--On 29 July 2013 17:04 +0300 Konstantin Belousov
wrote:
kenv net.inet.ip.fw.default_to_accept=1
should have the same effect after the usermode is booted. Kenv must
be set before the module is loaded.
Great - thanks! - I'll give that a go in the test environment,
Thanks,
-Karl
On Mon, Jul 29, 2013 at 12:27:40PM +0100, Karl Pielorz wrote:
>
>
> --On 29 July 2013 13:02 +0200 Stefan Esser wrote:
>
> > I guess you were looking for:
> >
> > net.inet.ip.fw.default_to_accept="1"
> >
> > which is a tunable to be set in /boot/loader.conf ...
>
> Very probably - but that'
--On 29 July 2013 12:30 +0100 Simon Dick wrote:
My normal way is to run the kldload in screen and manually run an allow
all right afterwards
e.g.
kldload ipfw && ipfw ... :)
Yeah, that would probably work - I'm more concerned what impact it would
have on the CARP interfac
ces)?
>
>
My normal way is to run the kldload in screen and manually run an allow all
right afterwards
e.g.
kldload ipfw && ipfw ... :)
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
--On 29 July 2013 13:02 +0200 Stefan Esser wrote:
I guess you were looking for:
net.inet.ip.fw.default_to_accept="1"
which is a tunable to be set in /boot/loader.conf ...
Very probably - but that's at boot time :( - Is there nothing I can do at
kldload time to have the initial kl
On 29.07.2013 12:45, Karl Pielorz wrote:
> I've got a number of 9.1 boxes, where we need to enable ipfw (by
> kldload'ing it).
>
> I'm sure I saw a while ago a sysctl that would change the default ipfw
> config from 'deny all' to 'allow all' -
Hi,
I've got a number of 9.1 boxes, where we need to enable ipfw (by
kldload'ing it).
I'm sure I saw a while ago a sysctl that would change the default ipfw
config from 'deny all' to 'allow all' - even for a kldload? But I can't
find it now.
The b
when building the list. You compute
> > > the length under rlock, release the lock, malloc(), then fill the
> > > list without checking if the total size is still correct.
> > > This kind of code is terribly boring to write, but essentially
> > > you n
ect.
> > This kind of code is terribly boring to write, but essentially
> > you need a bound check in the second loop and possibly
> > retry if you notice that you need more memory.
> > "ipfw show" addresses the problem by failing and requesting the
>
On Mon, Jun 10, 2013 at 5:01 PM, Luigi Rizzo wrote:
>
>
>
> On Mon, Jun 10, 2013 at 3:30 PM, Ermal Luçi wrote:
>
>> Hello,
>>
>> reviving this old thread since I had time to bring the patch to FreeBSD 10
>> and unified the whole controlling under ipfw(8
On Mon, Jun 10, 2013 at 3:30 PM, Ermal Luçi wrote:
> Hello,
>
> reviving this old thread since I had time to bring the patch to FreeBSD 10
> and unified the whole controlling under ipfw(8) binary.
>
> For reminder, the patch located at [1] provides multiple instances for
>
Hello,
reviving this old thread since I had time to bring the patch to FreeBSD 10
and unified the whole controlling under ipfw(8) binary.
For reminder, the patch located at [1] provides multiple instances for
ipfw(4).
Basically you can control which interfaces belong to which context/ruleset
to
> L> able to hook ipfw instances to specific interfaces/sets of
interfaces,
E> > L> as it permits the writing of more readable rulesets. Right now the
E> > L> workaround is start the ruleset with skipto rules matching on
E> > L> interface names, and th
On Wed, Feb 08, 2012 at 03:04:09PM +0100, Ermal Luçi wrote:
E> 2012/2/8 Gleb Smirnoff :
E> > On Tue, Jan 31, 2012 at 12:02:04PM +0100, Luigi Rizzo wrote:
E> > L> if i understand what the patch does, i think it makes sense to be
E> > L> able to hook ipfw instances to
2012/2/8 Gleb Smirnoff :
> On Tue, Jan 31, 2012 at 12:02:04PM +0100, Luigi Rizzo wrote:
> L> if i understand what the patch does, i think it makes sense to be
> L> able to hook ipfw instances to specific interfaces/sets of interfaces,
> L> as it permits the writing of more rea
On Tue, Jan 31, 2012 at 12:02:04PM +0100, Luigi Rizzo wrote:
L> if i understand what the patch does, i think it makes sense to be
L> able to hook ipfw instances to specific interfaces/sets of interfaces,
L> as it permits the writing of more readable rulesets. Right now the
L> workaro
On 2/4/12 9:05 AM, Poul-Henning Kamp wrote:
Natd(8) knows how to deal with multiple NAT instances for different
interfaces, which is useful when you have multiple ISPs.
