Re: IPFW NAT behaviour different on 10-Stable versus 11-Stable

2017-09-02 Thread Ian Smith
On Sat, 2 Sep 2017 11:44:51 +1000, Graham Menhennitt wrote: > I have a problem that seems to be a difference between ipfw/NAT > behaviour in 10-Stable versus 11-Stable. I have two servers: one running > 10-Stable and one running 11-Stable. I'm using the same rule set on both > (see below).

Re: ipfw kernel NAT performance much worse in 11-Stable than 10-Stable

2017-09-01 Thread Ian Smith
On Thu, 31 Aug 2017 15:27:47 +0300, Andrey V. Elsukov wrote: > On 31.08.2017 15:10, Graham Menhennitt wrote: > > On 10-Stable, the interface is re1. The output of 'ifconfig re1 | grep > > options' is: > > options=8209b > >

Re: Unable to set rule using service name

2017-07-17 Thread Ian Smith
, perhaps some sort of proxy? cheers, Ian > *With best Regards,* > > Kulamani Sethi, > Bangalore, India > Mob: 9686190111 > > On Fri, Jul 14, 2017 at 10:31 PM, Ian Smith <smi...@nimnet.asn.au> wrote: > > > On Fri, 14 Jul 2017 16:43:56 +0530, Kulamani

Re: Unable to set rule using service name

2017-07-14 Thread Ian Smith
On Fri, 14 Jul 2017 16:43:56 +0530, Kulamani Sethi wrote: > Hi, > I want to set a rule for a particular service URL which running on a remote > server. > I know the IP but don't know the port number where that service is running. > If i set rule for IP then it will applied for entire services

Re: equivalent for pf's max-src-conn-rate in ipfw

2017-05-04 Thread Ian Smith
On Thu, 4 May 2017 23:46:21 +0200, Marco van Tol wrote: > Possibly this question pops up regularly. I have tried to find the > answer myself and have been unable to so far. > > My current way to drastically slow down ssh brute force attacks is by > using the pf feature

Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

2017-03-07 Thread Ian Smith
On Tue, 7 Mar 2017 08:45:22 -0600, Mark Felder wrote: > On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote: > > > https://reviews.freebsd.org/D9920 > > > > I've always used these rules from 'client' and 'simple' rulesets: > >${fwcmd} add pass all from any to

Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

2017-03-07 Thread Ian Smith
On Tue, 7 Mar 2017 13:49:25 +, bugzilla-nore...@freebsd.org wrote: > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867 > > Mark Felder changed: > >What|Removed |Added >

Re: How to use IPFW to filter routing

2017-02-02 Thread Ian Smith
On Sun, 29 Jan 2017 18:52:58 +0100, Rakor wrote: > Hi and thanks for your reply! Just a couple of points in addition to Thomás' recent reply, which well covers most aspects .. quoting here went totally weird, so excuse any strangeness there; I'm just plucking out and reformatting a few bits.

Re: Reload rules

2017-02-02 Thread Ian Smith
On Thu, 2 Feb 2017 12:08:31 -0200, Francisco Ramon wrote: > Hello! > I'm trying to build an IPFW script and I'm using some dynamic rules > (with keep-state). The problem occurs when I need to restart the > script, to reload new or edited rules... When I execute the "ipfw -f > flush", off

Re: [Bug 214419] ipfw coredump when try to add rule with table of IPv6 addresses

2016-11-14 Thread Ian Smith
On Mon, 14 Nov 2016 13:43:15 +, wo0x wrote: > Hi there, > >I just subscribed to this list due to the subjected bug--and I am quite > happy to find this trouble has yet been noted by others: > > # fwcmd=/sbin/ipfw > # ${fwcmd} -f table dnssrv flush > # ${fwcmd}table dnssrv

Re: change packets with IPFW divert

2016-10-18 Thread Ian Smith
On Tue, 18 Oct 2016 14:21:50 +, Shawn Bakhtiar wrote: > On Oct 18, 2016, at 6:49 AM, Samira Nazari > > wrote: > > Hello everyone, > > When we divert packets to the specified port with "IPFW divert", > > we can change it and re-send to

Re: ipfw table expiry.. how to do it..?

2016-09-11 Thread Ian Smith
On Mon, 12 Sep 2016 11:04:26 +0800, Julian Elischer wrote: > Unfortunately we don't have any timers on table entries, so it's not possible > to see how long an entry has been in use, or idle. > > > If I were to have a captive portal, which placed the address of 'allowed' > hosts into a

Re: Named states in ipfw (and old rulesets)

2016-08-15 Thread Ian Smith
On Mon, 15 Aug 2016 02:20:19 +0300, Lev Serebryakov wrote: > > Please, change this to some prefix to state name (:name, @name or > > something > > like this) or to "state-action(name)" format. It will be much better: less > > error-prone and will work without ugly warnings on old rulesets.

Re: your thoughts on a particular ipfw action.

