From: Sean McNeil <sean@mcneil.com>
To: current@freebsd.org
Date: Thu, 11 Nov 2004 05:25:23 -0800
Subject: natd broken for days
Message-Id: <1100179523.21180.8.camel@server.mcneil.com>

It has been reported that both amd64 and i386 architectures will panic in natd by jumping to address 0. There has been no discussion since the reports, however, and I was wondering if anyone is looking into it. Should I file a bug report?

I have nothing special, just turned on some options in the kernel and some things in rc.conf...

config file:

options BRIDGE              # bridge ethernet adapters
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPDIVERT

/etc/rc.conf:

firewall_enable="YES"
firewall_type="/etc/fw/rc.firewall.rules"
firewall_quiet="NO"
natd_enable="YES"
natd_flags="-f /etc/fw/natd.conf"
natd_interface="dc0"

/etc/fw/rc.firewall.rules:

# set and flush all rules on start
-q flush
# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow all from any to any via lo0
add 00110 deny all from any to 127.0.0.0/8
add 00120 deny all from any to any not verrevpath in
add 00301 allow all from me to 192.168.1.0/24 via dc0
add 00302 deny all from any to 10.0.0.0/8 via dc0
add 00303 deny all from any to 172.16.0.0/12 via dc0
add 00304 deny all from any to 192.168.0.0/16 via dc0
# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd all from any to me in via dc0
add 01001 check-state
add 03001 allow all from 192.168.1.0/24 to me via dc0
add 03002 deny all from 10.0.0.0/8 to any via dc0
add 03003 deny all from 172.16.0.0/12 to any via dc0
add 03004 deny all from 192.168.0.0/16 to any via dc0
add 03005 deny all from 66.159.66.56/29 to any via dc0
# Allow TCP through if setup succeeded
add 04000 pass tcp from any to any established
# Allow IP fragments to pass through
add 04010 pass all from any to any frag
# allow all traffic from the local net to the router
add 04100 allow all from 192.168.10.0/24 to me in via re0
# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 all from 192.168.10.0/24 to any in via re0 keep-state
# allow all outgoing traffic from the router
add 05000 allow all from me to any out via re0
add 05010 allow all from me to any out keep-state
add 60000 skipto 62000 all from any to any
# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd all from 192.168.10.0/24 to any out via dc0
# this is a good packet
add 62000 allow all from any to any

/etc/fw/natd.conf:

unregistered_only
use_sockets
# dynamically open fw for ftp, irc
punch_fw 2000:50
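A packet walk through the posted ruleset, as an added example that is not part of the original message and not FreeBSD's ipfw code: a small simulator of just the rule features the post relies on (interface, in/out, verrevpath, established, frag, keep-state/check-state, skipto and divert), run over constructed packets. Everything not in the post is an assumption: the router's addresses (203.0.113.10, a documentation address, stands in for the real dc0 address; 192.168.10.1 is assumed on re0), the sample packets, dynamic state keyed on protocol plus the unordered address pair without ports, and divert treated as the end of the trace rather than re-injection of the translated packet.

```python
# Added example, not the poster's code: walk constructed packets through the ipfw
# ruleset above. Assumed: the ME address set (203.0.113.10 is a documentation address
# standing in for the real dc0 address); state keyed on protocol plus address pair,
# ignoring ports; a check-state hit runs the creating rule's action; divert ends the trace.
import ipaddress
from collections import namedtuple
RULESET = """
add 00100 allow all from any to any via lo0
add 00110 deny all from any to 127.0.0.0/8
add 00120 deny all from any to any not verrevpath in
add 00301 allow all from me to 192.168.1.0/24 via dc0
add 00302 deny all from any to 10.0.0.0/8 via dc0
add 00303 deny all from any to 172.16.0.0/12 via dc0
add 00304 deny all from any to 192.168.0.0/16 via dc0
add 01000 divert natd all from any to me in via dc0
add 01001 check-state
add 03001 allow all from 192.168.1.0/24 to me via dc0
add 03002 deny all from 10.0.0.0/8 to any via dc0
add 03003 deny all from 172.16.0.0/12 to any via dc0
add 03004 deny all from 192.168.0.0/16 to any via dc0
add 03005 deny all from 66.159.66.56/29 to any via dc0
add 04000 pass tcp from any to any established
add 04010 pass all from any to any frag
add 04100 allow all from 192.168.10.0/24 to me in via re0
add 04109 skipto 61000 all from 192.168.10.0/24 to any in via re0 keep-state
add 05000 allow all from me to any out via re0
add 05010 allow all from me to any out keep-state
add 60000 skipto 62000 all from any to any
add 61000 divert natd all from 192.168.10.0/24 to any out via dc0
add 62000 allow all from any to any
"""
ME = {"203.0.113.10", "192.168.10.1"}            # assumed router addresses (dc0, re0)
Packet = namedtuple("Packet", "proto src dst iface direction established frag rp_ok",
                    defaults=(False, False, True))  # rp_ok: outcome of the verrevpath check
Rule = namedtuple("Rule", "num action arg proto src dst opts")

def parse_rule(line):
    t = line.split()          # add NUM ACTION [ARG] PROTO from SRC to DST OPTS...
    if t[2] == "check-state":
        return Rule(int(t[1]), t[2], "", "all", "any", "any", [])
    i = 4 if t[2] in ("divert", "skipto") else 3
    return Rule(int(t[1]), t[2], t[3] if i == 4 else "", t[i], t[i + 2], t[i + 4], t[i + 5:])

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def opts_match(opts, p):
    flags = {"in": p.direction == "in", "out": p.direction == "out", "frag": p.frag,
             "verrevpath": p.rp_ok, "established": p.established}
    i, negate = 0, False
    while i < len(opts):
        o, i = opts[i], i + 1
        if o in ("not", "keep-state"):          # keep-state's side effect is applied in trace()
            negate = negate or o == "not"
            continue
        if o == "via":
            ok, i = p.iface == opts[i], i + 1
        else:
            ok = flags[o]
        if ok == negate:                        # plain-and-false or negated-and-true
            return False
        negate = False
    return True

def matches(r, p):
    return (r.proto in ("all", "ip", p.proto) and addr_match(r.src, p.src)
            and addr_match(r.dst, p.dst) and opts_match(r.opts, p))

class Firewall:
    def __init__(self, text):
        rules = (parse_rule(l) for l in text.splitlines() if l.startswith("add "))
        self.rules, self.state = sorted(rules, key=lambda r: r.num), {}  # state: flow -> creating rule

    def trace(self, p):
        """Return (verdict, [rule numbers visited]) for one packet."""
        key, path, i = (p.proto, frozenset((p.src, p.dst))), [], 0
        while i < len(self.rules):
            r = self.rules[i]
            if r.action == "check-state" and key in self.state:
                path.append(r.num)
                r = self.state[key]             # dynamic hit: run the creating rule's action
            elif r.action == "check-state" or not matches(r, p):
                i += 1
                continue
            path.append(r.num)
            if "keep-state" in r.opts:
                self.state[key] = r
            if r.action == "skipto":
                i = next((k for k, x in enumerate(self.rules) if x.num >= int(r.arg)), len(self.rules))
                continue
            return {"allow": "allow", "pass": "allow", "deny": "deny",
                    "divert": "divert " + r.arg}[r.action], path
        return "deny (default)", path

def demo():
    """Constructed packets: a LAN host's SYN to an Internet host, and two inbound packets on dc0."""
    fw = Firewall(RULESET)
    syn = ("tcp", "192.168.10.5", "198.51.100.7")
    return {
        "lan_in_re0": fw.trace(Packet(*syn, "re0", "in")),     # 04109 keeps state; 61000 needs "out"
        "lan_out_dc0": fw.trace(Packet(*syn, "dc0", "out")),   # check-state replays the skipto -> natd
        "lan_out_dc0_no_state": Firewall(RULESET).trace(Packet(*syn, "dc0", "out")),  # 03004 stops it
        "inet_to_router": fw.trace(Packet("tcp", "198.51.100.7", "203.0.113.10", "dc0", "in")),
        "spoofed_bad_rp": fw.trace(Packet("udp", "10.1.2.3", "203.0.113.10", "dc0", "in", rp_ok=False)),
    }
```

Calling demo() shows the mechanism the ruleset depends on: a LAN packet entering re0 matches 04109, which records state and skips to 61000, but 61000 only matches "out via dc0", so the packet falls through to 62000; when the same packet leaves on dc0, check-state at 01001 replays 04109's skipto and 61000 hands it to natd. With no dynamic entry the outgoing copy is stopped by 03004 instead, so a private source cannot leave dc0 untranslated. Inbound packets on dc0 addressed to the router reach the divert at 01000 before the 03002 to 03005 source checks, and a source that fails verrevpath is dropped at 00120. The simulator does not run natd, so it says nothing about the panic the message reports.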