From bu7cher at yandex.ru Mon Jun 2 04:40:17 2008
From: bu7cher at yandex.ru (Andrey V. Elsukov)
Date: Mon Jun 2 04:40:20 2008
Subject: tablearg q'n
In-Reply-To: <484113B4.4010006@mail.ru>
References: <484113B4.4010006@mail.ru>
Message-ID: <48437998.1040807@yandex.ru>

rihad wrote:
> ipfw add pipe tablearg ip from 'table(0)' to 'table(1)'
>
> Which of the two tables will tablearg come from?

Last 'table' argument will be used for tablearg.

> Any way to make the choice explicit?

Patches are welcome =)

-- 
WBR, Andrey V. Elsukov

From bugmaster at FreeBSD.org Mon Jun 2 11:06:54 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jun 2 11:07:06 2008
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200806021106.m52B6sAY093188@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6

16 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] [request] Too few dummynet queue slots
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip

30 problems total.

From fportnoy at mail.plymouth.edu Mon Jun 2 21:02:15 2008
From: fportnoy at mail.plymouth.edu (Fred Portnoy)
Date: Mon Jun 2 21:02:22 2008
Subject: bridgeing not routing
In-Reply-To: <2079218658.1034491212438588445.JavaMail.root@cygnus.plymouth.edu>
Message-ID: <1732391433.1036781212439358454.JavaMail.root@cygnus.plymouth.edu>

I'm looking at a packet from a packet capture. The packet's IP address was sourced within our LAN, destination a server out on the Internet (it is a TCP ACK, part of an ongoing session). The packet's MAC addresses were sourced from the inside interface of the firewall and destination to our LAN's core router.

Our firewall is operating in bridging mode, however, not routing. It has a management IP address on the inside interface, but that's it. No other IP address assigned.

Under what conditions would an ipfw bridging firewall grab hold of an outgoing packet and send it back, substituting its own MAC address for the source and the inner LAN router for the destination?

TIA for any insight

Fred Portnoy
Network Analyst
Plymouth State University
"unfettered by edgy modernisms, or classical influences"

From davids at webmaster.com Mon Jun 2 23:30:11 2008
From: davids at webmaster.com (David Schwartz)
Date: Mon Jun 2 23:30:18 2008
Subject: bridgeing not routing
In-Reply-To: <1732391433.1036781212439358454.JavaMail.root@cygnus.plymouth.edu>
Message-ID:

> I'm looking at a packet from a packet capture. The packet's IP
> address was sourced within our LAN, destination a server out on
> the Internet (it is a tcp ack, part of an ongoing session) The
> packet's mac addresses were sourced from the inside interface of
> the firewall and destination to our LAN's core router.
> Our
> firewall is operating in bridging mode, however, not routing. It
> has a management IP address on the inside interface, but that's
> it. No other IP address assigned.
>
> Under what conditions would an ipfw bridging firewall grab hold
> of an outgoing packet and send it back, substituting its own mac
> address for the source and the inner LAN router for the destination?
>
> TIA for any insight
>
> Fred Portnoy
> Network Analyst
> Plymouth State University

There are probably a few reasons I can't think of, but there are a few obvious ones. First, the machine that sent the packet may have the firewall's management IP set as its default route or as a route to that destination. Second, the machine that sent the packet may have received an ICMP redirect from the firewall. Third, the packet might be maliciously crafted. Fourth, the firewall may have either fragmented or reassembled the packet.

DS

From dmartens at fresnochristian.com Wed Jun 4 23:47:33 2008
From: dmartens at fresnochristian.com (David Martens)
Date: Wed Jun 4 23:47:37 2008
Subject: fwd problem
Message-ID: <2D6927C5-B7C7-454B-83E0-FAD76878356C@fresnochristian.com>

I'm trying to set up a transparent proxy using two machines, the gateway and the proxy. The proxy is 192.168.3.22 and is listening on port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0 so everything is on the same subnet.

I set the following rules on the gateway:

00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8 via en0
00800 divert 8668 ip from any to any via en0
00850 deny ip from any to any in frag
00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80

When I get a packet count (ipfw -a list) rule 990 increments when I try to access a web page.

On the proxy box I have the following rules:

00100 allow tcp from 192.168.3.22 to any
00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80

Rule 110 never receives any forwarded packets. Any ideas what I've done wrong here? The HTTP requests do go out, but are not forwarded through the proxy.

From fazaeli at sepehrs.com Thu Jun 5 10:14:26 2008
From: fazaeli at sepehrs.com (H.fazaeli)
Date: Thu Jun 5 10:14:28 2008
Subject: fwd problem
In-Reply-To: <2D6927C5-B7C7-454B-83E0-FAD76878356C@fresnochristian.com>
References: <2D6927C5-B7C7-454B-83E0-FAD76878356C@fresnochristian.com>
Message-ID: <4847B603.6080105@sepehrs.com>

This is what is happening:

1. The client's packet matches the fwd rule on the gateway.
2. The gateway tries to fwd the packet to 192.168.3.2. For this, it should replace the destination MAC address with that of the proxy (192.168.3.22).
3. The gateway fails to obtain the proxy's MAC address, since it is not on the same subnet as the proxy (can not use ARP).
4. The fwd rule drops the packet.

FIX: assign a 192.168.3.XXX address to the gateway's interface which the proxy is supposed to be reachable from.

David Martens wrote:
> I'm trying to set up a transparent proxy using two machines, the
> gateway and the proxy. The proxy is 192.168.3.22 and is listening on
> port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0 so
> everything is on the same subnet.
>
> I set the following rules on the gateway:
>
> 00100 allow ip from any to any via lo0
> 00110 deny ip from any to 127.0.0.0/8 via en0
> 00800 divert 8668 ip from any to any via en0
> 00850 deny ip from any to any in frag
> 00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
>
> When I get a packet count (ipfw -a list) rule 990 increments when I
> try to access a web page.
>
> On the proxy box I have the following rules:
>
> 00100 allow tcp from 192.168.3.22 to any
> 00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80
>
> rule 110 never receives any forwarded packets. Any ideas what I've
> done wrong here? The http requests do go out, but are not forwarded
> through the proxy.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

-- 
Best regards.

Hooman Fazaeli
Sepehr S. T. Co. Ltd.

Web: http://www.sepehrs.com
Tel: (9821)88975701-2
Fax: (9821)88983352

From gavin at FreeBSD.org Fri Jun 6 12:10:05 2008
From: gavin at FreeBSD.org (Gavin Atkinson)
Date: Fri Jun 6 12:10:07 2008
Subject: kern/115755: [ipfw][patch] unify message and add a rule number where limit was reached
Message-ID: <200806061210.m56CA4KL015114@freefall.freebsd.org>

The following reply was made to PR kern/115755; it has been noted by GNATS.

From: Gavin Atkinson
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/115755: [ipfw][patch] unify message and add a rule number where limit was reached
Date: Fri, 06 Jun 2008 13:04:12 +0100

This has not yet been MFC'd to RELENG_6. However, I'm not sure it can be, as it does change the format of a logged message, so may be unsuitable to merge to a STABLE branch. Opinions? Please close if it can't be merged.

Gavin

From dmartens at fresnochristian.com Fri Jun 6 21:03:28 2008
From: dmartens at fresnochristian.com (David Martens)
Date: Fri Jun 6 21:03:30 2008
Subject: fwd problem
In-Reply-To: <4847B603.6080105@sepehrs.com>
References: <2D6927C5-B7C7-454B-83E0-FAD76878356C@fresnochristian.com> <4847B603.6080105@sepehrs.com>
Message-ID: <5ADDFC1B-9902-46FB-8C0A-AD153E0B3D30@fresnochristian.com>

I've taken H.Fazaeli's suggestion and moved the proxy to the same class C as the gateway with no change.
So now my rule set on the gateway is:

00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8 via en0
00800 divert 8668 ip from any to any via en0
00850 deny ip from any to any in frag
00890 allow ip from any to 192.168.0.2
00990 fwd 192.168.0.2 tcp from 192.168.1.60 to any 80

And on the proxy:

00080 allow tcp from any to any out
00100 fwd 127.0.0.1,8082 tcp from 192.168.1.60 to any dst-port 80

For testing purposes I've set the forward to only a single IP address. Eventually this will be set to the entire /22 subnet.

A tcpdump on the LAN interface on the gateway indicates traffic from 192.168.1.60 and the fwd rule increments, but the packets don't make it to the proxy. They are not dropped, the requested web pages load fine in the browser, just no proxy.

On Jun 5, 2008, at 2:46 AM, H.fazaeli wrote:
>
> This is what is happening:
>
> 1. Client's packet match with fwd rule on gateway.
> 2. gateway tries to fwd packet to 192.168.3.2. For this, it should
> replace
> destination mac address with that of proxy (192.168.3.22).
> 3. gateway fails to obtain proxy mac address, since it is not on the
> same
> subnet as proxy (can not use arp).
> 4. fwd rule drops the packet.
>
> FIX: assign a 192.168.3.XXX address to the gateway's interface
> which proxy is supposed to be reachable from.
>
>
>
> David Martens wrote:
>> I'm trying to set up a transparent proxy using two machines, the
>> gateway and the proxy. The proxy is 192.168.3.22 and is listening
>> on port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0
>> so everything is on the same subnet.
>>
>> I set the following rules on the gateway:
>>
>> 00100 allow ip from any to any via lo0
>> 00110 deny ip from any to 127.0.0.0/8 via en0
>> 00800 divert 8668 ip from any to any via en0
>> 00850 deny ip from any to any in frag
>> 00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
>>
>> When I get a packet count (ipfw -a list) rule 990 increments when I
>> try to access a web page.
>>
>> On the proxy box I have the following rules:
>>
>> 00100 allow tcp from 192.168.3.22 to any
>> 00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80
>>
>> rule 110 never receives any forwarded packets. Any ideas what I've
>> done wrong here? The http requests do go out, but are not forwarded
>> through the proxy.
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>
>>
>
> --
>
> Best regards.
>
> Hooman Fazaeli
> Sepehr S. T. Co. Ltd.
>
> Web: http://www.sepehrs.com
> Tel: (9821)88975701-2
> Fax: (9821)88983352
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From berlowin at yahoo.com Sat Jun 7 03:22:55 2008
From: berlowin at yahoo.com (Edwin Sanjoto)
Date: Sat Jun 7 03:22:58 2008
Subject: About IPv6 Firewall and Others
Message-ID: <58008.22311.qm@web52510.mail.re2.yahoo.com>

Hi All of FreeBSD Experts,

I am a newbie in FreeBSD. I am using FreeBSD 6.3. Sorry for my bad English.

I just want to ask 2 questions:

1. In your opinion, what are the best rules for implementing a firewall in my router which is connected to the Internet? Like, which protocols or services should be blocked? Or which is the best default rule (is it "deny any to any" or "allow any to any")?

2. How do I set up a firewall for IPv6 from the beginning? Like, what must I do with the kernel or something else like changing /etc/rc.conf? And how do I write the RULES for IPv6? Are they different from IPv4? Do you have example RULES?

Thank you very much.
Regards,
EDWIN Sanyoto (berlowin@yahoo.com)

From fazaeli at sepehrs.com Mon Jun 9 10:20:15 2008
From: fazaeli at sepehrs.com (H.fazaeli)
Date: Mon Jun 9 10:20:23 2008
Subject: fwd problem
In-Reply-To: <5ADDFC1B-9902-46FB-8C0A-AD153E0B3D30@fresnochristian.com>
References: <2D6927C5-B7C7-454B-83E0-FAD76878356C@fresnochristian.com> <4847B603.6080105@sepehrs.com> <5ADDFC1B-9902-46FB-8C0A-AD153E0B3D30@fresnochristian.com>
Message-ID: <484D0256.6000108@sepehrs.com>

. On the gateway, place the fwd rule before divert.
. Run tcpdump & 'ipfw -a list' on __proxy__ and see if packets really reach the proxy/squid or not.
. A network diagram would be helpful in case the problem still persists.

David Martens wrote:
> I've taken H.Fazaeli's suggestion and moved the proxy to the same
> class C as the gateway with no change.
>
> So now my rule set on the gateway is:
>
> 00100 allow ip from any to any via lo0
> 00110 deny ip from any to 127.0.0.0/8 via en0
> 00800 divert 8668 ip from any to any via en0
> 00850 deny ip from any to any in frag
> 00890 allow ip from any to 192.168.0.2
> 00990 fwd 192.168.0.2 tcp from 192.168.1.60 to any 80
>
>
> And on the proxy:
>
> 00080 allow tcp from any to any out
> 00100 fwd 127.0.0.1,8082 tcp from 192.168.1.60 to any dst-port 80
>
>
> For testing purposes I've set the forward to only a single ip
> address. Eventually this will be set to the entire /22 subnet.
>
> A tcpdump on the LAN interface on the gateway indicates traffic from
> 192.168.1.60 & and fwd rule increments, but the packets don't make it
> to the proxy. They are not dropped, the requested web pages load fine
> in the browser, just no proxy.
>
>
> On Jun 5, 2008, at 2:46 AM, H.fazaeli wrote:
>
>>
>> This is what is happening:
>>
>> 1. Client's packet match with fwd rule on gateway.
>> 2. gateway tries to fwd packet to 192.168.3.2. For this, it should
>> replace
>> destination mac address with that of proxy (192.168.3.22).
>> 3. gateway fails to obtain proxy mac address, since it is not on the
>> same
>> subnet as proxy (can not use arp).
>> 4. fwd rule drops the packet.
>>
>> FIX: assign a 192.168.3.XXX address to the gateway's interface
>> which proxy is supposed to be reachable from.
>>
>>
>> David Martens wrote:
>>> I'm trying to set up a transparent proxy using two machines, the
>>> gateway and the proxy. The proxy is 192.168.3.22 and is listening
>>> on port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0
>>> so everything is on the same subnet.
>>>
>>> I set the following rules on the gateway:
>>>
>>> 00100 allow ip from any to any via lo0
>>> 00110 deny ip from any to 127.0.0.0/8 via en0
>>> 00800 divert 8668 ip from any to any via en0
>>> 00850 deny ip from any to any in frag
>>> 00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
>>>
>>> When I get a packet count (ipfw -a list) rule 990 increments when I
>>> try to access a web page.
>>>
>>> On the proxy box I have the following rules:
>>>
>>> 00100 allow tcp from 192.168.3.22 to any
>>> 00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80
>>>
>>> rule 110 never receives any forwarded packets. Any ideas what I've
>>> done wrong here? The http requests do go out, but are not forwarded
>>> through the proxy.
>>> _______________________________________________
>>> freebsd-ipfw@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>>
>>>
>> --
>>
>> Best regards.
>>
>> Hooman Fazaeli
>> Sepehr S. T. Co. Ltd.
>>
>> Web: http://www.sepehrs.com
>> Tel: (9821)88975701-2
>> Fax: (9821)88983352
>>
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

-- 
Best regards.

Hooman Fazaeli
Sepehr S. T. Co. Ltd.

Web: http://www.sepehrs.com
Tel: (9821)88975701-2
Fax: (9821)88983352

From bugmaster at FreeBSD.org Mon Jun 9 11:07:01 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jun 9 11:07:19 2008
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200806091107.m59B70oD070771@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.
Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6

16 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] [request] Too few dummynet queue slots
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip

30 problems total.

From roslisukri at gmail.com Tue Jun 10 15:23:55 2008
From: roslisukri at gmail.com (Rosli Sukri)
Date: Tue Jun 10 15:23:58 2008
Subject: ipfw route to multigateways
Message-ID:

hi

scenario:
users---->[lan]freebsdipfw[wan]----->{gw1,gw2}
where gw1 goes to isp1, and gw2 goes to isp2.

requirements:
ftp, http, https traffic goes to gw1
telnet, ssh, mail and pop goes to gw2

can freebsdipfw do this?

From julian at elischer.org Tue Jun 10 17:53:17 2008
From: julian at elischer.org (Julian Elischer)
Date: Tue Jun 10 17:53:22 2008
Subject: ipfw route to multigateways
In-Reply-To:
References:
Message-ID: <484EBF8E.3030006@elischer.org>

Rosli Sukri wrote:
> hi
>
> scenario:
> users---->[lan]freebsdipfw[wan]----->{gw1,gw2}
> where gw1 goes to isp1, and gw2 goes to isp2.

easily done but how do you ensure the return packets come back the same way?

>
> requirements:
> ftp, http, https traffic goes to gw1
> telnet, ssh, mail and pop goes to gw2

in -current there are several ways to do this including:

* multiple routing tables
  use a firewall rule to assign incoming packets to different routing tables for forwarding (setfib) (-current only)

* Forward rule
  ipfw add 100 fwd tablearg ip from IP1 to table 1 in xx0
  ipfw add 101 fwd tablearg ip from IP2 to table 2 in xx0
  and add routing entries into each table

* or just use a single address if you don't need a table:
  ipfw add 100 fwd ISP1 ip from IP1 to any in xx0
  ipfw add 101 fwd ISP2 ip from IP2 to any in xx0

* natd.. I'm not an expert in this but it can do some of this

* a combination of the above

Natd can be used to NAT your outgoing packets so that the return packets come back the same way.. either only NAT the packets to one ISP or Nat them both with different NAT instances.
use a fwd rule or setfib rule to decide which ISP to use and limit the NAT to processing packets in or out of that interface.

>
> can freebsd ipfw do this?
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From opt1k2 at mail.ru Fri Jun 13 18:02:22 2008
From: opt1k2 at mail.ru (Alexey Beketov)
Date: Fri Jun 13 18:02:26 2008
Subject: ipfw arp protocol filtering
Message-ID:

I have two networks, 10.10.0.0/16 both, and if_bridge between them. There are two different 10.10.0.1 machines, one in each network. I need to filter ARP on the bridge so there are no conflicts between the 10.10.0.1 machines. How do I do it? I am using FreeBSD 7.0 and ipfw.

From cswiger at mac.com Fri Jun 13 19:39:04 2008
From: cswiger at mac.com (Chuck Swiger)
Date: Fri Jun 13 19:39:09 2008
Subject: ipfw arp protocol filtering
In-Reply-To:
References:
Message-ID: <733D64F7-47AA-4BCF-9677-08A20D39150A@mac.com>

On Jun 13, 2008, at 10:50 AM, Alexey Beketov wrote:
> I have two networks,10.10.0.0/16 both, and if_bridge between them.
> There is two different 10.10.0.1 machines in each network. I need to
> filter arp on bridge to make no conflicts between 10.10.0.1
> machines. How to make it, I using freebsd 7.0 and ipfw?

Seriously, dude-- don't even try to do this; you will be drawn into networking hell.

If you still wish to risk it, consider:

sysctl -w net.link.ether.bridge_ipfw=1
sysctl -w net.link.ether.ipfw=1
ipfw add deny mac any 0:1:2:3:4:5

...add the deny rule twice & change MAC to match those of your two 10.10.0.1 machines. This won't filter ARP traffic, but instead just the ethernet addresses of these two machines from passing through the bridge.

If you really want to block ARP, you're better off switching to using a router and NAT forwarding rather than a bridge, but I understand there's a hack like follows:

ipfw add deny udp from 0.0.0.0 2054 to 0.0.0.0

-- 
-Chuck

From berlowin at yahoo.com Sat Jun 14 02:27:58 2008
From: berlowin at yahoo.com (Edwin Sanjoto)
Date: Sat Jun 14 02:28:02 2008
Subject: About IPFW for IPv6
Message-ID: <285153.62730.qm@web52505.mail.re2.yahoo.com>

Hi Guyz...

Do you know how to set up a firewall for IPv6 using IPFW? Or, if you are using another firewall like PF, do you know how to set it up?

Thanks Guyz, I will wait for your reply soon...

Regards,
EDWIN Sanyoto (berlowin@yahoo.com)

From fabian at wenks.ch Sun Jun 15 20:14:03 2008
From: fabian at wenks.ch (Fabian Wenk)
Date: Sun Jun 15 20:14:06 2008
Subject: About IPFW for IPv6
In-Reply-To: <285153.62730.qm@web52505.mail.re2.yahoo.com>
References: <285153.62730.qm@web52505.mail.re2.yahoo.com>
Message-ID: <48557801.5020203@wenks.ch>

Hello Edwin

On 14.06.08 04:27, Edwin Sanjoto wrote:
> Do you know how to set firewall for IPv6 using IPFW?

Just use ipfw the same as for IPv4; since FreeBSD 6.x it also supports IPv6. If you still have an older version of FreeBSD, use ip6fw.

bye
Fabian

From julian at elischer.org Sun Jun 15 20:43:33 2008
From: julian at elischer.org (Julian Elischer)
Date: Sun Jun 15 20:43:37 2008
Subject: About IPFW for IPv6
In-Reply-To: <48557801.5020203@wenks.ch>
References: <285153.62730.qm@web52505.mail.re2.yahoo.com> <48557801.5020203@wenks.ch>
Message-ID: <48557EF6.3060509@elischer.org>

Fabian Wenk wrote:
> Hello Edwin
>
> On 14.06.08 04:27, Edwin Sanjoto wrote:
>> Do you know how to set firewall for IPv6 using IPFW?
>
> Just use ipfw the same like for IPv4, then since FreeBSD 6.x it does
> also support IPv6. If you still have an older version of FreeBSD, use
> ip6fw.
>

there are some features that are not yet supported.. (e.g. tables and fwd I believe)

>
> bye
> Fabian
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From bugmaster at FreeBSD.org Mon Jun 16 11:06:57 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jun 16 11:07:40 2008
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200806161106.m5GB6uEg036740@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6

16 problems total.

Non-critical problems

S Tracker      Resp.
Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] [request] Too few dummynet queue slots
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip

30 problems total.

From berlowin at yahoo.com Tue Jun 17 03:22:43 2008
From: berlowin at yahoo.com (Edwin Sanjoto)
Date: Tue Jun 17 03:22:47 2008
Subject: freebsd-ipfw Digest, Vol 270, Issue 1
Message-ID: <33331.70286.qm@web52504.mail.re2.yahoo.com>

> Just use ipfw the same like for IPv4, then since FreeBSD 6.x it
> does also support IPv6. If you still have an older version of
> FreeBSD, use ip6fw.
> bye
> Fabian

Hmm, I have already used it as an IPv4 firewall but it didn't work. Are icmptypes for IPv6 different from IPv4? I just want to block any echo request to my computer from the IPv6 network.

This is my rule:

$cmd 00501 allow ipv6-icmp from $net to me in icmptypes 136 via $int
$cmd 00502 deny ipv6-icmp from any to me in icmptypes 136 via $int

From berlowin at yahoo.com Tue Jun 17 03:24:21 2008
From: berlowin at yahoo.com (Edwin Sanjoto)
Date: Tue Jun 17 03:24:26 2008
Subject: Replied to Fabian and Others about ip6fw
Message-ID: <8260.72112.qm@web52504.mail.re2.yahoo.com>

Hmm, I have already used it as an IPv4 firewall but it didn't work. Are icmptypes for IPv6 different from IPv4? I just want to block any echo request to my computer from the IPv6 network.

This is my rule:

$cmd 00501 allow ipv6-icmp from $net to me in icmptypes 136 via $int
$cmd 00502 deny ipv6-icmp from any to me in icmptypes 136 via $int

Regards,
EDWIN Sanyoto (berlowin@yahoo.com)

From ygsoccer at biolabinc.com Tue Jun 17 06:52:40 2008
From: ygsoccer at biolabinc.com (ygsoccer@biolabinc.com)
Date: Tue Jun 17 06:52:44 2008
Subject: Pick up ,the po"hne and" do it
Message-ID: <48580AC9.7000705@rohmhaas.com>

As expecetd. Com"-pany: Angstrom Micro-systems T.ciker : agms.o.b Suggested:, Buy/hold, Sleling: .40 High Tradnig: 331,485 At'fer the great nwes last week, volume d_ tr'aded hit 331,485. Mo re events will unfold", coim'ng into its own Ans-gtr,om is the one to watch._ The price is sitll low, move fast b"uy amgs frist' .Tuedsay m.orning.

From dwmalone at FreeBSD.org Wed Jun 18 06:01:14 2008
From: dwmalone at FreeBSD.org (dwmalone@FreeBSD.org)
Date: Wed Jun 18 06:01:16 2008
Subject: kern/111713: [dummynet] [request] Too few dummynet queue slots
Message-ID: <200806180601.m5I61DWW054194@freefall.freebsd.org>

Synopsis: [dummynet] [request] Too few dummynet queue slots

State-Changed-From-To: open->closed
State-Changed-By: dwmalone
State-Changed-When: Wed Jun 18 06:00:48 UTC 2008
State-Changed-Why:
Closed at submitter's request as a suitable feature now exists.

David.

http://www.freebsd.org/cgi/query-pr.cgi?pr=111713

From raffaele.delorenzo at libero.it Wed Jun 18 14:02:42 2008
From: raffaele.delorenzo at libero.it (Raffaele De Lorenzo)
Date: Wed Jun 18 14:03:11 2008
Subject: freebsd-ipfw Digest, Vol 270, Issue 1
In-Reply-To: <33331.70286.qm@web52504.mail.re2.yahoo.com>
References: <33331.70286.qm@web52504.mail.re2.yahoo.com>
Message-ID: <485912CC.4070707@libero.it>

Hi,

I see from [RFC4861] that ICMPv6 type 136 is still used for "Neighbor Advertisement" messages:

136 Neighbor Advertisement [RFC4861]

You must modify your ipfw IPv6 rules... see this URL for all the information:

http://www.iana.org/assignments/icmpv6-parameters

Anyway, the "echo request" message type is 128 and the "echo reply" message type is 129.

Cheers
Raffaele

Edwin Sanjoto wrote:
>> Just use ipfw the same like for IPv4, then since FreeBSD 6.x it
>> does also support IPv6. If you still have an older version of
>> FreeBSD, use ip6fw.
>>
>
>> bye
>> Fabian
>>
>
> Hmm I have already used it as IPv4 firewall but it didn't work. are icmptypes for ipv6 different from ipv4? i just want to block any echo request to my computer from ipv6 network.
>
> This is my Rule:
> $cmd 00501 allow ipv6-icmp from $net to me in icmptypes 136 via $int
> $cmd 00502 deny ipv6-icmp from any to me in icmptypes 136 via $int

From fabian at wenks.ch  Wed Jun 18 19:26:36 2008
From: fabian at wenks.ch (Fabian Wenk)
Date: Wed Jun 18 19:26:39 2008
Subject: About IPFW for IPv6
In-Reply-To: <48557EF6.3060509@elischer.org>
References: <285153.62730.qm@web52505.mail.re2.yahoo.com> <48557801.5020203@wenks.ch> <48557EF6.3060509@elischer.org>
Message-ID: <48596162.6060809@wenks.ch>

Hello Julian

On 15.06.08 22:43, Julian Elischer wrote:
> Fabian Wenk wrote:
>> Just use ipfw the same like for IPv4, then since FreeBSD 6.x it does
>> also support IPv6. If you still have an older version of FreeBSD, use
>> ip6fw.
>
> there are some features that are not yet supported.. (e.g. tables and
> fwd I believe)

I do not know about tables, but fwd sure is broken and acting strange, see PR 117214 [1].

[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=117214

bye
Fabian

From raffaele.delorenzo at libero.it  Sat Jun 21 10:31:13 2008
From: raffaele.delorenzo at libero.it (Raffaele De Lorenzo)
Date: Sat Jun 21 10:31:17 2008
Subject: freebsd-ipfw Digest, Vol 270, Issue 1
In-Reply-To: <7147.22159.qm@web52505.mail.re2.yahoo.com>
References: <7147.22159.qm@web52505.mail.re2.yahoo.com>
Message-ID: <753F38D0-7643-4626-85B7-9557DFFDAC71@libero.it>

The "Neighbor Advertisement" messages are used for routing purposes by the Neighbor Discovery Protocol.

The standard SSH port is 22
The standard Telnet port is 23

(ipfw add deny tcp from XXX:XXX:XX to any dst-port 22,23 via YYY)

these rules refer to IPFW not IP6FW. You must use IPFW.

cheers
Raffaele

On 19/giu/08, at 04:04, Edwin Sanjoto wrote:
> Thanks Raffaele, It works...
>
> another question that I want to ask is, what is the use of
> "Neighbor Advertisement" which is icmptypes 136?
>
> Last question:
> I don't know the rules to block ssh and telnet. I've already done
> this:
> $cmd6 00503 allow tcp from 2001::6:111 to any 22,23 in via ed0
> $cmd6 00504 deny tcp from any to any 22,23 in via ed0
>
> But after I display the ip6fw list, I didn't find the rules for
> blocking ssh and telnet.
>
> Regards,
>
> EDWIN Sanyoto
> (berlowin@yahoo.com)
>
> ----- Original Message ----
> From: Raffaele De Lorenzo
> To: Edwin Sanjoto
> Cc: freebsd-ipfw@freebsd.org
> Sent: Tuesday, June 17, 2008 2:37:17 PM
> Subject: Re: freebsd-ipfw Digest, Vol 270, Issue 1
>
> Hi,
> I see from [RFC4861] the icmpv6 type 136 is still used for "Neighbor
> Advertisement" messages
>
> 136 Neighbor Advertisement [RFC4861]
>
> You must modify your ipfw IPv6 rules... see this URL for all
> information:
>
> http://www.iana.org/assignments/icmpv6-parameters
>
> Anyway the "echo request" message type is 128 and the "echo reply"
> message type is 129.
>
> Cheers
>
> Raffaele

From bugmaster at FreeBSD.org  Mon Jun 23 11:06:56 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jun 23 11:07:19 2008
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200806231106.m5NB6tkx064990@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S  Tracker       Resp.  Description
--------------------------------------------------------------------------------
o  kern/51274    ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o  kern/73910    ipfw   [ipfw] serious bug on forwarding of packets after NAT
o  kern/74104    ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o  kern/88659    ipfw   [modules] ipfw and ip6fw do not work properly as modul
o  kern/93300    ipfw   [ipfw] ipfw pipe lost packets
o  kern/95084    ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o  kern/97504    ipfw   [ipfw] IPFW Rules bug
o  kern/97951    ipfw   [ipfw] [patch] ipfw does not tie interface details to
o  kern/98831    ipfw   [ipfw] ipfw has UDP hickups
o  kern/102471   ipfw   [ipfw] [patch] add tos and dscp support
o  kern/103454   ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o  kern/106534   ipfw   [ipfw] [panic] ipfw + dummynet
o  kern/112708   ipfw   [ipfw] ipfw is seems to be broken to limit number of c
o  kern/117234   ipfw   [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o  kern/118993   ipfw   [ipfw] page fault - probably it's a locking problem
o  conf/123119   ipfw   [patch] rc script for ipfw does not handle IPv6

16 problems total.

Non-critical problems

S  Tracker       Resp.  Description
--------------------------------------------------------------------------------
a  kern/26534    ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau
o  kern/46159    ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
o  kern/48172    ipfw   [ipfw] [patch] ipfw does not log size and flags
o  kern/55984    ipfw   [ipfw] [patch] time based firewalling support for ipfw
o  kern/60719    ipfw   [ipfw] Headerless fragments generate cryptic error mes
o  kern/69963    ipfw   [ipfw] install_state warning about already existing en
o  kern/71366    ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o  kern/72987    ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o  bin/78785     ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
s  kern/80642    ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o  kern/82724    ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o  kern/86957    ipfw   [ipfw] [patch] ipfw mac logging
o  kern/87032    ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o  kern/91847    ipfw   [ipfw] ipfw with vlanX as the device
o  kern/103328   ipfw   [ipfw] [request] sugestions about ipfw table
o  kern/104682   ipfw   [ipfw] [patch] Some minor language consistency fixes a
o  bin/104921    ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o  kern/105330   ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o  kern/107305   ipfw   [ipfw] ipfw fwd doesn't seem to work
o  kern/112561   ipfw   [ipfw] ipfw fwd does not work with some TCP packets
p  kern/113388   ipfw   [ipfw][patch] Addition actions with rules within speci
o  docs/113803   ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
o  bin/115172    ipfw   [patch] ipfw(8) list show some rules with a wrong form
p  kern/115755   ipfw   [ipfw][patch] unify message and add a rule number wher
o  kern/116009   ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o  kern/121122   ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o  kern/121382   ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
s  kern/121807   ipfw   [request] TCP and UDP port_table in ipfw
o  kern/122963   ipfw   [ipfw] tcpdump does not show packets redirected by 'ip

29 problems total.

From jbut at swin.edu.au  Sun Jun 29 10:49:22 2008
From: jbut at swin.edu.au (Jason But)
Date: Sun Jun 29 10:49:27 2008
Subject: Code release of ipfw NAT support for SCTP in FreeBSD-8
Message-ID: <486765CD.5030206@swin.edu.au>

The Centre for Advanced Internet Architectures (CAIA - http://caia.swin.edu.au) is proud to announce the release of alias_sctp version 0.1, an SCTP NAT patch to FreeBSD 8.x.

Alias_sctp provides SCTP NAT functionality to the ipfw/ipfw_nat/libalias suite. It is part of the CAIA SONATA project (http://caia.swin.edu.au/urp/sonata). The code has been intentionally kept as separate as possible from the base modules to aid testing and debugging, and make it easier to port to other systems.

This project has been made possible in part by a grant from the Cisco University Research Program Fund at Community Foundation Silicon Valley.

We welcome and value feedback and comments. Please forward feedback to dahayes@swin.edu.au and jbut@swin.edu.au

Download patch from http://caia.swin.edu.au/urp/sonata/downloads.html

Features of alias_sctp version 0.1:
- Basic configuration through "ipfw nat ... config" commands.
- Forwarding of incoming SCTP associations through "ipfw nat ... redirect_addr ..." commands.
- A variety of log levels (currently #define, but sysctl in version 0.2).
- Stateful SCTP association management.
- Tested on single-homed hosts, but should work when the multi-homed host is on the global side of the NAT (same mechanism for address translation).
- Dynamic hash table size allocation (currently #define, but sysctl in version 0.2).
- Initial testing has been for up to 10000 concurrent flows arriving and leaving at about 2000/second. Tested for periods of up to 72 hours.
Features in the pipeline for further releases:
- Sysctl interface for logging, timeouts, hash table size. Status - mostly complete.
- Port forwarding and load sharing. Status - mostly complete.
- Support for, soon to be specified, enhancements of SCTP to aid interworking with NATs.
  - New AddIP ASCONF chunks. Status - preliminary coding and investigation. (Requires finalised standards to be completed)
  - AbortM and ErrorM NAT originated messages. Status - preliminary coding, with work starting on the ipfw send interface
- IPv6 support. Status - preliminary investigation.
- Global IP address tracing. Status - preliminary investigation.

Other tasks:
- Exhaustive testing of the various configurations and scenarios.
- Stress and load testing.
- Performance analysis.

Jason

--
----------
Dr. Jason But
Lecturer
Telecommunications Engineering Academic Group
Faculty of Information and Communication Technologies
Swinburne University of Technology
http://www.swinburne.edu.au/ict/telecommshome.htm
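Returning to the ICMPv6 and SSH/Telnet thread above (Edwin's `ipv6-icmp ... icmptypes 136` rules and Raffaele's replies that echo request is type 128 and that ports 22,23 are matched with `dst-port`): an added shell example in the rc.firewall `$cmd` style, written here and not taken from any poster, which keeps Neighbor Discovery (types 133 to 136, including the Neighbor Advertisement type the original rules denied) open, filters echo requests by their real type, restricts the two ports, and lints a ruleset for deny rules that would break ND. It assumes the ipfw(8) keywords `ipv6-icmp`, `icmp6types` and `dst-port`; the prefix `2001:db8::/64` and interface `ed0` are constructed values, and `$cmd` defaults to `echo` so the rules are printed rather than installed.

```shell
#!/bin/sh
# Added example for the ICMPv6 / SSH-Telnet thread; not code from any poster.
# rc.firewall style: $cmd defaults to "echo" so the rules print instead of
# being installed (set cmd="ipfw -q add" on the firewall). Assumes the
# ipfw(8) keywords ipv6-icmp, icmp6types and dst-port.
cmd="${cmd:-echo}"

# Emit the ruleset: $1 = trusted IPv6 prefix, $2 = interface (constructed
# values in the test below).
ipv6_icmp_rules() {
    net="$1"; int="$2"
    # Neighbor Discovery types: RS 133, RA 134, NS 135, NA 136. The thread's
    # original rule denied 136 from "any", which stops on-link address
    # resolution; ND has to stay open on the interface.
    $cmd 00500 allow ipv6-icmp from any to any icmp6types 133,134,135,136 via "$int"
    # Echo request is type 128: accept it from the trusted prefix only.
    $cmd 00501 allow ipv6-icmp from "$net" to me in icmp6types 128 via "$int"
    $cmd 00502 deny ipv6-icmp from any to me in icmp6types 128 via "$int"
    # Echo replies (129) answer our own probes; keep them for diagnostics.
    $cmd 00503 allow ipv6-icmp from any to me in icmp6types 129 via "$int"
    # SSH/Telnet reachable from the trusted prefix only (dst-port form).
    $cmd 00504 allow tcp from "$net" to me dst-port 22,23 in via "$int"
    $cmd 00505 deny tcp from any to me dst-port 22,23 in via "$int"
}

# Lint a ruleset read on stdin: return 1 if a deny rule would drop ND
# traffic, i.e. it names an ND type (133-136) or denies ipv6-icmp with no
# type list at all. Both the icmptypes and icmp6types spellings are checked.
lint_nd_rules() {
    bad=0
    while read -r line; do
        case "$line" in
            *deny*ipv6-icmp*) ;;
            *) continue ;;
        esac
        types=$(printf '%s\n' "$line" | sed -n 's/.*icmp6\{0,1\}types \([0-9,]*\).*/\1/p')
        if [ -z "$types" ]; then
            echo "all ICMPv6 denied (breaks ND): $line"; bad=1; continue
        fi
        for t in $(printf '%s\n' "$types" | tr ',' ' '); do
            case "$t" in
                133|134|135|136) echo "ND type $t denied: $line"; bad=1 ;;
            esac
        done
    done
    return $bad
}
```

Run `ipv6_icmp_rules <prefix> <interface> | lint_nd_rules` to check a generated set before pointing `$cmd` at ipfw; the lint also accepts a saved `ipfw list` style file on stdin.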