On Sat, 2 Sep 2017 11:44:51 +1000, Graham Menhennitt wrote:
> I have a problem that seems to be a difference between ipfw/NAT
> behaviour in 10-Stable versus 11-Stable. I have two servers: one running
> 10-Stable and one running 11-Stable. I'm using the same rule set on both
> (see below).
On Thu, 31 Aug 2017 15:27:47 +0300, Andrey V. Elsukov wrote:
> On 31.08.2017 15:10, Graham Menhennitt wrote:
> > On 10-Stable, the interface is re1. The output of 'ifconfig re1 | grep
> > options' is:
> > options=8209b
> >
> > nd6 options=29
> >
> > On 11-Stable (the one with the prob
a higher level, perhaps some sort of proxy?
cheers, Ian
> *With best Regards,*
>
> Kulamani Sethi,
> Bangalore, India
> Mob: 9686190111
>
> On Fri, Jul 14, 2017 at 10:31 PM, Ian Smith wrote:
>
> > On Fri, 14 Jul 2017 16:43:56 +0530, Kulamani Sethi wrote:
On Fri, 14 Jul 2017 16:43:56 +0530, Kulamani Sethi wrote:
> Hi,
> I want to set a rule for a particular service URL which running on a remote
> server.
> I know the IP but don't know the port number where that service is running.
> If i set rule for IP then it will applied for entire services
On Thu, 4 May 2017 23:46:21 +0200, Marco van Tol wrote:
> Possibly this questions pops up regularly. I have tried to find the
> answer myself and have been unable to so far.
>
> My current way to drastically slow-down ssh brute force attacks is by
> using the pf feature "max-src-conn-rate
On Tue, 7 Mar 2017 08:45:22 -0600, Mark Felder wrote:
> On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:
> > > https://reviews.freebsd.org/D9920
> >
> > I've always used these rules from 'client' and 'simple' rulesets:
> >${fwcmd}
On Tue, 7 Mar 2017 13:49:25 +, bugzilla-nore...@freebsd.org wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
>
> Mark Felder changed:
>
>What|Removed |Added
> --
On Sun, 29 Jan 2017 18:52:58 +0100, Rakor wrote:
> Hi and thanks for your reply!
Just a couple of points in addition to Thomás' recent reply, which well
covers most aspects .. quoting here went totally weird, so excuse any
strangeness there; I'm just plucking out and reformatting a few bits.
>
On Thu, 2 Feb 2017 12:08:31 -0200, Francisco Ramon wrote:
> Hello!
> I'm trying to build an IPFW script and I'm using some dynamic rules
> (with keep-state). The problem occurs when I need to restart the
> script, to reload new or edited rules... When I execute the "ipfw -f
> flush", off c
On Mon, 14 Nov 2016 13:43:15 +, wo0x wrote:
> Hi there,
>
>I just subscribed to this list due to the subjected bug--and I am quite
> happy to find this trouble has yet been noted by others:
>
> # fwcmd=/sbin/ipfw
> # ${fwcmd} -f table dnssrv flush
> # ${fwcmd}table dnssrv crea
On Tue, 18 Oct 2016 14:21:50 +, Shawn Bakhtiar wrote:
> On Oct 18, 2016, at 6:49 AM, Samira Nazari
> mailto:nazari@gmail.com>> wrote:
> > Hello every one,
> > When we divert packets to the specified port with "IPFW divert",
> > we can change it and re-send to the kernel?
> Not sur
On Mon, 12 Sep 2016 11:04:26 +0800, Julian Elischer wrote:
> Unfortunately we don't have any timers on table entries, so it's not possible
> to see how long an entry has been in use, or idle.
>
>
> If I were to have a captive portal, which placed the address of 'allowed'
> hosts into a ta
On Mon, 15 Aug 2016 02:20:19 +0300, Lev Serebryakov wrote:
> > Please, change this to some prefix to state name (:name, @name or
> > something
> > like this) or to "state-action(name)" format. It will be much better: less
> > error-prone and will work without ugly warnings on old rulesets.
On Fri, 12 Aug 2016 16:49:36 +1000, grenville armitage wrote:
> On 08/12/2016 14:56, Julian Elischer wrote:
> > On 11/08/2016 9:02 AM, Dr. Rolf Jansen wrote:
> >>
> [...]