The problem with it, is that it becomes incredibly hairy to configure
your IPFW rules, in particular if you have other policy
Natd(8) knows how to deal with multiple NAT instances for different
interfaces, which is useful when you have multiple ISPs.
The problem with it, is that it becomes incredibly hairy to configure
your IPFW rules, in particular if you have other policy to implement
too.
I spent some quality time
On Tue, Jan 31, 2012 at 12:02 PM, Luigi Rizzo wrote:
> On Mon, Jan 30, 2012 at 01:01:13PM +0100, Ermal Luçi wrote:
>> Hello,
>>
>> from needs on pfSense a patch for allowing multiple instances of
>> ipfw(4) in kernel to co-exist was developed.
>> It can be fou
Hi Ermal Luçi!
On Tue, 31 Jan 2012 09:53:30 +0100; Ermal Luçi wrote about 'Re: [PATCH]
multiple instances of ipfw(4)':
>>> It is used in conjunction with this tool
>>> https://raw.github.com/bsdperimeter/pfsense-tools/master/pfPorts/ipfw_context/files/ipfw_context
On Mon, Jan 30, 2012 at 01:01:13PM +0100, Ermal Luçi wrote:
> Hello,
>
> from needs on pfSense a patch for allowing multiple instances of
> ipfw(4) in kernel to co-exist was developed.
> It can be found here
> https://raw.github.com/bsdperimeter/pfsense-tools/master/
On 1/31/12 12:53 AM, Ermal Luçi wrote:
On Mon, Jan 30, 2012 at 10:08 PM, Vadim Goncharov
wrote:
Hi Ermal Luçi!
On Mon, 30 Jan 2012 13:01:13 +0100; Ermal Luçi wrote about '[PATCH] multiple
instances of ipfw(4)':
from needs on pfSense a patch for allowing multiple instances of
On Mon, Jan 30, 2012 at 10:08 PM, Vadim Goncharov
wrote:
> Hi Ermal Luçi!
>
> On Mon, 30 Jan 2012 13:01:13 +0100; Ermal Luçi wrote about '[PATCH] multiple
> instances of ipfw(4)':
>
>> from needs on pfSense a patch for allowing multiple instances of
>> ipfw(4
On 1/30/12 4:01 AM, Ermal Luçi wrote:
Hello,
from needs on pfSense a patch for allowing multiple instances of
ipfw(4) in kernel to co-exist was developed.
It can be found here
https://raw.github.com/bsdperimeter/pfsense-tools/master/patches/RELENG_9_0/CP_multi_instance_ipfw.diff
It is used in
>> feature, needed or not!
>> If interest is shown I will transform the patch to allow:
>> - ipfw(8) to manage the contexts create/destroy
>> - ipfw(8) to manage interface membership. Closing the race of two
>> parallel clients modifying different contexts.
>
Hello,
from needs on pfSense a patch for allowing multiple instances of
ipfw(4) in kernel to co-exist was developed.
It can be found here
https://raw.github.com/bsdperimeter/pfsense-tools/master/patches/RELENG_9_0/CP_multi_instance_ipfw.diff
It is used in conjunction with this tool
https
On Thu, 14 May 2009 15:33:27 +0400
Олег Петрачёв mentioned:
> Hello!
>
> I am using FreeBSD 7.2-RELEASE.
>
> I am trying to restrict connections to local smtp daemon to limited
> number of users. But when I create rules for ipf
Hello!
I am using FreeBSD 7.2-RELEASE.
I am trying to restrict connections to local smtp daemon to limited
number of users. But when I create rules for ipfw with uid pattern, I
don't get the desired result: all connections on 25 port are blocked and
it is impossible to allow it for a
Hello,
my name is Marta Carbone, I am at the first year of my PhD program in
Information Engineering at the University of Pisa.
