From bogdan_inedit at yahoo.com Mon Dec 1 00:47:41 2008
From: bogdan_inedit at yahoo.com (bogdan oprea)
Date: Mon Dec 1 00:47:47 2008
Subject: ipfw triple homed bridge
Message-ID: <44691.25194.qm@web50303.mail.re2.yahoo.com>

i have a freebsd 7 box with the following configuration:

    vr0---box---rl0
           |
          rl1

i bridged vr0 and rl0 using these commands in rc.conf:

    cloned_interfaces="bridge0"
    ifconfig_bridge0="inet x.x.x.x/24 addm vr0 addm rl0 up"
    ifconfig_vr0="up"
    ifconfig_rl0="up"

rl1 has routing enabled with:

    gateway_enable="YES"
    ifconfig_rl1="inet y.y.y.y netmask 255.255.255.192"

when creating rules such as:

    ipfw add 100 ip from any to any in via vr0

or

    ipfw add 100 ip from any to any in via rl0

i see no traffic, but when creating rules like

    ipfw add 100 ip from any to any in via bridge0

i see traffic.

i was wondering if i can add rules based on vr0 and rl0, not on bridge0, because i want to limit some ports on vr0 and i want dhcpd server to serve only on rl0.

i also have in sysctl.conf:

    net.link.bridge.ipfw=1
    net.link.bridge.ipfw_arp=1

From bugmaster at FreeBSD.org Mon Dec 1 03:06:57 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 1 03:08:20 2008
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200812011106.mB1B6uBE052578@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

51 problems total.

From brett at net24.co.nz Mon Dec 1 19:25:19 2008
From: brett at net24.co.nz (Brett Davidson)
Date: Mon Dec 1 19:25:26 2008
Subject: Is there anything weird I should know about using ipfw on alias addresses?
In-Reply-To: <493461B5.1040704@net24.co.nz>
References: <20081201120023.9E1821065688@hub.freebsd.org> <20081201233222.L34249@sola.nimnet.asn.au> <493461B5.1040704@net24.co.nz>
Message-ID: <4934A806.2060809@net24.co.nz>

Relevant ifconfig entry shows the alias addresses correctly bound.

bce1: flags=8843 mtu 1500
        options=3b
        inet 210.5.50.5 netmask 0xffffffe0 broadcast 210.5.50.31
        inet 210.5.51.32 netmask 0xffffffff broadcast 210.5.51.32
        inet 210.5.51.27 netmask 0xffffffff broadcast 210.5.51.27
        inet 210.5.51.33 netmask 0xffffffff broadcast 210.5.51.33
        inet 210.5.51.34 netmask 0xffffffff broadcast 210.5.51.34
        inet 210.5.51.42 netmask 0xffffffff broadcast 210.5.51.42
        inet 210.5.51.4 netmask 0xffffffff broadcast 210.5.51.4
        ether 00:1c:c4:c0:56:94
        media: Ethernet autoselect (1000baseSX )
        status: active

Relevant /etc/rc.conf entries :

ifconfig_bce1="inet 210.5.50.5 netmask 255.255.255.224"
ifconfig_bce1_alias0="inet 210.5.50.5 netmask 255.255.255.224"
ifconfig_bce1_alias1="inet 210.5.51.4 netmask 255.255.255.255"
ifconfig_bce1_alias2="inet 210.5.51.27 netmask 255.255.255.255"
ifconfig_bce1_alias3="inet 210.5.51.32 netmask 255.255.255.255"
ifconfig_bce1_alias4="inet 210.5.51.33 netmask 255.255.255.255"
ifconfig_bce1_alias5="inet 210.5.51.34 netmask 255.255.255.255"
ifconfig_bce1_alias6="inet 210.5.51.42 netmask 255.255.255.255"

Creating an ipfw rule and testing it from the command line works (connects out from master address, not alias):

ipfw -q add 02012 allow tcp from any to 208.69.123.164 80 out via bce1 setup keep-state

From website on alias address, the firewall blocks the packets.

Interesting entries in /var/log/security :

Dec 1 16:42:25 kernel: ipfw: 9999 Deny TCP 210.5.50.5:49708 208.69.123.164:80 out via bce1

In a normal world the packet would match!!!!!

What's goin' on here Willis?

From what I can see, this MUST have something to do with the way ipfw is working with aliased addresses but I'm blowed if I know what is wrong.

Cheers,
Brett.
From bugmaster at FreeBSD.org Mon Dec 8 03:06:57 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 8 03:08:11 2008
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200812081106.mB8B6vKj014291@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

[The listing of problem reports in this message is identical to the one in the Dec 1 message above.]

51 problems total.

From avg at icyb.net.ua Mon Dec 8 04:05:30 2008
From: avg at icyb.net.ua (Andriy Gapon)
Date: Mon Dec 8 04:05:36 2008
Subject: rc.firewall: default loopback rules are set up even for custom file
In-Reply-To: <4937B194.1020606@icyb.net.ua>
References: <4937B194.1020606@icyb.net.ua>
Message-ID: <493D0A6A.7060102@icyb.net.ua>

on 04/12/2008 12:31 Andriy Gapon said the following:
> I've just realized that I see in releng/7 something that I did not see
> in releng/6 - even if I use a file with custom rules in firewall_type I
> still get default loopback rules installed.
> I think that this is not correct, I am using custom rules exactly
> because I want to control *everything* (e.g. all deny rules come with
> log logamount xxx).
> Comments?

-- 
Andriy Gapon

From dado at korolev-net.ru Mon Dec 8 13:45:52 2008
From: dado at korolev-net.ru (Evgenii Davidov)
Date: Mon Dec 8 13:46:23 2008
Subject: kernel nat memory usage?
Message-ID: <20081208212024.GD87800@korolev-net.ru>

tell me please:

does kernel nat in ipfw have a memory leak like ng_nat+libalias:
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/115526
?

i haven't tested it yet

thank you

-- 
Evgenii V Davidov

From p.pisati at oltrelinux.com Tue Dec 9 13:43:46 2008
From: p.pisati at oltrelinux.com (Paolo Pisati)
Date: Tue Dec 9 13:43:53 2008
Subject: kernel nat memory usage?
In-Reply-To: <20081208212024.GD87800@korolev-net.ru>
References: <20081208212024.GD87800@korolev-net.ru>
Message-ID: <493EE3EA.7090500@oltrelinux.com>

Evgenii Davidov wrote:
> tell me please:
> 
> does kernel nat in ipfw have a memory leak like ng_nat+libalias:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/115526
> ?
> i haven't tested it yet
> 

i've never been able to reproduce that bug: i remember there was a memory
leak/a resource was never returned in libalias, but it was plugged months
ago.

could you update that box (7.x or HEAD) and try again?

bye,
P.

From bugmaster at FreeBSD.org Mon Dec 15 03:06:54 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 15 03:08:18 2008
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200812151106.mBFB6r6n004360@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

[The listing of problem reports in this message is identical to the one in the Dec 1 message above.]

51 problems total.

From gloomygroup at hotmail.com Thu Dec 18 01:31:51 2008
From: gloomygroup at hotmail.com (Gloomy Group)
Date: Thu Dec 18 01:31:57 2008
Subject: IPFW firewall rule in mpd pppoe server to single pc behind router
Message-ID: 

Hello all,

I have freebsd mpd pppoe server. Users connect to internet by giving username and password. My problem is some users put router and share internet connection with other pc. Is it possible to disable internet sharing in server by rate limiting with ipfw firewall scripts. So that if users keep router or does nat in their pc to share internet then only single pc can access to internet. Is it possible?

From smithi at nimnet.asn.au Thu Dec 18 01:57:39 2008
From: smithi at nimnet.asn.au (Ian Smith)
Date: Thu Dec 18 01:57:46 2008
Subject: IPFW firewall rule in mpd pppoe server to single pc behind router
In-Reply-To: 
References: 
Message-ID: <20081218204044.H29108@sola.nimnet.asn.au>

On Thu, 18 Dec 2008, Gloomy Group wrote:
 > I have freebsd mpd pppoe server. Users connect to internet by giving
 > username and password. My problem is some users put router and share
 > internet connection with other pc. Is it possible to disable internet
 > sharing in server by rate limiting with ipfw firewall scripts. So
 > that if users keep router or does nat in their pc to share internet
 > then only single pc can access to internet. Is it possible?
Detecting that a connection is shared using NAT? Not that I know of.

Rate limiting per connection with dummynet pipes, easy enough. If you
limit the bandwidth, why would you need to care how many pcs share it?

cheers, Ian

From smithi at nimnet.asn.au Thu Dec 18 19:35:50 2008
From: smithi at nimnet.asn.au (Ian Smith)
Date: Thu Dec 18 19:36:01 2008
Subject: IPFW firewall rule in mpd pppoe server to single pc behind router
In-Reply-To: 
References: <20081218204044.H29108@sola.nimnet.asn.au>
Message-ID: <20081219140743.M29108@sola.nimnet.asn.au>

On Fri, 19 Dec 2008, Gloomy Group wrote:
 > Hello Ian,
 > 
 > I have implemented traffic shaping with dummy net pipe. But i want
 > to strictly control the internet sharing to single pc. Is there other
 > way of allowing like MAC address restricting to 2 pc coming from that
 > source ip.
 > 
 > > Date: Thu, 18 Dec 2008 20:57:36 +1100
 > > From: smithi@nimnet.asn.au
 > > To: gloomygroup@hotmail.com
 > > CC: freebsd-ipfw@freebsd.org
 > > Subject: Re: IPFW firewall rule in mpd pppoe server to single pc behind router
 > > 
 > > On Thu, 18 Dec 2008, Gloomy Group wrote:
 > > > I have freebsd mpd pppoe server. Users connect to internet by giving
 > > > username and password. My problem is some users put router and share
 > > > internet connection with other pc. Is it possible to disable internet
 > > > sharing in server by rate limiting with ipfw firewall scripts. So
 > > > that if users keep router or does nat in their pc to share internet
 > > > then only single pc can access to internet. Is it possible?
 > > 
 > > Detecting that a connection is shared using NAT? Not that I know of.
 > > 
 > > Rate limiting per connection with dummynet pipes, easy enough. If you
 > > limit the bandwidth, why would you need to care how many pcs share it?

Not that I know of. You're only going to see the MAC address of a directly
connected system, not those of any other box connected to the first one's
other interface, even if you are able to do ARP over PPPoE.

This is more people-policy stuff I think, unlikely to have a technical
solution. Some ISPs tell people they're not permitted to use NAT, but
I've not heard of any way of actually and reliably detecting its use.

One way to block use of the particular form of NAT implemented in M$ XP
is to give users addresses in the 192.168.0.x range, with 192.168.0.1 as
(your end's) gateway address .. since this latter address is forcibly
assigned to the NAT box's inside interface by XP's 'internet connection
sharing' .. but there are other NAT systems for windows users out there.

Others may know more than I do about this, of course .. if you wish to
pursue it further, net@freebsd.org would be the more appropriate list.

cheers, Ian

From bobw at esllc.com Fri Dec 19 05:42:40 2008
From: bobw at esllc.com (LaGatorVII)
Date: Fri Dec 19 05:42:46 2008
Subject: IPFW newbie question.
Message-ID: <21091035.post@talk.nabble.com>

I need help with a basic dummynet(ipfw) configuration on FreeBSD 6.1.

I need unlimited traffic on the local subnet X.X.X.192/28. The FreeBSD Box's IP is X.X.X.193 and it has aliases for many other IPs in the subnet. These are "live" internet IP address not private. The external interface is 'bge0'.

I want to limit ALL other traffic, incoming and outgoing. Any traffic not destined for the local network will burn precious CoLo bandwidth. I am thinking outbound 30KBytes/s out and 10KBytes/s in. But I am not sure. The server runs all our internet services.

Here is a paste from the last email from the colo company:

95th Percentile = 49.51KBps = 396.09Kbps
Maximum = 186.94KBps = 1495.50Kbps

I would like that 95th percentile to end up back down around 30KBps, and I think this drastic step would cause it to be much lower.

Any advice is appreciated. I know this is probably simple but searching around the web everyone seems to use a little different syntax, and I can't afford to mess this up.

Thanks in advance.
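A worked dummynet ruleset for the setup asked about above, added here as an example and not taken from any reply in the thread. It assumes the external interface bge0 and the 30/10 KByte/s figures from the post; the local subnet (the post's X.X.X.192/28) is passed in as a parameter, and FWCMD=echo gives a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example for the dummynet question above (not from the thread).
# Assumptions: external interface bge0; the poster's local subnet
# X.X.X.192/28 is given as $1 (a constructed placeholder is used in the
# usage line); 30 KByte/s out and 10 KByte/s in for everything else.
# Run as root on the FreeBSD box; with FWCMD=echo it only prints the rules.

FWCMD="${FWCMD:-/sbin/ipfw}"

shape_rules() {
    local_net="$1"             # e.g. 203.0.113.192/28 (placeholder for X.X.X.192/28)
    ext_if="${2:-bge0}"
    out_bw="${3:-30KByte/s}"   # dummynet bandwidth units: [K|M]{bit/s|Byte/s}
    in_bw="${4:-10KByte/s}"

    # One pipe per direction. With the default net.inet.ip.fw.one_pass=1 a
    # packet that comes out of a pipe is not passed through the rules
    # again, so the pipe rule is also the rule that accepts the packet.
    "$FWCMD" pipe 1 config bw "$out_bw"
    "$FWCMD" pipe 2 config bw "$in_bw"

    # Traffic that must stay unlimited is accepted before the pipe rules:
    # loopback, and anything that stays inside the local /28. The aliases
    # on the box are all inside that subnet, so they are covered too.
    "$FWCMD" add 100 allow ip from any to any via lo0
    "$FWCMD" add 200 allow ip from "$local_net" to "$local_net"

    # Everything else crossing the external interface goes through a pipe.
    "$FWCMD" add 300 pipe 1 ip from any to any out via "$ext_if"
    "$FWCMD" add 400 pipe 2 ip from any to any in via "$ext_if"

    # "ipfw pipe show" afterwards lists per-pipe counters and drops, which
    # is the quickest way to see whether the limit is actually being hit.
}

# Usage (dry run):  FWCMD=echo sh shape.sh 203.0.113.192/28 bge0
if [ "$#" -ge 1 ]; then
    shape_rules "$@"
fi
```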
From leander.schaefer at gmx.net Fri Dec 19 07:07:21 2008
From: leander.schaefer at gmx.net (Leander S.)
Date: Fri Dec 19 07:07:28 2008
Subject: ===== Port/Traffic Redirection =====
Message-ID: <494BB265.4070201@gmx.net>

Hi,

I'm trying to get a captive portal- / transparent proxy- like attitude on my IPFW traffic. I actually want to divert all http traffic to the webserver on the same IPFW diverting machine. I tried rules like that but I sadly never got it working.

SERVERSIDE: my Apache webserver is listening on port 8080 AND also 80.
CLIENTSIDE: I'm guessing my clients http requests on port 80 as well as 8080 and 443

###############################################################################
###############################################################################
### HTTP Traffic forwarding to Apache:8080
${fwcmd} add 21200 allow tcp from any to ${LAN_IP} 80,443,8080 in via ${LAN_if}
${fwcmd} add 21300 allow tcp from any to ${LAN_IP} 80,443,8080 out via ${LAN_if}
${fwcmd} add 21400 fwd ${LAN_IP},8080 tcp from ${LAN} to me 80,443,8080 setup in via ${LAN_if} keep-state

### Package Detour
${fwcmd} add 21500 allow all from any to any out via ${LAN_if}
###############################################################################
###############################################################################

^^ Btw. my IPFW denies packages by default. ^^

I'm not quite sure if those make sense at all?!

Thanks,
Leander
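Added example, not Leander's rules and not a reply from the thread, showing the rule order a redirect like this needs: ipfw acts on the first matching rule, so the fwd has to come before any allow that matches the same packets, and `to any 80` rather than `to me` is what catches requests bound for other web servers. It keeps the post's fwcmd, LAN, LAN_IP and LAN_if variables with constructed placeholder defaults for a dry run; on 7.x the kernel needs options IPFIREWALL_FORWARD for fwd to do anything.

```shell
#!/bin/sh
# Added example (not from the thread). The variable names are the ones
# used in the post; the defaults are constructed placeholders. Run as root
# on the firewall, or with fwcmd=echo to only print the rules.
fwcmd="${fwcmd:-/sbin/ipfw}"
LAN="${LAN:-192.0.2.0/24}"        # client network behind LAN_if
LAN_IP="${LAN_IP:-192.0.2.1}"     # firewall's own address on LAN_if
LAN_if="${LAN_if:-em0}"
PROXY_PORT="${PROXY_PORT:-8080}"  # Apache listener that takes the redirect

redirect_http() {
    # 1. The redirect comes first: ipfw stops at the first matching rule,
    #    so an allow for the same packets placed before it (rule 21200 in
    #    the post) means the fwd is never reached. fwd to a local address
    #    hands the packet to the local socket on PROXY_PORT; it does not
    #    rewrite the destination address, so Apache sees the original
    #    Host header and can show its portal page. Only port 80 is
    #    redirected: 443 carries TLS, and redirecting it would only give
    #    clients a certificate error for a name Apache cannot serve.
    "$fwcmd" add 21100 fwd "${LAN_IP},${PROXY_PORT}" tcp from "$LAN" to any 80 in via "$LAN_if"

    # 2. Requests addressed to the box itself (its own web server on 80
    #    and on PROXY_PORT) are simply accepted.
    "$fwcmd" add 21200 allow tcp from "$LAN" to "$LAN_IP" "80,${PROXY_PORT}" in via "$LAN_if"

    # 3. Replies back towards the clients. This is the post's rule 21500,
    #    needed because the default policy is deny.
    "$fwcmd" add 21500 allow all from any to any out via "$LAN_if"
}

# Usage (dry run):  fwcmd=echo sh redirect.sh apply
if [ "${1:-}" = "apply" ]; then
    redirect_http
fi
```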
From goffredo at gmail.com Fri Dec 19 15:47:34 2008
From: goffredo at gmail.com (Joao Rocha Braga Filho)
Date: Fri Dec 19 15:47:40 2008
Subject: kernel nat memory usage?
Message-ID: 

I was looking the archives and found this thread. I don't know about kernel nat memory leak, but there is one in natd. The memory use and the CPU load increases, and don't stop. I am a ISP and have almost 500 users, and some a Lan Houses, schools, offices...

If the bug is in the same lib used by both, the problem is the same.

I subscribed this list so tell this problem.
I know, it is the wrong place, but seemed logical to include this observation in this tread. Thanks, Jo?o Rocha. -- goffredo@gmail.com From gloomygroup at hotmail.com Sat Dec 20 17:08:19 2008 From: gloomygroup at hotmail.com (Gloomy Group) Date: Sat Dec 20 17:08:26 2008 Subject: IPFW firewall rule in mpd pppoe server to single pc behind router In-Reply-To: <20081219140743.M29108@sola.nimnet.asn.au> References: <20081218204044.H29108@sola.nimnet.asn.au> <20081219140743.M29108@sola.nimnet.asn.au> Message-ID: Is there anything like setting ttl value to 1 like linux iptables do have. > Date: Fri, 19 Dec 2008 14:35:47 +1100 > From: smithi@nimnet.asn.au > To: gloomygroup@hotmail.com > CC: ipfw@freebsd.org > Subject: RE: IPFW firewall rule in mpd pppoe server to single pc behind router > > On Fri, 19 Dec 2008, Gloomy Group wrote: > > Hello Ian, > > > > I have implemented traffic shaping with dummy net pipe. But i want > > to strictly control the internet sharing to single pc. Is there other > > way of allowing like MAC address restricting to 2 pc coming from that > > source ip. > > > > > Date: Thu, 18 Dec 2008 20:57:36 +1100 > > > From: smithi@nimnet.asn.au > > > To: gloomygroup@hotmail.com > > > CC: freebsd-ipfw@freebsd.org > > > Subject: Re: IPFW firewall rule in mpd pppoe server to single pc behind router > > > > > > On Thu, 18 Dec 2008, Gloomy Group wrote: > > > > I have freebsd mpd pppoe server. Users connect to internet by giving > > > > username and password. My problem is some users put router and share > > > > internet connection with other pc. Is it possbile to disable internet > > > > sharing in server by rate limiting with ipfw firewall scripts. So > > > > that if users keep router or does nat in their pc to share internet > > > > then only single pc can access to internet. Is is possible? > > > > > > Detecting that a connection is shared using NAT? Not that I know of. > > > > > > Rate limiting per connection with dummynet pipes, easy enough. 
If you
> > > limit the bandwidth, why would you need to care how many PCs share it?
> >
> > Not that I know of.
> >
> > You're only going to see the MAC address of a directly connected system,
> > not those of any other box connected to the first one's other interface,
> > even if you are able to do ARP over PPPoE.
> >
> > This is more people-policy stuff I think, unlikely to have a technical
> > solution. Some ISPs tell people they're not permitted to use NAT, but
> > I've not heard of any way of actually and reliably detecting its use.
> >
> > One way to block use of the particular form of NAT implemented in M$ XP
> > is to give users addresses in the 192.168.0.x range, with 192.168.0.1 as
> > (your end's) gateway address .. since this latter address is forcibly
> > assigned to the NAT box's inside interface by XP's 'internet connection
> > sharing' .. but there are other NAT systems for windows users out there.
> >
> > Others may know more than I do about this, of course .. if you wish to
> > pursue it further, net@freebsd.org would be the more appropriate list.
> >
> > cheers, Ian

From bugmaster at FreeBSD.org Mon Dec 22 03:06:53 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 22 03:08:17 2008
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200812221106.mBMB6qLC060601@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

51 problems total.

From invite+kju~w1md at facebookmail.com Sun Dec 28 22:15:46 2008
From: invite+kju~w1md at facebookmail.com (Michael Sierchio)
Date: Sun Dec 28 22:15:52 2008
Subject: Check out my Facebook profile
Message-ID: <0fee55b0c1bd49f509e298b71f93d861@localhost.localdomain>

Hi ipfw,

I set up a Facebook profile where I can post my pictures, videos and events
and I want to add you as a friend so you can see it.
First, you need to join Facebook! Once you join, you can also create your
own profile.

Thanks,
Michael

To sign up for Facebook, follow the link below:
http://www.facebook.com/p.php?i=605054484&k=64AZY4P2SV6M5CDDWFYYTU&r

From bugmaster at FreeBSD.org Mon Dec 29 03:06:57 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 29 03:08:13 2008
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200812291106.mBTB6uPb024471@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

51 problems total.

From kasperskylaura1992 at gmail.com Tue Dec 30 16:52:26 2008
From: kasperskylaura1992 at gmail.com (Kaspersky Laura)
Date: Tue Dec 30 16:52:37 2008
Subject: Conversation with László Juszt about Scientology
Message-ID: <12301742.DBWRNKQU@gmail.com>

Conversation with László Juszt about Scientology
http://video.google.com/googleplayer.swf?docId=1953111836089262961&hl=en

Get to know your world!!!!!