> >>
> >> I needed to change the name of the geoip tool, because GeoIP® is a
> registered trademark of MaxMind, Inc.
On Thu, 11 Aug 2016 10:09:24 -0300, Dr. Rolf Jansen wrote:
> > On 11.08.2016 at 08:06, Ian Smith wrote:
> > On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
> >
> > (just curious: whereabouts is -0300? Brazil?)
>
> Yes, I am a German living in Brazil f
On Wed, 10 Aug 2016 -0300, Dr. Rolf Jansen wrote:
(just curious: whereabouts is -0300? Brazil?)
> > On 08.08.2016 at 18:46, Dr. Rolf Jansen wrote:
>> I am almost finished with preparing the tools for geo-blocking and
>> geo-routing at the firewall for submission to the FreeBSD ports.
>> I c
On Fri, 5 Aug 2016 13:22:50 +0800, Julian Elischer wrote:
> On 5/08/2016 12:15 PM, Michael Sierchio wrote:
> > Wouldn't it make sense to use the ISO Numeric Code / UN M49 Numerical Code?
> actually it doesn't make sense. the source of data doesn't have that
> information in it so it would req
On Fri, 5 Aug 2016 00:12:37 +0800, Julian Elischer wrote:
> On 4/08/2016 6:50 PM, Andrey V. Elsukov wrote:
> > On 04.08.16 06:42, Julian Elischer wrote:
> > > so it's a combination of #1 and #2 in my list. I think I originally
> > > thought of having just #1.
> > >
> > > A combination is le
On Fri, 5 Aug 2016 01:38:45 +1000, Ian Smith wrote:
> <<< No Message Collected >>>
Yeah, sorry about that .. this got stuck in mailq somehow in 'locked'
EHLO state .. never seen that before in many years; had to kill and
resend it from sent-mail as a fwd, los
<<< No Message Collected >>>
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
On Wed, 3 Aug 2016 18:53:38 -0300, Dr. Rolf Jansen wrote:
> > On 03.08.2016 at 11:13, Julian Elischer wrote:
>
> On 2/08/2016 8:50 PM, Dr. Rolf Jansen wrote:
>>> On 02.08.2016 at 05:08, Julian Elischer wrote:
'scuse savage reformatting, but I had to wrap it to read it .. and pine
has comple
On Mon, 1 Aug 2016 18:47:37 +0300, Andrey V. Elsukov wrote:
> On 01.08.16 18:43, Ian Smith wrote:
> > Fast work Andrey, and sorry for rushing in. I ASSumed, after reading
> > the new tables section in 11.0-R ipfw(8), that Kevin had run into:
> >
> >Tables re
On Mon, 1 Aug 2016 16:39:45 +0300, Andrey V. Elsukov wrote:
> On 31.07.16 22:28, Kevin Oberman wrote:
> > I assumed that I had missed this in the release notes, but I can find no
> > reference to this significant change that simultaneously greatly enhanced
> > ipfw table functionality, but also
On Sun, 31 Jul 2016 12:28:06 -0700, Kevin Oberman wrote:
> This morning I updated my min user system from 10.3-Stable to 11.0-BETA3.
> In general, things went well, but I had two issues that prevented the
> network from operating. the first is a lack of documentation in the Release
> Notes and
On Sat, 30 Jul 2016 11:17:13 -0300, Dr. Rolf Jansen wrote:
> I finished the work on CIDR conformity of the IP ranges tables
> generated by the tool geoip. The main constraint is that the start
> and end address of an IP block given by the delegation files MUST BE
> PRESERVED during the tran
On Thu, 28 Jul 2016 23:21:01 -0300, Dr. Rolf Jansen wrote:
> On 27.07.2016 at 12:31, Julian Elischer wrote:
[..]
>> wow, wonderful!
>> with that tool, and ipfw tables we have a fully functional geo
>> blocking/munging solution in about 4 lines of shell script.
