search for: ipfilt

hi all i'm trying to get ipfilter set up on my new 5.1-RELEASE box. ipfilter seems to be working fine. i just have a couple of issues that are probably not very serious... one thing is that during network startup at boot, i get the message IPFilter: already initialized repeated 4 times. i think i have everything configured prop...

Hi. On my FreeBSD 4.8 configured IPFW2+IPF+IPNAT and I use them all: - IPFW - traffic accounting, shaping, balancing and filtering; - IPFilter - policy routing; - IPNAT - masquerading. I want to know, how IP-packets flow through all of this components? What's the path? incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ? outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ? Is t...

Hello all, I want to learn about requirements if I want to protect gigabit network with ipfilter as transparent firewall. Which type of hardware is required to install FreeBSD + ipf (as transparancy ) . We use 3 gigabit ethernet to protection which type of gigabit ethernet carts are powerfull. Also, what about the NMBCLUSTERS , IPSTATE_SIZE and IPSTATE_MAX in ip_state.h. I want to collect a...

...x only: spdadd 172.17.0.0/24 $REDHAT/32 any -P out ipsec esp/tunnel/$MYADDR-$REDHAT/unique; spdadd $REDHAT/32 172.17.0.0/24 any -P in ipsec esp/tunnel/$REDHAT-$MYADDR/unique; What I want to do is prohibit traffic from $REDHAT to 172.17.0.7, the internal address of this FreeBSD box. I'm using IPFilter, so I inserted a rule like this: block in log quick from any to 172.17.0.7 It is not attached to any interface, so it should supposedly work even for tunnelled traffic. Only it doesn't. I tried using GIF devices, but could not get them to work with FreeS/WAN 1.95. Did anybody accompl...

...nable-time-hack CONFIGURE_ARGS+= --enable-forw-via-db CONFIGURE_ARGS+= --enable-ipf-transparent CONFIGURE_ARGS+= --disable-ident-lookups CONFIGURE_ARGS+= --enable-underscores The configure script does not locate IPF's header files. I had to manually copy them over: # cp -p /usr/src/sys/contrib/ipfilter/netinet/*.h /usr/include/netinet/ Squid then built fine. Should these header files be installed with the world? Or should squid's port be modified to include /usr/src/sys/include/ipfilter ? --------------------------------------- Robin P. Blanchard Systems Integration Specialist Georgia C...

I've found out from two different kernel configs that after properly compling kernel with IPFILTER support it causes the system not to boot. Its hard to say, what exactly it does, cause its not a local system. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to &...

Hello I am trying to set up a backup server running Solaris 8 with rsync 2.5.5 and ipfilter the latest version. The problem i have is i have about 16 different interfaces that are secured via ipfilter , and i tried running rsync via rsh but ipfilter would not set up a keepstate with rsh which meant i had to open up and that is not acceptable. So what i tried then was via ssh and that wo...

Hi all. I didn't find any thread discussing it, sorry if I am re-posting the same subject. Is there a way to check the ipfilter/ipfw out-flow with bridge? Is it implemented? I've heard its not done due a performance issue (it's writen in ipf-howto), but performance is not the main goal for me in this single situation. I would like to have the stateful firewall and the bridge _fully_ working together. Best regard...

...about some parts of the subject. I have seen older messages in archives. Regularly the same questions seem to come up. I have not found an all-including description of the answer to s.th. like: "Can anybody tell me the order packets get processed in kernel related to IPSec, NAT/divert, ipfw, ipfilter, ... for incoming, outgoing, forwarding... ?". What about bpf, ... ? Is there any chance that some of the gurus can draw one or more ascii arts or xfig or whatever images that show the in kernel packet flow/processing ? Perhaps the doc project would also be happy to include it in the handb...