2016-08-12 Thread Ian Smith
On Fri, 12 Aug 2016 16:49:36 +1000, grenville armitage wrote: > On 08/12/2016 14:56, Julian Elischer wrote: > > On 11/08/2016 9:02 AM, Dr. Rolf Jansen wrote: > >> > [...] > >> > >> I needed to change the name of the geoip tool, because GeoIP® is a > registered trademark of MaxMind,

Re: your thoughts on a particular ipfw action.

2016-08-11 Thread Ian Smith
On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote: > > Am 11.08.2016 um 08:06 schrieb Ian Smith <smi...@nimnet.asn.au>: > > On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote: > > > > (just curious: whereabouts is -0300? Brazil?) > > Yes, I am a G

Re: your thoughts on a particular ipfw action.

2016-08-11 Thread Ian Smith
On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote: (just curious: whereabouts is -0300? Brazil?) > > Am 08.08.2016 um 18:46 schrieb Dr. Rolf Jansen : >> I am almost finished with preparing the tools for geo-blocking and >> geo-routing at the firewall for submission to the

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-08-04 Thread Ian Smith
On Fri, 5 Aug 2016 00:12:37 +0800, Julian Elischer wrote: > On 4/08/2016 6:50 PM, Andrey V. Elsukov wrote: > > On 04.08.16 06:42, Julian Elischer wrote: > > > so it's a combination of #1 and #2 in my list. I think I originally > > > thought of having just #1. > > > > > > A combination is

Re: your thoughts on a particular ipfw action.

2016-08-04 Thread Ian Smith
On Fri, 5 Aug 2016 01:38:45 +1000, Ian Smith wrote: > <<< No Message Collected >>> Yeah, sorry about that .. this got stuck in mailq somehow in 'locked' EHLO state .. never seen that before in many years; had to kill and resend it from sent-mail as a fwd, losing 'Refer

Re: your thoughts on a particular ipfw action.

2016-08-04 Thread Ian Smith
<<< No Message Collected >>>

Re: Significant missing item in 11.0 release notes

2016-08-01 Thread Ian Smith
On Mon, 1 Aug 2016 18:47:37 +0300, Andrey V. Elsukov wrote: > On 01.08.16 18:43, Ian Smith wrote: > > Fast work Andrey, and sorry for rushing in. I ASSumed, after reading > > the new tables section in 11.0-R ipfw(8), that Kevin had run into: > > > >Tables re

Re: Significant missing item in 11.0 release notes

2016-08-01 Thread Ian Smith
On Mon, 1 Aug 2016 16:39:45 +0300, Andrey V. Elsukov wrote: > On 31.07.16 22:28, Kevin Oberman wrote: > > I assumed that I had missed this in the release notes, but I can find no > > reference to this significant change that simultaneously greatly enhanced > > ipfw table functionality, but

Re: Significant missing item in 11.0 release notes

2016-08-01 Thread Ian Smith
On Sun, 31 Jul 2016 12:28:06 -0700, Kevin Oberman wrote: > This morning I updated my min user system from 10.3-Stable to 11.0-BETA3. > In general, things went well, but I had two issues that prevented the > network from operating. the first is a lack of documentation in the Release > Notes

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-31 Thread Ian Smith
On Sat, 30 Jul 2016 11:17:13 -0300, Dr. Rolf Jansen wrote: > I finished the work on CIDR conformity of the IP ranges tables > generated by the tool geoip. The main constraint is that the start > and end address of an IP block given by the delegation files MUST BE > PRESERVED during the

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-29 Thread Ian Smith
On Thu, 28 Jul 2016 23:21:01 -0300, Dr. Rolf Jansen wrote: > Am 27.07.2016 um 12:31 schrieb Julian Elischer : [..] >> wow, wonderful! >> with that tool, and ipfw tables we have a fully functional geo >> blocking/munging solution in about 4 lines of shell script. >

Re: ipfw divert filter for IPv4 geo-blocking

2016-07-27 Thread Ian Smith
On Wed, 27 Jul 2016 10:03:01 +0800, Julian Elischer wrote: > On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote: > > > Am 26.07.2016 um 13:23 schrieb Julian Elischer : > > > On 26/07/2016 1:41 AM, Dr. Rolf Jansen wrote: > > > > Once a week, the IP ranges are compiled from

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-06-15 Thread Ian Smith
On Mon, 13 Jun 2016 23:18:24 +0800, Julian Elischer wrote: > On 10/06/2016 5:11 AM, Lev Serebryakov wrote: > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA512 > > > > On 07.06.2016 00:53, Andrey V. Elsukov wrote: > > > > > looking at provided description and examples, seems the main

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-06-15 Thread Ian Smith
On Mon, 13 Jun 2016 22:59:19 +0800, Julian Elischer wrote: > On 7/06/2016 10:31 PM, Ian Smith wrote: > > On Tue, 7 Jun 2016 00:53:23 +0300, Andrey V. Elsukov wrote: > > > On 06.06.16 22:41, Lev Serebryakov wrote: > > > > > > > > I still hop