> Unfortunately, I finally d
On Wed, 27 Jul 2016 10:03:01 +0800, Julian Elischer wrote:
> On 27/07/2016 3:06 AM, Dr. Rolf Jansen wrote:
> > > On 26.07.2016 at 13:23, Julian Elischer wrote:
> > > On 26/07/2016 1:41 AM, Dr. Rolf Jansen wrote:
> > > > Once a week, the IP ranges are compiled from original sources into a
> >
On Mon, 13 Jun 2016 23:18:24 +0800, Julian Elischer wrote:
> On 10/06/2016 5:11 AM, Lev Serebryakov wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> >
> > On 07.06.2016 00:53, Andrey V. Elsukov wrote:
> >
> > > looking at provided description and examples, seems the main ta
On Mon, 13 Jun 2016 22:59:19 +0800, Julian Elischer wrote:
> On 7/06/2016 10:31 PM, Ian Smith wrote:
> > On Tue, 7 Jun 2016 00:53:23 +0300, Andrey V. Elsukov wrote:
> > > On 06.06.16 22:41, Lev Serebryakov wrote:
> > > >
> > > > I still hop
On Tue, 7 Jun 2016 00:53:23 +0300, Andrey V. Elsukov wrote:
> On 06.06.16 22:41, Lev Serebryakov wrote:
> >
> > I still hope to see https://reviews.freebsd.org/D1776 committed before
> > 11-RELEASE.
> >
> > It seems to me, that I does everything what was requested by reviewers.
>
> Hi
On Mon, 14 Mar 2016 19:24:21 +0800, Bill Yuan wrote:
> On Monday, March 14, 2016, Ian Smith wrote:
>
> > On Mon, 14 Mar 2016 07:39:36 +0800, Julian Elischer wrote:
> > > On 14/03/2016 7:37 AM, Julian Elischer wrote:
> > > > On 11/03/2016 8:46 PM, Kulamani
On Mon, 14 Mar 2016 07:39:36 +0800, Julian Elischer wrote:
> On 14/03/2016 7:37 AM, Julian Elischer wrote:
> > On 11/03/2016 8:46 PM, Kulamani Sethi wrote:
> > > Dear all,
> > >
> > > I am using ipfw3. When i am installing ipfw driver in windows-7
> > > machine the network goes down. I
On Thu, 10 Mar 2016 13:35:41 -0600, Mark Felder wrote:
> On Thu, Mar 10, 2016, at 00:53, Ian Smith wrote:
> > On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
> > > On 9 Mar, Don Lewis wrote:
> > > > On 9 Mar, Don Lewis wrote:
> > > >> On
On Wed, 9 Mar 2016 15:02:18 -0800, Don Lewis wrote:
> On 9 Mar, Don Lewis wrote:
> > On 9 Mar, Don Lewis wrote:
> >> On 9 Mar, Don Lewis wrote:
> >>> On 9 Mar, Freddie Cash wrote:
>
> ?Do you have the sysctl net.inet.ip.fw.one_pass set to 0 or 1?
> >>>
> >>> Aha, I've got it
On Wed, 23 Dec 2015 10:08:05 +0800, bycn82 wrote:
> Cc: "freebsd-ipfw@freebsd.org" ,
> Ganbold Tsagaankhuu
> Subject: Re: layer2 ipfw fwd
>
> Interesting, that means in order to filter the layer2 traffic with layer3
> filters. it will unpack the ether frame and get the packets. at least
On Mon, 30 Nov 2015 16:48:49 +0530, Kulamani Sethi wrote:
> Hi all,
>I am using ipfw3, can i block a URL by its domain name? When i am
> setting rules in IPFW by its domain name, it simple set rule by its
> corresponding IP.
> Here example how i set
>
> C:>ipfw add 1002 deny log ip fro
On Sun, 29 Nov 2015 12:03:21 +1100, Graham Menhennitt wrote:
> On 28/11/2015 20:47, Thomás S. Bregolin wrote:
> > Besides the redirect_port option, you still need rules allowing traffic
> > in to those ports. Excuse-me if you've done that already (I have no way
> > of knowing).
> >
> >
> > S
On Sat, 28 Nov 2015 15:19:09 +1100, Graham Menhennitt wrote:
> On 28/11/2015 05:03, Thomas wrote:
> > Aren't your regular NAT rules in NAT instance 1? That command will
> > overwrite those and leave just the new ones.
