From owner-freebsd-ipfw Tue May 21 2: 7:27 2002
Message-ID: <00b701c200af$0a01c480$668ce650@noused>
From: "Retal"
Subject: Ipfw + IPF
Date: Tue, 21 May 2002 12:05:27 +0200

Well.. I have always wondered if it's possible to use both
ipfw and ipf at the same time.. and if it is..
is it effective?

Retal (lirandb@netvision.net.il, retal@retal.co.il)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue May 21 2:18:52 2002
Message-ID: <002e01c200a8$74d02920$0901a8c0@system>
From: "Tom Beer"
To: "Retal"
References: <00b701c200af$0a01c480$668ce650@noused>
Subject: Re: Ipfw + IPF
Date: Tue, 21 May 2002 11:18:20 +0200

Yes & Yes!

> Well.. I have always wondered if it's possible to use both
> ipfw and ipf at the same time.. and if it is..
> is it effective?
>
> Retal (lirandb@netvision.net.il, retal@retal.co.il)

From owner-freebsd-ipfw Thu May 23 0:18:54 2002
Date: Thu, 23 May 2002 00:18:44 -0700
From: "Crist J. Clark"
To: rick norman
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw and aliases
Message-ID: <20020523001844.B9562@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <3CDB2CED.DCC3092F@lmco.com> <20020511134633.A2824@blossom.cjclark.org>
 <3CE1599C.42071126@lmco.com> <20020514131100.A57077@blossom.cjclark.org>
 <3CE17755.12735706@lmco.com> <20020514152229.B57077@blossom.cjclark.org>
 <3CE3F5A7.FE02E845@lmco.com>
In-Reply-To: <3CE3F5A7.FE02E845@lmco.com>; from rick.norman@lmco.com on Thu, May 16, 2002 at 11:08:40AM -0700

On Thu, May 16, 2002 at 11:08:40AM -0700, rick norman wrote:

I've been meaning to dig into this a bit more, but haven't had the time yet.
However, I wanted to make some remarks before the holiday weekend.

> Here is an example (please view in fix point font)
>
>   Src       Hop1       Hop2       Dest
>   -+-       -+-        -+-        -+-
>    |         |          |          |
>    +---------+----------+----------+
> 10.0.0.1  10.0.0.2
>           10.0.1.1   10.0.1.2
>           10.0.2.1   10.0.2.2
>           10.0.3.1   10.0.3.2
>                      10.0.4.2   10.0.4.3
>
> Notes:
> Subnet mask=255.255.255.0 for all
> there is only one NIC in each computer
> All the computers are connected to an ethernet switch.
> We are manually manipulating the routing table on hop2 and hop3 for the destination.
>
> The topology above allows us to get to destination address
> 10.0.4.3 from src 10.0.0.1 by going through hop1 and hop2.
>
> We would like to be able to setup IPFW rules and Dummynet Pipes
> to vary the link quality between hop1 and hop2
> depending on which of the three routes are taken to the destination.
>
> We need a firewall rule that reads like this
>
> 0100 pipe 1 ip from any to 10.0.4.3 via 10.0.1.1
> 0200 pipe 2 ip from any to 10.0.4.3 via 10.0.2.1
> 0300 pipe 3 ip from any to 10.0.4.3 via 10.0.3.1

There are some problems with this format. As we agreed on earlier in
the thread, you cannot know what alias received a packet. The
interface gets a packet by its link-layer address, and the alias IP
is nowhere to be found in the IP datagram. So the rules cannot work
the way you want on incoming packets.

It's only worthwhile to discuss outgoing packets. The next-hop IP
address is _definitely_ available to the firewall code. As for the
"source alias" address, it _may_ be available. I've been meaning to
have a closer look at the code, but it has been what has been holding
up my reply. I want to see what address ends up in the ifaddr
structure pointed to in the rtentry; if it's the alias address. If it
is, you could filter outgoing packets in the manner you desire.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From owner-freebsd-ipfw Thu May 23 4:56:28 2002
Date: Thu, 23 May 2002 13:56:51 +0200
From: Alex
Reply-To: Alex
Message-ID: <5011839033.20020523135651@dds.nl>
To: "Tom Beer"
Cc: "Retal", ipfw@freebsd.org
Subject: Re[2]: Ipfw + IPF
In-Reply-To: <002e01c200a8$74d02920$0901a8c0@system>
References: <00b701c200af$0a01c480$668ce650@noused> <002e01c200a8$74d02920$0901a8c0@system>

Hello Tom,

Tuesday, May 21, 2002, 11:18:20 AM, you wrote:

TB> Yes & Yes!

TB> Well.. I have always wondered if it's possible to use both
TB> ipfw and ipf at the same time.. and if it is..
TB> is it effective?

TB> Retal (lirandb@netvision.net.il, retal@retal.co.il)

I use ipfw for traffic shaper inc. needed rules and ipf for my real
firewall.
-- 
Best regards,
 Alex

From owner-freebsd-ipfw Fri May 24 12:35:58 2002
From: "Dizzy"
To: ipfw@freebsd.org
Subject: problem with ipfw
Date: Fri, 24 May 2002 21:35:23 +0900
Message-Id: <20020524213523.M34448@dizzy-online.org>

hi,

I run FreeBSD :
FreeBSD tao.dizzy-online.org 4.5-RELEASE FreeBSD 4.5-RELEASE #2: Thu Mar 14 21:40:45 GMT 2002 ***:/usr/src/sys/compile/TAO i386

My configuration is :
01000 allow ip from 192.0.1.0/24 to 192.0.1.0/24
39999 allow tcp from any to me 80
40001 allow tcp from any to me 443
40009 pipe 1 tcp from me 80 to any limit dst-addr 1
40011 allow tcp from me 443 to any
64999 allow ip from me to any
65000 allow ip from any to any
65535 deny ip from any to any

I want to limit bandwidth and number of connections on my web site.
But sometimes and from some domain, my website is not accessible.
It seems to depend on download size but not sure.

Any idea ? Is my config good ?

thx.
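
Added example, not part of any list message: Python code for the point made in the "ipfw and aliases" reply above, that the alias IP is not in the datagram a host receives. It builds the frame Hop1 would send to 10.0.4.3 over each of the three routes and shows that Hop2 receives identical bytes. The MAC addresses and the ARP table are constructed, and placing the 10.0.x.2 aliases on Hop2's single NIC is an assumption read from the quoted topology.

```python
import socket
import struct

# Constructed sample values (not from the thread). Hop2 has one NIC, so it
# answers ARP for every one of its alias addresses with the same MAC.
HOP1_MAC = bytes.fromhex("020000000001")
HOP2_MAC = bytes.fromhex("020000000002")
ARP_ON_HOP1 = {"10.0.1.2": HOP2_MAC, "10.0.2.2": HOP2_MAC, "10.0.3.2": HOP2_MAC}


def build_frame(src_ip, dst_ip, next_hop, payload=b"data"):
    """Frame Hop1 sends when its route to dst_ip points at next_hop."""
    dst_mac = ARP_ON_HOP1[next_hop]  # the next hop is only used for the ARP lookup
    eth = dst_mac + HOP1_MAC + struct.pack("!H", 0x0800)
    # Minimal IPv4 header: protocol 253 (experimental), checksum left at 0.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     253, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def addresses_seen_by_receiver(frame):
    """Every address field an incoming-packet filter on Hop2 can read."""
    dst_mac, src_mac, _ethertype = struct.unpack("!6s6sH", frame[:14])
    src_ip, dst_ip = struct.unpack("!4s4s", frame[26:34])
    return {"dst_mac": dst_mac.hex(), "src_mac": src_mac.hex(),
            "src_ip": socket.inet_ntoa(src_ip),
            "dst_ip": socket.inet_ntoa(dst_ip)}


def frames_per_route(src_ip="10.0.0.1", dst_ip="10.0.4.3"):
    """One frame per next-hop alias, keyed by the alias address."""
    return {hop: build_frame(src_ip, dst_ip, hop) for hop in ARP_ON_HOP1}


if __name__ == "__main__":
    frames = frames_per_route()
    for hop, frame in frames.items():
        print("via", hop, "->", addresses_seen_by_receiver(frame))
    print("distinct frames on the wire:", len(set(frames.values())))
```

The three frames differ in no field, so a rule evaluated on incoming packets has nothing to match the alias against; only the sending host, which still holds the routing decision, can tell the routes apart.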