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-06-07 Thread Ian Smith
On Tue, 7 Jun 2016 00:53:23 +0300, Andrey V. Elsukov wrote: > On 06.06.16 22:41, Lev Serebryakov wrote: > > > > I still hope to see https://reviews.freebsd.org/D1776 committed before > > 11-RELEASE. > > > > It seems to me, that I does everything what was requested by reviewers. > > Hi

Re: Network goes down when installing ipfw

2016-03-15 Thread Ian Smith
On Mon, 14 Mar 2016 19:24:21 +0800, Bill Yuan wrote: > On Monday, March 14, 2016, Ian Smith <smi...@nimnet.asn.au> wrote: > > > On Mon, 14 Mar 2016 07:39:36 +0800, Julian Elischer wrote: > > > On 14/03/2016 7:37 AM, Julian Elischer wrote: > > > > On 1

Re: Network goes down when installing ipfw

2016-03-13 Thread Ian Smith
On Mon, 14 Mar 2016 07:39:36 +0800, Julian Elischer wrote: > On 14/03/2016 7:37 AM, Julian Elischer wrote: > > On 11/03/2016 8:46 PM, Kulamani Sethi wrote: > > > Dear all, > > > > > > I am using ipfw3. When I am installing the ipfw driver on a Windows 7 > > > machine the network goes down.

Re: ipfw dummynet vs. kernel NAT and firewall rules

2016-03-10 Thread Ian Smith
On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote: > On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote: > > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > > > On 9 Mar, Don Lewis wrote: > > > > On 9 Mar, Don Lewis wrote: > > > >> On

Re: ipfw dummynet vs. kernel NAT and firewall rules

2016-03-09 Thread Ian Smith
On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote: > On 9 Mar, Don Lewis wrote: > > On 9 Mar, Don Lewis wrote: > >> On 9 Mar, Don Lewis wrote: > >>> On 9 Mar, Freddie Cash wrote: > > ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1? > >>> > >>> Aha, I've got

Re: layer2 ipfw fwd

2015-12-22 Thread Ian Smith
On Wed, 23 Dec 2015 10:08:05 +0800, bycn82 wrote: > Cc: "freebsd-ipfw@freebsd.org" , > Ganbold Tsagaankhuu > Subject: Re: layer2 ipfw fwd > > Interesting, that means in order to filter the layer2 traffic with layer3 > filters. it will unpack

Re: Set a deny rule for a URL in IPFW by its domain name

2015-11-30 Thread Ian Smith
On Mon, 30 Nov 2015 16:48:49 +0530, Kulamani Sethi wrote: > Hi all, >I am using ipfw3, can I block a URL by its domain name? When I > set rules in IPFW by domain name, it simply sets a rule by the > corresponding IP. > Here is an example of how I set it > > C:>ipfw add 1002 deny log ip

Re: connecting a PS4 via IPFW

2015-11-29 Thread Ian Smith
On Sun, 29 Nov 2015 12:03:21 +1100, Graham Menhennitt wrote: > On 28/11/2015 20:47, Thomás S. Bregolin wrote: > > Besides the redirect_port option, you still need rules allowing traffic > > in to those ports. Excuse-me if you've done that already (I have no way > > of knowing). > > > > > >

Re: Kernel NAT issues

2015-11-18 Thread Ian Smith
On Wed, 18 Nov 2015 22:17:29 +0800, Julian Elischer wrote: > On 11/18/15 8:40 AM, Nathan Aherne wrote: > > For some reason hairpin (loopback nat or nat reflection) does not seem to > > be working, which is why I chose IPFW in the first place. > it would be good to see a diagram of what this

Re: Kernel NAT issues

2015-10-14 Thread Ian Smith
On Tue, 13 Oct 2015 13:50:04 +1000, Nathan Aherne wrote: > Hi Ian, > > Thank you for your response. > > I didn't post my ruleset because I should be able to fix the issue > myself but I see now that my request to explain "how NAT works" was > incorrect. > > I have now included my

Re: Kernel NAT issues

2015-10-12 Thread Ian Smith
On Tue, 13 Oct 2015 12:33:52 +1000, Nathan Aherne wrote: > I sent through a question to this list a little while ago and have > been trying to get IPFW NAT working since then. I have had some > success but not the success I need, everything is working correctly > except NAT rules for my

Re: HELP! Mysterious socket 843/tcp listening on CURRENT system

2015-09-16 Thread Ian Smith
On Tue, 15 Sep 2015 07:51:11 -0600 (MDT), Warren Block wrote: > On Tue, 15 Sep 2015, Ian Smith wrote: > O. Hartmann wrote: > > > But that is an other issue and it is most likely > > > due to the outdated documentation (that doc still uses port 37 for NTP &g

Re: ipfw delete 100-300

2015-08-13 Thread Ian Smith
On Thu, 13 Aug 2015 12:24:31 +0800, Julian Elischer wrote: BTW, any ideas as to what causes this? # ipfw show [...] 00400 00 deny ip from 10.12.1.0/24 to any in recv xn0 00500 0 16045693110842147038 deny ip from 204.109.63.0/25 to any in recv xn1 00600