> >
> > If that's the case, you can put those rules in a different NAT insta
On Wed, 18 Nov 2015 22:17:29 +0800, Julian Elischer wrote:
> On 11/18/15 8:40 AM, Nathan Aherne wrote:
> > For some reason hairpin (loopback nat or nat reflection) does not seem to
> > be working, which is why I chose IPFW in the first place.
> it would be good to see a diagram of what this ac
On Tue, 13 Oct 2015 13:50:04 +1000, Nathan Aherne wrote:
> Hi Ian,
>
> Thank you for your response.
>
> I didn't post my ruleset because I should be able to fix the issue
> myself but I see now that my request to explain "how NAT works" was
> incorrect.
>
> I have now included my r
On Tue, 13 Oct 2015 12:33:52 +1000, Nathan Aherne wrote:
> I sent through a question to this list a little while ago and have
> been trying to get IPFW NAT working since then. I have had some
> success but not the success I need, everything is working correctly
> except NAT rules for my par
On Tue, 15 Sep 2015 07:51:11 -0600 (MDT), Warren Block wrote:
> On Tue, 15 Sep 2015, Ian Smith wrote:
>
O. Hartmann wrote:
> > > But that is an other issue and it is most likely
> > > due to the outdated documentation (that doc still uses port 37 for NTP
> >
Argh, fluffed freebsd-ipfw@ address, checked everything else :(
-- Forwarded message --
Date: Fri, 21 Aug 2015 01:14:58 +1000 (EST)
From: Ian Smith
To: andreas scherrer
Cc: freebsd-questi...@freebsd.org, freeb-i...@freebsd.org
Subject: Re: ipfw's "via" rule optio
On Thu, 13 Aug 2015 16:30:15 +0200, Luigi Rizzo wrote:
> On Thu, Aug 13, 2015 at 4:00 PM, Ian Smith wrote:
> > On Thu, 13 Aug 2015 12:24:31 +0800, Julian Elischer wrote:
> > > BTW, any ideas as to what causes this?
> > > # ipfw show
> > > [...]
>
On Thu, 13 Aug 2015 12:24:31 +0800, Julian Elischer wrote:
> BTW, any ideas as to what causes this?
> # ipfw show
> [...]
> 00400 00 deny ip from 10.12.1.0/24 to any in recv
> xn0
> 00500 0 16045693110842147038 deny ip from 204.109.63.0/25 to any in recv
> xn1
On Mon, 3 Aug 2015 17:38:18 +0800, Julian Elischer wrote:
> my reading of the code I can see that 'ipfw delete 100-300' doesn't
> work (well I know it doesn't work, but I had thought it was a bug),
> Now I see that its just 'not supported'
>
> It may be my imagination but (distant) past?
I w
On Fri, 31 Jul 2015 09:43:25 -0700, Michael Sierchio wrote:
> On Jul 31, 2015 3:23 AM, "Ian Smith" wrote:
> >
>
> > firewall_enable=YES
> > firewall_type=OPEN # permit all, regardless of default_to_accept
> > dummynet_anable=YES
> >
>
On Thu, 30 Jul 2015 11:25:51 -0700, hiren panchasara wrote:
> (For various reason's I didn't get/see Ian's message. Trying to do the
> right thing by setting "In-Reply-To".)
No problem, thanks.
> On 07/27/15 at 01:07P, Ian Smith wrote:
> > On Sun, 19 J
Way back on Wed, 1 Jul 2015 22:02:53 +0300, Lev Serebryakov wrote:
> On 30.06.2015 22:20, Georgios Amanakis via freebsd-ipfw wrote:
>
> It is good example for my changes :) All this "skipto / keep-state"
> magic is not understandable.
Indeed. So all we're waiting for, Lev, is some simple u
On Sun, 19 Jul 2015 21:05:53 -0700, hiren panchasara wrote:
> Bah.
>
> So I removed ipfw and dummynet from kernconf and loaded them manually
> after machine came up and it worked as expected.
In your previous post, you'd said you were using 11-current, and:
> And GENERIC has:
> options
On Sat, 6 Jun 2015 19:52:35 +0800, bycn82 wrote:
> *Hello,*
> *Can you please explain what is going on again,*
> *Sorry I did not follow the emails, I am not checking the FB email for a
> while, *
> *I think I missed some emails.*
> *e.g *
> *what is the purpose of the "*skip-immediate-act
Lev, a further thought.
