From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 13 13:34:40 2013
Date: Sat, 13 Apr 2013 15:34:39 +0200
From: Spil Oss
Reply-To: spil.oss@gmail.com
To: freebsd-ipfw@freebsd.org
Subject: Problems with ipfw/natd and axe(4)
List-Id: IPFW Technical Discussions

Hi All,

I can't use ipfw with natd with my ASIX AX88772B USB NIC.

ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset):

00010 allow ip from any to me dst-port 22 recv ue0
00010 allow tcp from me 22 to any xmit ue0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 deny ip from 10.16.2.1 to any in via ue0
01200 deny ip from 172.17.2.111 to any in via re0
01300 deny ip from any to 10.0.0.0/8 via ue0
01500 deny ip from any to 192.168.0.0/16 via ue0
01600 deny ip from any to 0.0.0.0/8 via ue0
01700 deny ip from any to 169.254.0.0/16 via ue0
01800 deny ip from any to 192.0.2.0/24 via ue0
01900 deny ip from any to 224.0.0.0/4 via ue0
02000 deny ip from any to 240.0.0.0/4 via ue0
02100 divert 8668 ip4 from any to any via ue0
02200 deny ip from 10.0.0.0/8 to any via ue0
02400 deny ip from 192.168.0.0/16 to any via ue0
02500 deny ip from 0.0.0.0/8 to any via ue0
02600 deny ip from 169.254.0.0/16 to any via ue0
02700 deny ip from 192.0.2.0/24 to any via ue0
02800 deny ip from 224.0.0.0/4 to any via ue0
02900 deny ip from 240.0.0.0/4 to any via ue0
03000 allow tcp from any to any established
03100 allow ip from any to any frag
03200 allow tcp from any to me dst-port 22 setup
03300 allow tcp from any to me dst-port 25 setup
03400 allow tcp from any to me dst-port 465 setup
03500 allow tcp from any to me dst-port 587 setup
03600 allow tcp from any to me dst-port 80 setup
03700 allow tcp from any to me dst-port 443 setup
03800 deny log logamount 5 ip4 from any to any in via ue0 setup proto tcp
03900 allow tcp from any to any setup
04000 allow udp from me to any dst-port 53 keep-state
04100 allow udp from me to any dst-port 123 keep-state
04200 allow ip from any to any dst-port 22 recv ue0
65535 deny ip from any to any

If I remove rule 10 it will NOT work with ue0; the same ruleset without rule 10 DOES work with re0 on the same machine (re0 as external and ue0 as internal NIC).

If I connect from the gateway on 172.17.2.1 to the ssh server on this machine, I can see the ACK and SYN+ACK, but there's no ACK from the client to the server to establish the TCP session. The only difference I could find was that the checksum was incorrect.

I found an older PR, kern/170081, about fxp having trouble with nat when rxcsum/txcsum was enabled. That is why I started fiddling with rxcsum/txcsum, and found that the NIC is unusable/dead without rxcsum/txcsum enabled, so this was not an option.

# ifconfig ue0
ue0: flags=8843 metric 0 mtu 1500
	options=8000b
	ether 00:60:6e:42:5b:53
	inet6 fe80::260:6eff:fe42:5b53%ue0 prefixlen 64 scopeid 0x7
	inet 172.17.2.111 netmask 0xffffff00 broadcast 172.17.2.255
	nd6 options=21
	media: Ethernet autoselect (100baseTX )
	status: active

Any suggestions or pointers?

Kind regards,

Spil.
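An added example, not part of the post above and not code from FreeBSD, ipfw or natd: it builds IPv4/TCP packets, verifies their checksums the way a receiver does, applies the incremental checksum update (RFC 1624) that a NAT performs when it rewrites source address and port, and models the "bad checksum" that a capture on the sending host shows while TX checksum offload is enabled (the stack leaves only the pseudo-header sum in the TCP checksum field and the NIC completes it; this is modelled here, not read from the driver). The addresses, ports and payload are constructed for the example and only mirror the ones in the post. The practical caveat for the observation above: a checksum that looks wrong in tcpdump on the host with txcsum on is expected for outgoing segments; only a capture taken on the peer (here the gateway at 172.17.2.1) shows whether the checksum is really wrong on the wire.

```python
"""Editor's example (not from the post): IPv4/TCP checksum build, verify,
NAT-style incremental update (RFC 1624), and a TX-offload placeholder model.
All packets below are constructed in this file."""
import socket
import struct

TCP = socket.IPPROTO_TCP


def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(w for (w,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, TCP, tcp_len)


def build_packet(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, payload=b"") -> bytes:
    """IPv4 header + TCP header (no options) + payload, both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo_header(src, dst, len(tcp)) + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify(packet: bytes) -> dict:
    """Receiver-side check: the sum over data including its checksum field folds to 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    return {
        "ip_ok": checksum(ip) == 0,
        "tcp_ok": checksum(pseudo_header(ip[12:16], ip[16:20], len(tcp)) + tcp) == 0,
    }


def incremental_update(old_csum: int, old_words: bytes, new_words: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), over 16-bit aligned, even-length fields."""
    total = ((~old_csum) & 0xFFFF) \
        + ones_complement_sum(bytes(b ^ 0xFF for b in old_words)) \
        + ones_complement_sum(new_words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def nat_rewrite(packet: bytes, new_src_ip: str, new_sport: int) -> bytes:
    """What a NAT does to an outbound segment: rewrite source address and port
    and fix the IP and TCP checksums incrementally instead of recomputing them."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    old_src, new_src = bytes(ip[12:16]), socket.inet_aton(new_src_ip)
    old_sport, new_sport_b = bytes(tcp[0:2]), struct.pack("!H", new_sport)
    ip[12:16] = new_src
    ip[10:12] = struct.pack("!H", incremental_update(struct.unpack("!H", ip[10:12])[0], old_src, new_src))
    tcp[0:2] = new_sport_b
    # The TCP checksum covers the pseudo-header (source address) and the source port.
    tcp[16:18] = struct.pack("!H", incremental_update(
        struct.unpack("!H", tcp[16:18])[0], old_src + old_sport, new_src + new_sport_b))
    return bytes(ip + tcp)


def with_tx_offload_placeholder(packet: bytes) -> bytes:
    """Assumed model of a segment captured on the sending host while TX checksum
    offload is on: the checksum field holds only the uncomplemented pseudo-header
    sum and the NIC finishes it, so a local capture reports a bad checksum."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    tcp[16:18] = struct.pack("!H", ones_complement_sum(pseudo_header(packet[12:16], packet[16:20], len(tcp))))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    synack = build_packet("172.17.2.111", "172.17.2.1", 22, 51234, 0x12, seq=1000, ack=1)
    print("on the wire:", verify(synack))
    print("as seen locally with txcsum on:", verify(with_tx_offload_placeholder(synack)))
    inner = build_packet("10.16.2.50", "198.51.100.10", 40000, 443, 0x18, seq=7, ack=9, payload=b"constructed payload")
    print("after NAT rewrite:", verify(nat_rewrite(inner, "172.17.2.111", 61000)))
```

Running it shows the two cases side by side: the SYN+ACK as built validates, the same segment with the offload placeholder fails only the TCP check, and a NAT-rewritten segment validates and is byte-for-byte identical to one built directly with the translated address and port, which is the property natd relies on when it adjusts checksums in place.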