As part of the Google SoC I will work on FreeBSD ipfw and dummynet.
My mentor is Luigi Rizzo. The main goal of the project is to revise
and improve the ipfw and
Thanks a lot!
That was really very helpful!!!
On Wed, Jan 14, 2009 at 1:42 PM, Max Laier wrote:
> On Wednesday 14 January 2009 18:32:07 Biks N wrote:
>> Hi,
>>
>> Can anyone please help me understand how the IPFW firewall is
>> implemented in the kernel.
>>
>
On Wednesday 14 January 2009 18:32:07 Biks N wrote:
> Hi,
>
> Can anyone please help me understand how the IPFW firewall is
> implemented in the kernel.
>
> I have created new ACTIONS in ipfw. I have already implemented in the
> userland.
>
> Now i need to check the IP
Hi,
Can anyone please help me understand how the IPFW firewall is
implemented in the kernel.
I have created new ACTIONS in ipfw. I have already implemented in the userland.
Now I need to check the IPFW rule list (in ip_input.c and in
ip_output.c) and call a custom routine if there is a match to
On Tue, 9 Sep 2008, Daan Vreeken wrote:
Which is to say, they don't include the UID -- and I have several hundred
sites, each with its own UID.
Yes, I could go ahead and set up a thousand "deny" rules, one for each
UID -- but being able to log this info (since it IS being checked) would
be g
Dan Mahoney, System Admin said:
> > > >> I have the following rule set up in ipfw to limit the exposure
> > > >> of bad php scripts and trojans that try to send mail directly.
> > > >>
> > > >> allow tcp from any to any dst-port 25 uid roo
In the last episode (Sep 09), Daan Vreeken said:
> On Monday 08 September 2008 22:03:29 Dan Mahoney, System Admin wrote:
> > On Mon, 8 Sep 2008, Dan Nelson wrote:
> > > In the last episode (Sep 08), Dan Mahoney, System Admin said:
> > >> I have the following ru
Hi Dan, Dan and the list,
On Monday 08 September 2008 22:03:29 Dan Mahoney, System Admin wrote:
> On Mon, 8 Sep 2008, Dan Nelson wrote:
> > In the last episode (Sep 08), Dan Mahoney, System Admin said:
> >> I have the following rule set up in ipfw to limit the exposure of bad
On Mon, Sep 08, 2008 at 04:03:29PM -0400, Dan Mahoney, System Admin wrote:
> On Mon, 8 Sep 2008, Dan Nelson wrote:
>
>> In the last episode (Sep 08), Dan Mahoney, System Admin said:
>>> I have the following rule set up in ipfw to limit the exposure of bad
>>> php s
On Mon, 8 Sep 2008, Dan Nelson wrote:
In the last episode (Sep 08), Dan Mahoney, System Admin said:
I have the following rule set up in ipfw to limit the exposure of bad
php scripts and trojans that try to send mail directly.
allow tcp from any to any dst-port 25 uid root
deny log tcp from
In the last episode (Sep 08), Dan Mahoney, System Admin said:
> I have the following rule set up in ipfw to limit the exposure of bad
> php scripts and trojans that try to send mail directly.
>
> allow tcp from any to any dst-port 25 uid root
> deny log tcp from any to any
Hey all,
I have the following rule set up in ipfw to limit the exposure of bad php
scripts and trojans that try to send mail directly.
allow tcp from any to any dst-port 25 uid root
deny log tcp from any to any dst-port 25 out
However, the log messages I get look like this:
Sep 8 13:21:11
Robert Watson wrote:
On Tue, 25 Mar 2008, Sepherosa Ziehau wrote:
On Tue, Mar 25, 2008 at 1:53 AM, Julian Elischer <[EMAIL PROTECTED]>
wrote:
3/ possibly keeping per CPU stats..
This probably is the trickiest part, not difficult for non-fastforward
case. But if fastforward is enabled, I
On Wed, 26 Mar 2008, Julian Elischer wrote:
it wouldn't.. you'd add them together before presenting them. but every time
a packet changes a counter that is shared, there is a chance that it is
being altered by another processor, so if you have fine grained locking in
ipfw, you rea
Hi Julian Elischer!