I've seen melifaro's new comments, but can't comment on those except
that we are agreed on really needing some usage examples.
On Tue, 2 Jun 2015 22:39:40 +1000, Ian Smith wrote:
> It would be nice if skip-immediate-action could be shortened, es
On Mon, 1 Jun 2015 17:31:23 +0300, Lev Serebryakov wrote:
> https://reviews.freebsd.org/D1776
>
> It was discussed in this list some time ago, but looks like
> everything stuck.
>
> Any comments/objections?
>
> This patch works on my router since first patch version without
> probl
On Sun, 24 May 2015 11:24:45 +0300, Alexander V. Chernikov wrote:
> 23.05.2015, 03:58, "hiren panchasara" :
> > On 05/21/15 at 02:05P, hiren panchasara wrote:
> >> On 05/21/15 at 12:42P, hiren panchasara wrote:
> >>> Getting back to this now to see if I can avoid ipfw on outgoing packets.
>
On Thu, 16 Apr 2015 11:41:54 +0800, Julian Elischer wrote:
> On 4/15/15 5:09 AM, hiren panchasara wrote:
> > Apologies if this is something silly but I want to completely eliminate
> > ipfw from outgoing traffic perspective. I just want to have it on
> > incoming. I can always add "allow ip fro
On Thu, 5 Feb 2015 02:14:41 +0300, Lev Serebryakov wrote:
> On 05.02.2015 01:16, Lev Serebryakov wrote:
>
> > I have such rules in my firewall:
> >
> > nat 9 config redirect_port tcp 192.168.134.2:16881 16881
> > redirect_port udp 192.158.134.2:16881 16881 redirect_port tcp
> > 192.168.134
On Wed, 4 Feb 2015 19:121:46 +, Julian Elischer wrote:
> On 2/4/15 5:22 PM, Lev Serebryakov wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> >
> > On 04.02.2015 08:13, Julian Elischer wrote:
> >
> > > yes I think "keep-state" should be deprecated and replaced or
> > >
On Tue, 3 Feb 2015 13:23:38 +0300, Lev Serebryakov wrote:
> On 03.02.2015 13:04, Ian Smith wrote:
>
> >> Now to make stateful firewall with NAT you need to make some not
> >> very "readable" tricks to record state ("allow") of outbound
> >>
On Mon, 2 Feb 2015 22:17:25 +0300, Lev Serebryakov wrote:
> Now to make stateful firewall with NAT you need to make some not very
> "readable" tricks to record state ("allow") of outbound connection
> before NAT, but pass packet to NAT after that. I know two:
>
> (a) skipto-nat-allow patte
On Thu, 11 Dec 2014 10:58:18 +0200, Ahmed Kamal wrote:
> I am trying to debug this over ssh (freebsd shell) .. While I'm quite
> experienced with Linux, I'm new to BSDs .. Can someone guide me into
> running a few commands to discover what's wrong .. Thanks a lot folks
For me at least, there a
On Fri, 31 Oct 2014 18:28:28 -0700, Freddie Cash wrote:
> On Oct 31, 2014 12:12 PM, "John-Mark Gurney" wrote:
> >
> > Can any one think of a good reason not to enable IPDIVERT sockets in
> > the ipfw module?
Yes, two. Nowadays people are just as or perhaps more likely to use
in-kernel NAT,
On Sun, 12 Oct 2014 05:02:11 +0900, Hiroki Sato wrote:
> Ian Smith wrote
> in <20141003025830.d48...@sola.nimnet.asn.au>:
>
> sm> which rules will be flushed when /etc/rc.d/ipfw runs, but should enable
> sm> DHCP to work? I'm not sure whether those ru
On Wed, 1 Oct 2014 15:54:57 +1000, Ian Smith wrote:
> On Tue, 30 Sep 2014 18:54:29 -0400, Jack Barber wrote:
> > On 09/30/2014 01:29 AM, Ian Smith wrote:
> > > On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote:
> > > > We are having trouble getting ipfw to
On Thu, 2 Oct 2014 16:39:13 +0900, Hiroki Sato wrote:
> Julian Elischer wrote
> in <542155fb.9020...@freebsd.org>:
>
> ju> On 9/23/14, 2:01 AM, Andrey V. Elsukov wrote:
> ju> > On 21.09.2014 09:58, Hiroki Sato wrote:
> ju> >> Hi,
> ju> >>
> ju> >> I would like your comments about the
On Tue, 30 Sep 2014 18:54:29 -0400, Jack Barber wrote:
> On 09/30/2014 01:29 AM, Ian Smith wrote:
> > On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote:
> > > We are having trouble getting ipfw to work over a bridged interface.
