Re: One OR MORE of source and destination addresses?
Mark wrote:

> The goal is simple: I want to limit connections to port 25 to 32 in
> total, targeted at me. And of those 32, only 4 per source. Like so:
>
>   ipfw add 1 check-state
>   ...
>   ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
>   ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>
> Please, tell me then how all wrong this is. Because I *still* get the
> impression that rule 12 is never reached. And, so far, ipfw show does,
> indeed, only show activity on rule 11.

If at all possible, I would still like to hear a suggestion as to how to
combine the two rules. From my pov, the first allow in rule 11 makes a
packet pass, provided there are less than 32 connections in total. Thus,
rule 12 never gets invoked (which, indeed, seems to be the case).

Someone suggested to me I was at fault for numbering the rules. Quite
frankly, that does not compute to me, as ipfw autonumbers anyway (in
default steps of 100, I believe).

Seriously, I do not mind hearing how all wrong my rules are; but, at the
same time, I have not heard a proper way of doing this.

I appreciate suggestions,

- Mark

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: One OR MORE of source and destination addresses?
Mark [EMAIL PROTECTED] wrote:

> Mark wrote:
>
>> The goal is simple: I want to limit connections to port 25 to 32 in
>> total, targeted at me. And of those 32, only 4 per source. Like so:
>>
>>   ipfw add 1 check-state
>>   ...
>>   ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
>>   ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>>
>> Please, tell me then how all wrong this is. Because I *still* get the
>> impression that rule 12 is never reached. And, so far, ipfw show does,
>> indeed, only show activity on rule 11.
>
> If at all possible, I would still like to hear a suggestion as to how to
> combine the two rules. From my pov, the first allow in rule 11 makes a
> packet pass, provided there are less than 32 connections in total. Thus,
> rule 12 never gets invoked (which, indeed, seems to be the case).

How about using skipto instead of allow? Thus, if it passes the first
one, it can just skipto the next rule to be checked. i.e.:

  ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
  ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4

Thus, if rule 11 passes, it skips to rule 12. If it fails, it should
reject as always. The end result is that a packet _must_ pass both rules
to be allowed.

Note that I haven't tried this, so I could be wrong in how it works.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
SOLVED! Re: One OR MORE of source and destination addresses?
Bill Moran wrote:

> Mark wrote:
>
>> The goal is simple: I want to limit connections to port 25 to 32 in
>> total, targeted at me. And of those 32, only 4 per source. Like so:
>>
>>   ipfw add 1 check-state
>>   ...
>>   ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
>>   ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>>
>> Please, tell me then how all wrong this is. Because I *still* get the
>> impression that rule 12 is never reached. And, so far, ipfw show does,
>> indeed, only show activity on rule 11.
>>
>> If at all possible, I would still like to hear a suggestion as to how
>> to combine the two rules. From my pov, the first allow in rule 11 makes
>> a packet pass, provided there are less than 32 connections in total.
>> Thus, rule 12 never gets invoked (which, indeed, seems to be the case).
>
> How about using skipto instead of allow? Thus, if it passes the first
> one, it can just skipto the next rule to be checked. i.e.:
>
>   ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
>   ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>
> Thus, if rule 11 passes, it skips to rule 12. If it fails, it should
> reject as always. The end result is that a packet _must_ pass both rules
> to be allowed.

Thanks!! This does, indeed, exactly what I want. :)

- Mark
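The evaluation-order point settled in the exchange above, as an added example (not code from this thread, and not FreeBSD's ipfw): a small Python model of first-match rule evaluation run over Mark's two limit rules, once as allow/allow and once with Bill's skipto variant. It shows why `ipfw show` only ever counts rule 11 in the first layout, and that the per-source cap only bites once rule 11 skips to rule 12 instead of terminating the search. The rule numbers, the addresses (RFC 5737 documentation ranges) and the traffic samples are constructed; dynamic-state expiry, check-state and the kernel's shared state table are deliberately not modelled, and a rule whose limit is exceeded denies the packet, as Bill describes.

```python
"""Toy model of ipfw first-match evaluation for two 'limit' rules.

Added example, not the thread's or FreeBSD's code.  Only what the
discussion turns on is modelled: rules are tried in ascending order,
'allow' ends the search, 'skipto' continues at a later rule, and a rule
with 'limit <key> N' admits a new TCP setup only while fewer than N
connections with the same key value are active under that rule.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A TCP setup is identified by (src_ip, src_port, dst_ip); dst port is 25.
Flow = Tuple[str, int, str]


@dataclass
class LimitRule:
    number: int
    action: str                   # "allow" or "skipto"
    limit_key: str                # "dst-addr" or "src-addr"
    limit: int
    target: Optional[int] = None  # rule number to continue at for "skipto"
    # connections this rule has admitted, bucketed by the limit key value
    active: Dict[str, set] = field(default_factory=lambda: defaultdict(set))

    def key(self, flow: Flow) -> str:
        src_ip, _sport, dst_ip = flow
        return dst_ip if self.limit_key == "dst-addr" else src_ip

    def admit(self, flow: Flow) -> bool:
        """Record the setup under this rule; False when it would exceed N."""
        bucket = self.active[self.key(flow)]
        if flow not in bucket and len(bucket) >= self.limit:
            return False
        bucket.add(flow)
        return True


class Ruleset:
    """Ordered rule list with per-rule packet counters (what `ipfw show` prints)."""

    def __init__(self, rules: List[LimitRule]):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.hits: Counter = Counter()

    def _index_of(self, number: int) -> int:
        # skipto continues at the first rule numbered >= the target
        return next(i for i, r in enumerate(self.rules) if r.number >= number)

    def setup(self, flow: Flow) -> bool:
        """Evaluate one TCP SYN to port 25; policy after the list is deny."""
        i = 0
        while i < len(self.rules):
            rule = self.rules[i]
            self.hits[rule.number] += 1
            if not rule.admit(flow):
                return False                 # limit violation: packet denied
            if rule.action == "allow":
                return True                  # first match ends the search
            i = self._index_of(rule.target)  # skipto: keep checking later rules
        return False


def build_ruleset(use_skipto: bool) -> Ruleset:
    """Mark's two rules, either as allow/allow or with Bill's skipto fix."""
    rule11 = LimitRule(11, "skipto" if use_skipto else "allow",
                       "dst-addr", 32, target=12)
    rule12 = LimitRule(12, "allow", "src-addr", 4)
    return Ruleset([rule11, rule12])


def run(use_skipto: bool, flows: List[Flow]):
    """Feed setups through the ruleset; return (verdicts, hit counters)."""
    rs = build_ruleset(use_skipto)
    verdicts = [rs.setup(f) for f in flows]
    return verdicts, dict(rs.hits)


# Constructed sample traffic (documentation address ranges, not real hosts).
# BURST: one source opens 6 connections, then 24 other sources open one each.
# FLOOD: 33 distinct sources open one connection each.
SAMPLE_BURST: List[Flow] = (
    [("192.0.2.10", 40000 + n, "me") for n in range(6)]
    + [("198.51.100.%d" % n, 50000, "me") for n in range(1, 25)]
)
SAMPLE_FLOOD: List[Flow] = [("203.0.113.%d" % n, 50000, "me") for n in range(1, 34)]

if __name__ == "__main__":
    for use_skipto in (False, True):
        verdicts, hits = run(use_skipto, SAMPLE_BURST)
        print("skipto" if use_skipto else "allow ", "accepted:",
              sum(verdicts), "per-rule hits:", hits)
```

With allow/allow every setup in SAMPLE_BURST is accepted and rule 12 never appears in the counters, which is exactly the `ipfw show` output Mark reports; with skipto the chatty source gets its first four connections and is then denied by rule 12, while the total cap of 32 is still enforced by rule 11 against SAMPLE_FLOOD in both layouts. One property of this model worth knowing when reading the counters: rule 11 records a connection before rule 12 gets to reject it, so a denied setup still occupies one of the 32 slots here.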
Re: One OR MORE of source and destination addresses?
Bill Moran wrote:

> How about using skipto instead of allow? Thus, if it passes the first
> one, it can just skipto the next rule to be checked. i.e.:
>
>   ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
>   ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>
> Thus, if rule 11 passes, it skips to rule 12. If it fails, it should
> reject as always. The end result is that a packet _must_ pass both rules
> to be allowed.

I spoke too soon. :( It seems this sort of rule evokes a bug:

http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-April/001084.html

My whole console is flooded with messages like these:

  ipfw: install_state: entry already present, done

Is there a known patch?

Thanks,

- Mark
Re: One OR MORE of source and destination addresses?
Mark wrote:

> Bill Moran wrote:
>
>> How about using skipto instead of allow? Thus, if it passes the first
>> one, it can just skipto the next rule to be checked. i.e.:
>>
>>   ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
>>   ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>>
>> Thus, if rule 11 passes, it skips to rule 12. If it fails, it should
>> reject as always. The end result is that a packet _must_ pass both
>> rules to be allowed.
>
> I spoke too soon. :( It seems this sort of rule evokes a bug:
>
> http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-April/001084.html
>
> My whole console is flooded with messages like these:
>
>   ipfw: install_state: entry already present, done
>
> Is there a known patch?

I just took a look at the code:

  if (q != NULL) { /* should never occur */
      if (last_log != time_second) {
          last_log = time_second;
          printf("ipfw: install_state: entry already present, done\n");
      }
      return 0;
  }

What if I just hack the printf ... line out of there? Would that 'solve'
it? I know it's dirty; but would things still work?

Thanks,

- Mark
RE: One OR MORE of source and destination addresses?
> I just took a look at the code:
>
>   if (q != NULL) { /* should never occur */
>       if (last_log != time_second) {
>           last_log = time_second;
>           printf("ipfw: install_state: entry already present, done\n");
>       }
>       return 0;
>   }
>
> What if I just hack the printf ... line out of there? Would that
> 'solve' it? I know it's dirty; but would things still work?

I'll jump in here as a software manager and say NO!

Note, I have no idea if it will still work, but as a professional
programmer, the question raises a number of issues :-)

1. First of all, the original programmer took time to comment this line:

     if (q != NULL) { /* should never occur */

   OK. There's no indication WHY it should never occur, but still, the
   comment is there.

2. By adding this line:

     if (last_log != time_second) {

   He's limiting the printed errors to one every second, so you are not
   being flooded with as many messages as are actually occurring. Is
   last_log used anywhere else?

3. This line:

     return 0;

   will still return 0 if the error occurs, so the program will work the
   same with or without the diagnostic message.

I'd do some more digging and find out exactly WHY this is a "should never
occur" case to be sure that the log is not needed. If you don't print the
log, then why do the test, except to return 0 :-)

Ralph
Re: One OR MORE of source and destination addresses?
Mark [EMAIL PROTECTED] wrote:

> Mark wrote:
>
>> Bill Moran wrote:
>>
>>> How about using skipto instead of allow? Thus, if it passes the first
>>> one, it can just skipto the next rule to be checked. i.e.:
>>>
>>>   ipfw add 11 skipto 12 tcp from any to me 25 setup limit dst-addr 32
>>>   ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4
>>>
>>> Thus, if rule 11 passes, it skips to rule 12. If it fails, it should
>>> reject as always. The end result is that a packet _must_ pass both
>>> rules to be allowed.
>>
>> I spoke too soon. :( It seems this sort of rule evokes a bug:
>>
>> http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-April/001084.html
>>
>> My whole console is flooded with messages like these:
>>
>>   ipfw: install_state: entry already present, done
>>
>> Is there a known patch?
>
> I just took a look at the code:
>
>   if (q != NULL) { /* should never occur */
>       if (last_log != time_second) {
>           last_log = time_second;
>           printf("ipfw: install_state: entry already present, done\n");
>       }
>       return 0;
>   }
>
> What if I just hack the printf ... line out of there? Would that
> 'solve' it? I know it's dirty; but would things still work?

Theoretically, yes (note that I'm certainly no expert on this chunk of
code). My reason for saying yes is:

1) The error seems to be that IPFW is trying to add the same stateful
   rule twice ... which means it _did_ get successfully added once.

2) When that condition occurs, the function returns 0. The comment at the
   top of the file states that the function returns 1 on failure, so it
   would appear that this condition is still considered successful.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: One OR MORE of source and destination addresses?
Ralph Hempel [EMAIL PROTECTED] wrote:

>> I just took a look at the code:
>>
>>   if (q != NULL) { /* should never occur */
>>       if (last_log != time_second) {
>>           last_log = time_second;
>>           printf("ipfw: install_state: entry already present, done\n");
>>       }
>>       return 0;
>>   }
>>
>> What if I just hack the printf ... line out of there? Would that
>> 'solve' it? I know it's dirty; but would things still work?
>
> I'll jump in here as a software manager and say NO!
>
> Note, I have no idea if it will still work, but as a professional
> programmer, the question raises a number of issues :-)
>
> 1. First of all, the original programmer took time to comment this line:
>
>      if (q != NULL) { /* should never occur */
>
>    OK. There's no indication WHY it should never occur, but still, the
>    comment is there.
>
> 2. By adding this line:
>
>      if (last_log != time_second) {
>
>    He's limiting the printed errors to one every second, so you are not
>    being flooded with as many messages as are actually occurring. Is
>    last_log used anywhere else?
>
> 3. This line:
>
>      return 0;
>
>    will still return 0 if the error occurs, so the program will work the
>    same with or without the diagnostic message.
>
> I'd do some more digging and find out exactly WHY this is a "should
> never occur" case to be sure that the log is not needed. If you don't
> print the log, then why do the test, except to return 0 :-)

I was thinking about this over lunch, then I saw your post ... and the
reality is that someone should really file a PR.

Mark, since you have a real-world application where this problem occurs,
it would be ideal if you could file a PR with your description of what
you're trying to do and the problem it's causing.

As best I can tell, the problem is _not_ in install_state ... only the
symptom is in install_state. The problem is that code that is calling
install_state is calling it twice for some reason. Taking that into
consideration, there's a possibility that this is fixed in -CURRENT, but
I haven't found any commit entries to that tune.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
RE: One OR MORE of source and destination addresses?
Bill,

Thanks for the feedback. I've been programming embedded systems for
almost 20 years, so I have a natural aversion to apparently simple
changes that make things work :-)

The nicest high-level code I've ever seen is in the source to Tcl - if
only all code looked like that.

I've been playing with FreeBSD over the last two or three months trying
to implement a headless server that will help dysfunctional development
teams control their bugs and source code. I chose FreeBSD because Linux
seems so frigging bloated, and the distros are too varied. You never know
if the distro you pick will be around next year. FreeBSD gives me a much
warmer and fuzzier feeling about the commitment to release quality code
and making it very clear which releases are for production, and which are
for testing.

My work so far is documented in these articles:

http://www.hempeldesigngroup.com/embedded/stories/bdgFreeBSDEmbedded.html
http://www.hempeldesigngroup.com/embedded/stories/bdgFreeBSDSetup.html
http://www.hempeldesigngroup.com/embedded/stories/bdgFreeBSDandWindows.html
http://www.hempeldesigngroup.com/embedded/stories/bdgFreeBSDPortsAndPerl.html
http://www.hempeldesigngroup.com/embedded/stories/bdgFreeBSDPostfix.html
http://www.hempeldesigngroup.com/embedded/stories/bdgFreeBSDApache2.html
http://www.hempeldesigngroup.com/embedded/stories/bdgFreeBSDGnats.html

I hope to write more, including articles on customizing Gnats, using
Subversion, splint, backups, and security.

This developer community seems pretty friendly and knowledgeable. I think
I'll stick around :-)

Cheers,

Ralph
Re: One OR MORE of source and destination addresses?
Bill Moran wrote:

>> My whole console is flooded with messages like these:
>>
>>   ipfw: install_state: entry already present, done
>>
>> Is there a known patch?
>>
>> I just took a look at the code:
>>
>>   if (q != NULL) { /* should never occur */
>>       if (last_log != time_second) {
>>           last_log = time_second;
>>           printf("ipfw: install_state: entry already present, done\n");
>>       }
>>       return 0;
>>   }
>>
>> What if I just hack the printf ... line out of there? Would that
>> 'solve' it? I know it's dirty; but would things still work?
>
> Theoretically, yes (note that I'm certainly no expert on this chunk of
> code). My reason for saying yes is:
>
> 1) The error seems to be that IPFW is trying to add the same stateful
>    rule twice ... which means it _did_ get successfully added once.
>
> 2) When that condition occurs, the function returns 0. The comment at
>    the top of the file states that the function returns 1 on failure,
>    so it would appear that this condition is still considered
>    successful.

Thank you for taking the time to look into this. Yes, my reason for
thinking yes was the same. It seems there are critical errors, such as
"Too many dynamic rules", returning 1, and, say, unexpected errors, like
when trying to create a rule that already exists, returning 0. Since the
rule actually seems to be working (limiting total connections to 32, and
only 4 per source), just commenting out the printf statement seems like a
harmless, albeit very dirty, solution.

Indeed, this should probably be fixed; and I will file a PR tonight.

- Mark
RE: One OR MORE of source and destination addresses?
Like the manual says, you can not code both options on a single rule. You
have to make 2 rules out of it.

  state ipfw add allow tcp from any to me 25 setup limit dst-addr 32
  state ipfw add allow tcp from any to me 25 setup limit src-addr 8

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark
Sent: Monday, August 02, 2004 11:34 AM
To: [EMAIL PROTECTED]
Subject: One OR MORE of source and destination addresses?

Color me confused. The ipfw manual says:

  limit {src-addr | src-port | dst-addr | dst-port} N
      The firewall will only allow N connections with the same set of
      parameters as specified in the rule. One or more of source and
      destination addresses and ports can be specified.

If "One or more of source and destination addresses and ports can be
specified", then I'd like to limit both the total amount of connections,
as well as per-src. Something like this:

  ipfw check-state
  ipfw add allow tcp from any to me 25 setup limit dst-addr 32 src-addr 8

The error I get is:

  ipfw: only one of keep-state and limit is allowed

So, how can I specify "One OR MORE of source and destination addresses"
in the rule to achieve this effect?

Thanks,

- Mark
Re: One OR MORE of source and destination addresses?
Mark wrote:

> Color me confused. The ipfw manual says:
>
>   limit {src-addr | src-port | dst-addr | dst-port} N
>       The firewall will only allow N connections with the same set of
>       parameters as specified in the rule. One or more of source and
>       destination addresses and ports can be specified.
>
> If "One or more of source and destination addresses and ports can be
> specified", then I'd like to limit both the total amount of
> connections, as well as per-src. Something like this:
>
>   ipfw check-state
>   ipfw add allow tcp from any to me 25 setup limit dst-addr 32 src-addr 8
>
> The error I get is:
>
>   ipfw: only one of keep-state and limit is allowed
>
> So, how can I specify "One OR MORE of source and destination addresses"
> in the rule to achieve this effect?

Thanks for your reply.

JJB wrote:

> Like the manual says, you can not code both options on a single rule.
> You have to make 2 rules out of it.
>
>   state ipfw add allow tcp from any to me 25 setup limit dst-addr 32
>   state ipfw add allow tcp from any to me 25 setup limit src-addr 8

Actually, that is what I had already done:

  ipfw add 10 check-state
  ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
  ipfw add 12 check-state
  ipfw add 13 allow tcp from any to me 25 setup limit src-addr 4

But it seems I never get to rule 12/13. All ipfw show shows, is activity
on rule 10/11. That is why I figured I made an error somewhere. Does not
rule 11, indeed, function as an 'early-out'? (undesired).

Thanks,

- Mark
Re: One OR MORE of source and destination addresses?
JJB wrote:

> Your rules are all wrong. You really need to reread the ipfw manual
> page info. Only one check-state rule is used. Your other check-state
> rule is never matched.

Ok, I got a check-state too many.

> To get meaningful replies you have to post complete information about
> your system configuration with description of your overall firewall
> goals.

The goal is simple: I want to limit connections to port 25 to 32 in
total, targeted at me. And of those 32, only 4 per source. Like so:

  ipfw add 1 check-state
  ...
  ipfw add 11 allow tcp from any to me 25 setup limit dst-addr 32
  ipfw add 12 allow tcp from any to me 25 setup limit src-addr 4

Please, tell me then how all wrong this is. Because I *still* get the
impression that rule 12 is never reached. And, so far, ipfw show does,
indeed, only show activity on rule 11.

Thanks,

- Mark