On Sat, 2 Sep 2017 11:44:51 +1000, Graham Menhennitt wrote:
> I have a problem that seems to be a difference between ipfw/NAT
> behaviour in 10-Stable versus 11-Stable. I have two servers: one running
> 10-Stable and one running 11-Stable. I'm using the same rule set on both
> (see below).
On Thu, 31 Aug 2017 15:27:47 +0300, Andrey V. Elsukov wrote:
> On 31.08.2017 15:10, Graham Menhennitt wrote:
> > On 10-Stable, the interface is re1. The output of 'ifconfig re1 | grep
> > options' is:
> > options=8209b
> >
, perhaps some sort of proxy?
cheers, Ian
> *With best Regards,*
>
> Kulamani Sethi,
> Bangalore, India
> Mob: 9686190111
>
> On Fri, Jul 14, 2017 at 10:31 PM, Ian Smith <smi...@nimnet.asn.au> wrote:
>
> > On Fri, 14 Jul 2017 16:43:56 +0530, Kulamani
On Fri, 14 Jul 2017 16:43:56 +0530, Kulamani Sethi wrote:
> Hi,
> I want to set a rule for a particular service URL which is running on a remote
> server.
> I know the IP but don't know the port number where that service is running.
> If I set a rule for the IP then it will be applied for entire services
On Thu, 4 May 2017 23:46:21 +0200, Marco van Tol wrote:
> Possibly this questions pops up regularly. I have tried to find the
> answer myself and have been unable to so far.
>
> My current way to drastically slow-down ssh brute force attacks is by
> using the pf feature
On Tue, 7 Mar 2017 08:45:22 -0600, Mark Felder wrote:
> On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:
> > > https://reviews.freebsd.org/D9920
> >
> > I've always used these rules from 'client' and 'simple' rulesets:
> >${fwcmd} add pass all from any to
On Tue, 7 Mar 2017 13:49:25 +, bugzilla-nore...@freebsd.org wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
>
> Mark Felder changed:
>
>What|Removed |Added
>
On Sun, 29 Jan 2017 18:52:58 +0100, Rakor wrote:
> Hi and thanks for your reply!
Just a couple of points in addition to Thomás' recent reply, which well
covers most aspects .. quoting here went totally weird, so excuse any
strangeness there; I'm just plucking out and reformatting a few bits.
On Thu, 2 Feb 2017 12:08:31 -0200, Francisco Ramon wrote:
> Hello!
> I'm trying to build an IPFW script and I'm using some dynamic rules
> (with keep-state). The problem occurs when I need to restart the
> script, to reload new or edited rules... When I execute the "ipfw -f
> flush", off
On Mon, 14 Nov 2016 13:43:15 +, wo0x wrote:
> Hi there,
>
>I just subscribed to this list due to the subjected bug--and I am quite
> happy to find this trouble has yet been noted by others:
>
> # fwcmd=/sbin/ipfw
> # ${fwcmd} -f table dnssrv flush
> # ${fwcmd} table dnssrv
On Tue, 18 Oct 2016 14:21:50 +, Shawn Bakhtiar wrote:
> On Oct 18, 2016, at 6:49 AM, Samira Nazari
> > wrote:
> > Hello every one,
> > When we diverte packets to the specified port with "IPFW divert" ,
> > we can change it and re-sent to
On Mon, 12 Sep 2016 11:04:26 +0800, Julian Elischer wrote:
> Unfortunately we don't have any timers on table entries, so it's not possible
> to see how long an entry has been in use, or idle.
>
>
> If I were to have a captive portal, which placed the address of 'allowed'
> hosts into a
On Mon, 15 Aug 2016 02:20:19 +0300, Lev Serebryakov wrote:
> > Please, change this to some prefix to state name (:name, @name or
> > something
> > like this) or to "state-action(name)" format. It will be much better: less
> > error-prone and will work without ugly warnings on old rulesets.
On Fri, 12 Aug 2016 16:49:36 +1000, grenville armitage wrote:
> On 08/12/2016 14:56, Julian Elischer wrote:
> > On 11/08/2016 9:02 AM, Dr. Rolf Jansen wrote:
> >>
> [...]