> > >
> > > for
On Mon, 29 Sep 2014 20:21:58 -0400, Jack Barber wrote:
> We are having trouble getting ipfw to work over a bridged interface.
>
> for example:
>
> machine 1 -> Bridged interface FreeBSD 10 -> machine 2.
>
> machine 1 - 192.168.20.20
> machine 2 - 192.168.20.25
>
> now I set something
On Sun, 21 Sep 2014 14:58:12 +0900, Hiroki Sato wrote:
> Hi,
>
> I would like your comments about the attached patch to /etc/rc.
>
> The problem I want to fix by this patch is as follows.
> net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW
> kernel module is loaded or
On Sun, 14 Sep 2014 12:36:43 +0200, Willem Jan Withagen wrote:
> On 13-9-2014 21:51, Freddie Cash wrote:
> > You can replicate it using 3 rules, loaded into two sets:
> >
> > ipfw set disable 1
> > ipfw add allow ip from any to any
> > ipfw add 65524 allow ip from any to any
> > ipfw add al
On Mon, 12 May 2014 13:41:12 -0700, Ronald F. Guilmette wrote:
> In message <20140512152327.a11...@sola.nimnet.asn.au>,
> Ian Smith wrote:
>
> >... and scrolling back
> >the VT0 root console should reveal it/them.
>
> Thank you!
>
> I'm
On Sun, 11 May 2014 21:44:26 -0700, Chris H wrote:
[Ronald F. Guilmette wrote:]
> > In my /etc/rc.conf file, I have the following (among other things):
> >
> > firewall_enable="YES"
> > firewall_type="/etc/fw.rules"
> > firewall_logging="YES"
> >
> > And of course, on my system, the /etc/fw
On Fri, 9 May 2014 11:00:55 +0800, Bill Yuan wrote:
> OK then I will submit it as a patch in this weekend.
[..]
> > > Man page patch for PPS
> > >
> > > .It Cm pps Ar limit duration
> > > Rule with the
> > > .Cm pps
> > > keyword will allow the first
> > > .Ar limit
> > > packets in each
ule sets.
> >
> On 3/22/14, 1:34 AM, Ian Smith wrote:
> > Firstly, that's the one page in the handbook (that I know of) that needs
> > completely nuking. It contains many factual errors as well as weird
> > notions, and will only tend to mislead you; co
On Mon, 10 Mar 2014 20:53:39 -0700, Julian Elischer wrote:
> It has annoyed me for some time that icmp packets referring to an ongoing
> session can not be matched by a dynamic rule that governs that session.
>
> For example, if you have a dynamic rule for tcp 1.2.3.4 port
> 80 from 5.6.7.8 po
The following reply was made to PR kern/177948; it has been noted by GNATS.
From: Ian Smith
To: bug-follo...@freebsd.org, j...@oxit.fi
Cc:
Subject: Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for
udp
Date: Tue, 18 Feb 2014 02:43:21 +1100
Having been determined not to be
On Tue, 26 Nov 2013 12:48:01 +, Ben Morrow wrote:
> To: freebsd-sta...@freebsd.org
Restoring cc ipfw@ and others after the inet_pton side-thread in
stable@. grepping /usr/src for inet_pton suggests that a behavioural
change in inet_pton at this stage seems rather unlikely :)
> Quoth Mic
On Sun, 24 Nov 2013 23:56:14 +0400, Alexander V. Chernikov wrote:
> On 24.11.2013 19:43, Özkan KIRIK wrote:
> > Hi,
> >
> > I tested patch. This patch solves, ipfw table 1 add 4899
> Ok. So I'll commit this fix soon.
