From bugmaster at FreeBSD.org Mon Nov 2 11:06:58 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 2 11:08:37 2009
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200911021106.nA2B6v2L033636@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw   [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw   [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw   [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw   [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw   [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

64 problems total.
From jakub.bednar at avg.com Wed Nov 4 16:50:03 2009
From: jakub.bednar at avg.com (jakub)
Date: Wed Nov 4 16:50:18 2009
Subject: Diverting sockets and streams
Message-ID: <1257352643.7731.8.camel@dell>

Hi list,

I have a newbie question about divert sockets but I can't find a direct
answer.

I have a rule like this:

ipfw add divert 5555 tcp from me to any 80 keep-state

If I understand it correctly, in order to check the data stream properly
I have to deal with:

1. packet reordering
2. packet duplication

so basically I have to implement part of the TCP stack in my app.

I don't have to bother with fragmentation (according to man pages).
I won't be able to understand IPSec packets as I will get encrypted IP
frames.

Am I correct? Or can you please tell me how it really works?

Thanks a lot,
Jakub


From julian at elischer.org Wed Nov 4 17:44:47 2009
From: julian at elischer.org (Julian Elischer)
Date: Wed Nov 4 17:44:54 2009
Subject: Diverting sockets and streams
In-Reply-To: <1257352643.7731.8.camel@dell>
References: <1257352643.7731.8.camel@dell>
Message-ID: <4AF1BD8E.207@elischer.org>

jakub wrote:
> Hi list,
>
> I have a newbie question about divert sockets but I can't find a direct
> answer.
>
> I have a rule like this:
>
> ipfw add divert 5555 tcp from me to any 80 keep-state
>
> If I understand it correctly, in order to check the data stream properly
> I have to deal with:
>
> 1. packet reordering
> 2. packet duplication

yes, divert treats each packet individually with the exception of frags
which it reassembles.

> so basically I have to implement part of the TCP stack in my app.

yes, though there may be other ways to do what you want..
what DO you want to do?

> I don't have to bother with fragmentation (according to man pages).
> I won't be able to understand IPSec packets as I will get encrypted IP
> frames.

yes

> Am I correct? Or can you please tell me how it really works?

packets enter the system and are run through the IP stack where the first
thing they hit is ipfw. in ipfw the divert rule forces them to the divert
code (which does reassembly but that's all) and passes the result to a
divert socket.

there is a possibility that, done correctly with ESP, one might be able
to get to the unencrypted packet but you'd have to read the code starting
at ip_input() in ip_input.c to check for sure.

> Thanks a lot,
>
> Jakub
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"


From jakub.bednar at avg.com Thu Nov 5 08:46:25 2009
From: jakub.bednar at avg.com (Jakub Bednar)
Date: Thu Nov 5 08:46:31 2009
Subject: Diverting sockets and streams
In-Reply-To: <4AF1BD8E.207@elischer.org>
References: <1257352643.7731.8.camel@dell> <4AF1BD8E.207@elischer.org>
Message-ID:

Hi Julian,

thanks for making this clear to me.

>> so basically I have to implement part of the TCP stack in my app.
>
> yes,
> though there may be other ways to do what you want..
> what DO you want to do?

I need to make a transparent proxy e.g. HTTP proxy, that will be able to
scan the data stream for some security problems (exploits or whatever).

I had a solution based on packet forwarding and packet UID matching
rather than divert sockets. This solution works fine on FreeBSD, Linux
and Mac OS X Leopard. However in the new Mac OS X Snow Leopard,
forwarding outgoing packets to local port does not work. So I'm looking
for another solution.

Jakub


From julian at elischer.org Thu Nov 5 08:56:26 2009
From: julian at elischer.org (Julian Elischer)
Date: Thu Nov 5 08:56:33 2009
Subject: Diverting sockets and streams
In-Reply-To:
References: <1257352643.7731.8.camel@dell> <4AF1BD8E.207@elischer.org>
Message-ID: <4AF29339.3050102@elischer.org>

Jakub Bednar wrote:
> Hi Julian,
>
> thanks for making this clear to me.
>
>>> so basically I have to implement part of the TCP stack in my app.
>>
>> yes,
>> though there may be other ways to do what you want..
>> what DO you want to do?
>
> I need to make a transparent proxy e.g. HTTP proxy, that will be able to
> scan the data stream for some security problems (exploits or whatever).
>
> I had a solution based on packet forwarding and packet UID matching
> rather than divert sockets. This solution works fine on FreeBSD, Linux
> and Mac OS X Leopard. However in the new Mac OS X Snow Leopard,
> forwarding outgoing packets to local port does not work. So I'm looking
> for another solution.

sounds like they broke it.. maybe they inherited a change from FreeBSD
that was reverted out but existed for one release, that broke exactly
that :-)

ipfw fwd along with fwd uid is the way to do this on FreeBSD but snow
leopard IS a problem.

doing it with divert is going to be a real pain.

you can also do this with nat in some cases I think..

> Jakub


From gavin at FreeBSD.org Sun Nov 8 15:34:38 2009
From: gavin at FreeBSD.org (gavin@FreeBSD.org)
Date: Sun Nov 8 15:34:44 2009
Subject: kern/115755: [ipfw] [patch] unify message and add a rule number where limit was reached
Message-ID: <200911081534.nA8FYbDC037039@freefall.freebsd.org>

Synopsis: [ipfw] [patch] unify message and add a rule number where limit was reached

State-Changed-From-To: patched->closed
State-Changed-By: gavin
State-Changed-When: Sun Nov 8 15:33:49 UTC 2009
State-Changed-Why:
I can't see this ever being merged to 6.x now as it changes the format of
the log file.

http://www.freebsd.org/cgi/query-pr.cgi?pr=115755


From bugmaster at FreeBSD.org Mon Nov 9 11:06:56 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 9 11:08:31 2009
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200911091106.nA9B6tRt079030@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).
The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw   [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/115172   ipfw   [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw   [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw   [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

63 problems total.


From it at hastigasht.com Tue Nov 10 13:10:17 2009
From: it at hastigasht.com (Nima Mohammadi)
Date: Tue Nov 10 14:27:50 2009
Subject: HELP ME
Message-ID: <20091110131017.A2A98106568D@hub.freebsd.org>

Hi

I have a FreeBSD 7.1 with ipfw and dummynet and natd and all the things
are good, but I cannot limit the upload to the internet with dummynet.
The download limit works fine.

When I change the pipe 2 rule from (to me in) to (to any in), the internet
connection of my client will be down.

vr0 : internal net : 192.168.10.0/24
nfe0: out net : 212.80.13.1 ,2 ,3

The upload is very high.
HELP ME

Here is my ipfw config:

ipfw -q -f flush

#Dedicate internet user and non internet user
############################################################################
#charter 55 for ali shirali movaghat share with andishgar
iuser="192.168.10.0/24{1,3,25,27,31,42,48,50,53,54,55,63,69,81,84,88,92,98,100,105,118,128,131,134,135,137,140,155,165,171}"
noiuser="192.168.10.0/24{44,46}"
############################################################################

##########################dummynet##########################################
#receive
ipfw -q add pipe 1 ip from any to ${iuser} out via vr0
ipfw pipe 1 config bw 9KByte/s # queue 11 delay 100ms

#send
ipfw -q add pipe 2 ip from ${iuser} to me in via vr0
ipfw pipe 2 config bw 7KByte/s # queue 11 delay 100ms
############################################################################

##################################NAT#######################################
ipfw -q add divert natd all from any to any via nfe0
ipfw -q add check-state
############################################################################

#block any to loopback
ipfw -q add allow ip from any to any via lo0
ipfw -q add deny ip from any to 127.0.0.0/8

#########################END internet users##################################

#web & ssl & yahoo messenger
###################WEB Access##############################
ipfw -q add allow tcp from ${iuser} to any 80,443,5050 keep-state

#allow all http to internal
ipfw -q add allow tcp from any to any 80 in via nfe0 keep-state

#charter 10 access on ghd24.net
#ipfw -q add allow tcp from 192.168.10.64 to 66.49.211.210,94.182.197.230 80 keep-state
######################END Web Access#########################

#aseman
ipfw -q add allow tcp from any to any 7769 keep-state

#amadeus
ipfw -q add allow tcp from any to any 9876,10000 keep-state

#air tour
ipfw -q add allow tcp from any to any 1770 keep-state

#ftp
ipfw -q add allow ip from any to any 21 keep-state
#ipfw -q add allow ip from any to any 1024-65535 keep-state
ipfw -q add allow tcp from 192.168.10.69,192.168.10.1,192.168.10.9 to any 1024-65535 keep-state
ipfw -q add allow tcp from any 1024-65535 to 192.168.10.1 keep-state

#ipfw -q add check-state

#DNS
ipfw -q add allow ip from any to any 53 keep-state
ipfw -q add allow ip from any 53 to any keep-state

#remote
ipfw -q add allow ip from any to any 35252,12114,3389 keep-state

#mysql remote
#ipfw -q add allow ip from any to any 3306,1433 keep-state

#share
#ipfw -q add allow tcp from any to me 139
#ipfw -q add allow tcp from any 139 to any

#ping
ipfw -q add allow icmp from any to any

#cpanel
#ipfw -q add allow ip from any to any 2082,2083,2095 keep-state

#ssh
ipfw -q add allow tcp from any to me 5432 keep-state
ipfw -q add allow tcp from any 5432 to any keep-state

#Outlook pop3
######################POP3 Access#####################
ipfw -q add allow tcp from ${iuser},${noiuser} to any 25 keep-state
ipfw -q add allow tcp from ${iuser},${noiuser} to any 110 keep-state
######################END POP3 Access#################

#gmail
#ipfw -q add allow tcp from any to any 995,465 keep-state

#Ghost Surf
ipfw -q add allow tcp from any to any 8888 keep-state

#VPN TO EXTERNAL
ipfw -q add allow gre from any to any keep-state
ipfw -q add allow tcp from any to any 1723 keep-state

#allow all to external
ipfw -q add allow ip from any to any out via nfe0

#deny all in from external
ipfw -q add deny all from any to any in via nfe0


From chrishome at austin.rr.com Tue Nov 10 18:18:41 2009
From: chrishome at austin.rr.com (Chris Bowman)
Date: Tue Nov 10 18:18:49 2009
Subject: HELP ME
In-Reply-To: <20091110131017.A2A98106568D@hub.freebsd.org>
References: <20091110131017.A2A98106568D@hub.freebsd.org>
Message-ID: <5382554a0911100956p30224cc9n765c6207eb12348@mail.gmail.com>

On Tue, Nov 10, 2009 at 6:40 AM, Nima Mohammadi wrote:
> Hi
> I have a FreeBSD 7.1 with ipfw and dummynet and natd and all the things
> are good.
> But I cannot limit the upload to the internet with dummynet.
> The download limit works fine.
>
> When I change the pipe 2 rule from (to me in) to (to any in), the internet
> connection of my client will be down.
>
> vr0 : internal net : 192.168.10.0/24
> nfe0: out net : 212.80.13.1 ,2 ,3
>
> The upload is very high.
> HELP ME
>
> Here is my ipfw config:
> [...]

Currently your IPFW rule for pipe 2 is only matching traffic sourced from
192.168.10.0/24 with a destination of "me", me being any IP interface on
your box, so your rule would work only if traffic is destined to an IP on
your box. Your IPFW rule for pipe 1 is matching on any and works, I'd look
at applying the same logic to your pipe 2 rule :)


From cswiger at mac.com Tue Nov 10 18:22:07 2009
From: cswiger at mac.com (Chuck Swiger)
Date: Tue Nov 10 18:22:13 2009
Subject: HELP ME
In-Reply-To: <20091110131017.A2A98106568D@hub.freebsd.org>
References: <20091110131017.A2A98106568D@hub.freebsd.org>
Message-ID: <52FBC52C-5733-4CD1-996F-5E48189ECE12@mac.com>

Hi--

On Nov 10, 2009, at 4:40 AM, Nima Mohammadi wrote:
> I have a FreeBSD 7.1 with ipfw and dummynet and natd and all the things
> are good, but I cannot limit the upload to the internet with dummynet.
> The download limit works fine.
>
> When I change the pipe 2 rule from (to me in) to (to any in), the internet
> connection of my client will be down.

Try something like:

ipfw add pipe 2 ip from ${iuser} to any out via nfe0

Regards,
--
-Chuck


From it at hastigasht.com Thu Nov 12 18:09:52 2009
From: it at hastigasht.com (Nima Mohammadi)
Date: Thu Nov 12 18:14:02 2009
Subject: FW: HELP ME
Message-ID: <20091112180952.8BCEC106566B@hub.freebsd.org>

Hi

Me again. Sorry, my good friend. I can't config my ipfw very well.
If you can send a sample ipfw config which works fine you will give me a
great help. A sample config with this type of pipe rule, and my ipfw
denies everything by default.
$cmdfw pipe 30 config mask dst-ip 0x000000ff bw 1024Kbit/s queue 10KBytes
$cmdfw pipe 31 config mask src-ip 0x000000ff bw 256Kbit/s queue 10KBytes
$cmdfw add 1100 pipe 30 all from any to 192.168.6.0/24 in via $ext_if1
$cmdfw add 900 pipe 31 all from 192.168.6.0/24 to any out via $ext_if1
$cmdfw add 1000 divert natd ip from any to any via $ext_if1

Thanx a lot
Regard


From bugmaster at FreeBSD.org Mon Nov 16 11:06:55 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 16 11:08:33 2009
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200911161106.nAGB6tcc011202@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw   [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/115172   ipfw   [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw   [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw   [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

63 problems total.
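Added example, not from any poster on this list: a complete, deny-by-default ipfw ruleset for a FreeBSD 7.x natd gateway that puts together the points made in the two threads above. It applies the pipe 2 fix Chris and Chuck give Nima (the upload rule must match "to any"; "me" only matches the gateway's own addresses), shapes per host with the dst-ip/src-ip masks from Nima's follow-up sample, and hands LAN port-80 traffic to a local filtering proxy with "ipfw fwd" plus a uid match for the proxy's own upstream connections, which is the approach Julian recommends to Jakub for a transparent scanning proxy. Two caveats a practitioner needs. First, both pipes sit on the LAN-side interface, where packets in both directions still carry private addresses; on the external interface you would have to shape either before natd (and, with the default one_pass, never reach the divert rule) or after it (where the source is already the public address and a src-ip mask is useless). Second, the script sets net.inet.ip.fw.one_pass=0: with the default of 1 a dummynet pipe matched on the inbound pass is terminal for that pass, so no keep-state rule ever sees the LAN packet and the replies die on the final deny, which is consistent with the "connection of my client will be down" that Nima reports after changing "to me" to "to any". Interface names and the LAN prefix are taken from Nima's mail; the proxy port (8080), the proxy uid and the kernel requirement for fwd (options IPFIREWALL_FORWARD) are assumptions. The PR list above carries several open fwd reports (kern/107305, kern/112561, docs/113803), so verify the redirect with tcpdump on your own release before trusting it.

```shell
#!/bin/sh
# Added example (not from any poster on this list): deny-by-default ipfw/natd
# gateway with per-host dummynet shaping and a transparent proxy redirect via
# "ipfw fwd". Interface names, LAN prefix, proxy port and proxy uid are
# assumptions; override them via the environment.

ext_if="${EXT_IF:-nfe0}"            # assumption: interface facing the internet
int_if="${INT_IF:-vr0}"             # assumption: interface facing the LAN
lan="${LAN:-192.168.10.0/24}"       # assumption: LAN prefix
proxy_port="${PROXY_PORT:-8080}"    # assumption: local filtering proxy listens here
proxy_uid="${PROXY_UID:-nobody}"    # assumption: uid the proxy daemon runs as
DRYRUN="${DRYRUN:-0}"               # DRYRUN=1 prints the commands instead of running them

run() {
    if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}
fw() { run ipfw -q "$@"; }

load_rules() {
    # A packet leaving a dummynet pipe must re-enter the ruleset at the next
    # rule. With the default one_pass=1 the pipe rule is terminal for that
    # pass: a pipe matched "in via $int_if" would swallow LAN packets before
    # any keep-state rule creates state, and the replies would hit the final
    # deny.
    run sysctl net.inet.ip.fw.one_pass=0

    fw -f flush
    fw -f pipe flush

    # Shape on the LAN side, where both directions still carry private
    # addresses (natd runs on the external interface's pass). The masks give
    # every host its own pipe instance instead of one shared limit.
    fw pipe 1 config bw 1024Kbit/s queue 10KBytes mask dst-ip 0x000000ff
    fw pipe 2 config bw 256Kbit/s queue 10KBytes mask src-ip 0x000000ff
    fw add 100 pipe 1 ip from any to "$lan" out via "$int_if"   # download
    fw add 110 pipe 2 ip from "$lan" to any in via "$int_if"    # upload: "to any", not "to me"

    # Loopback: allow real loopback, refuse 127/8 on any other interface.
    fw add 200 allow ip from any to any via lo0
    fw add 210 deny ip from any to 127.0.0.0/8
    fw add 220 deny ip from 127.0.0.0/8 to any

    # NAT on the external interface, then consult the dynamic rules. natd must
    # run before check-state so inbound replies are matched on their LAN
    # address, which is what the keep-state rule below recorded.
    fw add 300 divert natd ip from any to any via "$ext_if"
    fw add 310 check-state

    # Transparent proxy: LAN web traffic is delivered to the local proxy
    # socket without rewriting the destination (needs options
    # IPFIREWALL_FORWARD in the kernel). The proxy's own upstream connections
    # are recognised by uid and allowed straight out with state.
    fw add 400 fwd 127.0.0.1,"$proxy_port" tcp from "$lan" to any 80 in via "$int_if"
    fw add 410 allow tcp from me to any 80 out via "$ext_if" uid "$proxy_uid" setup keep-state

    # Everything else from the LAN may go out; the state created at 500 is
    # what lets the un-NATed replies through check-state at 310.
    fw add 500 allow ip from "$lan" to any in via "$int_if" keep-state
    fw add 510 allow ip from any to any out via "$ext_if" keep-state
    fw add 520 allow ip from any to any out via "$int_if"

    # Deny by default: nothing unsolicited from the internet, nothing else.
    fw add 600 deny log ip from any to any in via "$ext_if"
    fw add 65000 deny log ip from any to any
}

case "${1:-}" in
    load)    load_rules ;;
    preview) DRYRUN=1; load_rules ;;
esac
```

Run it as "sh ipfw.rules preview" to print every command it would issue, and as "sh ipfw.rules load" (as root) to install the rules; rule 110 is the only place the upload direction is matched, so if upload shaping does not take effect, "ipfw show 110" and "ipfw pipe 2 show" are the first things to look at.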
From rakort at charter.net Tue Nov 17 05:06:27 2009
From: rakort at charter.net (Rakort)
Date: Tue Nov 17 05:06:33 2009
Subject: dansguardian, ipfw, nat question
Message-ID: <000501ca6742$1874a300$495de900$@net>

Hello all

Trying to configure my gateway box running FBSD 7.2 to provide content filtering services for some or all clients on my network.

The box is configured with natd and running IPFW. I like this combination and have been using it successfully for years. Not really interested in changing to squid or pf or whatever else may be known (or better documented) to work with dansguardian.

Dansguardian seems to be the preferred option for content filtering as near as I can tell. There is lots of documentation out there for configuring dans with squid. I can't find much of anything for IPFW / NAT.

So, the question is, can this be done? I've seen one or two suggestions out there giving a brief description of how to use the fwd command to send packets to dans but unfortunately I am not smart enough to implement that here.

Any help, thoughts, or references would be appreciated.

Thanks,
Brian

Here is a boiled down set of rules that I use:

#!/bin/sh
cmd="ipfw add"
skip="skipto 700"
oif=dc0
iif=re0
log="log logamount 1000"
ks="keep-state"

ipfw -f flush

$cmd 098 allow all from any to any via $iif   # Allow LAN traffic
$cmd 099 allow all from any to any via lo0    # Allow loopback traffic
$cmd 105 divert natd all from any to any in via $oif   # check if packet is inbound and nat address if it is
$cmd 110 check-state   # Allow packet if it has previously been added to the "dynamic" rules table

### Authorized icmp / udp outbound packets
$cmd 200 $skip icmp from any to any out via $oif $ks                      # ping
$cmd 201 $skip udp from any to any 123 out via $oif $ks                   # time
$cmd 203 $skip $log udp from any to xx.xxx.xx.1 67 out via $oif $ks       # DHCP
$cmd 205 $skip udp from any to any 53 out via $oif $ks                    # DNS

### Authorized tcp outbound packets
$cmd 301 $skip tcp from any to any 25 out via $oif setup $ks              # mail
$cmd 303 $skip $log tcp from any to any 43 out via $oif setup $ks         # whois
$cmd 305 $skip tcp from any to any 80 out via $oif setup $ks              # http
$cmd 306 $skip tcp from any to any 110 out via $oif setup $ks             # mail
$cmd 307 $skip tcp from any to any 119 out via $oif setup $ks             # USENET
$cmd 308 $skip tcp from any to any 443 out via $oif setup $ks             # Secure http
$cmd 310 $skip $log tcp from any to any 23 out via $oif setup $ks         # telnet

### Everything else outbound is dropped and logged
$cmd 351 deny log logamount 10000 all from any to any out via $oif        # everything else

### Allow these incoming connections
$cmd 360 allow $log udp from xx.xxx.xxx.x to any 68 in via $oif $ks       # DHCP
$cmd 363 allow tcp from any to me 80 in via $oif setup $ks                # Incoming http connections

### May Consider Allowing these incoming connections
$cmd 396 allow $log tcp from any to any 113 in via $oif limit src-addr 4            # Ident packets.
$cmd 398 allow $log icmp from any to any icmptype 3,11 in via $oif limit src-addr 2  # Allow out & in console traceroute command

### deny various incoming packets
$cmd 401 deny $log all from 192.168.0.0/16 to any in via $oif    # RFC 1918 private IP
$cmd 402 deny $log all from 172.16.0.0/12 to any in via $oif     # RFC 1918 private IP
$cmd 403 deny $log all from 10.0.0.0/8 to any in via $oif        # RFC 1918 private IP
$cmd 404 deny $log all from 127.0.0.0/8 to any in via $oif       # loopback
$cmd 405 deny $log all from 0.0.0.0/8 to any in via $oif         # loopback
$cmd 406 deny $log all from 169.254.0.0/16 to any in via $oif    # DHCP auto-config
$cmd 407 deny $log all from 192.0.2.0/24 to any in via $oif      # reserved for docs
$cmd 408 deny $log all from 204.152.64.0/23 to any in via $oif   # Sun cluster
$cmd 409 deny $log all from 224.0.0.0/3 to any in via $oif       # Class D & E multicast

### deny various incoming packets
$cmd 448 reset $log tcp from any to me 113 in via $oif limit src-addr 4   # This sends a RESET to all ident packets.
$cmd 449 deny $log tcp from any to any 113 in via $oif                    # Deny ident
$cmd 450 deny $log icmp from any to any icmptype 5 in via $oif            # Stop & log external redirect requests.
$cmd 451 deny $log icmp from any to any in via $oif                       # Deny pings from the world
$cmd 452 deny $log all from any to any in frag                            # Fragmented Packets
$cmd 453 deny $log all from any to any 137,138,139,81 in via $oif         # Deny all Netbios service & MS/Windows hosts2 name server
$cmd 454 deny $log all from any to any frag in via $oif                   # Deny any late arriving packets
$cmd 455 deny $log tcp from any to any established in via $oif            # Deny ACK packets that did not match the dynamic rule table
$cmd 456 deny $log all from me to me in via $oif                          # Stop & log spoofing Attack attempts.
$cmd 457 deny all from any to any 1024-1030 in via $oif                   # MS Messenger spam

### Reject & Log all the rest of the incoming connections
$cmd 600 deny log logamount 10000 all from any to any in via $oif

### deny and log all packets that fell through to see what they are
### Nothing should ever get to this rule!!!
$cmd 601 deny log logamount 10000 all from any to any

### This is skipto location for outbound stateful rules
$cmd 700 divert natd all from any to any out via $oif
$cmd 800 allow all from any to any

From bbayorgeon at charter.net Tue Nov 17 05:18:57 2009
From: bbayorgeon at charter.net (Brian)
Date: Tue Nov 17 05:19:03 2009
Subject: Dansguardian, nat, & ipfw
Message-ID: <000001ca6741$b1316520$13942f60$@net>

Hello all

Trying to configure my gateway box running FBSD 7.2 to provide content filtering services for some or all clients on my network.

The box is configured with natd and running IPFW. I like this combination and have been using it successfully for years. Not really interested in changing to squid or pf or whatever else may be known (or better documented) to work with dansguardian.

Dansguardian seems to be the preferred option for content filtering as near as I can tell. There is lots of documentation out there for configuring dans with squid. I can't find much of anything for IPFW / NAT.

So, the question is, can this be done? I've seen one or two suggestions out there giving a brief description of how to use the fwd command to send packets to dans but unfortunately I am not smart enough to implement that here.
Any help, thoughts, or references would be appreciated.

Thanks,
Brian

Here is a boiled down set of rules that I use:

#!/bin/sh
cmd="ipfw add"
skip="skipto 700"
oif=dc0
iif=re0
log="log logamount 1000"
ks="keep-state"

ipfw -f flush

$cmd 098 allow all from any to any via $iif   # Allow LAN traffic
$cmd 099 allow all from any to any via lo0    # Allow loopback traffic
$cmd 105 divert natd all from any to any in via $oif   # check if packet is inbound and nat address if it is
$cmd 110 check-state   # Allow packet if it has previously been added to the "dynamic" rules table

### Authorized icmp / udp outbound packets
$cmd 200 $skip icmp from any to any out via $oif $ks                      # ping
$cmd 201 $skip udp from any to any 123 out via $oif $ks                   # time
$cmd 203 $skip $log udp from any to xx.xxx.xx.1 67 out via $oif $ks       # DHCP
$cmd 205 $skip udp from any to any 53 out via $oif $ks                    # DNS

### Authorized tcp outbound packets
$cmd 301 $skip tcp from any to any 25 out via $oif setup $ks              # mail
$cmd 303 $skip $log tcp from any to any 43 out via $oif setup $ks         # whois
$cmd 305 $skip tcp from any to any 80 out via $oif setup $ks              # http
$cmd 306 $skip tcp from any to any 110 out via $oif setup $ks             # mail
$cmd 307 $skip tcp from any to any 119 out via $oif setup $ks             # USENET
$cmd 308 $skip tcp from any to any 443 out via $oif setup $ks             # Secure http
$cmd 310 $skip $log tcp from any to any 23 out via $oif setup $ks         # telnet

### Everything else outbound is dropped and logged
$cmd 351 deny log logamount 10000 all from any to any out via $oif        # everything else

### Allow these incoming connections
$cmd 360 allow $log udp from xx.xxx.xxx.x to any 68 in via $oif $ks       # DHCP
$cmd 363 allow tcp from any to me 80 in via $oif setup $ks                # Incoming http connections

### May Consider Allowing these incoming connections
$cmd 396 allow $log tcp from any to any 113 in via $oif limit src-addr 4            # Ident packets.
$cmd 398 allow $log icmp from any to any icmptype 3,11 in via $oif limit src-addr 2  # Allow out & in console traceroute command

### deny various incoming packets
$cmd 401 deny $log all from 192.168.0.0/16 to any in via $oif    # RFC 1918 private IP
$cmd 402 deny $log all from 172.16.0.0/12 to any in via $oif     # RFC 1918 private IP
$cmd 403 deny $log all from 10.0.0.0/8 to any in via $oif        # RFC 1918 private IP
$cmd 404 deny $log all from 127.0.0.0/8 to any in via $oif       # loopback
$cmd 405 deny $log all from 0.0.0.0/8 to any in via $oif         # loopback
$cmd 406 deny $log all from 169.254.0.0/16 to any in via $oif    # DHCP auto-config
$cmd 407 deny $log all from 192.0.2.0/24 to any in via $oif      # reserved for docs
$cmd 408 deny $log all from 204.152.64.0/23 to any in via $oif   # Sun cluster
$cmd 409 deny $log all from 224.0.0.0/3 to any in via $oif       # Class D & E multicast

### deny various incoming packets
$cmd 448 reset $log tcp from any to me 113 in via $oif limit src-addr 4   # This sends a RESET to all ident packets.
$cmd 449 deny $log tcp from any to any 113 in via $oif                    # Deny ident
$cmd 450 deny $log icmp from any to any icmptype 5 in via $oif            # Stop & log external redirect requests.
$cmd 451 deny $log icmp from any to any in via $oif                       # Deny pings from the world
$cmd 452 deny $log all from any to any in frag                            # Fragmented Packets
$cmd 453 deny $log all from any to any 137,138,139,81 in via $oif         # Deny all Netbios service & MS/Windows hosts2 name server
$cmd 454 deny $log all from any to any frag in via $oif                   # Deny any late arriving packets
$cmd 455 deny $log tcp from any to any established in via $oif            # Deny ACK packets that did not match the dynamic rule table
$cmd 456 deny $log all from me to me in via $oif                          # Stop & log spoofing Attack attempts.
$cmd 457 deny all from any to any 1024-1030 in via $oif                   # MS Messenger spam

### Reject & Log all the rest of the incoming connections
$cmd 600 deny log logamount 10000 all from any to any in via $oif

### deny and log all packets that fell through to see what they are
### Nothing should ever get to this rule!!!
$cmd 601 deny log logamount 10000 all from any to any

### This is skipto location for outbound stateful rules
$cmd 700 divert natd all from any to any out via $oif
$cmd 800 allow all from any to any

From fjwcash at gmail.com Tue Nov 17 05:37:12 2009
From: fjwcash at gmail.com (Freddie Cash)
Date: Tue Nov 17 05:37:18 2009
Subject: Dansguardian, nat, & ipfw
In-Reply-To: <000001ca6741$b1316520$13942f60$@net>
References: <000001ca6741$b1316520$13942f60$@net>
Message-ID:

On Mon, Nov 16, 2009 at 8:51 PM, Brian wrote:
> Trying to configure my gateway box running FBSD 7.2 to provide content
> filtering services for some or all clients on a my network.
>
> The box is configured with natd and running IPFW. I like this combination
> and have been using it successfully for years. Not real interested to
> changing to squid or pf or whatever else may be known (or better documented)
> to work with dansguardian.

Dansguardian does not do any page fetches on its own; it just scans pages returned by a proxy server. You cannot run Dansguardian without some kind of web proxy server. By default, the port will install Squid, but it has been shown to work with TinyProxy.

> Dansguardian seems to be the preferred option for content filtering as near
> as I can tell. There is lots of documentation out there for configuring
> dans with squid. I can't find much of anything for IPFW / NAT
>
> So, the question is, can this be done? I've seen one or two suggestions out
> there giving a brief description of how to use the fwd command to send
> packets to dans but unfortunately I am not smart enough to implement that
> here.
You can use IPFW to fwd packets to Dansguardian quite easily:

ipfw add fwd 127.0.0.1:8080 tcp from $local_subnet to any 80 in recv $local_nic
ipfw add allow tcp from me to any 80 out xmit $public_nic
ipfw add allow tcp from any 80 to me in recv $public_nic established

The first rule redirects all HTTP traffic from the local subnet to Dansguardian. Dansguardian will then pass the packets off to a local install of Squid (uses 127.0.0.1:3128 by default). Squid will then connect out to the remote web server to grab the pages (the next two rules).

You *MUST* have a web proxy server installed somewhere that Dansguardian will forward the requests to, and receive the responses from.

-- 
Freddie Cash
fjwcash@gmail.com

From ipfw at mayhem.sportsline.com Tue Nov 17 11:33:52 2009
From: ipfw at mayhem.sportsline.com (ipfw)
Date: Tue Nov 17 11:33:59 2009
Subject: Problem Posting to League 'ipfw'
Message-ID: <200911171025.nAHAPGBv022182@proxy1079.tm.cbsig.net>

In order to send an e-mail to your league, the e-mail address which you are sending from must be associated with your team. You will need to update your e-mail address within the league; otherwise, your correspondence will be denied.

To update your e-mail address, enter your league home page and select Options, Personal. You can enter more than one e-mail address by separating them with a comma and a space.

From kudzu at tenebras.com Fri Nov 20 19:29:52 2009
From: kudzu at tenebras.com (Michael Sierchio)
Date: Fri Nov 20 19:29:58 2009
Subject: ipfw nat
Message-ID: <4B06E7F2.2060205@tenebras.com>

Unless I'm mistaken, there appears to be no way to cause ipfw's internal nat mechanism to log dropped packets. This is a considerable loss of functionality from using natd. Is there a reason for this?
- M

-- 
Michael Sierchio
+1 415 378 1182
PO Box 9036
Berkeley CA 94709 US
kudzu@tenebras.com

From bugmaster at FreeBSD.org Mon Nov 23 11:06:58 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 23 11:08:31 2009
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200911231106.nANB6vD8070163@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/139581  ipfw  [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw  [ipfw] install_state: entry already present, done
o kern/137346  ipfw  [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw  [ipfw] parser troubles
o kern/136695  ipfw  [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw  [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw  [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw  [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw  [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw  [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw  [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw  [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw  [ipfw] IPFW check state does not work =(
o kern/129093  ipfw  [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw  [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw  [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw  [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw  [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw  [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw  [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw  [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw  [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw  [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw  [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw  [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw  [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw  ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw  [ipfw] [patch] Ignore errors when loading ruleset from
o bin/115172   ipfw  [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw  [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw  [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw  [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw  [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw  [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw  [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw  [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/95084   ipfw  [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw  [ipfw] ipfw pipe lost packets
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw  [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw  [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw  [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau

63 problems total.
From ceache at gmail.com Tue Nov 24 18:01:59 2009
From: ceache at gmail.com (Charles Henri de Boysson)
Date: Tue Nov 24 18:02:11 2009
Subject: Performance issue with new pipe profile feature in FreeBSD 8.0 RELEASE
Message-ID: <184b04b20911240940g36621d69hf3ca160a6d122ecc@mail.gmail.com>

Hi,

I have a simple setup with two computers connected via a FreeBSD bridge running 8.0 RELEASE. I am trying to use dummynet to simulate a wireless network between the two, and for that I wanted to use the pipe profile feature of FreeBSD 8.0. But as I was experimenting with the pipe profile feature I ran into some issues.

I have set up ipfw to send traffic coming from either interface of the bridge to a respective pipe as follows:

# ipfw show
00100        0          0 allow ip from any to any via lo0
00200        0          0 deny ip from any to 127.0.0.0/8
00300        0          0 deny ip from 127.0.0.0/8 to any
01000        0          0 pipe 1 ip from any to any via vr0 layer2
01100        0          0 pipe 101 ip from any to any via vr4 layer2
65000     7089     716987 allow ip from any to any
65535        0          0 deny ip from any to any

When I set up my pipes as follows:

# ipfw pipe 1 config bw 10Mbit delay 25 mask proto 0
# ipfw pipe 101 config bw 10Mbit delay 25 mask proto 0
# ipfw pipe show
00001:  10.000 Mbit/s   25 ms   50 sl. 0 queues (1 buckets) droptail
    burst: 0 Byte
00101:  10.000 Mbit/s   25 ms   50 sl. 0 queues (1 buckets) droptail
    burst: 0 Byte

With this setup, when I try to pass traffic through the bridge with iperf, I obtain the desired speed: iperf reports about 9.7Mbits/sec in UDP mode and 9.5 in TCP mode (I copied and pasted the iperf runs at the end of this email).

The problem arises when I set up pipe 1 (the downlink) with an equivalent profile (I tried to simplify it as much as possible).

# ipfw pipe 1 config profile test.pipeconf mask proto 0
# ipfw pipe show
00001:  10.000 Mbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    burst: 0 Byte
    profile: name "test" loss 1.000000 samples 2
00101:  10.000 Mbit/s   25 ms   50 sl. 0 queues (1 buckets) droptail
    burst: 0 Byte

# cat test.pipeconf
name test
bw 10Mbit
loss-level 1.0
samples 2
prob delay
0.0 25
1.0 25

The same iperf TCP tests then collapse to about 500Kbit/s with the same settings (copied and pasted the output of iperf below).

I can't figure out what is going on. There is no visible load on the bridge. I have an unmodified GENERIC kernel with the following sysctls:

net.link.bridge.ipfw: 1
kern.hz: 1000

The bridge configuration is as follows:

bridge0: flags=8843 metric 0 mtu 1500
        ether 1a:1f:2e:42:74:8d
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vr4 flags=143
                ifmaxaddr 0 port 6 priority 128 path cost 200000
        member: vr0 flags=143
                ifmaxaddr 0 port 2 priority 128 path cost 200000

iperf runs without the profile set:

% iperf -B 10.1.0.1 -c 10.0.0.254 -t 15
------------------------------------------------------------
Client connecting to 10.0.0.254, TCP port 5001
Binding to local address 10.1.0.1
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  3] local 10.1.0.1 port 5001 connected with 10.0.0.254 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-15.0 sec  17.0 MBytes  9.49 Mbits/sec

% iperf -B 10.1.0.1 -c 10.0.0.254 -t 15 -u -b 10Mbit
------------------------------------------------------------
Client connecting to 10.0.0.254, UDP port 5001
Binding to local address 10.1.0.1
Sending 1470 byte datagrams
UDP buffer size:  110 KByte (default)
------------------------------------------------------------
[  3] local 10.1.0.1 port 5001 connected with 10.0.0.254 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-15.0 sec  18.8 MBytes  10.5 Mbits/sec
[  3] Sent 13382 datagrams
[  3] Server Report:
[  3]  0.0-15.1 sec  17.4 MBytes  9.72 Mbits/sec  0.822 ms  934/13381 (7%)
[  3]  0.0-15.1 sec  1 datagrams received out-of-order

iperf runs with the profile set:

% iperf -B 10.1.0.1 -c 10.0.0.254 -t 15
------------------------------------------------------------
Client connecting to 10.0.0.254, TCP port 5001
Binding to local address 10.1.0.1
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  3] local 10.1.0.1 port 5001 connected with 10.0.0.254 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-15.7 sec   968 KBytes   505 Kbits/sec

% iperf -B 10.1.0.1 -c 10.0.0.254 -t 15 -u -b 10Mbit
------------------------------------------------------------
Client connecting to 10.0.0.254, UDP port 5001
Binding to local address 10.1.0.1
Sending 1470 byte datagrams
UDP buffer size:  110 KByte (default)
------------------------------------------------------------
[  3] local 10.1.0.1 port 5001 connected with 10.0.0.254 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-15.0 sec  18.8 MBytes  10.5 Mbits/sec
[  3] Sent 13382 datagrams
[  3] Server Report:
[  3]  0.0-16.3 sec   893 KBytes   449 Kbits/sec  1.810 ms 12757/13379 (95%)

Let me know what other information you would need to help me debug this.

In advance, thank you for your help.

-- 
Charles-Henri de Boysson
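Both the transparent-proxy thread and the pipe-profile thread above come down to the same first question: are the packets you care about actually reaching the fwd or pipe rule you wrote for them? The per-rule packet and byte counters that `ipfw show` prints answer that directly. The following is an added example, not code from any post in this thread: it parses `ipfw show` output and flags steering rules (pipe, fwd, divert, ...) whose counters are still zero while a later rule has been accumulating traffic. The sample listing is constructed from the counters quoted in the pipe-profile message.

```python
"""Parse `ipfw show` counters and report steering rules that never match.

Added example, not code from the thread. SAMPLE_SHOW is constructed from the
listing quoted in the pipe-profile message above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# `ipfw show` (equivalent to `ipfw -a list`) prints one rule per line:
#   <rule number> <packets matched> <bytes matched> <rule body>
SHOW_LINE = re.compile(r"^\s*(\d{1,5})\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")

# Actions that hand the packet to something else (shaper, redirect, NAT).
# A zero counter on one of these means the traffic you meant to steer went
# elsewhere, which is exactly the failure mode both threads are chasing.
STEERING_ACTIONS = ("pipe", "queue", "fwd", "forward", "divert", "tee", "nat")

# Constructed sample, modelled on the `ipfw show` output quoted in the thread.
SAMPLE_SHOW = """\
00100        0          0 allow ip from any to any via lo0
00200        0          0 deny ip from any to 127.0.0.0/8
00300        0          0 deny ip from 127.0.0.0/8 to any
01000        0          0 pipe 1 ip from any to any via vr0 layer2
01100        0          0 pipe 101 ip from any to any via vr4 layer2
65000     7089     716987 allow ip from any to any
65535        0          0 deny ip from any to any
"""


@dataclass(frozen=True)
class Rule:
    number: int
    packets: int
    nbytes: int
    body: str

    @property
    def action(self) -> str:
        """First word of the body: allow, deny, pipe, fwd, divert, ..."""
        return self.body.split()[0]


def parse_ipfw_show(text: str) -> List[Rule]:
    """Return the rules in listing order; prompts and blank lines are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = SHOW_LINE.match(line)
        if m:
            num, pkts, byts, body = m.groups()
            rules.append(Rule(int(num), int(pkts), int(byts), body))
    return rules


def first_hit_rule(rules: Sequence[Rule]) -> Optional[Rule]:
    """Lowest-numbered rule with a non-zero packet counter, or None."""
    return next((r for r in rules if r.packets > 0), None)


def unmatched_steering_rules(rules: Sequence[Rule]) -> List[Rule]:
    """Steering rules with zero hits while some later rule did see traffic.

    Counters grow every time a rule matches, so zero here combined with hits
    further down the list means the packets never satisfied this rule's match
    clause (wrong interface, direction, layer2 handling, ...), not that the
    link was idle.
    """
    flagged = []
    for i, r in enumerate(rules):
        if r.action in STEERING_ACTIONS and r.packets == 0:
            if any(later.packets > 0 for later in rules[i + 1:]):
                flagged.append(r)
    return flagged


def packets_by_action(rules: Sequence[Rule]) -> Dict[str, int]:
    """Total matched packets per action, e.g. {'allow': 7089, 'deny': 0, ...}."""
    totals: Dict[str, int] = {}
    for r in rules:
        totals[r.action] = totals.get(r.action, 0) + r.packets
    return totals


if __name__ == "__main__":
    parsed = parse_ipfw_show(SAMPLE_SHOW)
    print("packets per action:", packets_by_action(parsed))
    for r in unmatched_steering_rules(parsed):
        print(f"rule {r.number:05d} never matched: {r.body}")
```

Feed it the output of `ipfw show` taken after a test transfer; a steering rule that still reads zero is the place to start, before looking at the pipe or the proxy behind it.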