Re: ipfw delete 100-300

2015-08-13 Thread Ian Smith
On Thu, 13 Aug 2015 16:30:15 +0200, Luigi Rizzo wrote: On Thu, Aug 13, 2015 at 4:00 PM, Ian Smith smi...@nimnet.asn.au wrote: On Thu, 13 Aug 2015 12:24:31 +0800, Julian Elischer wrote: BTW, any ideas as to what causes this? # ipfw show [...] 00400 0

Re: ipfw delete 100-300

2015-08-03 Thread Ian Smith
On Mon, 3 Aug 2015 17:38:18 +0800, Julian Elischer wrote: my reading of the code I can see that 'ipfw delete 100-300' doesn't work (well I know it doesn't work, but I had thought it was a bug), Now I see that it's just 'not supported' It may be my imagination but (distant) past? I was

Re: Traffic not going through dummynet

2015-07-31 Thread Ian Smith
On Fri, 31 Jul 2015 09:43:25 -0700, Michael Sierchio wrote: On Jul 31, 2015 3:23 AM, Ian Smith smi...@nimnet.asn.au wrote: firewall_enable=YES firewall_type=OPEN # permit all, regardless of default_to_accept dummynet_anable=YES which would at least load those modules

Re: keep-state and in-kernel NAT exposes local ip on external interface

2015-07-27 Thread Ian Smith
Way back on Wed, 1 Jul 2015 22:02:53 +0300, Lev Serebryakov wrote: On 30.06.2015 22:20, Georgios Amanakis via freebsd-ipfw wrote: It is good example for my changes :) All this skipto / keep-state magic is not understandable. Indeed. So all we're waiting for, Lev, is some simple usage

Re: Traffic not going through dummynet

2015-07-26 Thread Ian Smith
On Sun, 19 Jul 2015 21:05:53 -0700, hiren panchasara wrote: Bah. So I removed ipfw and dummynet from kernconf and loaded them manually after machine came up and it worked as expected. In your previous post, you'd said you were using 11-current, and: And GENERIC has: options

Re: Please, review my change to ipfw, I want to commit it :)

2015-06-06 Thread Ian Smith
On Sat, 6 Jun 2015 19:52:35 +0800, bycn82 wrote: Hello, Can you please explain what is going on again, Sorry I did not follow the emails, I am not checking the FB email for a while, I think I missed some emails. e.g. what is the purpose of the skip-immediate-action

Re: Please, review my change to ipfw, I want to commit it :)

2015-06-05 Thread Ian Smith
Lev, a further thought. I've seen melifaro's new comments, but can't comment on those except that we are agreed on really needing some usage examples. On Tue, 2 Jun 2015 22:39:40 +1000, Ian Smith wrote: It would be nice if skip-immediate-action could be shortened, especially where printed

Re: Please, review my change to ipfw, I want to commit it :)

2015-06-02 Thread Ian Smith
On Mon, 1 Jun 2015 17:31:23 +0300, Lev Serebryakov wrote: https://reviews.freebsd.org/D1776 It was discussed in this list some time ago, but looks like everything stuck. Any comments/objections? This patch works on my router since first patch version without problems and

Re: ipfw on just inbound and not outbound

2015-05-24 Thread Ian Smith
On Sun, 24 May 2015 11:24:45 +0300, Alexander V. Chernikov wrote: 23.05.2015, 03:58, hiren panchasara hi...@strugglingcoder.info: On 05/21/15 at 02:05P, hiren panchasara wrote:  On 05/21/15 at 12:42P, hiren panchasara wrote:  Getting back to this now to see if I can avoid ipfw on

Re: ipfw on just inbound and not outbound

2015-04-16 Thread Ian Smith
On Thu, 16 Apr 2015 11:41:54 +0800, Julian Elischer wrote: On 4/15/15 5:09 AM, hiren panchasara wrote: Apologies if this is something silly but I want to completely eliminate ipfw from outgoing traffic perspective. I just want to have it on incoming. I can always add allow ip from any

Re: [RFC][patch] Two new actions: state-allow and state-deny

2015-02-04 Thread Ian Smith
On Wed, 4 Feb 2015 19:121:46 +, Julian Elischer wrote: On 2/4/15 5:22 PM, Lev Serebryakov wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 04.02.2015 08:13, Julian Elischer wrote: yes I think keep-state should be deprecated and replaced or supplemented by

Re: does nat redirect_port tcp works for you on -CURRENT?