On Wed, 26 Mar 2008 10:31:12 -0700; Julian Elischer wrote about 'Re: [HEADS
UP!] IPFW Ideas: possible SoC 2008 candidate':
>>> here are some of my ideas for ipfw changes:
>>
>>> 1/ redo locking so that packets do not have to get loc
Vadim Goncharov wrote:
Hi Julian Elischer!
On Mon, 24 Mar 2008 10:53:44 -0700; Julian Elischer wrote about 'Re: [HEADS
UP!] IPFW Ideas: possible SoC 2008 candidate':
here are some of my ideas for ipfw changes:
1/ redo locking so that packets do not have to get locks on the
stru
free to re-work the patch. Just like the really the most
important thing is the *modip*, I'm happy that you work within this idea.
I'd like to see *modip* committed.
I continue to my research and if I've some time to work with ipfw or
another mechanism that have some relation wi
Hi Julian Elischer!
On Mon, 24 Mar 2008 10:53:44 -0700; Julian Elischer wrote about 'Re: [HEADS
UP!] IPFW Ideas: possible SoC 2008 candidate':
> here are some of my ideas for ipfw changes:
> 1/ redo locking so that packets do not have to get locks on the
> structure... I
Hi Marcelo Araujo!
On Mon, 24 Mar 2008 08:53:26 -0300; Marcelo Araujo wrote about 'Re: [HEADS UP!]
IPFW Ideas: possible SoC 2008 candidate':
>> 2.5. Just to mention: modip, counter limits, fragments.
>>
>> These patches are already currently discussed in ipfw@, but
On Tue, 25 Mar 2008, Sepherosa Ziehau wrote:
On Tue, Mar 25, 2008 at 1:53 AM, Julian Elischer <[EMAIL PROTECTED]> wrote:
3/ possibly keeping per CPU stats..
This probably is the trickiest part, not difficult for non-fastforward case.
But if fastforward is enabled, I could only imagine full
On Tue, Mar 25, 2008 at 1:53 AM, Julian Elischer <[EMAIL PROTECTED]> wrote:
> 3/ possibly keeping per CPU stats..
This probably is the trickiest part, not difficult for non-fastforward
case. But if fastforward is enabled, I could only imagine full
cross-cpu states duplication.
Best Regards,
seph
here are some of my ideas for ipfw changes:
1/ redo locking so that packets do not have to get locks on the
structure... I have several ideas on this
2/ allow separate firewalls to be used at different parts of the
network stack (i.e allow multiple tables to co-exist)
3/ possibly keeping
Vadim Goncharov wrote:
>
> 2.5. Just to mention: modip, counter limits, fragments.
>
> These patches are already currently discussed in ipfw@, but included
> here just to not forget. These are "modip" action, allowing to modify IP
> header (DSCP, ToS, TTL) and correspon
Hi!
[Sorry if it is too late for SoC, but I was unexpectedly busy last 3 days
and couldn't finish this text earlier.]
This is a proposal for ipfw improving ideas and architectural changes.
Some of them are independent of each other and could be implemented
without ABI breaking in STABLE
, allowing only 1024
192Kbit/s clients. Additional clients were simply blocked. I am using
a very simple firewall config:
ipfw pipe 1 config bw 192Kbits/s mask all
ipfw add 00051 skipto 99 ip from 192.168.0.0/16 to 192.168.0.0/16
ipfw add 00052 skipto 1000 ip from any to any
ipfw add 00100 pipe 1
[EMAIL PROTECTED] wrote:
Now I have tried the likes of "ipfw add divert natd all from
10.150.200.35 to 196.25.211.150 via tun0"
And that does not work. I've tried many examples. And cannot come right
That is fine, but you need to make sure the packets for both directio
On Wed, May 10, 2006 at 02:26:45PM +0200, [EMAIL PROTECTED] wrote:
>I am still having huge troubles with using natd with the "divert natd"
> in ipfw.
>I can only nat all my traffic or none.
>What I would like to do is simply nat according to box or service
I am still having huge troubles with using natd with the "divert natd"
in ipfw.
I can only nat all my traffic or none.
What I would like to do is simply nat according to box or service for
a particular box.
This is a example of what works for natting all traffic
On 5/6/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
I can't seem to get something working and would really appreciate some
help.
I use IPFW and have used NAT in the past through the ipfw "divert"
rules.
But what i need to get right is simply nat for a
I can't seem to get something working and would really appreciate some
help.