> >>
> >> I needed to change the name of the geoip tool, because GeoIP® is a
> registered trademark of MaxMind,
On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote:
> > On 11.08.2016 at 08:06, Ian Smith <smi...@nimnet.asn.au> wrote:
> > On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
> >
> > (just curious: whereabouts is -0300? Brazil?)
>
> Yes, I am a G
On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
(just curious: whereabouts is -0300? Brazil?)
> > On 08.08.2016 at 18:46, Dr. Rolf Jansen wrote:
>> I am almost finished with preparing the tools for geo-blocking and
>> geo-routing at the firewall for submission to the
On Fri, 5 Aug 2016 00:12:37 +0800, Julian Elischer wrote:
> On 4/08/2016 6:50 PM, Andrey V. Elsukov wrote:
> > On 04.08.16 06:42, Julian Elischer wrote:
> > > so it's a combination of #1 and #2 in my list. I think I originally
> > > thought of having just #1.
> > >
> > > A combination is
On Fri, 5 Aug 2016 01:38:45 +1000, Ian Smith wrote:
> <<< No Message Collected >>>
Yeah, sorry about that .. this got stuck in mailq somehow in 'locked'
EHLO state .. never seen that before in many years; had to kill and
resend it from sent-mail as a fwd, losing 'Refer
<<< No Message Collected >>>
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
On Mon, 1 Aug 2016 18:47:37 +0300, Andrey V. Elsukov wrote:
> On 01.08.16 18:43, Ian Smith wrote:
> > Fast work Andrey, and sorry for rushing in. I ASSumed, after reading
> > the new tables section in 11.0-R ipfw(8), that Kevin had run into:
> >
> >Tables re
On Mon, 1 Aug 2016 16:39:45 +0300, Andrey V. Elsukov wrote:
> On 31.07.16 22:28, Kevin Oberman wrote:
> > I assumed that I had missed this in the release notes, but I can find no
> > reference to this significant change that simultaneously greatly enhanced
> > ipfw table functionality, but
On Sun, 31 Jul 2016 12:28:06 -0700, Kevin Oberman wrote:
> This morning I updated my min user system from 10.3-Stable to 11.0-BETA3.
> In general, things went well, but I had two issues that prevented the
> network from operating. The first is a lack of documentation in the Release
> Notes
On Sat, 30 Jul 2016 11:17:13 -0300, Dr. Rolf Jansen wrote:
> I finished the work on CIDR conformity of the IP ranges tables
> generated by the tool geoip. The main constraint is that the start
> and end address of an IP block given by the delegation files MUST BE
> PRESERVED during the
On Thu, 28 Jul 2016 23:21:01 -0300, Dr. Rolf Jansen wrote:
> On 27.07.2016 at 12:31, Julian Elischer wrote:
[..]
>> wow, wonderful!
>> with that tool, and ipfw tables we have a fully functional geo
>> blocking/munging solution in about 4 lines of shell script.
>
On Wed, 27 Jul 2016 10:03:01 +0800, Julian Elischer wrote:
> On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote:
> > > On 26.07.2016 at 13:23, Julian Elischer wrote:
> > > On 26/07/2016 1:41 AM, Dr. Rolf Jansen wrote:
> > > > Once a week, the IP ranges are compiled from
On Mon, 13 Jun 2016 23:18:24 +0800, Julian Elischer wrote:
> On 10/06/2016 5:11 AM, Lev Serebryakov wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> >
> > On 07.06.2016 00:53, Andrey V. Elsukov wrote:
> >
> > > looking at provided description and examples, seems the main
On Mon, 13 Jun 2016 22:59:19 +0800, Julian Elischer wrote:
> On 7/06/2016 10:31 PM, Ian Smith wrote:
> > On Tue, 7 Jun 2016 00:53:23 +0300, Andrey V. Elsukov wrote:
> > > On 06.06.16 22:41, Lev Serebryakov wrote:
> > > >
> > > > I still hop
On Tue, 7 Jun 2016 00:53:23 +0300, Andrey V. Elsukov wrote:
> On 06.06.16 22:41, Lev Serebryakov wrote:
> >
> > I still hope to see https://reviews.freebsd.org/D1776 committed before
> > 11-RELEASE.