2015-02-04 Thread Ian Smith
On Thu, 5 Feb 2015 02:14:41 +0300, Lev Serebryakov wrote: On 05.02.2015 01:16, Lev Serebryakov wrote: I have such rules in my firewall: nat 9 config redirect_port tcp 192.168.134.2:16881 16881 redirect_port udp 192.158.134.2:16881 16881 redirect_port tcp 192.168.134.2:22 2

Re: [RFC][patch] Two new actions: state-allow and state-deny

2015-02-03 Thread Ian Smith
On Tue, 3 Feb 2015 13:23:38 +0300, Lev Serebryakov wrote: On 03.02.2015 13:04, Ian Smith wrote: Now to make stateful firewall with NAT you need to make some not very readable tricks to record state (allow) of outbound connection before NAT, but pass packet to NAT after that. I know

Re: [RFC][patch] Two new actions: state-allow and state-deny

2015-02-03 Thread Ian Smith
On Mon, 2 Feb 2015 22:17:25 +0300, Lev Serebryakov wrote: Now to make stateful firewall with NAT you need to make some not very readable tricks to record state (allow) of outbound connection before NAT, but pass packet to NAT after that. I know two: (a) skipto-nat-allow pattern from

Re: any reason not to enable IPDIVERT for ipfw module?

2014-11-01 Thread Ian Smith
On Fri, 31 Oct 2014 18:28:28 -0700, Freddie Cash wrote: On Oct 31, 2014 12:12 PM, John-Mark Gurney j...@funkthat.com wrote: Can any one think of a good reason not to enable IPDIVERT sockets in the ipfw module? Yes, two. Nowadays people are just as or perhaps more likely to use

Re: net.inet{,6}.fw.enable in /etc/rc

2014-10-13 Thread Ian Smith
On Sun, 12 Oct 2014 05:02:11 +0900, Hiroki Sato wrote: Ian Smith smi...@nimnet.asn.au wrote in 20141003025830.d48...@sola.nimnet.asn.au: sm which rules will be flushed when /etc/rc.d/ipfw runs, but should enable sm DHCP to work? I'm not sure whether those rules are exactly correct

Re: trouble with ipfw on FreeBSD 10

2014-10-04 Thread Ian Smith
On Wed, 1 Oct 2014 15:54:57 +1000, Ian Smith wrote: On Tue, 30 Sep 2014 18:54:29 -0400, Jack Barber wrote: On 09/30/2014 01:29 AM, Ian Smith wrote: On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote: We are having trouble getting ipfw to work over a bridged interface

Re: net.inet{,6}.fw.enable in /etc/rc

2014-10-02 Thread Ian Smith
On Thu, 2 Oct 2014 16:39:13 +0900, Hiroki Sato wrote: Julian Elischer jul...@freebsd.org wrote in 542155fb.9020...@freebsd.org: ju On 9/23/14, 2:01 AM, Andrey V. Elsukov wrote: ju On 21.09.2014 09:58, Hiroki Sato wrote: ju Hi, ju juI would like your comments about the

Re: trouble with ipfw on FreeBSD 10

2014-10-01 Thread Ian Smith
On Tue, 30 Sep 2014 18:54:29 -0400, Jack Barber wrote: On 09/30/2014 01:29 AM, Ian Smith wrote: On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote: We are having trouble getting ipfw to work over a bridged interface. for example: machine 1 - Bridged interface

Re: trouble with ipfw on FreeBSD 10

2014-09-29 Thread Ian Smith
On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote: We are having trouble getting ipfw to work over a bridged interface. for example: machine 1 - Bridged interface FreeBSD 10 - machine 2. machine 1 - 192.168.20.20 machine 2 - 192.168.20.25 now I set something like this

Re: net.inet{,6}.fw.enable in /etc/rc

2014-09-21 Thread Ian Smith
On Sun, 21 Sep 2014 14:58:12 +0900, Hiroki Sato wrote: Hi, I would like your comments about the attached patch to /etc/rc. The problem I want to fix by this patch is as follows. net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW kernel module is loaded or

Re: IPFW rule sets and automatic rule numbering

2014-09-14 Thread Ian Smith
On Sun, 14 Sep 2014 12:36:43 +0200, Willem Jan Withagen wrote: On 13-9-2014 21:51, Freddie Cash wrote: You can replicate it using 3 rules, loaded into two sets: ipfw set disable 1 ipfw add allow ip from any to any ipfw add 65524 allow ip from any to any ipfw add allow ip from

Re: Where do the boot time messages go?

2014-05-12 Thread Ian Smith
On Sun, 11 May 2014 21:44:26 -0700, Chris H wrote: [Ronald F. Guilmette wrote:] In my /etc/rc.conf file, I have the following (among other things): firewall_enable=YES firewall_type=/etc/fw.rules firewall_logging=YES And of course, on my system, the /etc/fw.rules file is full

Re: ipfw stateful and ICMP

2014-03-16 Thread Ian Smith
On Mon, 10 Mar 2014 20:53:39 -0700, Julian Elischer wrote: It has annoyed me for some time that icmp packets referring to an ongoing session can not be matched by a dynamic rule that governs that session. For example, if you have a dynamic rule for tcp 1.2.3.4 port 80 from 5.6.7.8 port

Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for udp

2014-02-17 Thread Ian Smith
The following reply was made to PR kern/177948; it has been noted by GNATS. From: Ian Smith smi...@nimnet.asn.au To: bug-follo...@freebsd.org, j...@oxit.fi Cc: Subject: Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for udp Date: Tue, 18 Feb 2014 02:43:21 +1100 Having been