I use IPFW and have used NAT in the past through the ipfw "divert"
rules.
But what I need to get right is simply nat for a particular host
internally to a external mail server.
Now i
Hi,
as a continuation of my Summer of Code project "Improve libalias"
I just decided to release a new version with:
1) dynamic address support via interface name
(ipfw nat 111 config if tun0)
2) redirect and LSNAT support in ipfw following closely the natd syntax.
The only
> it works well with datapipe, however I don't want to set up dozens of
> datapipes :)
>
> natd is enabled, do i need it? or ipfw divert?
> i have the following related in kernel conf:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
>
"OxY" <[EMAIL PROTECTED]> wrote:
> how can I make it to redirect packages from x.x.x.x/32 port 223 to
> another public ip on
> the internet?
> if I use this:
> rdr em0 x.x.x.x/32 port 223 -> public.ip.on.the.internet port 80 tcp
> it hangs for a while, then operation timeout...
> thanks!
If publi
hi!
after I can't get it work with ipfw I tried ipnat..
I am satisfied, it's much more easier..
now, I can redirect packages from my public ip to localhost...
for example:
rdr em0 x.x.x.x/32 port 223 -> 127.0.0.1 port 2233 tcp
how can I make it to redirect packages from x.x.x.x/3
dozens of
datapipes :)
natd is enabled, do I need it? or ipfw divert?
I have the following related in kernel conf:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FO
whatever I give to ipfw rule after fwd it forwards me to my box: port
for example...
fwd 10.254.64.10,22 tcp from any to 195.70.x.x
it is forwarding me to 195.70.x.x port 22
what's wrong?
- Original Message -
From: "OxY" <[EMAIL PROTECTED]>
To: "Julian Elisch
yeah, it's 10.254.64.14 is the other machine in my vpn...
so not the machine, and 22 port is enabled,
I can use it by 'ssh 10.254.64.14 '
options IPFIREWALL_FORWARD is in my kernel
root# ipfw show 310
00310 4 204 fwd 10.254.64.10,2233 tcp from any to 195.70.x.x
OxY wrote:
hi!
I have two lame questions, one about ipfw port forwarding, and
an other about keyboard driver...
1, I have a box with public ip 195.70.x.x and openvpn 10.254.0.14 ip..
I'd like to accept connections on my public ip's y port and forward it
to my 10.254.64.14 port 22.
hi!
I have two lame questions, one about ipfw port forwarding, and
an other about keyboard driver...
1, I have a box with public ip 195.70.x.x and openvpn 10.254.0.14 ip..
I'd like to accept connections on my public ip's y port and forward it to my
10.254.64.14 port 22..
is thi
thanks, it works!
On Tue, Dec 13, 2005 at 06:27:43PM +0100, OxY wrote:
hi!
I have a probably dumb question, can't get through it..
I have some ips on my server (x.x.x.28 and x.x.x.204 is important)..
tried to forward packets from one ip to the other and ipfw doesn't do
anything.
i
On Tue, Dec 13, 2005 at 06:27:43PM +0100, OxY wrote:
> hi!
>
> I have a probably dumb question, can't get through it..
>
> I have some ips on my server (x.x.x.28 and x.x.x.204 is important)..
>
> tried to forward packets from one ip to the other and ipfw doesn'
both addresses are on the same box, just 2 public ips..
.28 is the jail, .204 is one of the hosts alias
- Original Message -
From: "Peter Jeremy" <[EMAIL PROTECTED]>
To: "OxY" <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, December 13, 2005 7:20 PM
Subject: Re:
system can be useful)
but there are two issues you may not have considered.
1) Have you considered what will happen to packets being returned from
the server on .28 to the client?
2) ipfw(8) states:
The fwd action does not change the contents of the packet at all.
In particular, the de
hi!
I have a probably dumb question, can't get through it..
I have some ips on my server (x.x.x.28 and x.x.x.204 is important)..
tried to forward packets from one ip to the other and ipfw doesn't do
anything.