> >
> > It seems to me, that I does everything what was requested by reviewers.
>
> Hi
On Mon, 14 Mar 2016 19:24:21 +0800, Bill Yuan wrote:
> On Monday, March 14, 2016, Ian Smith <smi...@nimnet.asn.au> wrote:
>
> > On Mon, 14 Mar 2016 07:39:36 +0800, Julian Elischer wrote:
> > > On 14/03/2016 7:37 AM, Julian Elischer wrote:
> > > > On 1
On Mon, 14 Mar 2016 07:39:36 +0800, Julian Elischer wrote:
> On 14/03/2016 7:37 AM, Julian Elischer wrote:
> > On 11/03/2016 8:46 PM, Kulamani Sethi wrote:
> > > Dear all,
> > >
> > > I am using ipfw3. When I am installing ipfw driver in windows-7
> > > machine the network goes down.
On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote:
> On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote:
> > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
> > > On 9 Mar, Don Lewis wrote:
> > > > On 9 Mar, Don Lewis wrote:
> > > >> On
On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
> On 9 Mar, Don Lewis wrote:
> > On 9 Mar, Don Lewis wrote:
> >> On 9 Mar, Don Lewis wrote:
> >>> On 9 Mar, Freddie Cash wrote:
>
> ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
> >>>
> >>> Aha, I've got
On Wed, 23 Dec 2015 10:08:05 +0800, bycn82 wrote:
> Cc: "freebsd-ipfw@freebsd.org" ,
> Ganbold Tsagaankhuu
> Subject: Re: layer2 ipfw fwd
>
> Interesting, that means in order to filter the layer2 traffic with layer3
> filters. it will unpack
On Mon, 30 Nov 2015 16:48:49 +0530, Kulamani Sethi wrote:
> Hi all,
>I am using ipfw3, can I block a URL by its domain name? When I am
> setting rules in IPFW by its domain name, it simply sets the rule by its
> corresponding IP.
> Here example how i set
>
> C:>ipfw add 1002 deny log ip
On Sun, 29 Nov 2015 12:03:21 +1100, Graham Menhennitt wrote:
> On 28/11/2015 20:47, Thomás S. Bregolin wrote:
> > Besides the redirect_port option, you still need rules allowing traffic
> > in to those ports. Excuse-me if you've done that already (I have no way
> > of knowing).
> >
> >
> >
On Wed, 18 Nov 2015 22:17:29 +0800, Julian Elischer wrote:
> On 11/18/15 8:40 AM, Nathan Aherne wrote:
> > For some reason hairpin (loopback nat or nat reflection) does not seem to
> > be working, which is why I chose IPFW in the first place.
> it would be good to see a diagram of what this
On Tue, 13 Oct 2015 13:50:04 +1000, Nathan Aherne wrote:
> Hi Ian,
>
> Thank you for your response.
>
> I didn't post my ruleset because I should be able to fix the issue
> myself but I see now that my request to explain "how NAT works" was
> incorrect.
>
> I have now included my
On Tue, 13 Oct 2015 12:33:52 +1000, Nathan Aherne wrote:
> I sent through a question to this list a little while ago and have
> been trying to get IPFW NAT working since then. I have had some
> success but not the success I need, everything is working correctly
> except NAT rules for my
On Tue, 15 Sep 2015 07:51:11 -0600 (MDT), Warren Block wrote:
> On Tue, 15 Sep 2015, Ian Smith wrote:
>
O. Hartmann wrote:
> > > But that is an other issue and it is most likely
> > > due to the outdated documentation (that doc still uses port 37 for NTP
>
On Thu, 13 Aug 2015 12:24:31 +0800, Julian Elischer wrote:
BTW, any ideas as to what causes this?
# ipfw show
[...]