Re: ipfw table add problem

2013-11-24 Thread Ian Smith
On Sun, 24 Nov 2013 23:56:14 +0400, Alexander V. Chernikov wrote: On 24.11.2013 19:43, Özkan KIRIK wrote: Hi, I tested patch. This patch solves, ipfw table 1 add 4899 Ok. So I'll commit this fix soon. But, ipfw table 1 add 10.2.3.01 works incorrectly. output is below. #

Re: NAT/ipfw blocking internal traffic

2013-11-03 Thread Ian Smith
On Thu, 31 Oct 2013 13:10:42 -0700, Casey Scott wrote: Hello, My NAT and ipfw ruleset follow almost exactly what is given at http://www.freebsd.org/doc/handbook/firewalls-ipfw.html Almost, but perhaps not quite near enough. Firstly, I'd normally advise largely ignoring the handbook

Re: DNAT in freebsd

2013-07-06 Thread Ian Smith
On Sat, 6 Jul 2013 18:37:55 +0700, Eugene Grosbein wrote: On 06.07.2013 14:47, Sami Halabi wrote: Hi, Any hope? Have you used intermediate ipfw count log rules between the ipfw nat rules I recommended? If yes, why have you not shown those logs yet? Include tcpdump output from external

Re: kern/176503: [ipfw] ipfw layer2 problem

2013-06-18 Thread Ian Smith
The following reply was made to PR kern/176503; it has been noted by GNATS. From: Ian Smith smi...@nimnet.asn.au To: bug-follo...@freebsd.org, free...@heron.pl Cc: Subject: Re: kern/176503: [ipfw] ipfw layer2 problem Date: Wed, 19 Jun 2013 01:34:58 +1000 net.link.ether.ipfw=1 1000

Re: kern/178482: [ipfw] logging problem from vnet jail

2013-05-22 Thread Ian Smith
The following reply was made to PR kern/178482; it has been noted by GNATS. From: Ian Smith smi...@nimnet.asn.au To: bug-follo...@freebsd.org, fb...@a1poweruser.com Cc: Subject: Re: kern/178482: [ipfw] logging problem from vnet jail Date: Wed, 22 May 2013 23:44:40 +1000 9.1-RELEASE kernel

Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for udp

2013-04-21 Thread Ian Smith
The following reply was made to PR kern/177948; it has been noted by GNATS. From: Ian Smith smi...@nimnet.asn.au To: Jukka Ukkonen j...@oxit.fi Cc: bug-follo...@freebsd.org Subject: Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for udp Date: Sun, 21 Apr 2013 22:21:06 +1000 (EST

Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for udp

2013-04-20 Thread Ian Smith
The following reply was made to PR kern/177948; it has been noted by GNATS. From: Ian Smith smi...@nimnet.asn.au To: bug-follo...@freebsd.org, j...@oxit.fi Cc: Subject: Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for udp Date: Sun, 21 Apr 2013 12:17:12 +1000 I can't

Re: Problems with ipfw/natd and axe(4)

2013-04-16 Thread Ian Smith
On Tue, 16 Apr 2013 20:52:05 +0200, Spil Oss wrote: Hi all, If I disable checksum offloading on the NIC I do the tcpdump on, then I assume that the checksum-check will provide accurate results? It certainly should. With checksum disabled, I see that the checksum is incorrect when the

Re: Problems with ipfw/natd and axe(4)

2013-04-14 Thread Ian Smith
On Sat, 13 Apr 2013 15:34:39 +0200, Spil Oss wrote: Hi All, I can't use ipfw with natd with my ASIX AX88772B USB NIC ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset) I see you omitted the 2 anti-spoofing rules for 172.16.0.0/12 either side of the divert rule, as you

Re: kern/174749: Unexpected change of default route

2013-02-11 Thread Ian Smith
The following reply was made to PR kern/174749; it has been noted by GNATS. From: Ian Smith smi...@nimnet.asn.au To: bug-follo...@freebsd.org, radek.kre...@starnet.cz Cc: Subject: Re: kern/174749: Unexpected change of default route Date: Mon, 11 Feb 2013 23:50:56 +1100 It seems clear

Re: high cpu usage on natd / dhcpd

2013-02-08 Thread Ian Smith
On Thu, 7 Feb 2013 12:50:51 +, Eggert, Lars wrote: Hi, On Feb 7, 2013, at 13:40, Ian Smith smi...@nimnet.asn.au wrote: On Thu, 7 Feb 2013 08:08:59 +, Eggert, Lars wrote: On Jan 31, 2013, at 16:03, Matthew Luckie m...@luckie.org.nz wrote: 00510 allow ip from me to not me

Re: high cpu usage on natd / dhcpd

2013-02-07 Thread Ian Smith
On Thu, 7 Feb 2013 08:08:59 +, Eggert, Lars wrote: On Jan 31, 2013, at 16:03, Matthew Luckie m...@luckie.org.nz wrote: 00510 allow ip from me to not me out via em1 00550 divert 8668 ip from any to any via em1 Rule 510 fixes it. Yep, it does. Can I ask someone to commit