I'd like to catch the packets on .204 port 80 and send them to on
At 08:38 PM 10/5/2005, Daniel Dias Gonçalves wrote:
I have the following rules:
$fwcmd add 600 pipe 602 src-ip 192.168.0.0/24 out
$fwcmd add 601 pipe 603 dst-ip 192.168.0.0/24 in
$fwcmd pipe 602 config mask src-ip 0x00ff bw 128Kbit/s queue 10KBytes
$fwcmd pipe 603 config mask dst-ip 0x00
From: "Daniel Dias Gonçalves" <[EMAIL PROTECTED]>
I have the following rules:
$fwcmd add 600 pipe 602 src-ip 192.168.0.0/24 out
$fwcmd add 601 pipe 603 dst-ip 192.168.0.0/24 in
$fwcmd pipe 602 config mask src-ip 0x00ff bw 128Kbit/s queue
10KBytes
$fwcmd pipe 603 config mask dst-ip 0x00
128Kbit/s queue 10KBytes
And my test speed from ip 192.168.0.5 is:
Down 123.66kbps
Up 766.24kbps
What's the output of
% ipfw show 600 601
Regards,
# ipfw show 600 601
00600 2 210 pipe 602 ip from any to any src-ip 192.168.0.0/24 out
00601 26 9301 pipe 603 ip from a
bw 128Kbit/s queue 10KBytes
>
> And my test speed from ip 192.168.0.5 is:
> Down 123.66kbps
> Up 766.24kbps
What's the output of
% ipfw show 600 601
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
I have the following rules:
$fwcmd add 600 pipe 602 src-ip 192.168.0.0/24 out
$fwcmd add 601 pipe 603 dst-ip 192.168.0.0/24 in
$fwcmd pipe 602 config mask src-ip 0x00ff bw 128Kbit/s queue 10KBytes
$fwcmd pipe 603 config mask dst-ip 0x00ff bw 128Kbit/s queue 10KBytes
And my test speed fr
I have the following rules:
$fwcmd add 600 pipe 602 src-ip 192.168.0.0/24 out
$fwcmd add 601 pipe 603 dst-ip 192.168.0.0/24 in
$fwcmd pipe 602 config mask src-ip 0x00ff bw 128Kbit/s queue 10KBytes
$fwcmd pipe 603 config mask dst-ip 0x00ff bw 128Kbit/s queue 10KBytes
And my test speed fr
Andrey V. Elsukov wrote:
I want a nonprivileged access to ipfw (without sudo, suid and etc..).
But RAW sockets restrict this. I have an one idea - a pseudo device
/dev/ipfw. I think that realisation of this feature is not
difficult task. Now i have some questions.
Thanks for more answers :)
I
Hi All!
I want a nonprivileged access to ipfw (without sudo, suid and etc..).
But RAW sockets restrict this. I have an one idea - a pseudo device
/dev/ipfw. I think that realisation of this feature is not
difficult task. Now i have some questions.
1. I think correctly about following?
* adding
Nice work!
Is possible to implement a "port address forwarding" (aka PAT) using some
ipfw rules? (or with any other way)
Something similar to "-redirect_port" option of natd(8).
TIA,
Chris.
Paolo Pisati wrote:
On Thu, Sep 22, 2005 at 08:41:16AM +, Nate Nielsen wr
On Thu, Sep 22, 2005 at 08:41:16AM +, Nate Nielsen wrote:
> No. I think each instance of natd (at least last time I looked at it)
> could only use one IP address as it's public address.
FYI you can use nat inside ipfw[*]:
ipfw nat 1 config ip 192.168.0.123
ipfw nat 2 config ip 19
Nate Nielsen (nielsen-list) writes:
> No. I think each instance of natd (at least last time I looked at it)
> could only use one IP address as it's public address.
One could use probability rules to divert to different natds with
different NAT addresses, and use choparp / aliases t
No. I think each instance of natd (at least last time I looked at it)
could only use one IP address as it's public address.
Cheers,
Nate
Daniel Dias Gonçalves wrote:
> Exists the possibility to make NAT POOL with IPFW + NATD ?
>
Exists the possibility to make NAT POOL with IPFW + NATD ?
-- daniel
't seem to choke on the extra
frames.
I'd personally just be happy if ipfw was smart enough to know that if I
was using ip-type rules on something that's not ip...that it would
handle the demuxing automagically.
i.e. ipfw add 100 deny ip from any to 192.168.1.1 mac-type vlan via em1
urse it would be nice to rearrange the code to
reduce duplication).
By doing this you can do something like
ipfw add skipto 1000 vlan-decap 1-50
and then process vlans 1 to 50 at line 1000.