00400 00 deny ip from 10.12.1.0/24 to any in recv
xn0
00500 0 16045693110842147038 deny ip from 204.109.63.0/25 to any in recv
xn1
00600
On Thu, 13 Aug 2015 16:30:15 +0200, Luigi Rizzo wrote:
On Thu, Aug 13, 2015 at 4:00 PM, Ian Smith smi...@nimnet.asn.au wrote:
On Thu, 13 Aug 2015 12:24:31 +0800, Julian Elischer wrote:
BTW, any ideas as to what causes this?
# ipfw show
[...]
00400 0
On Mon, 3 Aug 2015 17:38:18 +0800, Julian Elischer wrote:
my reading of the code I can see that 'ipfw delete 100-300' doesn't
work (well I know it doesn't work, but I had thought it was a bug),
Now I see that its just 'not supported'
It may be my imagination but (distant) past?
I was
On Fri, 31 Jul 2015 09:43:25 -0700, Michael Sierchio wrote:
On Jul 31, 2015 3:23 AM, Ian Smith smi...@nimnet.asn.au wrote:
firewall_enable=YES
firewall_type=OPEN # permit all, regardless of default_to_accept
dummynet_enable=YES
which would at least load those modules
Way back on Wed, 1 Jul 2015 22:02:53 +0300, Lev Serebryakov wrote:
On 30.06.2015 22:20, Georgios Amanakis via freebsd-ipfw wrote:
It is good example for my changes :) All this skipto / keep-state
magic is not understandable.
Indeed. So all we're waiting for, Lev, is some simple usage
On Sun, 19 Jul 2015 21:05:53 -0700, hiren panchasara wrote:
Bah.
So I removed ipfw and dummynet from kernconf and loaded them manually
after machine came up and it worked as expected.
In your previous post, you'd said you were using 11-current, and:
And GENERIC has:
options
On Sat, 6 Jun 2015 19:52:35 +0800, bycn82 wrote:
*Hello,*
*Can you please explain what is going on again,*
*Sorry I did not follow the emails, I am not checking the FB email for a
while, *
*I think I missed some emails.*
*e.g *
*what is the purpose of the *skip-immediate-action
Lev, a further thought.
I've seen melifaro's new comments, but can't comment on those except
that we are agreed on really needing some usage examples.
On Tue, 2 Jun 2015 22:39:40 +1000, Ian Smith wrote:
It would be nice if skip-immediate-action could be shortened, especially
where printed
On Mon, 1 Jun 2015 17:31:23 +0300, Lev Serebryakov wrote:
https://reviews.freebsd.org/D1776
It was discussed in this list some time ago, but looks like
everything stuck.
Any comments/objections?
This patch works on my router since first patch version without
problems and
On Sun, 24 May 2015 11:24:45 +0300, Alexander V. Chernikov wrote:
23.05.2015, 03:58, hiren panchasara hi...@strugglingcoder.info:
On 05/21/15 at 02:05P, hiren panchasara wrote:
On 05/21/15 at 12:42P, hiren panchasara wrote:
Getting back to this now to see if I can avoid ipfw on
On Thu, 16 Apr 2015 11:41:54 +0800, Julian Elischer wrote:
On 4/15/15 5:09 AM, hiren panchasara wrote:
Apologies if this is something silly but I want to completely eliminate
ipfw from outgoing traffic perspective. I just want to have it on
incoming. I can always add allow ip from any
On Wed, 4 Feb 2015 19:121:46 +, Julian Elischer wrote:
On 2/4/15 5:22 PM, Lev Serebryakov wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 04.02.2015 08:13, Julian Elischer wrote:
yes I think keep-state should be deprecated and replaced or
supplemented by
On Thu, 5 Feb 2015 02:14:41 +0300, Lev Serebryakov wrote:
On 05.02.2015 01:16, Lev Serebryakov wrote:
I have such rules in my firewall:
nat 9 config redirect_port tcp 192.168.134.2:16881 16881
redirect_port udp 192.158.134.2:16881 16881 redirect_port tcp
192.168.134.2:22 2
On Tue, 3 Feb 2015 13:23:38 +0300, Lev Serebryakov wrote:
On 03.02.2015 13:04, Ian Smith wrote:
Now to make stateful firewall with NAT you need to make some not
very readable tricks to record state (allow) of outbound
connection before NAT, but pass packet to NAT after that. I know
On Mon, 2 Feb 2015 22:17:25 +0300, Lev Serebryakov wrote:
Now to make stateful firewall with NAT you need to make some not very
readable tricks to record state (allow) of outbound connection
before NAT, but pass packet to NAT after that. I know two:
(a) skipto-nat-allow pattern from
On Fri, 31 Oct 2014 18:28:28 -0700, Freddie Cash wrote:
On Oct 31, 2014 12:12 PM, John-Mark Gurney j...@funkthat.com wrote:
Can any one think of a good reason not to enable IPDIVERT sockets in
the ipfw module?