...ault disabled svc:/network/routing/route:default disabled svc:/network/routing/rdisc:default disabled svc:/network/routing/legacy-routing:ipv6 disabled svc:/network/routing/legacy-routing:ipv4 tim at ghost:~# svcs ipfilter bridge route STATE STIME FMRI disabled 18:43:07 svc:/network/routing/route:default online 18:43:36 svc:/network/bridge:bridge online 19:19:31 svc:/network/ipfilter:default Am I missing something here? -- This message posted from opensolaris.org

...o such file or directory^M In file included from /usr/obj/usr/src/i386/usr/include/dev/firewire/@/i386/include/i4b_isppp.h:43,^M from :49:^M /usr/obj/usr/src/i386/usr/include/netinet/ip.h:68: warning: `IP_MF' redefined^M /usr/obj/usr/src/i386/usr/include/dev/firewire/@/contrib/ipfilter/netinet/ip_compat.h:835: warning: this is the locati on of the previous definition^M /usr/obj/usr/src/i386/usr/include/netinet/ip.h:170: warning: `IPOPT_SECUR_UNCLASS' redefined^M /usr/obj/usr/src/i386/usr/include/dev/firewire/@/contrib/ipfilter/netinet/ip_compat.h:883: warning: this is the l...

...3:22 UTC > > FreeBSD src repository > > Modified files: (Branch: RELENG_7) > contrib/pf/pfctl parse.y > lib/libc/sys Symbol.map getsockopt.2 > sbin/ipfw ipfw.8 ipfw2.c > sys/conf NOTES options > sys/contrib/ipfilter/netinet ip_fil_freebsd.c > sys/contrib/pf/net pf.c pf_ioctl.c > sys/kern init_sysent.c sys_socket.c syscalls.c > syscalls.master systrace_args.c > uipc_socket.c vfs_export.c > sys/net if.c if_a...

In http://docs.freebsd.org/cgi/mid.cgi?200402260743.IAA18903 it seems RELENG_4 is vulnerable. Is there any work around to a system that has to have ports open ? Version: 1 2/18/2004@03:47:29 GMT >Initial report > <<https://ialert.idefense.com/KODetails.jhtml?irId=207650>https://ialert.idefense.com/KODetails.jhtml?irId=207650; >ID#207650: >FreeBSD Memory Buffer

I want to run a non-global zone as a virtual router and run ipnat inside the non-global zone, however, when I try to enable routing it can''t find route:default or network/ipfilter. I''m using exclusive IP inside the zones and using OpenSolaris 2008.11 build 110. I''ve tried sparse root and whole root zones without success. I''ve read blogs and posts and documentation where it states you can run a virtual router in a non-global zone and run ipnat i...

Hi, After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd with tag RELENG_4_8), the machine cannot be ping'd by others on the same network. In addition, the machine cannot ping itself. ping localhost (or 127.0.0.1) -> no route to host ping itself with its own ip addres...

Hi, After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd with tag RELENG_4_8), the machine cannot be ping'd by others on the same network. In addition, the machine cannot ping itself. ping localhost (or 127.0.0.1) -> no route to host ping itself with its own ip addres...

We're supposed to provide redundant firewall service. I'm wondering if anyone has ever tried to do this and if it's realistic. Basically 2 firewall machines hooked up so if one fails the other will transparently step in. I've googled it to death without much luck. The security issue here lies in that the 2 firewalls can't talk to each other. So if I'm keeping state on

Hi all, Link protection is a new feature we are planning to introduce to Solaris and we would like to solicit your feedback on it. Please see attached document for details.

...-Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -nostdinc -I- -I. -I/vol/vol0/users/des/tinderbox/RELENG_4/i386/pc98/src/sys -I/vol/vol0/users/des/tinderbox/RELENG_4/i386/pc98/src/sys/../include -I/vol/vol0/users/des/tinderbox/RELENG_4/i386/pc98/src/sys/contrib/ipfilter -D_KERNEL -include opt_global.h -mpreferred-stack-boundary=2 /vol/vol0/users/des/tinderbox/RELENG_4/i386/pc98/src/sys/kern/tty_tty.c cc -c -O -pipe -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ans...

...ing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -nostdinc -I- -I. -I/vol/vol0/users/des/tinderbox/RELENG_4/alpha/alpha/src/sys -I/vol/vol0/users/des/tinderbox/RELENG_4/alpha/alpha/src/sys/../include -I/vol/vol0/users/des/tinderbox/RELENG_4/alpha/alpha/src/sys/contrib/ipfilter -D_KERNEL -include opt_global.h -mno-fp-regs -Wa,-mev56 /vol/vol0/users/des/tinderbox/RELENG_4/alpha/alpha/src/sys/vm/vm_glue.c cc -c -O -pipe -mcpu=ev4 -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions...