From bugmaster at FreeBSD.org Mon Feb 2 03:06:54 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Feb 2 03:08:11 2009
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200902021106.n12B6rRm094458@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

52 problems total.

From bugmaster at FreeBSD.org Mon Feb 9 03:06:54 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Feb 9 03:08:21 2009
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200902091106.n19B6r7f009149@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

52 problems total.

From gavin at FreeBSD.org Tue Feb 10 05:46:25 2009
From: gavin at FreeBSD.org (gavin@FreeBSD.org)
Date: Tue Feb 10 05:46:32 2009
Subject: kern/131558: [ipfw] Inconsistent "via" ipfw behavior
Message-ID: <200902101346.n1ADkPX9066378@freefall.freebsd.org>

Old Synopsis: Inconsistent "via" ipfw behavior
New Synopsis: [ipfw] Inconsistent "via" ipfw behavior

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: gavin
Responsible-Changed-When: Tue Feb 10 13:44:03 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s). I get the feeling this may be a kernel bug rather
than a userspace bug, so reclassify.

http://www.freebsd.org/cgi/query-pr.cgi?pr=131558

From olli at lurza.secnetix.de Wed Feb 11 06:24:32 2009
From: olli at lurza.secnetix.de (Oliver Fromme)
Date: Wed Feb 11 06:24:39 2009
Subject: IPFW performance on SMP (vs. PF)
Message-ID: <200902111424.n1BEOU3N012805@lurza.secnetix.de>

Hi,

I'll have to implement a packet filter on machines with several cores
(4 to 8). Which one of the available filters (IPFW, IPF, PF) will
provide the best performance on such SMP machines?

I heard that PF doesn't support SMP hardware very well -- is that true?
Will IPFW be better?

Thanks for any insights.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry Court Munich, HRA 74606, management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registry Court
Munich, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"If Java had true garbage collection, most programs
would delete themselves upon execution."
        -- Robert Sewell

From raffaele.delorenzo at libero.it Wed Feb 11 15:04:28 2009
From: raffaele.delorenzo at libero.it (Raffaele De Lorenzo)
Date: Wed Feb 11 15:05:05 2009
Subject: Support for IPv6 tables in ipfw?
In-Reply-To: <20090211223416.5550A1CC0B@ptavv.es.net>
References: <20090211223416.5550A1CC0B@ptavv.es.net>
Message-ID: <48EED655-AD6F-4C37-8182-86715F417011@libero.it>

Hi,

I developed, with Luigi (as mentor) and Mariano Tortoriello, the first
release of ipfw with the IPv6 extension. If you and the FreeBSD community
think that the tables functionality is a good feature, I can develop it
for the IPv6 protocol.

Ciao
Raffaele

On 11/feb/09, at 23:34, Kevin Oberman wrote:

> With all of Luigi's excellent work on ipfw, I'd like to request that
> someone familiar with the code look at implementing support for tables
> for IPv6. While the IPv6 support in IPFW is generally a bit less mature
> than IPv4, the one functional thing that is completely missing is
> tables. Having them would make my life quite a bit easier. It's the one
> thing that I have been unable to work around in my dual-stack
> firewalls.
> -- 
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: oberman@es.net			Phone: +1 510 486-8634
> Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

From oberman at es.net Wed Feb 11 16:42:24 2009
From: oberman at es.net (Kevin Oberman)
Date: Wed Feb 11 16:42:31 2009
Subject: Support for IPv6 tables in ipfw?
In-Reply-To: Your message of "Wed, 11 Feb 2009 23:50:34 +0100." <48EED655-AD6F-4C37-8182-86715F417011@libero.it>
Message-ID: <20090212004222.028CF1CC0B@ptavv.es.net>
> From: Raffaele De Lorenzo
> Date: Wed, 11 Feb 2009 23:50:34 +0100
>
> Hi,
> I developed, with Luigi (as mentor) and Mariano Tortoriello, the first
> release of ipfw with the IPv6 extension. If you and the FreeBSD community
> think that the tables functionality is a good feature, I can develop it
> for the IPv6 protocol.

Tables are invaluable for several functions. The most important to me is
the ability to create a 'block' list that can be easily updated from a
program or script. With a table you just need:

add 00500 unreach port ip from table 86 to any

in your standard configuration, and then a script can do:

table 22 add 2001:400:14:23::45

to add a system to the list. To do it without tables means finding an
available rule and inserting the rule in the main table. I can do it
without tables, but it works much better with them.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

From steve at ibctech.ca Thu Feb 12 06:50:38 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Thu Feb 12 06:50:45 2009
Subject: Support for IPv6 tables in ipfw?
In-Reply-To: <48EED655-AD6F-4C37-8182-86715F417011@libero.it>
References: <20090211223416.5550A1CC0B@ptavv.es.net> <48EED655-AD6F-4C37-8182-86715F417011@libero.it>
Message-ID: <49943732.1060803@ibctech.ca>

Raffaele De Lorenzo wrote:
> Hi,
> I developed, with Luigi (as mentor) and Mariano Tortoriello, the first
> release of ipfw with the IPv6 extension. If you and the FreeBSD community
> think that the tables functionality is a good feature, I can develop it
> for the IPv6 protocol.

I think that tables are extremely functional and valuable, and will test
any patches as soon as they are available if you are inclined to
implement them for IPv6.

Steve

From linimon at FreeBSD.org Fri Feb 13 06:30:19 2009
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Fri Feb 13 06:30:31 2009
Subject: kern/131601: [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
Message-ID: <200902131430.n1DEUED7040530@freefall.freebsd.org>

Old Synopsis: 7-STABLE panic in nat_finalise (tcp=0)
New Synopsis: [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)

Responsible-Changed-From-To: freebsd-net->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Feb 13 14:30:00 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=131601

From ozkan at mersin.edu.tr Mon Feb 16 01:31:02 2009
From: ozkan at mersin.edu.tr (Özkan KIRIK)
Date: Mon Feb 16 01:31:08 2009
Subject: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
Message-ID: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com>

Hi,

I am using FreeBSD 7.1-RELEASE as a gateway (about 2000 clients, 90 VLANs
via if_vlan). My server is an HP DL380 G4. I am using the on-board gigabit
NIC, which uses the bge driver, as the WAN interface.

My rule set is below:

wan_intf="bge1"
ipfw nat 100 config ip X.X.X.1 reset same_ports
ipfw nat 101 config ip X.X.X.2 reset same_ports
ipfw nat 102 config ip X.X.X.3 reset same_ports
...
...
ipfw add 5 allow all from any to any layer2
ipfw add 50 checkstate
...
... Other port forwarding and static nat rules without keep-state
...
ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
...
...
ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
...
...

About 2 minutes after applying this rule set, the system writes
"bge1 watchdog timeout --- resetting" and then hangs; the keyboard doesn't
respond. No logs can be observed.

When I remove all skipto and checkstate rules, the system works properly
without problems. I suspect the stateful inspection code.

Some sysctl variables are below:

net.inet.ip.fw.dyn_max=32768
net.inet.ip.fw.dyn_ack_lifetime=100
net.inet.ip.fw.dyn_short_lifetime=10
net.inet.ip.fw.one_pass=0
net.inet.ip.dummynet.hash_size=256
kern.maxfiles=32000
kern.ipc.somaxconn=1024
net.inet.ip.process_options=0
net.inet.ip.fastforwarding=1
net.link.ether.ipfw=1

Thanks for your interest.

From bugmaster at FreeBSD.org Mon Feb 16 03:06:55 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Feb 16 03:08:19 2009
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200902161106.n1GB6rIo096159@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

54 problems total.

From olli at lurza.secnetix.de Mon Feb 16 06:28:40 2009
From: olli at lurza.secnetix.de (Oliver Fromme)
Date: Mon Feb 16 06:28:48 2009
Subject: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
In-Reply-To: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com>
Message-ID: <200902161428.n1GESLvL015103@lurza.secnetix.de>

Hello,

Unfortunately I can't help you with your actual problem,
but I have a few remarks that might be helpful.

Özkan KIRIK wrote:
> I am using FreeBSD 7.1-RELEASE as a gateway (about 2000 clients, 90 VLANs
> via if_vlan). My server is an HP DL380 G4. I am using the on-board gigabit
> NIC, which uses the bge driver, as the WAN interface.
>
> My rule set is below:
>
> wan_intf="bge1"
> ipfw nat 100 config ip X.X.X.1 reset same_ports
> ipfw nat 101 config ip X.X.X.2 reset same_ports
> ipfw nat 102 config ip X.X.X.3 reset same_ports
> ...
> ...
> ipfw add 5 allow all from any to any layer2
> ipfw add 50 checkstate

Note: It is spelled "check-state". Please verify that you
have it correctly in your ipfw script.

> ...
> ... Other port forwarding and static nat rules without keep-state
> ...
> ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
> ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
> ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
> ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
> ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
> ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
> ...
> ...
> ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
> ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
> ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
> ...
> ...
>
> About 2 minutes after applying this rule set, the system writes
> "bge1 watchdog timeout --- resetting" and then hangs; the keyboard doesn't
> respond. No logs can be observed.
>
> When I remove all skipto and checkstate rules, the system works properly
> without problems. I suspect the stateful inspection code.

If you don't have an explicit check-state rule, then there's
an implicit check-state rule at the first keep-state.
If you don't want any check-state at all, you must remove
all stateful rules (i.e. all "keep-state" rules).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry Court Munich, HRA 74606, management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registry Court
Munich, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

$ dd if=/dev/urandom of=test.pl count=1
$ file test.pl
test.pl: perl script text executable

From ozkan at mersin.edu.tr Mon Feb 16 14:38:18 2009
From: ozkan at mersin.edu.tr (Özkan KIRIK)
Date: Mon Feb 16 14:38:25 2009
Subject: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
In-Reply-To: <200902161428.n1GESLvL015103@lurza.secnetix.de>
References: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com> <200902161428.n1GESLvL015103@lurza.secnetix.de>
Message-ID: <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com>

Thanks for your reply. It is only a typo; in the real rule set it is
correctly written. I want to use stateful inspection.

On Mon, Feb 16, 2009 at 4:28 PM, Oliver Fromme wrote:

> Hello,
>
> Unfortunately I can't help you with your actual problem,
> but I have a few remarks that might be helpful.
>
> Özkan KIRIK wrote:
> > I am using FreeBSD 7.1-RELEASE as a gateway (about 2000 clients, 90 VLANs
> > via if_vlan). My server is an HP DL380 G4. I am using the on-board gigabit
> > NIC, which uses the bge driver, as the WAN interface.
> >
> > My rule set is below:
> >
> > wan_intf="bge1"
> > ipfw nat 100 config ip X.X.X.1 reset same_ports
> > ipfw nat 101 config ip X.X.X.2 reset same_ports
> > ipfw nat 102 config ip X.X.X.3 reset same_ports
> > ...
> > ...
> > ipfw add 5 allow all from any to any layer2
> > ipfw add 50 checkstate
>
> Note: It is spelled "check-state". Please verify that you
> have it correctly in your ipfw script.
>
> > ...
> > ... Other port forwarding and static nat rules without keep-state
> > ...
> > ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
> > ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
> > ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
> > ...
> > ...
> > ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
> > ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
> > ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
> > ...
> > ...
> >
> > About 2 minutes after applying this rule set, the system writes
> > "bge1 watchdog timeout --- resetting" and then hangs; the keyboard doesn't
> > respond. No logs can be observed.
> >
> > When I remove all skipto and checkstate rules, the system works properly
> > without problems. I suspect the stateful inspection code.
>
> If you don't have an explicit check-state rule, then there's
> an implicit check-state rule at the first keep-state.
> If you don't want any check-state at all, you must remove
> all stateful rules (i.e. all "keep-state" rules).
>
> Best regards
>    Oliver
>
> -- 
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
> Commercial register: Registry Court Munich, HRA 74606, management:
> secnetix Verwaltungsgesellsch. mbH, commercial register: Registry Court
> Munich, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
>
> FreeBSD services, products and more: http://www.secnetix.de/bsd
>
> $ dd if=/dev/urandom of=test.pl count=1
> $ file test.pl
> test.pl: perl script text executable
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

From blogtiengviet at yahoo.com Tue Feb 17 06:51:03 2009
From: blogtiengviet at yahoo.com (Blog Tieng Viet)
Date: Tue Feb 17 06:51:14 2009
Subject: How to protect FreeBSD from IP spoofing ?
In-Reply-To: <200902131430.n1DEUED7040530@freefall.freebsd.org>
Message-ID: <292159.62731.qm@web57103.mail.re3.yahoo.com>

Dear all.

I am a newbie to FreeBSD and would like to get a lot of information about
FreeBSD, such as IPFW.

I am annoyed by IP spoofing but don't have any way to prevent it.
Can anyone tell me how to do it?

Thanks in advance.

PS:
I am using 6.4-PRERELEASE FreeBSD 6.4-PRERELEASE.
The FreeBSD box is used as a web server, and every packet for port 80 is
forwarded to it from the LAN router.

From ady at freebsd.ady.ro Tue Feb 17 09:20:56 2009
From: ady at freebsd.ady.ro (Adrian Penisoara)
Date: Tue Feb 17 09:21:10 2009
Subject: How to protect FreeBSD from IP spoofing ?
In-Reply-To: <292159.62731.qm@web57103.mail.re3.yahoo.com>
References: <200902131430.n1DEUED7040530@freefall.freebsd.org> <292159.62731.qm@web57103.mail.re3.yahoo.com>
Message-ID: <78cb3d3f0902170855p70047aa0r655d8ba846d2458d@mail.gmail.com>

Hi,

Check the ipfw(8) manual (includes examples) or rather go for pf
(packetfilter) and check the pf.conf(5) manual. For pf you just need to
add something like "antispoof for lo0".

Regards,
Adrian.

On Tue, Feb 17, 2009 at 3:24 PM, Blog Tieng Viet wrote:

> Dear all.
> I am a newbie to FreeBSD and would like to get a lot of information about
> FreeBSD, such as IPFW.
> I am annoyed by IP spoofing but don't have any way to prevent it.
> Can anyone tell me how to do it?
> Thanks in advance.
>
> PS:
> I am using 6.4-PRERELEASE FreeBSD 6.4-PRERELEASE.
> The FreeBSD box is used as a web server, and every packet for port 80 is
> forwarded to it from the LAN router.
>
>
>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

From nino80 at gmail.com Tue Feb 17 09:36:11 2009
From: nino80 at gmail.com (n j) Date: Tue Feb 17 09:36:17 2009 Subject: in-kernel nat and stateful inspection hangs system 7.1 RELEASE In-Reply-To: <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com> References: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com> <200902161428.n1GESLvL015103@lurza.secnetix.de> <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com> <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com> Message-ID: <92bcbda50902170928gd0fc74bs7b7836fe92c4609b@mail.gmail.com> Sorry, hit the wrong key combo and message went before I finished it :( ... > Here is the rule that after a short while (probably the first packet > to match the rule) freezes the machine: > ipfw -q flush ipfw -q nat 123 config ip a.b.c.d log ipfw -q disable one_pass ... > ipfw add 00003 nat 123 log ip from x.x.x.0/24 to > a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out # keep-state here causes freeze > ... further down the chain... ipfw add 00900 check-state If anyone else experienced similar cases, I invite them to share. Regards, -- nino From nino80 at gmail.com Tue Feb 17 09:52:11 2009 
From: nino80 at gmail.com (n j) Date: Tue Feb 17 09:52:18 2009 Subject: in-kernel nat and stateful inspection hangs system 7.1 RELEASE In-Reply-To: <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com> References: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com> <200902161428.n1GESLvL015103@lurza.secnetix.de> <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com> Message-ID: <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com> > About 2 Minutes later after apply this rule set, system writes that bge1 > watchdog timeout --- resetting and then system hangs, keyboard doesnt > response. No logs can be observed. > > When i remove all skipto and checkstate rules, system work properly > without problems. I suspect about stateful inpection code. Just to add a "me too" message to this thread, I also experienced system freezes (keyboard not working => hardware reset necessary) with in-kernel NAT and stateful rules. I had a repeatable case on a production server and hoped to replicate the bug on a different machine as the production server needed to go in, well, production; however thanks to complex setup of original machine (in-kernel NAT, vlans, openvpn...), lack of time and virtual environment, test scenario failed to produce a sensible bug report and I gave up until I saw OP reporting the same issue. Here is the rule that after a short while (probably the first packet to match the rule) freezes the machine: ipfw 00003 nat 123 log ip from x.x.x.0/24 to a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out # keep-state here causes freeze ... further down the chain... ipfw I know this is far from a good bug report, but stateful inspection code/in-kernel NAT mix might be worth looking into. From rik at inse.ru Tue Feb 17 15:16:47 2009 
From: rik at inse.ru (Roman Kurakin)
Date: Tue Feb 17 15:16:55 2009
Subject: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
In-Reply-To: <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com>
References: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com> <200902161428.n1GESLvL015103@lurza.secnetix.de> <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com> <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com>
Message-ID: <499B4019.4060203@localhost.inse.ru>

n j wrote:
>> About 2 minutes after applying this rule set, the system writes "bge1
>> watchdog timeout --- resetting" and then hangs; the keyboard doesn't
>> respond. No logs can be observed.
>>
>> When I remove all skipto and check-state rules, the system works properly
>> without problems. I suspect the stateful inspection code.
>>
>
> Just to add a "me too" message to this thread, I also experienced
> system freezes (keyboard not working => hardware reset necessary) with
> in-kernel NAT and stateful rules. I had a repeatable case on a
> production server and hoped to replicate the bug on a different
> machine, as the production server needed to go in, well, production;
> however, thanks to the complex setup of the original machine (in-kernel NAT,
> vlans, openvpn...), lack of time and virtual environment, the test
> scenario failed to produce a sensible bug report and I gave up until I
> saw the OP reporting the same issue.
>
> Here is the rule that after a short while (probably the first packet
> to match the rule) freezes the machine:
>
> ipfw 00003 nat 123 log ip from x.x.x.0/24 to
> a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out   # keep-state here causes freeze
> ... further down the chain...
> ipfw
>
> I know this is far from a good bug report, but the stateful inspection
> code/in-kernel NAT mix might be worth looking into.
>
IIRC both natd and in-kernel nat do not support stateful rules.

rik

> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From smithi at nimnet.asn.au Tue Feb 17 20:12:47 2009
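The report above puts keep-state on the nat rule itself, and Roman's reply says nat does not support stateful rules. As an added example that is not a ruleset posted in this thread, the script below shows one arrangement that keeps dynamic rules and in-kernel nat apart: state is recorded on a skipto rule before outbound translation, and inbound packets are translated back before check-state runs, which is the ordering the FreeBSD Handbook's IPFW chapter uses with "divert natd". It relies on one_pass being disabled (as the reporter already does), so the packet continues past the nat rule. The interface name, networks and public address are assumed placeholders, and FW_CMD=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not a ruleset posted in this thread. It keeps keep-state off
# the nat rule entirely: outbound packets record state on a skipto rule
# *before* translation, and inbound packets are translated back *before*
# check-state runs, so the dynamic rule always sees inside addresses. This is
# the skipto ordering the FreeBSD Handbook uses with "divert natd"; it works
# with in-kernel nat only if one_pass is disabled, so the packet continues
# past the nat rule instead of being accepted there. Interface names and
# addresses below are assumed placeholders.

pif="${PIF:-bge1}"                 # public interface (assumed)
lan="${LAN_NET:-192.168.1.0/24}"   # inside network (assumed)
pub="${PUB_IP:-203.0.113.2}"       # public address given to nat (assumed)
fw="${FW_CMD:-ipfw -q}"            # FW_CMD=echo prints instead of loading

# Emit the ruleset, one complete ipfw command per line.
nat_ruleset() {
    cat <<EOF
$fw flush
$fw disable one_pass
$fw nat 123 config ip $pub log
$fw add 00100 allow ip from any to any via lo0
$fw add 00200 nat 123 ip from any to $pub in via $pif
$fw add 00210 check-state
$fw add 00300 skipto 800 ip from $lan to any out via $pif keep-state
$fw add 00400 deny log ip from any to any in via $pif
$fw add 00800 nat 123 ip from $lan to any out via $pif
$fw add 00810 allow ip from any to any
$fw add 65534 deny log ip from any to any
EOF
}

# Guard for the failure mode reported above: refuse a ruleset in which any
# nat rule also carries keep-state.
nat_rules_are_stateless() {
    ! nat_ruleset | grep ' nat ' | grep -q 'keep-state'
}

# Load into the running kernel (root, ipfw loaded).
load_ruleset() {
    nat_rules_are_stateless || return 1
    nat_ruleset | sh -e
}
```

Packet walk: an outbound packet from the inside network misses 100 through 210, matches 300, which creates the dynamic rule (with the untranslated inside address) and jumps to 800, where it is translated, and 810 accepts it. The reply arrives on the public interface, is translated back at 200, matches the dynamic rule at 210, whose parent action is skipto 800; 800 is an out-only rule, so the reply falls through to 810 and is accepted. Unsolicited inbound traffic has no state, misses 300, and is dropped and logged at 400. Rule 65534 is used for the final deny because 65535 is the kernel's own default rule.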
From: smithi at nimnet.asn.au (Ian Smith)
Date: Tue Feb 17 20:12:54 2009
Subject: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
In-Reply-To: <499B4019.4060203@localhost.inse.ru>
References: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com> <200902161428.n1GESLvL015103@lurza.secnetix.de> <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com> <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com> <499B4019.4060203@localhost.inse.ru>
Message-ID: <20090218142336.U38905@sola.nimnet.asn.au>

On Wed, 18 Feb 2009, Roman Kurakin wrote:
> n j wrote:
> > > About 2 minutes after applying this rule set, the system writes "bge1
> > > watchdog timeout --- resetting" and then hangs; the keyboard doesn't
> > > respond. No logs can be observed.
> > >
> > > When I remove all skipto and check-state rules, the system works properly
> > > without problems. I suspect the stateful inspection code.
> > >
> >
> > Just to add a "me too" message to this thread, I also experienced
> > system freezes (keyboard not working => hardware reset necessary) with
> > in-kernel NAT and stateful rules. I had a repeatable case on a
> > production server and hoped to replicate the bug on a different
> > machine, as the production server needed to go in, well, production;
> > however, thanks to the complex setup of the original machine (in-kernel NAT,
> > vlans, openvpn...), lack of time and virtual environment, the test
> > scenario failed to produce a sensible bug report and I gave up until I
> > saw the OP reporting the same issue.
> >
> > Here is the rule that after a short while (probably the first packet
> > to match the rule) freezes the machine:
> >
> > ipfw 00003 nat 123 log ip from x.x.x.0/24 to
> > a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out   # keep-state here causes freeze
> > ... further down the chain...
> > ipfw
> >
> > I know this is far from a good bug report, but the stateful inspection
> > code/in-kernel NAT mix might be worth looking into.
> >
> IIRC both natd and in-kernel nat do not support stateful rules.
>
> rik

I'm not sure what sense '[nat|divert] .. keep-state' would make anyway.

At least with divert, so I assume with nat, you can test for 'diverted' packets afterwards, so maybe the workaround would be to do keep-state on an allow or skipto for diverted packets (out) just after the nat?

cheers, Ian

From gavin at FreeBSD.org Wed Feb 18 13:10:59 2009
From: gavin at FreeBSD.org (gavin@FreeBSD.org)
Date: Wed Feb 18 13:11:05 2009
Subject: kern/131817: ipfw blocks layer2 packets that should not be blocked
Message-ID: <200902182110.n1ILAw7t085805@freefall.freebsd.org>

Synopsis: ipfw blocks layer2 packets that should not be blocked

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: gavin
Responsible-Changed-When: Wed Feb 18 21:01:17 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

To submitter: FWIW, I agree that this does seem like incorrect behaviour. I usually work around it with the following additional rule:

ipfw add 10 allow ip from any to any layer2 mac-type arp

http://www.freebsd.org/cgi/query-pr.cgi?pr=131817

From vk at kbb.ru Wed Feb 18 19:30:05 2009
From: vk at kbb.ru (Vladimir Kurtukov)
Date: Wed Feb 18 19:30:12 2009
Subject: kern/131601: [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
Message-ID: <200902190330.n1J3U4G4063058@freefall.freebsd.org>

The following reply was made to PR kern/131601; it has been noted by GNATS.

From: Vladimir Kurtukov
To: bug-followup@FreeBSD.org
Cc:
Subject: kern/131601: [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
Date: Thu, 19 Feb 2009 10:22:45 +0700

Quick fix, tested, no panic.
Apply in /sys/contrib/ipfilter/netinet:

--- ip_nat.c.std 2007-10-31 12:00:38.000000000 +0700
+++ ip_nat.c 2009-02-19 10:20:05.000000000 +0700
@@ -2552,6 +2552,10 @@ { frentry_t *fr; ipnat_t *np; + + if (fin->fin_p == IPPROTO_TCP && tcp == NULL) { + return -1; + } np = ni->nai_np; --- Best regards, Vladimir From bugmaster at FreeBSD.org Mon Feb 23 03:06:55 2009 
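Review bot: the added check `if (fin->fin_p == IPPROTO_TCP && tcp == NULL) return -1;` stops the NULL dereference, but it does so silently: nothing in the hunk comments on or accounts for how a TCP packet reaches nat_finalise with no TCP header, so the condition that used to panic now disappears without a trace. Add a comment stating the invariant being defended and bump a counter or log the event so the dropped case stays visible, and verify that -1 is the failure value the callers of nat_finalise act on, since the surrounding context lines do not show them. Minor: style(9) writes a single-statement body without braces.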
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Feb 23 03:08:15 2009
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200902231106.n1NB6rGx055537@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker     Resp.  Description
--------------------------------------------------------------------------------
o kern/131817 ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601 ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558 ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132  ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103 ipfw   [ipfw] IPFW check state does not work =(
o kern/129093 ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036 ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260 ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230 ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209 ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370  ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119 ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963 ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807 ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382 ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122 ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993 ipfw   [ipfw] page fault - probably it's a locking problem
o kern/117234 ipfw   [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009 ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755 ipfw   [ipfw] [patch] unify message and add a rule number whe
o bin/115172  ipfw   [patch] ipfw(8) list show some rules with a wrong form
o docs/113803 ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388 ipfw   [ipfw] [patch] Addition actions with rules within spec
o kern/112708 ipfw   [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561 ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305 ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/105330 ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921  ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682 ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454 ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328 ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471 ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831  ipfw   [ipfw] ipfw has UDP hickups
o kern/97951  ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504  ipfw   [ipfw] IPFW Rules bug
o kern/95084  ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300  ipfw   [ipfw] ipfw pipe lost packets
o kern/91847  ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659  ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032  ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957  ipfw   [ipfw] [patch] ipfw mac logging
o kern/82724  ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642  ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785   ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104  ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910  ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987  ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366  ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963  ipfw   [ipfw] install_state warning about already existing en
o kern/60719  ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984  ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274  ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172  ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159  ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534  ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

55 problems total.

From steve at ibctech.ca Fri Feb 27 10:14:03 2009
From: steve at ibctech.ca (Steve Bertrand)
Date: Fri Feb 27 10:14:09 2009
Subject: Saving runtime created rules
Message-ID: <49A82D61.4060509@ibctech.ca>

I am frequently adding/changing/deleting IPFW rules on my FBSD powered Quagga edge routers, and often neglect to update the start up script. Fearing the disaster that would result if one of my routers reboots without a saved IPFW config, I went about creating a method to save runtime lists to be used at startup. I thought I'd share my experience.

First, I deleted all of the actual rules from my startup sh script (/etc/ipfw.rules). I left all script variables and tables in this file. I then added ". /etc/ipfw.include" to the bottom of the script. Then:

# ipfw list | \
    perl -nle 'next if /^65535 /;                 # default rule 65535 cannot be added back
               s/table\((\d+)\)/"table($1)"/g;   # quote table(N) so the shell does not parse the parentheses
               print "\$cmd $_";' \
    > /etc/ipfw.include
# chown root:wheel /etc/ipfw.include && chmod 400 /etc/ipfw.include

Now any time that I run that command pipeline, all rules are saved in the include file. This could be cronned, but I'm hesitant to go that far at this point, because there is no syntax checking at all.

Cheers!

Steve