Yes, two. Nowadays people are just as or perhaps more likely to use
On Sun, 12 Oct 2014 05:02:11 +0900, Hiroki Sato wrote:
Ian Smith smi...@nimnet.asn.au wrote
in 20141003025830.d48...@sola.nimnet.asn.au:
sm which rules will be flushed when /etc/rc.d/ipfw runs, but should enable
sm DHCP to work? I'm not sure whether those rules are exactly correct
On Wed, 1 Oct 2014 15:54:57 +1000, Ian Smith wrote:
On Tue, 30 Sep 2014 18:54:29 -0400, Jack Barber wrote:
On 09/30/2014 01:29 AM, Ian Smith wrote:
On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote:
We are having trouble getting ipfw to work over a bridged interface
On Thu, 2 Oct 2014 16:39:13 +0900, Hiroki Sato wrote:
Julian Elischer jul...@freebsd.org wrote
in 542155fb.9020...@freebsd.org:
ju On 9/23/14, 2:01 AM, Andrey V. Elsukov wrote:
ju On 21.09.2014 09:58, Hiroki Sato wrote:
ju Hi,
ju
ju I would like your comments about the
On Tue, 30 Sep 2014 18:54:29 -0400, Jack Barber wrote:
On 09/30/2014 01:29 AM, Ian Smith wrote:
On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote:
We are having trouble getting ipfw to work over a bridged interface.
for example:
machine 1 - Bridged interface
On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote:
We are having trouble getting ipfw to work over a bridged interface.
for example:
machine 1 - Bridged interface FreeBSD 10 - machine 2.
machine 1 - 192.168.20.20
machine 2 - 192.168.20.25
now I set something like this
On Sun, 21 Sep 2014 14:58:12 +0900, Hiroki Sato wrote:
Hi,
I would like your comments about the attached patch to /etc/rc.
The problem I want to fix by this patch is as follows.
net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW
kernel module is loaded or
On Sun, 14 Sep 2014 12:36:43 +0200, Willem Jan Withagen wrote:
On 13-9-2014 21:51, Freddie Cash wrote:
You can replicate it using 3 rules, loaded into two sets:
ipfw set disable 1
ipfw add allow ip from any to any
ipfw add 65524 allow ip from any to any
ipfw add allow ip from
On Sun, 11 May 2014 21:44:26 -0700, Chris H wrote:
[Ronald F. Guilmette wrote:]
In my /etc/rc.conf file, I have the following (among other things):
firewall_enable=YES
firewall_type=/etc/fw.rules
firewall_logging=YES
And of course, on my system, the /etc/fw.rules file is full
On Mon, 10 Mar 2014 20:53:39 -0700, Julian Elischer wrote:
It has annoyed me for some time that icmp packets referring to an ongoing
session can not be matched by a dynamic rule that governs that session.
For example, if you have a dynamic rule for tcp 1.2.3.4 port
80 from 5.6.7.8 port
The following reply was made to PR kern/177948; it has been noted by GNATS.
