Re: ipfw: switching sets does stall the machine

ci0 uhci1] > > > It there a known workaround? > > Details: > Machine : i386 > OS : FreeBSD 11.2-RELEASE-p10 > Command : ipfw set disable 1 2 3 4 5 6 7 8 9 10 11 12 13 14 enable 16 > 17 18 19 20 21 22 23 24 25 26 27 28 29 > Can't speak to this spec

Re: ipfw managing rules - best practice?

.) ipfw -f set 1 flush ipfw set 1 disable ... all your normal rules, prepended by "set 1" ipfw set enable 1 ipfw set swap 1 0 ipfw set disable 1 ipfw -f set 1 flush -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"

Re: Matching rules on ip4/ip6 with udp/tcp

rule (what goes after the interface). You can do just about anything within that section, including a lot of what could be done in the "protocol" and "source address" and "destination address" sections. ​-- Freddie Cash fjwc...@gmail.com

Re: Question that has dogged me for a while.

d allow tcp from any to $PRV_NET out xmit $IIF ​ ​# Block the rest ipfw add deny log ip from any to any in recv $EIF ipfw add deny log ip from any to any in recv $IIF ​ -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list htt

Re: Question that has dogged me for a while.

On Thu, May 4, 2017 at 9:22 AM, Karl Denninger wrote: > Consider the following network configuration. > > > Internet --- Gateway/Firewall -- Inside network (including a > web host) > 70.16.10.1/28 192.168.0.0/24 > > The address of the outside is

High intr CPU % and slow throughput

any /boot/loader.conf or /etc/sysctl.conf entries to see if my optimisations are actually pessimisations. -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe

Re: High intr CPU % and slow throughput

public IPs only). Optimisation work is just now beginning. :) -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to freebsd-ipfw-unsubscr

Re: IPFW rule sets and automatic rule numbering

allows you to load updated rules without disconnecting anyone or dropping any packets: disable set 1 load rules into set 1 enable set 1 swap set 1 0 disable set 1 I understand how everything works a little bit better now. Thanks for all the help and pointers and discussion. -- Freddie

Re: IPFW rule sets and automatic rule numbering

On Sep 14, 2014 3:37 AM, Willem Jan Withagen w...@digiware.nl wrote: On 13-9-2014 21:51, Freddie Cash wrote: You can replicate it using 3 rules, loaded into two sets: ipfw set disable 1 ipfw add allow ip from any to any ipfw add 65524 allow ip from any to any ipfw add allow ip from

Re: IPFW rule sets and automatic rule numbering

You can replicate it using 3 rules, loaded into two sets: ipfw set disable 1 ipfw add allow ip from any to any ipfw add 65524 allow ip from any to any ipfw add allow ip from any to any ipfw set swap 1 0 Run that two or 3 times. Every rule will be numbered 65534 after the 2nd or 3rd run. I

IPFW rule sets and automatic rule numbering

in recv igb0 Then swap the rules at the end using: ipfw set swap 1 0 Is there anything I could be doing differently to get the numbering to work the way I expect it to? Or am I going to have to manually number every rule in my scripts? -- Freddie Cash fjwc...@gmail.com

Re: IPFW rule sets and automatic rule numbering

Forgot to mention, this is 64-bit FreeBSD 10.0-RELEASE-p7, using Intel i350-T4 (igb) NICs. -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail

Re: feature of `packet per second`

want to use dummynet(4). -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: IPFW Table Size

the difference between: ipfw add 05000 skipto tablearg ip from any to me in recv $if_wan lookup src-ip $table_number ipfw add 05000 skipto tablearge ip from table\($table_number\) to my in recv $if_wan -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw

Re: IPFW Table Size

the packet to it. Interesting. This would cleanup the syntax of my rules-creation scripts and make it easier to manually type rules at the CLI. Anyone feel like updating the man page to make the syntax easier to understand, and to provide some usage examples? ;) -- Freddie Cash fjwc...@gmail.com

Re: Problem with passive ftp in IPFW!

like FTP connections. It's a much smaller range. There's also FTP NAT tracking modules for IPFW, but I've never personally used any of them. -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman

Re: soft-cap,

set hard limits on the bandwidth. And queues provide minimum guarantees for bandwidth inside of that pipe. -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe

Re: Problems with ipfw in FreeBSD 8.0 / amd64

the problem, or will the problem still be there? Also, I know this a volunteer effort so I have no right to be pushy, but is there any ETR on this so that I can start tracking RELENG_8 again? Use RELENG_8_0. That's the security branch for 8.0-RELEASE. -- Freddie Cash fjwc...@gmail.com

Re: rule 00000.

. IOW, nothing to worry about unless you have plans to upgrade to 8-STABLE. :) -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to freebsd-ipfw

Re: Unified rc.firewall ipfw me/me6 issue

version. me4 should be any IPv4 address configured on any interface. me6 should be any IPv6 address configured on any interface. Having just me and me6 is inconsistent and illogical, Jim. ;) -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org

Re: Dansguardian, nat, ipfw

will forward the requests to, and receive the responses from. -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to freebsd-ipfw-unsubscr

Re: ipfw: install_state: entry already present, done

? -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: Rules processing in ipfw: processing ends with rule 65535 or first match?

Okay, so my understanding was (mostly) correct. Thanks for the extra info. -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to freebsd-ipfw

Re: Does ipfw support interface groups?

this. :) Thanks again, Luigi!! -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: Does ipfw support interface groups?

different is the incoming interface has been a pain ... Thanks for the info!! -- Freddie Cash fjwc...@gmail.com ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to freebsd

Re: Does ipfw support interface groups?

On Thu, May 21, 2009 at 9:41 AM, Steve Bertrand st...@ibctech.ca wrote: Freddie Cash wrote: On Thu, May 21, 2009 at 8:01 AM, Luigi Rizzo ri...@iet.unipi.it wrote: On Thu, May 21, 2009 at 04:20:48PM +0200, Ermal Lu?i wrote: can ipfw use somehow interface groups as pf(4) can? From a quick

Re: ipfw (dummynet) adds delay, but not configured to do so

On March 4, 2009 1:14 pm Luigi Rizzo wrote: On Wed, Mar 04, 2009 at 10:05:53PM +0100, Sebastian Mellmann wrote: On Wed, Mar 04, 2009 at 08:17:05PM +0100, Sebastian Mellmann wrote: the delay that a packet experiences corresponds to len/bandwidth, often rounded up to the next clock tick

Re: IPFW / if_bridge / NAT

restricting your rules to only the vr1 interfaces, with public IP configured directly on vr1: divert natd ip from 192.168.1.0/24 to any out xmit vr1 divert natd ip from any to public IP in recv vr1 -- Freddie Cash [EMAIL PROTECTED] ___ freebsd-ipfw

Re: IPFW update frequency

troubleshooting connection issues, the rules could be reloaded several times over 10 minutes. We've moved away from adding rules dynamically, preferring to add rules to the script and reload them all. Keeps the rules in memory in sync with the rules on disk. Otherwise, no. :) -- Freddie Cash