From owner-freebsd-ipfw Tue Apr 4 18:41:43 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from MailAndNews.com (MailAndNews.com [199.29.68.160]) by hub.freebsd.org (Postfix) with ESMTP id CE87537B96F for ; Tue, 4 Apr 2000 18:41:38 -0700 (PDT) (envelope-from mheffner@mailandnews.com)
Received: from muriel.penguinpowered.com [208.138.199.92] (mheffner@mailandnews.com); Tue, 4 Apr 2000 21:41:37 -0400
X-WM-Posted-At: MailAndNews.com; Tue, 4 Apr 00 21:41:37 -0400
Content-Length: 1923
Message-ID:
X-Mailer: XFMail 1.4.4 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Tue, 04 Apr 2000 21:41:05 -0400 (EDT)
Reply-To: Mike Heffner
From: Mike Heffner
To: freebsd-ipfw@freebsd.org
Subject: Problems with natd
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

I recently upgraded my router from about a month old current. I have noticed
that natd (or something related) has stopped working though. On my system I
have

  ed0 - outside interface to cable modem
  ep0 - inside to private network

Using the following three ipfw entries:

  allow ip from any to any via ep0
  divert natd from any to any via ed0
  allow ip from any to any

I am unable to use TCP,UDP services out of the ed0 line (like telnetting to a
server on the internet). I am also unable to telnet or ftp into the box from
the private lan (it should be passed with the first ipfw rule). NOW, if I
remove the "divert natd" line I can use TCP,UDP services out of the server on
ed0 and I'm also able to connect to the box from the internal network.
Strangely, I am able to send ICMP requests with and without natd running. If I
run natd with the verbose flag and also do some tcpdump-ing, I notice that when
I have natd running the packets seem to be going out the ed0 line fine, but
there are no response packets returning (unless they are being silently
dropped).
Since I had recently replaced my "ed1" (internal network) card with the "ep0" I
thought that maybe it was a bad card, but when I turn off natd, everything
works fine. Other than the card switch, I haven't changed any other settings or
anything, and I believe I have made all ed1->ep0 changes that are necessary in
config files and such.

Has anyone else noticed these problems, or is this just a dumb user problem :| ?
Is there anything that I missed that could be causing these problems?

Thanks, let me know if there is any more information I can provide

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA    ICQ# 882073    *
 * Sent at: 04-Apr-2000 -- 21:21:32 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Apr 4 20:17:22 2000
Date: Tue, 4 Apr 2000 23:17:11 -0400
From: "Crist J. Clark"
To: Mike Heffner
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Problems with natd
Message-ID: <20000404231711.A40889@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
In-Reply-To: ; from mheffner@mailandnews.com on Tue, Apr 04, 2000 at 09:41:05PM -0400
X-Mailer: Mutt 1.0i

On Tue, Apr 04, 2000 at 09:41:05PM -0400, Mike Heffner wrote:
> Hi,
>
> I recently upgraded my router from about a month old current.
> I have noticed that natd (or something related) has stopped working though.
> On my system I have
>
> ed0 - outside interface to cable modem
> ep0 - inside to private network
>
> Using the following three ipfw entries:
>
> allow ip from any to any via ep0
> divert natd from any to any via ed0

ITYM, "divert natd ip from any to any via ed0"

> allow ip from any to any

[snip]

> Has anyone else noticed these problems, or is this just a dumb user problem :| ?
> Is there anything that I missed that could be causing these problems?

I assume you upgraded to 4.0-STABLE? No, I have not noticed anything
like this.

> Thanks, let me know if there is any more information I can provide

Let's get it all,

  % grep natd /etc/rc.conf
  % if [ -f /etc/natd.conf ]; then cat /etc/natd.conf; fi
  % cat /etc/rc.firewall
  % ifconfig -a
  % netstat -rn

If you're feeling a bit paranoid, feel free to mask IP addresses, but
other than that, try to make the output as raw as possible. I think that
covers most everything.

-- 
Crist J. Clark                           cjclark@home.com

From owner-freebsd-ipfw Tue Apr 4 23:04:08 2000
Date: Wed, 05 Apr 2000 02:03:39 -0400 (EDT)
From: Mike Heffner
Reply-To: Mike Heffner
To: cjclark@home.com
Cc: freebsd-ipfw@FreeBSD.ORG, Mike Heffner
Subject: Re: Problems with natd
In-Reply-To: <20000404231711.A40889@cc942873-a.ewndsr1.nj.home.com>
X-Mailer: XFMail 1.4.4 on FreeBSD

On 05-Apr-2000 Crist J. Clark wrote:
|>
|> Using the following three ipfw entries:
|>
|> allow ip from any to any via ep0
|> divert natd from any to any via ed0
|
| ITYM, "divert natd ip from any to any via ed0"

Yep, that's what I meant....human translating problem ;)

|
| I assume you upgraded to 4.0-STABLE? No, I have not noticed anything
| like this.
|

No, like I said I've been tracking current on the box, and I was just about a
month behind on my builds, so from about an early March current to an early
April current.
|> Thanks, let me know if there is any more information I can provide
|
| Let's get it all,
|

This is not my full firewall, network setup, but I have tested it with these
simplified settings (and it still doesn't seem to work):

natd.conf file:

  interface ed0
  same_ports yes
  dynamic yes

ipfw rules:

  00010   176  14949 count log ip from any to any
  00015    24   2634 allow ip from any to any via lo0
  00100     0      0 allow ip from any to any via ep0
  00200     6    248 divert 8668 ip from any to any via ed0
  00300    57   6332 allow ip from any to any
  65535     1     28 deny ip from any to any

$ ifconfig -a
ed0: flags=8843 mtu 1500
        inet a.b.c.d netmask 0xffffff00 broadcast 255.255.255.255
        ether 00:40:05:63:46:3d
ep0: flags=8843 mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:20:af:a1:05:8b
        media: 10baseT/UTP
        supported media: 10baseT/UTP
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

[a.b.c.d == outside, real, ip]

$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            a.b.c.d            UGSc       19       94      ed0
10/24              link#2             UC          0        0      ep0 =>
127.0.0.1          127.0.0.1          UH          1       20      lo0
a.b.c              link#1             UC          0        0      ed0 =>
a.b.c.d            0:d0:58:c7:98:38   UHLW       19        0      ed0   1200

[a.b.c.d == my cable modem router]

also, here is part of a natd verbose output log, first part is successful
ICMP'ing, second is an unsuccessful ftp connect attempt:

Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
           [ICMP] a.b.c.d -> e.f.g.h 8(0)
In  [ICMP] [ICMP] e.f.g.h -> a.b.c.d 0(0) aliased to
           [ICMP] e.f.g.h -> a.b.c.d 0(0)
Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
           [ICMP] a.b.c.d -> e.f.g.h 8(0)
Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
           [ICMP] a.b.c.d -> e.f.g.h 8(0)
Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
           [ICMP] a.b.c.d -> e.f.g.h 8(0)
In  [ICMP] [ICMP] e.f.g.h -> a.b.c.d 0(0) aliased to
           [ICMP] e.f.g.h -> a.b.c.d 0(0)
Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
          [TCP] a.b.c.d:1026 -> e.f.g.h:21
Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
          [TCP] a.b.c.d:1026 -> e.f.g.h:21
Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
          [TCP] a.b.c.d:1026 -> e.f.g.h:21
Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
          [TCP] a.b.c.d:1026 -> e.f.g.h:21

[ a.b.c.d == my ip address
  e.f.g.h == an internet server ip ]

Hope that helps, ...I will probably have more free time later in the week to
try some other combinations and what not, and maybe take a look at the natd
code or something

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA    ICQ# 882073    *
 * Sent at: 05-Apr-2000 -- 00:23:56 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/

From owner-freebsd-ipfw Wed Apr 5 16:15:39 2000
Date: Wed, 05 Apr 2000 20:11:33 -0300
From: "Valmir Filho"
To: freebsd-ipfw@freebsd.org
Subject: MAC Address Restriction
Message-Id: <200004052313.UAA22821@linkexpress.com.br>
X-Mailer: WorldClient Pro 2.0.2

Hi,

Does anyone know any way, or product, to have some kind of filtering using the
client's ethernet MAC Address?
Thanks in advance,

Valmir

From owner-freebsd-ipfw Wed Apr 5 17:11:36 2000
Date: Wed, 5 Apr 2000 18:11:03 -0600 (MDT)
From: Nick Rogness
To: Valmir Filho
Cc: freebsd-ipfw@freebsd.org
Subject: Re: MAC Address Restriction
In-Reply-To: <200004052313.UAA22821@linkexpress.com.br>

On Wed, 5 Apr 2000, Valmir Filho wrote:

> Hi,
>
> Does anyone know any way, or product, to have some kind of filtering
> using the client's ethernet MAC Address ?

	What do you mean by filtering? Firewalling or what? Cisco routers
	have the ability to use access lists on MAC addresses.

Nick Rogness
 - Speak softly and carry a Gigabit switch.

From owner-freebsd-ipfw Wed Apr 5 20:48:34 2000
Date: Wed, 5 Apr 2000 23:48:14 -0400
From: "Crist J. Clark"
To: Valmir Filho
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: MAC Address Restriction
Message-ID: <20000405234814.B2346@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <200004052313.UAA22821@linkexpress.com.br>
In-Reply-To: <200004052313.UAA22821@linkexpress.com.br>; from valmir@linkexpress.com.br on Wed, Apr 05, 2000 at 08:11:33PM -0300
X-Mailer: Mutt 1.0i

On Wed, Apr 05, 2000 at 08:11:33PM -0300, Valmir Filho wrote:
> Hi,
>
> Does anyone know any way, or product, to have some kind of filtering
> using the client's ethernet MAC Address ?

I believe you can use manually added permanent entries in the ARP table
(using arp(8)) and then turn off ARP on an interface (see ifconfig(8))
to get a very basic level of filtering.

-- 
Crist J. Clark                           cjclark@home.com

From owner-freebsd-ipfw Thu Apr 6 13:56:43 2000
Date: Thu, 6 Apr 2000 16:56:28 -0400
From: "Crist J. Clark"
To: Mike Heffner
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Problems with natd
Message-ID: <20000406165628.C4198@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <20000404231711.A40889@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: ; from mheffner@mailandnews.com on Wed, Apr 05, 2000 at 02:03:39AM -0400
X-Mailer: Mutt 1.0i

On Wed, Apr 05, 2000 at 02:03:39AM -0400, Mike Heffner wrote:
[snip]
> natd.conf file:
>
> interface ed0
> same_ports yes
> dynamic yes

Seems OK. I always like to add "unregistered_only."

> ipfw rules:
>
> 00010   176  14949 count log ip from any to any
> 00015    24   2634 allow ip from any to any via lo0
> 00100     0      0 allow ip from any to any via ep0
> 00200     6    248 divert 8668 ip from any to any via ed0
> 00300    57   6332 allow ip from any to any
> 65535     1     28 deny ip from any to any

Wide open for testing, good. One thing I'm curious about, and I really
don't know if this has anything to do with the problem, is why the
'count' rule does not sum up to all of the rules below it.

> $ ifconfig -a
> ed0: flags=8843 mtu 1500
>         inet a.b.c.d netmask 0xffffff00 broadcast 255.255.255.255
                                                    ^^^^^^^^^^^^^^^
Is that the real value or did you mask that?

>         ether 00:40:05:63:46:3d
> ep0: flags=8843 mtu 1500
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         ether 00:20:af:a1:05:8b
>         media: 10baseT/UTP
>         supported media: 10baseT/UTP
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
>
> [a.b.c.d == outside, real, ip]
>
> $ netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Refs     Use     Netif Expire
> default            a.b.c.d            UGSc       19       94      ed0
> 10/24              link#2             UC          0        0      ep0 =>
> 127.0.0.1          127.0.0.1          UH          1       20      lo0
> a.b.c              link#1             UC          0        0      ed0 =>
> a.b.c.d            0:d0:58:c7:98:38   UHLW       19        0      ed0   1200

Looks OK provided a.b.c.0 is an historic C Class net.
> also, here is part of a natd verbose output log, first part is successful
> ICMP'ing, second is an unsuccessful ftp connect attempt:
>
> Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
>            [ICMP] a.b.c.d -> e.f.g.h 8(0)
> In  [ICMP] [ICMP] e.f.g.h -> a.b.c.d 0(0) aliased to
>            [ICMP] e.f.g.h -> a.b.c.d 0(0)
> Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
>            [ICMP] a.b.c.d -> e.f.g.h 8(0)
> Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
>            [ICMP] a.b.c.d -> e.f.g.h 8(0)
> Out [ICMP] [ICMP] a.b.c.d -> e.f.g.h 8(0) aliased to
>            [ICMP] a.b.c.d -> e.f.g.h 8(0)
> In  [ICMP] [ICMP] e.f.g.h -> a.b.c.d 0(0) aliased to
>            [ICMP] e.f.g.h -> a.b.c.d 0(0)

What one expects when pinging from the NAT machine, good.

> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
>
>
> [ a.b.c.d == my ip address
>   e.f.g.h == an internet server ip ]

Hmmm... NOT what one expects. It does not look like anything is ever
coming back. My first inclination would be to guess that there is a
firewall rule blocking setups on port 21 in front of natd's divert
rule, but if your output above is accurate, this is not the case.

If you were not getting ICMP packets back, I would guess that
something at or behind your coax modem was not routing properly. Does
a tcpdump show the same thing as the natd log for the TCP connection
attempt? Of course, there is always the question, maybe e.f.g.h is
dropping attempts at 21?

-- 
Crist J. Clark                           cjclark@home.com

From owner-freebsd-ipfw Thu Apr 6 14:25:09 2000
Date: Thu, 06 Apr 2000 17:24:23 -0400 (EDT)
From: Mike Heffner
Reply-To: Mike Heffner
To: cjclark@home.com
Cc: freebsd-ipfw@FreeBSD.ORG, Mike Heffner
Subject: Re: Problems with natd
In-Reply-To: <20000406165628.C4198@cc942873-a.ewndsr1.nj.home.com>
X-Mailer: XFMail 1.4.4 on FreeBSD

On 06-Apr-2000 Crist J. Clark wrote:
|
|> ipfw rules:
|>
|> 00010   176  14949 count log ip from any to any
|> 00015    24   2634 allow ip from any to any via lo0
|> 00100     0      0 allow ip from any to any via ep0
|> 00200     6    248 divert 8668 ip from any to any via ed0
|> 00300    57   6332 allow ip from any to any
|> 65535     1     28 deny ip from any to any
|
| Wide open for testing, good. One thing I'm curious about, and I really
| don't know if this has anything to do with the problem, is why the
| 'count' rule does not sum up to all of the rules below it.

Hrm, not quite sure. I had just added the count so that I could see what
packets were being passed through ipfw (it was the only rule I could think of
to just log the packet but pass it to the next rule...). I never usually use
count at all, so I've never noticed that problem...
|
|> $ ifconfig -a
|> ed0: flags=8843 mtu 1500
|>         inet a.b.c.d netmask 0xffffff00 broadcast 255.255.255.255
|                                                    ^^^^^^^^^^^^^^^
| Is that the real value or did you mask that?
|

Well, I use dhcp (dhclient) to get the address for the cable modem line, looks
like the dhcp server is returning that as the broadcast, or that dhclient is
screwing up somehow. It's especially strange since the netmask doesn't go with
that broadcast address. I've tried manually changing the broadcast back to the
proper a.b.c.255, but it doesn't seem to change anything.

|
|> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
|>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
|> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
|>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
|> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
|>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
|> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
|>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
|>
|>
|> [ a.b.c.d == my ip address
|>   e.f.g.h == an internet server ip ]
|
| Hmmm... NOT what one expects. It does not look like anything is ever
| coming back. My first inclination would be to guess that there is a
| firewall rule blocking setups on port 21 in front of natd's divert
| rule, but if your output above is accurate, this is not the case.
|
| If you were not getting ICMP packets back, I would guess that
| something at or behind your coax modem was not routing properly. Does
| a tcpdump show the same thing as the natd log for the TCP connection
| attempt? Of course, there is always the question, maybe e.f.g.h is
| dropping attempts at 21?

Yes, that's why I'm nearly 100% sure this is natd related. Tcpdump shows the
same output, packets are going out but never returning. And no, e.f.g.h isn't
dropping ftp traffic, because when I remove the natd divert rule, I can ftp,
telnet, etc into e.f.g.h perfectly. This is also not restricted to just
e.f.g.h and ftp, it occurs with all hosts and all traffic except ICMP (ftp,
telnet, dns, ...).
My only guess is that somehow natd, or something related, is shitting on the
packet causing it to be dropped by a router as an invalid packet. Although,
looking at tcpdump output everything seems to be fine on the surface, haven't
done a full packet dump yet though. I am going to see if I can get root (with
permission =) on someone's box and run tcpdump to see if the packets are even
getting to their machine AT ALL.

-Later

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA    ICQ# 882073    *
 * Sent at: 06-Apr-2000 -- 17:02:50 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/

From owner-freebsd-ipfw Thu Apr 6 18:17:18 2000
Date: Thu, 06 Apr 2000 20:16:18 -0500
From: "Father Matthew"
Reply-To: fathermatthew@michelangelo.net
To: freebsd-ipfw@FreeBSD.ORG
Subject: stateful firewalls
Message-ID: <200004062016180180.00179052@mail.michelangelo.net>
X-Mailer: Calypso Version 2.40.41.08

Could someone take the time to explain to me exactly what a stateful
firewall is or point me in the right direction to find the information I
need.
Thanx

Father Matthew

fathermatthew@michelangelo.net

From owner-freebsd-ipfw Thu Apr 6 20:14:42 2000
Date: Thu, 06 Apr 2000 23:14:20 -0400 (EDT)
From: Mike Heffner
Reply-To: Mike Heffner
To: cjclark@home.com
Cc: FreeBSD-ipfw
Subject: Re: Problems with natd
In-Reply-To: <20000406182957.E4198@cc942873-a.ewndsr1.nj.home.com>
X-Mailer: XFMail 1.4.4 on FreeBSD

On 06-Apr-2000 Crist J. Clark wrote:
| Feel free to ...
[snip]

Well, I have examined the problem some more, and well, haven't achieved much
other than to confuse myself more...

_With_ natd running and divert ipfw rule: the packets seem to be going out the
line fine and were reaching your host, because I was getting the ICMP "admin
blocked..." off of the auth port. But, when I try 25, 23, whatever, there are
no response packets at all, it will just keep sending syns.

_Without_ natd running and without divert rule: I still get the ICMP packets
off of auth, like expected, but I'm ALSO able to connect to 23, 25,..., and get
a response, (ie. everything works just like it should).

It seems that FBSD sets the IP "type of service" field now, compared to about 2
months ago when it was never used. My box was setting it to 0x10, is there a
reason that it is now used?
This doesn't seem to matter though, because it's set with and without natd
running.

Hrm, this is all very strange because it looks like the packets are arriving at
a host (since your host was sending the icmp admin blocked stuff) but for some
reason UDP and TCP replies aren't coming back. At first I thought maybe natd
was somehow dropping the incoming packets, but I've logged everything coming in
_before_ diverting to natd and the packets still aren't there. I have even put
printf's in ipfw kernel code to see if maybe the packets were being silently
dropped in ipfw before it checks the rules, but they still don't appear.

anyone have any other approach to the problem I can attempt?

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA    ICQ# 882073    *
 * Sent at: 06-Apr-2000 -- 22:39:01 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/

From owner-freebsd-ipfw Fri Apr 7 00:59:48 2000
Date: Fri, 7 Apr 2000 09:59:06 +0200
From: Achim Patzner
To: Father Matthew
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: stateful firewalls
Message-ID: <20000407095906.F29186@bnc.net>
References: <200004062016180180.00179052@mail.michelangelo.net>
In-Reply-To: <200004062016180180.00179052@mail.michelangelo.net>; from fathermatthew@michelangelo.net on Thu, Apr 06, 2000 at 08:16:18PM -0500
X-Mailer: Mutt 1.0i

On Thu, Apr 06, 2000 at 08:16:18PM -0500, Father Matthew wrote:
> Could someone take the time to explain to me exactly what a
> stateful firewall is or point me in the right direction to
> find the information I need. Thanx

Take a look at Checkpoint's product description for Firewall-1.

Achim

From owner-freebsd-ipfw Fri Apr 7 07:47:40 2000
Date: Fri, 7 Apr 2000 07:47:33 -0700 (PDT)
From: "Russell C. Frame"
To: fathermatthew@michelangelo.net, freebsd-ipfw@FreeBSD.ORG
Subject: Re: stateful firewalls
Message-ID: <20000407144733.12575.qmail@web1005.mail.yahoo.com>

Some of the most descriptive documentation you can find on the nature of
firewalls and especially the idea of maintaining stateful connections can be
found in the IPF documentation. This explains the concepts, along with an
analysis of some products' implementations of stateful connections. Take a look
at http://coombs.anu.edu.au/~avalon/.

Russell C. Frame

--- Father Matthew wrote:
> Could someone take the time to explain to me exactly what a
> stateful firewall is or point me in the right direction to find the
> information I need.
> Thanx
>
> Father Matthew
>
> fathermatthew@michelangelo.net
From owner-freebsd-ipfw Sat Apr 8 08:41:16 2000
Date: Sat, 08 Apr 2000 11:40:21 -0400 (EDT)
From: Mike Heffner
Reply-To: Mike Heffner
To: cjclark@home.com, FreeBSD-ipfw
Subject: Re: Problems with natd
In-Reply-To: <20000408014522.B8928@cc942873-a.ewndsr1.nj.home.com>
X-Mailer: XFMail 1.4.4 on FreeBSD

[ re-added -ipfw ]

On 08-Apr-2000 Crist J. Clark wrote:
|
| I'm going crazy.

Me too! ;)

|
| I've been dissecting individual packets for the last two
| hours... unwrap the TCP from the IP from the Ethernet... and I think
| I've had enough for now.
|
| But I'm getting ahead of myself. It looks like your packets all get
| here, but my machine decides to stop responding to them. Here is a
| successfully initiated telnet followed by an unsuccessful,
| [ packets snipped to hide addresses ]
|
| When I diff the packets, the only things changing are sequence numbers,
| ids, and checksums. I can't figure out why my, and apparently others
| too, will not respond to the second one.
|
| I was about to start checking the cksums by hand, but that is the path
| to insanity. Attached are the raw tcpdump'ed data.
Well, I have done some rewiring of my network so that I can test it on my home network, and yes the problem is still occuring. My setup is simple, I have the box (I'll call it A) that was giving me problems connected to the same segment as another box (B). When I have a completely open firewall on A, *without* natd, I can successfully telnet, ftp, etc into B. When I start natd and add the divert rule, I can not telnet, ftp, etc into B. Now the strange part, as you mentioned, the packets are going out on the wire when running natd and they are arriving at B, and they are being read/accepted by B as viewed by netstat, and no, they aren't being dropped at all. Box B just does not respond at all to the packets when natd is running on A. I've spent several hours trying to pick apart the packets, and so far I cannot see anything that is significantly different between them. At first I thought maybe the checksum was bad in the TCP header, but I don't think it's that, since they don't seem to be dropped. I plan to spend several hours tonight and basically backtrace the packet from inetd and through the kernel. Hopefully I'll be able to tell where it's being lost. Below are the packet dumps of testing on my home network ( all the tests were an attempted telnet from A to B). Is there something simple here that I'm not seeing? 10.0.0.1 == A 10.0.0.2 == B Dump on A of an unsuccessfull attempt: 02:00:14.274828 10.0.0.1.1036 > 10.0.0.2.23: S 336217990:336217990(0) win 16384 (DF) [tos 0x10] 0x0000 4510 002c 0336 4000 4006 2384 0a00 0001 E..,.6@.@.#..... 0x0010 0a00 0002 040c 0017 140a 4786 0000 0000 ..........G..... 0x0020 6002 4000 1421 0000 0204 05b4 `.@..!...... 02:00:17.274087 10.0.0.1.1036 > 10.0.0.2.23: S 336217990:336217990(0) win 16384 (DF) [tos 0x10] 0x0000 4510 002c 0337 4000 4006 2383 0a00 0001 E..,.7@.@.#..... 0x0010 0a00 0002 040c 0017 140a 4786 0000 0000 ..........G..... 0x0020 6002 4000 1421 0000 0204 05b4 `.@..!...... 
02:00:23.274233 10.0.0.1.1036 > 10.0.0.2.23: S 336217990:336217990(0) win 16384 (DF) [tos 0x10]
0x0000 4510 002c 0338 4000 4006 2382 0a00 0001 E..,.8@.@.#.....
0x0010 0a00 0002 040c 0017 140a 4786 0000 0000 ..........G.....
0x0020 6002 4000 1421 0000 0204 05b4 `.@..!......

Dump on B of same packets above:

02:02:14.803644 10.0.0.1.1036 > 10.0.0.2.23: S 336217990:336217990(0) win 16384 (DF) [tos 0x10]
0x0000 4510 002c 0336 4000 4006 2384 0a00 0001 E..,.6@.@.#.....
0x0010 0a00 0002 040c 0017 140a 4786 0000 0000 ..........G.....
0x0020 6002 4000 1421 0000 0204 05b4 fc24 `.@..!.......$
02:02:17.803411 10.0.0.1.1036 > 10.0.0.2.23: S 336217990:336217990(0) win 16384 (DF) [tos 0x10]
0x0000 4510 002c 0337 4000 4006 2383 0a00 0001 E..,.7@.@.#.....
0x0010 0a00 0002 040c 0017 140a 4786 0000 0000 ..........G.....
0x0020 6002 4000 1421 0000 0204 05b4 fc22 `.@..!......."
02:02:23.804566 10.0.0.1.1036 > 10.0.0.2.23: S 336217990:336217990(0) win 16384 (DF) [tos 0x10]
0x0000 4510 002c 0338 4000 4006 2382 0a00 0001 E..,.8@.@.#.....
0x0010 0a00 0002 040c 0017 140a 4786 0000 0000 ..........G.....
0x0020 6002 4000 1421 0000 0204 05b4 fc24 `.@..!.......$

Dump on A of successful attempt (natd not running): (first two packets in negotiation)

02:01:38.215986 10.0.0.1.1037 > 10.0.0.2.23: S 352566635:352566635(0) win 16384 (DF) [tos 0x10]
0x0000 4510 002c 0362 4000 4006 2358 0a00 0001 E..,.b@.@.#X....
0x0010 0a00 0002 040d 0017 1503 bd6b 0000 0000 ...........k....
0x0020 6002 4000 6d91 0000 0204 05b4 `.@.m.......
02:01:38.216357 10.0.0.2.23 > 10.0.0.1.1037: S 2686710328:2686710328(0) ack 352566636 win 17520 (DF)
0x0000 4500 002c 4535 4000 4006 e194 0a00 0002 E..,E5@.@.......
0x0010 0a00 0001 0017 040d a023 f238 1503 bd6c .........#.8...l
0x0020 6012 4470 d6b3 0000 0204 05b4 0100 `.Dp..........

Dump on B of same two packets above:

02:03:38.758954 10.0.0.1.1037 > 10.0.0.2.23: S 352566635:352566635(0) win 16384 (DF) [tos 0x10]
0x0000 4510 002c 0362 4000 4006 2358 0a00 0001 E..,.b@.@.#X....
0x0010 0a00 0002 040d 0017 1503 bd6b 0000 0000 ...........k....
0x0020 6002 4000 6d91 0000 0204 05b4 fc22 `.@.m........"
02:03:38.759083 10.0.0.2.23 > 10.0.0.1.1037: S 2686710328:2686710328(0) ack 352566636 win 17520 (DF)
0x0000 4500 002c 4535 4000 4006 e194 0a00 0002 E..,E5@.@.......
0x0010 0a00 0001 0017 040d a023 f238 1503 bd6c .........#.8...l
0x0020 6012 4470 d6b3 0000 0204 05b4 `.Dp........

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA    ICQ# 882073    *
 * Sent at: 08-Apr-2000 -- 11:12:12 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/

From owner-freebsd-ipfw Sat Apr 8 20:40:45 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from MailAndNews.com (MailAndNews.com [199.29.68.160]) by hub.freebsd.org (Postfix) with ESMTP id 7AA4037B72C for ; Sat, 8 Apr 2000 20:40:43 -0700 (PDT) (envelope-from mheffner@mailandnews.com)
Received: from muriel.penguinpowered.com [208.138.199.76] (mheffner@mailandnews.com); Sat, 8 Apr 2000 23:40:34 -0400
X-WM-Posted-At: MailAndNews.com; Sat, 8 Apr 00 23:40:34 -0400
Content-Length: 833
Message-ID:
X-Mailer: XFMail 1.4.4 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To:
Date: Sat, 08 Apr 2000 23:40:05 -0400 (EDT)
Reply-To: Mike Heffner
From: Mike Heffner
To: Mike Heffner
Subject: Problem solved? -- RE: Problems with natd
Cc: freebsd-ipfw@freebsd.org
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 05-Apr-2000 Mike Heffner wrote:
| Hi,
|
| I recently upgraded my router from about a month old current. I have
| noticed
| that natd (or something related) has stopped working though.
...

Well, after updating from this morning's source (kernel and make world) the problem seems to have gone away.
I would like to know what the problem was, and what fixed it, in case we have just re-hidden the problem for another time. Unfortunately, I don't have enough time to track this down any further.

Thanks to all who provided assistance in this matter. (Crist J. Clark)

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA    ICQ# 882073    *
 * Sent at: 08-Apr-2000 -- 23:33:24 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/
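The thread ends without anyone checking the checksums by hand, which is the one thing the dumps above make possible. The following Python is an added example, not part of the thread and not FreeBSD code: it recomputes the IPv4 header checksum and the TCP checksum (over the pseudo-header, as RFC 793 requires) from tcpdump-style hex dumps. The two embedded dumps are copied from Mike's post (the first SYN sent while natd was diverting, as captured on B, and the first SYN sent without natd, as captured on A); the function and variable names are mine. It trims each packet to the IP total length first, because the B-side captures carry two extra bytes (fc24, fc22): a 44-byte datagram plus a 14-byte Ethernet header is 58 bytes, so the sending NIC pads the frame to the 60-byte minimum, and those padding bytes must not be folded into the sum.

```python
"""Recompute IPv4 and TCP checksums from tcpdump -x style hex dumps.

Added example for the natd thread above; not code from the thread or from
FreeBSD. Sample dumps are copied from the thread; names are this example's own.
"""
import struct

# Constructed sample input, copied from the thread's dumps: the first SYN sent
# while natd was diverting (stored TCP checksum 0x1421), as captured on B, and
# the first SYN sent without natd (stored TCP checksum 0x6d91), as seen on A.
SYN_WITH_NATD = """\
0x0000 4510 002c 0336 4000 4006 2384 0a00 0001 E..,.6@.@.#.....
0x0010 0a00 0002 040c 0017 140a 4786 0000 0000 ..........G.....
0x0020 6002 4000 1421 0000 0204 05b4 fc24 `.@..!.......$
"""
SYN_WITHOUT_NATD = """\
0x0000 4510 002c 0362 4000 4006 2358 0a00 0001 E..,.b@.@.#X....
0x0010 0a00 0002 040d 0017 1503 bd6b 0000 0000 ...........k....
0x0020 6002 4000 6d91 0000 0204 05b4 `.@.m.......
"""

HEX = set("0123456789abcdefABCDEF")


def parse_hexdump(text):
    """Turn 'offset xxxx xxxx ... ascii' lines back into raw bytes.

    The ASCII column is dropped at the first token that is not a 2- or
    4-digit hex group, which is sufficient for tcpdump's output format.
    """
    raw = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith("0x"):
            tokens = tokens[1:]          # drop the offset column
        for tok in tokens:
            if len(tok) in (2, 4) and set(tok) <= HEX:
                raw += bytes.fromhex(tok)
            else:
                break
    return bytes(raw)


def ones_complement_sum(data):
    """16-bit one's-complement sum (RFC 1071), not yet inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return ~ones_complement_sum(data) & 0xFFFF


def verify_tcp_packet(raw):
    """Check the IP header and TCP checksums of one IPv4/TCP packet.

    Bytes past the IP total length (Ethernet trailer padding) are ignored,
    exactly as a receiving stack ignores them.
    """
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    pkt = raw[:total_len]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    ip_hdr = pkt[:ihl]
    ip_stored = struct.unpack("!H", ip_hdr[10:12])[0]
    ip_calc = checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])

    seg = pkt[ihl:]
    # Pseudo-header: src, dst, zero byte, protocol, TCP length (hdr + data).
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    tcp_stored = struct.unpack("!H", seg[16:18])[0]
    tcp_calc = checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])
    pseudo_sum = ones_complement_sum(pseudo)
    return {
        "ip_ok": ip_stored == ip_calc,
        "tcp_stored": tcp_stored,
        "tcp_expected": tcp_calc,
        "tcp_ok": tcp_stored == tcp_calc,
        "pseudo_header_sum": pseudo_sum,
        # True when th_sum holds only the pseudo-header partial sum: the
        # stack started the checksum and something never finished it.
        "pseudo_header_only": tcp_stored == pseudo_sum,
        "trailing_bytes": len(raw) - total_len,
    }


def report(name, dump):
    r = verify_tcp_packet(parse_hexdump(dump))
    verdict = ("PARTIAL (pseudo-header only)" if r["pseudo_header_only"]
               else "ok" if r["tcp_ok"] else "BAD")
    print("%s: IP hdr %s, TCP stored 0x%04x expected 0x%04x -> %s, "
          "%d trailing pad byte(s)" % (name, "ok" if r["ip_ok"] else "BAD",
                                       r["tcp_stored"], r["tcp_expected"],
                                       verdict, r["trailing_bytes"]))
    return r


if __name__ == "__main__":
    report("SYN via natd divert", SYN_WITH_NATD)
    report("SYN without natd   ", SYN_WITHOUT_NATD)
```

Run against the thread's own bytes, the SYN sent without natd verifies (0x6d91 is the correct TCP checksum), while the SYN that went through the divert socket carries 0x1421 where 0xe470 would verify. 0x1421 is not a random corruption: it is exactly the one's-complement sum of the pseudo-header alone (10.0.0.1, 10.0.0.2, protocol 6, length 24). A checksum field that holds only the pseudo-header sum is what a sending stack leaves in place when it has computed its part and expects a later stage (a NIC with checksum offload, or a deferred software pass) to finish the job; my reading, which the thread does not confirm, is that the divert path handed such a half-finished segment to the wire. Whatever the cause, a segment with a wrong TCP checksum is dropped silently by the receiver, with no RST, which is consistent with the three unanswered SYN retransmits. On a FreeBSD receiver the drop is visible as the "discarded for bad checksums" counter in `netstat -s -p tcp` rather than as a delivered segment, and that counter is the first thing to compare before and after a test like this one.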