From: Ian Smith smi...@nimnet.asn.au
To: bug-follo...@freebsd.org, j...@oxit.fi
Cc:
Subject: Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for
udp
Date: Tue, 18 Feb 2014 02:43:21 +1100
Having been
On Sun, 24 Nov 2013 23:56:14 +0400, Alexander V. Chernikov wrote:
On 24.11.2013 19:43, Özkan KIRIK wrote:
Hi,
I tested patch. This patch solves, ipfw table 1 add 4899
Ok. So I'll commit this fix soon.
But, ipfw table 1 add 10.2.3.01 works incorrectly.
output is below.
#
On Thu, 31 Oct 2013 13:10:42 -0700, Casey Scott wrote:
Hello,
My NAT and ipfw ruleset follow almost exactly what is given at
http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
Almost, but perhaps not quite near enough. Firstly, I'd normally advise
largely ignoring the handbook
On Sat, 6 Jul 2013 18:37:55 +0700, Eugene Grosbein wrote:
On 06.07.2013 14:47, Sami Halabi wrote:
Hi,
Any hope?
Have you used intermediate ipfw count log rules between ipfw nat rules
I recommended? If yes, why have not you show that logs yet?
Include tcpdump output from external
The following reply was made to PR kern/176503; it has been noted by GNATS.
From: Ian Smith smi...@nimnet.asn.au
To: bug-follo...@freebsd.org, free...@heron.pl
Cc:
Subject: Re: kern/176503: [ipfw] ipfw layer2 problem
Date: Wed, 19 Jun 2013 01:34:58 +1000
net.link.ether.ipfw=1
1000
The following reply was made to PR kern/178482; it has been noted by GNATS.
From: Ian Smith smi...@nimnet.asn.au
To: bug-follo...@freebsd.org, fb...@a1poweruser.com
Cc:
Subject: Re: kern/178482: [ipfw] logging problem from vnet jail
Date: Wed, 22 May 2013 23:44:40 +1000
9.1-RELEASE kernel
The following reply was made to PR kern/177948; it has been noted by GNATS.
From: Ian Smith smi...@nimnet.asn.au
To: Jukka Ukkonen j...@oxit.fi
Cc: bug-follo...@freebsd.org
Subject: Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for
udp
Date: Sun, 21 Apr 2013 22:21:06 +1000 (EST
The following reply was made to PR kern/177948; it has been noted by GNATS.
From: Ian Smith smi...@nimnet.asn.au
To: bug-follo...@freebsd.org, j...@oxit.fi
Cc:
Subject: Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for
udp
Date: Sun, 21 Apr 2013 12:17:12 +1000
I can't
On Tue, 16 Apr 2013 20:52:05 +0200, Spil Oss wrote:
Hi all,
If I disable checksum offloading on the NIC I do the tcpdump on, then I
assume that the checksum-check will provide accurate results?
It certainly should.
With checksum disabled, I see that the checksum is incorrect when the
On Sat, 13 Apr 2013 15:34:39 +0200, Spil Oss wrote:
Hi All,
I can't use ipfw with natd with my ASIX AX88772B USB NIC
ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset)
I see you omitted the 2 anti-spoofing rules for 172.16.0.0/12 either
side of the divert rule, as you
The following reply was made to PR kern/174749; it has been noted by GNATS.
From: Ian Smith smi...@nimnet.asn.au
To: bug-follo...@freebsd.org, radek.kre...@starnet.cz
Cc:
Subject: Re: kern/174749: Unexpected change of default route
Date: Mon, 11 Feb 2013 23:50:56 +1100
It seems clear
On Thu, 7 Feb 2013 12:50:51 +, Eggert, Lars wrote:
Hi,
On Feb 7, 2013, at 13:40, Ian Smith smi...@nimnet.asn.au wrote:
On Thu, 7 Feb 2013 08:08:59 +, Eggert, Lars wrote:
On Jan 31, 2013, at 16:03, Matthew Luckie m...@luckie.org.nz wrote:
00510 allow ip from me to not me
On Thu, 7 Feb 2013 08:08:59 +, Eggert, Lars wrote:
On Jan 31, 2013, at 16:03, Matthew Luckie m...@luckie.org.nz wrote:
00510 allow ip from me to not me out via em1
00550 divert 8668 ip from any to any via em1
Rule 510 fixes it.