> >
> > But, ipfw table 1 add 10.2.3.01 works incorrectly.
> > output is
On Thu, 31 Oct 2013 13:10:42 -0700, Casey Scott wrote:
> Hello,
>
> My NAT and ipfw ruleset follow almost exactly what is given at
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
Almost, but perhaps not quite near enough. Firstly, I'd normally advise
largely ignoring the handbook
On Sun, 29 Sep 2013, lini...@freebsd.org wrote:
> Date: Sun, 29 Sep 2013 21:51:54 GMT
> From: lini...@freebsd.org
> To: lini...@freebsd.org, freebsd-...@freebsd.org, freebsd-ipfw@freebsd.org
> Subject: Re: kern/182355: [ipfw] ipf doesn't compile in 10.0-ALPHA2
>
> Old Synopsis: [ipf] ipf do
On Sat, 6 Jul 2013 18:37:55 +0700, Eugene Grosbein wrote:
> On 06.07.2013 14:47, Sami Halabi wrote:
> > Hi,
> > Any hope?
>
> Have you used intermediate "ipfw count log" rules between "ipfw nat" rules
> I recommended? If yes, why have not you show that logs yet?
> Include tcpdump output fro
The following reply was made to PR kern/176503; it has been noted by GNATS.
From: Ian Smith
To: bug-follo...@freebsd.org, free...@heron.pl
Cc:
Subject: Re: kern/176503: [ipfw] ipfw layer2 problem
Date: Wed, 19 Jun 2013 01:34:58 +1000
> net.link.ether.ipfw=1
> 1000 allow ip from
The following reply was made to PR kern/178482; it has been noted by GNATS.
From: Ian Smith
To: Joe
Cc: bug-follo...@freebsd.org
Subject: Re: kern/178482: [ipfw] logging problem from vnet jail
Date: Thu, 23 May 2013 21:45:24 +1000 (EST)
> You have the incorrect conclusion. Let me reword w
The following reply was made to PR kern/178482; it has been noted by GNATS.
From: Ian Smith
To: bug-follo...@freebsd.org, fb...@a1poweruser.com
Cc:
Subject: Re: kern/178482: [ipfw] logging problem from vnet jail
Date: Wed, 22 May 2013 23:44:40 +1000
> 9.1-RELEASE kernel with modules
me available haven't found where log() was defined.
Am I right assuming something's missed being VNET-ed here somewhere?
cheers, Ian
-- Forwarded message --
Date: Thu, 2 May 2013 22:05:49 +0200
From: Anders Hagman
To: Ian Smith
Cc: freebsd-jail
Subject: Re: vnet jail wi
The following reply was made to PR kern/177948; it has been noted by GNATS.
From: Ian Smith
To: Jukka Ukkonen
Cc: bug-follo...@freebsd.org
Subject: Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for
udp
Date: Sun, 21 Apr 2013 22:21:06 +1000 (EST)
On Sun, 21 Apr 2013 14:33:07
The following reply was made to PR kern/177948; it has been noted by GNATS.
From: Ian Smith
To: bug-follo...@freebsd.org, j...@oxit.fi
Cc:
Subject: Re: kern/177948: [ipfw] ipfw fails to parse port ranges (p1-p2) for
udp
Date: Sun, 21 Apr 2013 12:17:12 +1000
I can't reproduce this o
On Tue, 16 Apr 2013 20:52:05 +0200, Spil Oss wrote:
> Hi all,
>
> If I disable checksum offloading on the NIC I do the tcpdump on, then I
> assume that the checksum-check will provide accurate results?
It certainly should.
> With checksum disabled, I see that the checksum is incorrect when
On Sun, 14 Apr 2013 10:34:06 -0700, Michael Sierchio wrote:
> On Sun, Apr 14, 2013 at 10:26 AM, Ian Smith wrote:
>
> > 'allow ip' aka 'allow all' doesn't usually take a port number, which
> > applies only to tcp and udp.
>
> It does in ip
On Sat, 13 Apr 2013 15:34:39 +0200, Spil Oss wrote:
> Hi All,
>
> I can't use ipfw with natd with my ASIX AX88772B USB NIC
>
> ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset)
I see you omitted the 2 anti-spoofing rules for 172.16.0.0/12 either
side of the divert rule, as y
The following reply was made to PR kern/174749; it has been noted by GNATS.