Re: kern/165939: [ipfw] bug: incomplete firewall rules loaded if tables are used in ipfw.conf

2012-10-29 Thread Ian Smith
The following reply was made to PR kern/165939; it has been noted by GNATS. From: Ian Smith smi...@nimnet.asn.au To: bug-follo...@freebsd.org, h...@sendmail.cz Cc: Subject: Re: kern/165939: [ipw] bug: incomplete firewall rules loaded if tables are used in ipfw.conf Date: Tue, 30 Oct 2012 00:17

Re: [RFC] Enabling IPFIREWALL_FORWARD in run-time

2012-10-19 Thread Ian Smith
On Fri, 19 Oct 2012 15:25:24 +0400, Andrey V. Elsukov wrote: Hi All, Many years ago I already proposed this feature, but at that time several people were against it, because as they said, it could affect performance. Now, when we have high speed network adapters, SMP kernel and

Re: Significant network latency when using ipfw and in-kernel NAT

2012-09-14 Thread Ian Smith
if I can prevent it. :) Fair question Soren. I've configured no VLANs; out of my depth, again! cheers, Ian On Fri, Sep 14, 2012 at 12:00 AM, Ian Smith smi...@nimnet.asn.au wrote: On Thu, 13 Sep 2012 12:37:23 -0500, Soren Dreijer wrote: [Luigi Rizzo wrote:] i'd start

Re: Significant network latency when using ipfw and in-kernel NAT

2012-09-13 Thread Ian Smith
On Thu, 13 Sep 2012 0:48:01 -0500, Soren Dreijer wrote: Definitely. Since this is a server in production, I've obfuscated some of the IPs, etc. First off, here's the ifconfig. Our setup consists of a private (ix0) and a public nic (ix1) and an ip tunnel (gif0), which is what we use in

Re: Significant network latency when using ipfw and in-kernel NAT

2012-09-13 Thread Ian Smith
On Thu, 13 Sep 2012 12:37:23 -0500, Soren Dreijer wrote: [Luigi Rizzo wrote:] i'd start by disabling all accelerations (and jumbograms) and then move on from the results to figure out where is the problem. So, I went ahead and disabled TSO on ix0. That seemed to fix the

Re: kern/165939: [ipfw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf

2012-07-14 Thread Ian Smith
On Sat, 14 Jul 2012, cr...@freebsd.org wrote: http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 Description If user has tables used in /etc/ipfw.conf for example: table 1 add 64.6.108.239 then firewall restart: /etc/rc.d/ipfw start fails with: Line 8:

Re: kern/165939: [ipfw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf

2012-07-14 Thread Ian Smith
On Sat, 14 Jul 2012 18:59:54 +0100, Chris Rees wrote: On 14 Jul 2012 18:49, Ian Smith smi...@nimnet.asn.au wrote: On Sat, 14 Jul 2012, cr...@freebsd.org wrote: http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 [..] Yes, to such a ruleset you'd need to add 'table all flush' too

Re: CFR: ipfw0 pseudo-interface clonable

2012-04-28 Thread Ian Smith
On Sat, 28 Apr 2012 23:18:00 +0900 (JST), Hiroki Sato wrote: A revised patch is attached. The lock around log_if should be fixed and ipfw(8) manual page is updated. Also, an rc.conf(5) variable $firewall_logif is added to create ipfw0 interface at boot time (NO by default).

Re: newbie IPFW user - when handbook examples don't work...

2012-03-24 Thread Ian Smith
On Sat, 24 Mar 2012, Da Rock wrote: On 03/18/12 02:31, Julian Elischer wrote: On 3/17/12 1:36 AM, Da Rock wrote: On 03/14/12 17:09, Rémy Sanchez wrote: On Saturday 10 March 2012 00:39:24 Da Rock wrote: I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I

Re: Reducing the need to compile a custom kernel

2012-02-12 Thread Ian Smith
On Fri, 10 Feb 2012 16:12:00 +, Bjoern A. Zeeb wrote: On 10. Feb 2012, at 15:56 , Panagiotis Christias wrote: On 10/2/2012 15:56, Alexander Leidinger wrote: Hi, during some big discussions in the last months on various lists, one of the problems was that some people would

Re: firewall_nat_enable in rc.firewall

2012-01-27 Thread Ian Smith
On Fri, 27 Jan 2012, Pavel Timofeev wrote: Hi all! I have a small correction for /etc/rc.firewall My conf [hostname]# grep firewall /etc/rc.conf firewall_enable=YES firewall_type=open firewall_nat_enable=YES firewall_nat_interface=re0 firewall_nat_flags=same_ports reset

Re: IPFW transparent VS dummynet rules

2012-01-07 Thread Ian Smith
On Sat, 7 Jan 2012, budsz wrote: Hi folks, I already found the mistake of my ruleset sequence on my box, for ex: ${fwcmd} add 30 fwd ${ipproxy},${portproxy} tcp from ${ipclproxy} to any dst-port ${porthttp} in via ${ifint0} ${fwcmd} add 52 pipe 2 ip from any to ${ipclient} via