Yep, it does. Can I ask someone to commit
The following reply was made to PR kern/165939; it has been noted by GNATS.
From: Ian Smith smi...@nimnet.asn.au
To: bug-follo...@freebsd.org, h...@sendmail.cz
Cc:
Subject: Re: kern/165939: [ipw] bug: incomplete firewall rules loaded if tables
are used in ipfw.conf
Date: Tue, 30 Oct 2012 00:17
On Fri, 19 Oct 2012 15:25:24 +0400, Andrey V. Elsukov wrote:
Hi All,
Many years ago i have already proposed this feature, but at that time
several people were against, because as they said, it could affect
performance. Now, when we have high speed network adapters, SMP kernel
and
if I can prevent it. :)
Fair question Soren. I've configured no VLANs; out of my depth, again!
cheers, Ian
On Fri, Sep 14, 2012 at 12:00 AM, Ian Smith smi...@nimnet.asn.au wrote:
On Thu, 13 Sep 2012 12:37:23 -0500, Soren Dreijer wrote:
[Luigi Rizzo wrote:]
i'd start
On Thu, 13 Sep 2012 0:48:01 -0500, Soren Dreijer wrote:
Definitely. Since this is a server in production, I've obfuscated some
of the IPs, etc.
First off, here's the ifconfig. Our setup consists of a private (ix0)
and a public nic (ix1) and an ip tunnel (gif0), which is what we use
in
On Thu, 13 Sep 2012 12:37:23 -0500, Soren Dreijer wrote:
[Luigi Rizzo wrote:]
i'd start by disabling all accelerations (and jumbograms)
and then move on from the results to figure out where is the problem.
So, I went ahead and disabled TSO on ix0. That seemed to fix the
On Sat, 14 Jul 2012, cr...@freebsd.org wrote:
http://www.freebsd.org/cgi/query-pr.cgi?pr=165939
Description
If user has tables used in /etc/ipfw.conf for example:
table 1 add 64.6.108.239
then firewall restart:
/etc/rc.d/ipfw start
fails with:
Line 8:
On Sat, 14 Jul 2012 18:59:54 +0100, Chris Rees wrote:
On 14 Jul 2012 18:49, Ian Smith smi...@nimnet.asn.au wrote:
On Sat, 14 Jul 2012, cr...@freebsd.org wrote:
http://www.freebsd.org/cgi/query-pr.cgi?pr=165939
[..]
Yes, to such a ruleset you'd need to add 'table all flush' too
On Sat, 28 Apr 2012 23:18:00 +0900 (JST), Hiroki Sato wrote:
A revised patch is attached. The lock around log_if should be fixed
and ipfw(8) manual page is updated. Also, an rc.conf(5) variable
$firewall_logif is added to create ipfw0 interface at boot time (NO
by default).
On Sat, 24 Mar 2012, Da Rock wrote:
On 03/18/12 02:31, Julian Elischer wrote:
On 3/17/12 1:36 AM, Da Rock wrote:
On 03/14/12 17:09, Rémy Sanchez wrote:
On Saturday 10 March 2012 00:39:24 Da Rock wrote:
I'm relatively new to IPFW, not FBSD; the last time I used IPFW (I
On Fri, 10 Feb 2012 16:12:00 +, Bjoern A. Zeeb wrote:
On 10. Feb 2012, at 15:56 , Panagiotis Christias wrote:
On 10/2/2012 15:56, Alexander Leidinger wrote:
Hi,
during some big discussions in the last months on various lists, one of
the problems was that some people would
On Fri, 27 Jan 2012, Pavel Timofeev wrote:
Hi all!