From: Ian Smith
To: bug-follo...@freebsd.org, radek.kre...@starnet.cz
Cc:
Subject: Re: kern/174749: Unexpected change of default route
Date: Mon, 11 Feb 2013 23:50:56 +1100
It seems clear that this PR is
On Thu, 7 Feb 2013 12:50:51 +, Eggert, Lars wrote:
> Hi,
>
> On Feb 7, 2013, at 13:40, Ian Smith wrote:
> > On Thu, 7 Feb 2013 08:08:59 +, Eggert, Lars wrote:
> >> On Jan 31, 2013, at 16:03, Matthew Luckie wrote:
> >>>
> >>&
On Thu, 7 Feb 2013 08:08:59 +, Eggert, Lars wrote:
> On Jan 31, 2013, at 16:03, Matthew Luckie wrote:
> >
> > 00510 allow ip from me to not me out via em1
> > 00550 divert 8668 ip from any to any via em1
> >
> > Rule 510 fixes it.
>
> Yep, it does. Can I ask someone to commit this t
The following reply was made to PR kern/165939; it has been noted by GNATS.
From: Ian Smith
To: bug-follo...@freebsd.org, h...@sendmail.cz
Cc:
Subject: Re: kern/165939: [ipw] bug: incomplete firewall rules loaded if tables
are used in ipfw.conf
Date: Tue, 30 Oct 2012 00:17:39 +1100
This is
On Fri, 19 Oct 2012 15:25:24 +0400, Andrey V. Elsukov wrote:
> Hi All,
>
> Many years ago i have already proposed this feature, but at that time
> several people were against, because as they said, it could affect
> performance. Now, when we have high speed network adapters, SMP kernel
> and
;d rather not cause an outage if I can prevent it. :)
Fair question Soren. I've configured no VLANs; out of my depth, again!
cheers, Ian
> On Fri, Sep 14, 2012 at 12:00 AM, Ian Smith wrote:
> > On Thu, 13 Sep 2012 12:37:23 -0500, Soren Dreijer wrote:
> > [Luigi Rizzo wr
On Thu, 13 Sep 2012 12:37:23 -0500, Soren Dreijer wrote:
[Luigi Rizzo wrote:]
> > i'd start by disabling all accelerations (and jumbograms)
> > and then move on from the results to figure out where is the problem.
>
> So, I went ahead and disabled TSO on ix0. That seemed to fix the
> int
On Thu, 13 Sep 2012 0:48:01 -0500, Soren Dreijer wrote:
> Definitely. Since this is a server in production, I've obfuscated some
> of the IPs, etc.
>
> First off, here's the ifconfig. Our setup consists of a private (ix0)
> and a public nic (ix1) and an ip tunnel (gif0), which is what we use
On Wed, 12 Sep 2012 23:09:27 -0500, Soren Dreijer wrote:
> Hi there,
>
> We're running freebsd 9.0-RELEASE on a box whose primary purpose is to
> act as a firewall and a gateway. Up until today, we've been using ipfw
> in conjunction with natd and the divert action in ipfw to forward
> packe
On Sat, 14 Jul 2012 18:59:54 +0100, Chris Rees wrote:
> On 14 Jul 2012 18:49, "Ian Smith" wrote:
> >
> > On Sat, 14 Jul 2012, cr...@freebsd.org wrote:
> > > http://www.freebsd.org/cgi/query-pr.cgi?pr=165939
[..]
> > > Description
> >
On Sat, 14 Jul 2012 18:59:54 +0100, Chris Rees wrote:
> On 14 Jul 2012 18:49, "Ian Smith" wrote:
> >
> > On Sat, 14 Jul 2012, cr...@freebsd.org wrote:
> > > http://www.freebsd.org/cgi/query-pr.cgi?pr=165939
[..]
> > Yes, to such a ruleset
On Sat, 14 Jul 2012, cr...@freebsd.org wrote:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=165939
> Description
> If user has tables used in /etc/ipfw.conf for example:
>
> table 1 add 64.6.108.239
>
> then firewall restart:
>
> /etc/rc.d/ipfw start
>
> fails with:
> Line 8: setsockopt