Maybe it is a good idea to split the vlan-id matching and the decapsulation.
Isn't it
t's not a lot of code, in the worst case you can just cut&paste
> > the relevant 50-60 lines from the beginning of the code
> > (though of course it would be nice to rearrange the code to
> > reduce duplication).
> >
> > By doing this you can do something like
>
e nice to rearrange the code to
> reduce duplication).
>
> By doing this you can do something like
>
> ipfw add skipto 1000 vlan-decap 1-50
>
> and then process vlans 1 to 50 at line 1000.
> Maybe it is a good idea to split the vlan-id matching and the decapsulatio
faster matching.
*/
and then continues.
It's not a lot of code, in the worst case you can just cut&paste
the relevant 50-60 lines from the beginning of the code
(though of course it would be nice to rearrange the code to
reduce duplication).
By doing this you can do something like
g) aren't working
at all. Not even logging counts.
Setting the "bridged" flag doesn't seem to help.
My only guess is that ipfw doesn't have the brains to look beyond the VLAN
tags. Is this the case? Is this supported under 4.x (I'm using 5, but
can downgrade), or is
ve corrected this.
* ipfw_bound.diff - the patch with smallest changes, with only bound option.
* ipfw_bound2.diff - bound and check-bound option.
Examples:
We can limit incoming traffic (internet is external interface):
# ipfw add allow ip from any to 10.0.0.20 in recv internet bound 10MB
# ipfw
PM
To: Imri Zvik
Cc: freebsd-hackers@freebsd.org
Subject: Re: ipfw causing panic 4.11-RELEASE-p4
On Mon, 2 May 2005, 13:20+0300, Imri Zvik wrote:
> Hi,
>
> I was playing around with ipfw, and when I tried something like:
>
> /sbin/ipfw disable firewall
>
>
8:09 MSD 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
> i386
> shy# /sbin/ipfw disable firewall
> shy# /sbin/ipfw flush && sysctl net.inet.ip.fw.dyn_buckets=600
> Are you sure? [yn] y
>
> Flushed all rules.
> net.inet.ip.fw.dyn_buckets: 256 -> 600
> s
On Mon, 2 May 2005, 13:20+0300, Imri Zvik wrote:
> Hi,
>
> I was playing around with ipfw, and when I tried something like:
>
> /sbin/ipfw disable firewall
>
> /sbin/ipfw flush && sysctl net.inet.ip.fw.dyn_buckets=600
>
>
>
> /sbin/ipfw enable firewall
Hi,
I was playing around with ipfw, and when I tried something like:
/sbin/ipfw disable firewall
/sbin/ipfw flush && sysctl net.inet.ip.fw.dyn_buckets=600
/sbin/ipfw enable firewall
The machine paniced:
#0 dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
#1 0xc02
To: "Dmitry A. Bondareff" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, December 15, 2004 6:42 PM
Subject: Re: 5.3 IPFW bug
On Wed, 15 Dec 2004, 17:00+0500, Dmitry A. Bondareff wrote:
Hello hackers!
Today I upgraded my 5.2.1-p11 box up to 5.3-p2.
My firewa
day, December 15, 2004 6:42 PM
Subject: Re: 5.3 IPFW bug
> On Wed, 15 Dec 2004, 17:00+0500, Dmitry A. Bondareff wrote:
>
> > Hello hackers!
> >
> > Today I upgraded my 5.2.1-p11 box up to 5.3-p2.
> > My firewall rules includes like this:
> > ...
> > /sbin
On Wed, 15 Dec 2004, 17:00+0500, Dmitry A. Bondareff wrote:
> Hello hackers!
>
> Today I upgraded my 5.2.1-p11 box up to 5.3-p2.
> My firewall rules includes like this:
> ...
> /sbin/ipfw add tee 1 ip from 1.2.3.4 to 4.3.2.1
> ...
> On 5.2.1-FreeBSD it's works f
Dmitry A. Bondareff wrote:
Hello hackers!
Today I upgraded my 5.2.1-p11 box up to 5.3-p2.
My firewall rules includes like this:
...
/sbin/ipfw add tee 1 ip from 1.2.3.4 to 4.3.2.1
...
On 5.2.1-FreeBSD it's works fine.
But FreeBSD 5.3 halted each time!!!
After changed "tee 1&