From: Jonas Bülow <freebsd@jongel.net>
To: FreeBSD-stable@FreeBSD.org
Date: Sat, 25 Apr 2009 16:19:34 +0200
Subject: ipfilter seems to be broken on 7.2-PRERELEASE as of April 25th 2009.

Hi,

Today I updated one of my servers tracking freebsd 7-stable (7.2-PRERELEASE #3: Sat Apr 25 10:01:00 CEST 2009). After reboot it was not reachable from the network. After some troubleshooting I found that ipfilter seems to be the problem.
Returning traffic originating from my host (XXX) is blocked:

    Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.766972 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,62539 PR udp len 20 72 IN bad NAT
    Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.804447 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,57266 PR udp len 20 534 IN bad NAT

Comparing with the ipfilter log from before the upgrade, there were no "IN bad NAT" log entries before the upgrade.

My active ipfilter rules are:

    block in log on fxp0 all
    pass out quick on fxp0 proto tcp from XXX/32 to any flags S/SAFR keep state
    pass out quick on fxp0 proto udp from XXX/32 to any keep state
    pass out quick on fxp0 proto icmp from XXX/32 to any keep state

My NAT rules are:

    map fxp0 10.1.0.0/24 -> XXX/32 proxy port ftp ftp/tcp
    map fxp0 10.1.0.0/24 -> XXX/32 portmap tcp/udp 1025:65500
    map fxp0 10.1.0.0/24 -> XXX/32

Anyone seen this behaviour?

Regards,
Jonas
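A small parser for the ipmon(8) lines quoted in the post, added here as an example and not part of Jonas's message or of FreeBSD: it extracts the fields ipmon logs and tallies blocked "IN bad NAT" entries per interface and source, which is the before/after comparison the post does by hand. The first two sample lines are the ones quoted above, the third is a constructed "pass" line for contrast; the field layout in the regex is assumed from those lines and the optional TCP-flags field is an assumption.

```python
import re
from collections import Counter

# Sample ipmon(8) output. Lines 1-2 are the entries quoted in the post;
# line 3 is constructed here to show a passed outbound packet.
SAMPLE_LOG = """\
Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.766972 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,62539 PR udp len 20 72 IN bad NAT
Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.804447 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,57266 PR udp len 20 534 IN bad NAT
Apr 25 15:15:24 jongel ipmon[624]: 15:15:24.100000 fxp0 @0:2 p 10.1.0.254,62540 -> 193.13.15.11,53 PR udp len 20 60 OUT
"""

# Field layout assumed from the quoted lines: timestamp, interface,
# @group:rule, action letter (b = block, p = pass), src,port -> dst,port,
# PR proto, len <header> <packet>, optional TCP flags (assumed, e.g. " -S"),
# direction, then any trailing keywords such as "bad NAT".
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[A-Za-z]) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?: -\S+)? (?P<dir>IN|OUT)(?P<extra>.*)$"
)


def parse_ipmon(text):
    """Return one dict per parsable ipmon line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["extra"] = rec["extra"].strip()
            records.append(rec)
    return records


def bad_nat_summary(records):
    """Count blocked packets tagged 'bad NAT', keyed by (iface, src, proto, dir)."""
    counts = Counter()
    for r in records:
        if r["action"] == "b" and "bad NAT" in r["extra"]:
            counts[(r["ifname"], r["src"], r["proto"], r["dir"])] += 1
    return counts


def new_bad_nat_keys(before_log, after_log):
    """Keys that only show up after an upgrade: the check the post made by eye."""
    before = bad_nat_summary(parse_ipmon(before_log))
    after = bad_nat_summary(parse_ipmon(after_log))
    return {k: n for k, n in after.items() if k not in before}
```

Feed it the pre-upgrade and post-upgrade ipmon logs to get only the (interface, source, protocol, direction) combinations whose "bad NAT" blocks are new.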