Re: ipfw dscp support

2011-12-19 Thread Ian Smith
On Mon, 19 Dec 2011, alan yang wrote: Hi Marcelo, Thanks for the modip work! I still haven't found any docs like the manpage patches or even a clear description. I know such things seem obvious to the programmer :) but a few examples really don't cut it for me, even with reference to

Re: ipfw dscp support

2011-12-08 Thread Ian Smith
On Thu, 8 Dec 2011, Marcelo Araujo wrote: 2011/12/8 Ian Smith smi...@nimnet.asn.au The PR you pointed to (kern/102471) includes some description, update to ipfw(8) and some references. It doesn't mention any 'modip' action. I can't guess what 'modip' is even supposed to mean

Re: ipfw dscp support

2011-12-07 Thread Ian Smith
On Tue, 6 Dec 2011, alan yang wrote: Hi Sergey, I found from FreeBSD forum dated Aug. 2009 with the following: vlad2005 Insufficient information to locate a forum post. URL, please? ... Anyway, testing with improvement from patch, give desired result. Code: ipfw add 20 count

Re: ipfw rule processing performances

2011-10-26 Thread Ian Smith
On Wed, 26 Oct 2011, Julian Elischer wrote: On 10/26/11 2:39 PM, Michael Sierchio wrote: On Wed, Oct 26, 2011 at 11:39 AM, Julian Elischerjul...@freebsd.org wrote: read up on all the things you can do with tablearg.. sometimes a single table can replace dozens of rules.

Re: weird results while ipsec + ipfv_nat (nat before vpn)

2011-08-03 Thread Ian Smith
On Wed, 3 Aug 2011, Zeus V Panchenko wrote: [..] I can't comment on your ipsec setup at all, but: cat /etc/ipfw.conf ... add 000401 allow udp from x.x.x.x to y.y.y.y isakmp add 000402 allow udp from y.y.y.y to x.x.x.x isakmp add 000403 allow { esp or ipencap } from x.x.x.x to

Re: kern/157796: [ipfw] IPFW in-kernel NAT nat loopback / Default Router Changes Unexpectedly

2011-06-13 Thread Ian Smith
On Mon, 13 Jun 2011, lini...@freebsd.org wrote: http://www.freebsd.org/cgi/query-pr.cgi?pr=157796 Ozkan, I'm not replying to your PR directly as this is purely speculative; I have no idea about your default route changing. However your ruleset raises a couple of possible issues: When a

Re: kern/155927: [ipfw] ipfw stops to check bags for compliance with the rules, letting everything Rules

2011-03-30 Thread Ian Smith
On Mon, 28 Mar 2011, Marcin Wisnicki wrote: On Mon, 28 Mar 2011 17:51:06 +1100, Ian Smith wrote: On Mon, 28 Mar 2011, Luigi Rizzo wrote: On Mon, Mar 28, 2011 at 06:14:20AM +, lini...@freebsd.org wrote: Old Synopsis: Ipfw stops to check bags for compliance

Re: kern/155927: [ipfw] ipfw stops to check bags for compliance with the rules, letting everything Rules

2011-03-28 Thread Ian Smith
On Mon, 28 Mar 2011, Luigi Rizzo wrote: On Mon, Mar 28, 2011 at 06:14:20AM +, lini...@freebsd.org wrote: Old Synopsis: Ipfw stops to check bags for compliance with the rules, letting everything Rules New Synopsis: [ipfw] ipfw stops to check bags for compliance with the rules,

Re: Request for policy decision: kernel nat vs/and/or natd

2011-01-16 Thread Ian Smith
On Sun, 16 Jan 2011, Ian Smith wrote: On Sun, 16 Jan 2011, Hiroki Sato wrote: Ian Smith smi...@nimnet.asn.au wrote in 20110108220300.q15...@sola.nimnet.asn.au: sm On Sat, 8 Jan 2011 15:02:29 +1100, Ian Smith wrote: sm On Fri, 7 Jan 2011, Brandon Gooch wrote: sm

Re: Request for policy decision: kernel nat vs/and/or natd

2011-01-15 Thread Ian Smith
On Sun, 16 Jan 2011, Hiroki Sato wrote: Ian Smith smi...@nimnet.asn.au wrote in 20110108220300.q15...@sola.nimnet.asn.au: sm On Sat, 8 Jan 2011 15:02:29 +1100, Ian Smith wrote: sm On Fri, 7 Jan 2011, Brandon Gooch wrote: sm On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith smi

Re: Request for policy decision: kernel nat vs/and/or natd

2011-01-07 Thread Ian Smith
On Fri, 7 Jan 2011, Brandon Gooch wrote: On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith smi...@nimnet.asn.au wrote: Folks, [ If someone implements an /etc/rc.d/ipfw reload command that reliably works over a remote session without any open firewall window, great, but I'd rather
