -0300
Subject: Re: All I have is one packet!
On 8/8/07, Vadim Goncharov wrote:
> 06.08.07 @ 23:05 Eduardo Meyer wrote:
>
> > I have tried, for many weeks, ng_tag to tag packets for ipfw
> > filtering. I could make it work fine. However, I have one problem. I
> > want to make a state that will match any packet, on any protocol,
> > between the peers. Why? Because all I have is one packet. And this
> > packet, however, won't always be in the same transport protocol.
> >
> > For example, I can identify session initialization on TCP packets, but
> > once initialized, all communication between peers happens via UDP.
> >
> > I know such a thing doesn't exist in ipfw. However, I would like to know
> > if someone can suggest changes to the code that would do this. Would
> > also be great if I could have a sysctl OID to tune state-timing of
> > this unusual behavior, differently from the existing sysctl mibs on
> > "dyn" stuff on ipfw.
> >
> > Every suggestion on a feature like that would be appreciated.
>
> Yes, dynamic rules in ipfw are not intended for supporting state created
> in the middle of the session; with the default sysctl settings it will be
> kept for 1 second (which, however, is enough for shaping of fast
> transfers). I think precise controlling of dynamic rules from both
> userland and kernel should be added to ipfw, to modify existing rules on
> the fly (or even more features, like pfsync). As a hackish dirty
> workaround, maybe it should be only one keyword, something like
> "keep-state-middle", to create a normal dynamic rule without initial SYNs.
>
> But you've said about even more complex behaviour, like init on TCP,
> continue with UDP. That's difficult to implement in kernel, and may be
> even not suitable for ipfw.
> Currently (I think), you can try to emulate
> this behaviour by divert'ing tagged by ng_tag packet to userland program,
> like snort_inline (from ports collection) with needed scripting, which
> will trigger adding proper rules to firewall (you should also care about
> expiring that connection on SYNs and RSTs, though).

That's exactly the point. However, from a simplistic and probably
ignorant point of view on this matter, like mine, I believed it to be
in fact a much more simple "state", which would only compare IP
addresses (src<->dst) for the match, so I could just

    ipfw add X allow { tcp or udp } from any to any keep-iponly-state tagged Y

It would be helpful with many protocols which in fact use a transport
proto (like TCP) to do actual session initialization while using
another transport proto (UDP, DDP, whatever) for the real traffic;
many things do this nowadays.

Would such a feature be possible?

-- 
===========
Eduardo Meyer
personal: dudu.meyer@gmail.com
professional: ddm.farmaciap@saude.gov.br

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 20 01:09:19 2007
From: dating24 <root@runemedia.net>
To: freebsd-ipfw@freebsd.org
Date: 19 Aug 2007 14:30:28 -0400
Subject: Your account on dating24.ro Enjoy!
[1]www.dating24.ro - ads - friendships - meetings - matrimonials -
- private chat - public chat - photos -

[2]Join your friends in the dating24.ro community. We are waiting for you!

[3]Register now!

_________________________________________________________________

Yahoo, Gmail or Hotmail users! If you received this message in Bulk,
please add the address noreply@dating24.ro to your Address Book or
Personal Contacts, as applicable. Thank you for your understanding and we
wish you continued success.

The [4]dating24.ro team

References

1. http://www.dating24.ro/
2. http://www.dating24.ro/
3. http://www.dating24.ro/inregistrare_pas1.php
4. http://www.dating24.ro/

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 20 11:08:23 2007
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 20 Aug 2007 11:08:22 GMT
Message-Id: <200708201108.l7KB8MMa087442@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw  [ipfw] ipfw pipe lost packets
o kern/95084   ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw  [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw  [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw  ipfw is seems to be broken to limit number of connecti
o kern/115261  ipfw  [ipfw]: incorrect 'ipfw: pullup failed' with IPv6 no-n
o bin/115372   ipfw  [ipfw] [patch] "ipfw show" prints ill result.

15 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw  [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw  [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw  [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw  [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw  [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw  [ipfw] sugestions about ipfw table
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw  [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw  [dummynet] Too few dummynet queue slots
o kern/112561  ipfw  [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw  [ipfw][patch] Addition actions with rules within speci
o bin/115172   ipfw  [patch] ipfw(8) list show some rules with a wrong form

25 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 20 11:59:48 2007
From: "Vadim Goncharov" <vadimnuclight@tpu.ru>
Organization: AVTF TPU Hostel
To: "Eduardo Meyer"
Cc: ipfw@freebsd.org
Date: Mon, 20 Aug 2007 18:59:42 +0700
Subject: Re: All I have is one packet!
19.08.07 @ 21:51 Eduardo Meyer wrote:

>> Yes, dynamic rules in ipfw are not intended for supporting state created
>> in the middle of the session; with the default sysctl settings it will be
>> kept for 1 second (which, however, is enough for shaping of fast
>> transfers). I think precise controlling of dynamic rules from both
>> userland and kernel should be added to ipfw, to modify existing rules on
>> the fly (or even more features, like pfsync). As a hackish dirty
>> workaround, maybe it should be only one keyword, something like
>> "keep-state-middle", to create a normal dynamic rule without initial SYNs.
>>
>> But you've said about even more complex behaviour, like init on TCP,
>> continue with UDP. That's difficult to implement in kernel, and may be
>> even not suitable for ipfw. Currently (I think), you can try to emulate
>> this behaviour by divert'ing tagged by ng_tag packet to userland program,
>> like snort_inline (from ports collection) with needed scripting, which
>> will trigger adding proper rules to firewall (you should also care about
>> expiring that connection on FINs and RSTs, though).
>
> That's exactly the point. However, from a simplistic and probably
> ignorant point of view on this matter, like mine, I believed it to be
> in fact a much more simple "state", which would only compare IP
> addresses (src<->dst) for the match, so I could just
>
>     ipfw add X allow { tcp or udp } from any to any keep-iponly-state tagged Y
>
> It would be helpful with many protocols which in fact use a transport
> proto (like TCP) to do actual session initialization while using
> another transport proto (UDP, DDP, whatever) for the real traffic;
> many things do this nowadays.
>
> Would such a feature be possible?
Yes, in theory. But I'm not sure that such a patch will be merged into the
official tree. Also, one can think about link negotiation with another IP
(src<->dst) pair, not these hosts: imagine a direct FTP transfer between two
servers, or a P2P application where clients negotiate connection parameters
via a server, and then only the actual data flows between them in an
undetectable connection. So in the general case you again need a specialized
protocol analyzer. For example, in your case with only IPs - can you say
when the dynamic rule will expire?

-- 
WBR, Vadim Goncharov

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 23 14:42:19 2007
From: sem@FreeBSD.org
To: sem@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Thu, 23 Aug 2007 14:42:19 GMT
Message-Id: <200708231442.l7NEgJ1g092861@freefall.freebsd.org>
Subject: Re: kern/115755: [ipfw][patch] unify message and add a rule number where limit was reached

Synopsis: [ipfw][patch] unify message and add a rule number where limit was reached

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: sem
Responsible-Changed-When: Thu Aug 23 14:41:31 UTC 2007
Responsible-Changed-Why:
Over to maintainer

http://www.freebsd.org/cgi/query-pr.cgi?pr=115755

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 24 12:13:58 2007
From: Hideki Yamamoto <yamamoto436@oki.com>
To: freebsd-ipfw@freebsd.org
Date: Fri, 24 Aug 2007 20:52:58 +0900 (JST)
Message-Id: <20070824.205258.48475190.yamamoto436@oki.com>
In-Reply-To: <200708231442.l7NEgJ1g092861@freefall.freebsd.org>
Subject: ng_ipfw + ng_bridge

Hi,

I am installing FreeBSD boxes to bridge two IPv6 networks over an IPv4 UDP
tunnel. This network requires packet filtering on the bridge node.

I have installed netgraph to bridge the networks, but have not yet
installed packet filtering on it. The ordinary ipfw command cannot filter
packets on netgraph. I have found ng_ipfw, which seems to be able to
control packet filtering on netgraph nodes, but I do not understand what
to do.

Does anyone know any information about it?

Thanks in advance.

Regards,
Hideki Yamamoto.

-----------------------------------------------------------------
Hideki YAMAMOTO (Dr.)                 |
Broadband Media Solutions Department-1 | E-mail: yamamoto436@oki.com
Broadband Media Company               | Tel: +81-48-420-7012
Oki Electric Industry Co., Ltd.       | FAX: +81-48-420-7016
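The exchange between Eduardo Meyer and Vadim Goncharov earlier in this digest (the "keep-iponly-state" proposal, Vadim's suggestion of a userland program that installs and expires rules, and his question of when such a rule would expire) can be made concrete with a small model. The following Python is an added example and is not code from the list, from ipfw or from any of the posters: it models a userland controller's state table keyed only on the two IP addresses, creates an entry from the one "tagged" packet (the `tagged` flag stands in for the ng_tag mark), allows later packets between the pair on any transport, and removes the entry on an idle timeout or on a TCP FIN/RST between the pair. The packet trace, the addresses and the 30-second idle timeout are constructed for the illustration.

```python
# Added example: IP-pair-only state with explicit expiry, modelled in userland.
# Not code from the freebsd-ipfw list or from ipfw itself; all values constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    t: float              # arrival time in seconds (constructed clock)
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    flags: str = ""       # TCP flags as letters: S, A, F, R
    tagged: bool = False  # stand-in for the ng_tag mark on the session-initiating packet


PairKey = Tuple[str, str]


class IpPairStateTable:
    """State keyed only on the two IP addresses, ignoring direction and transport.

    This is the 'keep-iponly-state' idea from the thread: once the tagged
    packet is seen, every packet between the same two hosts is allowed,
    whatever the transport. Entries leave the table on idle timeout (the
    expiry question) or on a TCP FIN/RST between the pair (the teardown
    trigger suggested for the userland emulation).
    """

    def __init__(self, idle_timeout: float) -> None:
        self.idle_timeout = idle_timeout
        self.last_seen: Dict[PairKey, float] = {}

    @staticmethod
    def key(a: str, b: str) -> PairKey:
        # Order the pair so that a->b and b->a map to the same entry.
        return (a, b) if a <= b else (b, a)

    def expire(self, now: float) -> List[PairKey]:
        """Drop entries idle for longer than idle_timeout; return what was dropped."""
        dead = [k for k, seen in self.last_seen.items() if now - seen > self.idle_timeout]
        for k in dead:
            del self.last_seen[k]
        return dead

    def process(self, pkt: Packet) -> str:
        """Return the verdict for one packet and update the table."""
        self.expire(pkt.t)
        k = self.key(pkt.src, pkt.dst)
        if pkt.tagged:
            # The single identifying packet: create state for this IP pair.
            self.last_seen[k] = pkt.t
            return "allow:new"
        if k not in self.last_seen:
            return "deny"
        if pkt.proto == "tcp" and ("F" in pkt.flags or "R" in pkt.flags):
            # The control connection is closing: tear the pair state down.
            del self.last_seen[k]
            return "allow:closed"
        self.last_seen[k] = pkt.t
        return "allow:state"


def run_trace(idle_timeout: float = 30.0) -> List[str]:
    """Run a constructed packet trace through the table and return the verdicts."""
    table = IpPairStateTable(idle_timeout)
    trace = [
        Packet(0.0, "tcp", "10.0.0.1", "192.0.2.10", "S", tagged=True),   # tagged session init
        Packet(0.5, "tcp", "192.0.2.10", "10.0.0.1", "SA"),               # reply, same pair
        Packet(1.0, "udp", "192.0.2.10", "10.0.0.1"),                     # data moves to UDP
        Packet(1.2, "udp", "10.0.0.1", "192.0.2.10"),
        Packet(1.5, "udp", "192.0.2.10", "10.0.0.99"),                    # third host: no state
        Packet(40.0, "udp", "10.0.0.1", "192.0.2.10"),                    # idle > 30 s: expired
        Packet(41.0, "tcp", "10.0.0.1", "192.0.2.10", "S", tagged=True),  # new session
        Packet(42.0, "tcp", "192.0.2.10", "10.0.0.1", "FA"),              # FIN tears it down
        Packet(43.0, "udp", "192.0.2.10", "10.0.0.1"),                    # denied again
    ]
    return [table.process(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The trace shows both limits Vadim points out: the packet to the third host (10.0.0.99) is denied because the data connection was negotiated for a different IP pair, and nothing in an IP-only entry says when it should end, so the controller has to impose an idle timeout of its own and treat a FIN or RST on the control connection as the end of the whole session, even though the UDP data may outlive it.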