I have a small correction for /etc/rc.firewall
My conf
[hostname]# grep firewall /etc/rc.conf
firewall_enable=YES
firewall_type=open
firewall_nat_enable=YES
firewall_nat_interface=re0
firewall_nat_flags=same_ports reset
On Sat, 7 Jan 2012, budsz wrote:
Hi folks,
I already found the mistake of my ruleset sequence on my box, for ex:
${fwcmd} add 30 fwd ${ipproxy},${portproxy} tcp from ${ipclproxy} to
any dst-port ${porthttp} in via ${ifint0}
${fwcmd} add 52 pipe 2 ip from any to ${ipclient} via
On Mon, 19 Dec 2011, alan yang wrote:
Hi Marcelo,
Thanks for the modip work!
I still haven't found any docs like the manpage patches or even a clear
description. I know such things seem obvious to the programmer :) but
a few examples really don't cut it for me, even with reference to
On Thu, 8 Dec 2011, Marcelo Araujo wrote:
2011/12/8 Ian Smith smi...@nimnet.asn.au
The PR you pointed to (kern/102471) includes some description, update to
ipfw(8) and some references. It doesn't mention any 'modip' action. I
can't guess what 'modip' is even supposed to mean
On Tue, 6 Dec 2011, alan yang wrote:
Hi Sergey,
I found from FreeBSD forum dated Aug. 2009 with the following:
vlad2005
Insufficient information to locate a forum post. URL, please?
...
Anyway, testing with improvement from patch, give desired result.
Code:
ipfw add 20 count
On Wed, 26 Oct 2011, Julian Elischer wrote:
On 10/26/11 2:39 PM, Michael Sierchio wrote:
On Wed, Oct 26, 2011 at 11:39 AM, Julian Elischer jul...@freebsd.org
wrote:
read up on all the things you can do with tablearg.. sometimes a single
table can replace dozens of rules.
On Wed, 3 Aug 2011, Zeus V Panchenko wrote:
[..]
I can't comment on your ipsec setup at all, but:
cat /etc/ipfw.conf
...
add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
add 000402 allow udp from y.y.y.y to x.x.x.x isakmp
add 000403 allow { esp or ipencap } from x.x.x.x to
On Mon, 13 Jun 2011, lini...@freebsd.org wrote:
http://www.freebsd.org/cgi/query-pr.cgi?pr=157796
Ozkan,
I'm not replying to your PR directly as this is purely speculative; I
have no idea about your default route changing. However your ruleset
raises a couple of possible issues:
When a
On Mon, 28 Mar 2011, Marcin Wisnicki wrote:
On Mon, 28 Mar 2011 17:51:06 +1100, Ian Smith wrote:
On Mon, 28 Mar 2011, Luigi Rizzo wrote:
On Mon, Mar 28, 2011 at 06:14:20AM +, lini...@freebsd.org wrote:
Old Synopsis: Ipfw stops to check bags for compliance
On Mon, 28 Mar 2011, Luigi Rizzo wrote:
On Mon, Mar 28, 2011 at 06:14:20AM +, lini...@freebsd.org wrote:
Old Synopsis: Ipfw stops to check bags for compliance with the rules,
letting everything Rules
New Synopsis: [ipfw] ipfw stops to check bags for compliance with the
rules,
On Sun, 16 Jan 2011, Ian Smith wrote:
On Sun, 16 Jan 2011, Hiroki Sato wrote:
Ian Smith smi...@nimnet.asn.au wrote
in 20110108220300.q15...@sola.nimnet.asn.au:
sm On Sat, 8 Jan 2011 15:02:29 +1100, Ian Smith wrote:
sm On Fri, 7 Jan 2011, Brandon Gooch wrote:
sm
On Sun, 16 Jan 2011, Hiroki Sato wrote:
Ian Smith smi...@nimnet.asn.au wrote
in 20110108220300.q15...@sola.nimnet.asn.au:
sm On Sat, 8 Jan 2011 15:02:29 +1100, Ian Smith wrote:
sm On Fri, 7 Jan 2011, Brandon Gooch wrote:
sm On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith smi
On Fri, 7 Jan 2011, Brandon Gooch wrote:
On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith smi...@nimnet.asn.au wrote:
Folks,
[ If someone implements an /etc/rc.d/ipfw reload command that reliably
works over a remote session without any open firewall window, great, but
I'd rather