From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 29 09:31:34 2008
Date: Mon, 29 Sep 2008 09:31:34 GMT
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: bin/127707: ipfw(8): ipfw add 10 count ip from any to 172.16.0.1, me does not work

Old Synopsis: ipfw add 10 count ip from any to 172.16.0.1,me
New Synopsis: ipfw(8): ipfw add 10 count ip from any to 172.16.0.1,me does not work

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Sep 29 09:30:46 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=127707

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 29 11:06:52 2008
Date: Mon, 29 Sep 2008 11:06:52 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/127707   ipfw       ipfw(8): ipfw add 10 count ip from any to 172.16.0.1,m
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o kern/126980  ipfw       ipfw(8) hangs system
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

49 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 29 20:57:52 2008
Date: Mon, 29 Sep 2008 22:25:54 +0200
From: kerbzo
To: freebsd-ipfw@freebsd.org
Cc: rwatson@freebsd.org
Subject: pr kern/126980 fixed

Hi,

this patch:

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=152621+0+current/cvs-src

fixed kern/126980.

Thank you very much,
best regards,
KS

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 29 21:10:03 2008
Date: Mon, 29 Sep 2008 21:10:03 GMT
From: kerbzo
To: freebsd-ipfw@FreeBSD.org
Reply-To: kerbzo
Subject: Re: kern/126980: ipfw(8) hangs system

The following reply was made to PR kern/126980; it has been noted by GNATS.

From: kerbzo
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/126980: ipfw(8) hangs system
Date: Mon, 29 Sep 2008 22:39:14 +0200

 fixed by
 http://docs.freebsd.org/cgi/getmsg.cgi?fetch=152621+0+current/cvs-src

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 29 21:15:47 2008
Date: Mon, 29 Sep 2008 21:15:46 GMT
From: rwatson@FreeBSD.org
To: tinotom@gmail.com, rwatson@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/126980: ipfw(8) hangs system

Synopsis: ipfw(8) hangs system

State-Changed-From-To: open->closed
State-Changed-By: rwatson
State-Changed-When: Mon Sep 29 21:14:14 UTC 2008
State-Changed-Why:
Close at request of submitter - believed fixed by ip_fw2.c:1.175.2.12. If
you experience further problems, please let me know, and thanks for the bug
report and followup!

http://www.freebsd.org/cgi/query-pr.cgi?pr=126980

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 30 16:17:48 2008
Date: Tue, 30 Sep 2008 17:17:47 +0100 (BST)
From: Robert Watson
To: kerbzo
Cc: freebsd-ipfw@freebsd.org
Subject: Re: pr kern/126980 fixed

On Mon, 29 Sep 2008, kerbzo wrote:

> this patch:
>
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=152621+0+current/cvs-src
>
> fixed kern/126980 .

I've gone ahead and closed the PR; thanks for the bug report!

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-ipfw@FreeBSD.ORG Wed Oct 1 21:19:32 2008
Date: Wed, 1 Oct 2008 21:19:31 GMT
From: vwe@FreeBSD.org
To: goffredo@gmail.com, vwe@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: bin/127707: ipfw(8): ipfw add 10 count ip from any to 172.16.0.1, me does not work

Synopsis: ipfw(8): ipfw add 10 count ip from any to 172.16.0.1,me does not work

State-Changed-From-To: open->closed
State-Changed-By: vwe
State-Changed-When: Wed Oct 1 21:16:31 UTC 2008
State-Changed-Why:
Joao,

ipfw does support ``me'' in combination with other addresses:

# ipfw add 10 count ip from any to \( 172.16.0.1 or me \)
00010 count ip from any to { 172.16.0.1 or dst-ip me }

Please note the different syntax being used here.
This has been checked on 7.1-PRERELEASE and should work the same way on
other releases.
I'm closing this report for now. If you disagree (does not work for you)
please report back and we'll reopen this PR.

Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=127707

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 2 22:41:48 2008
Date: Thu, 2 Oct 2008 18:12:37 -0400
From: "Dan Johnson"
To: freebsd-ipfw@freebsd.org
Subject: IPFW fwd issue.

After beating my head against this for days I ran out of places to look for
information, and almost sent this as a help request instead of an
observation. So excuse the present tense.

All I am actually trying to accomplish is a simple (This worked flawlessly
last I tried under 4.5) squid transparent proxy.

I'm using this rule before the nat rule:

00100 fwd 127.0.0.1,3128 log ip from any to any 80 out

When I attempt to hit port 80 on an external server, the security log shows
the rule was processed, and claims it was forwarded to 127.0.0.1,3128. OK

Watching tcpdump -nnvvei lo0 shows no relevant activity. BUT, watching
tcpdump -nnvvei xl1 (external iface) shows the port 80 SYN being sent to the
remote web server with the original source ip address from 192.168.0.0/24,
still using the destination MAC of my default gateway. This is with or
without the squid daemon running. And when I do have it running I have it on
the local console with debugging enabled (in case a stray packet actually
makes it in.)

The same holds true if I set up the fwd to my xl1 interface ip address, or
another host ex 192.168.0.30.

Running tcpdump (Linux) eth0 in promisc on 192.168.0.30 also doesn't show
any traffic being forwarded its way when configured to do so. So I'm
inclined to believe this isn't just an error on tcpdump's part (as there is
an open issue reported with tcpdump and ipfw fwd) but that the traffic
really isn't being modified.

The only thing I was doing that is unique is I recompiled the ipfw module to
include -DIPFIREWALL_NAT and -DIPFIREWALL_FORWARD instead of adding the
whole mess to the base kernel.

After noting that I was using a module, I said screw it, and compiled IPFW
into the base kernel, voilà now it works fine.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 3 02:35:35 2008
Date: Thu, 2 Oct 2008 22:35:34 -0400
From: "Dan Johnson"
To: "Jason Lewis", freebsd-ipfw@freebsd.org
Subject: Re: IPFW fwd issue.

Correct. The issue was that watching lo0 "tcpdump -nnvvei lo0" didn't show
the forwarded traffic, it was still going out xl1 unmodified, acting like
the rule was a simple 'accept.'

I saved this email draft then went back and recompiled my kernel to include
ipfw at the core instead of as a module and that fixed everything.
Apparently IPFIREWALL_FORWARD is horribly broken when compiled into ipfw as
a module, I personally don't care that ipfw is a fixed part of that box's
kernel now, but some might.

Really the only reason I sent to the mailing list instead of discarding is
so once it gets indexed, someone else banging their head against the wall
will have this reference. :)

On Thu, Oct 2, 2008 at 10:17 PM, Jason Lewis wrote:

> 127.0.0.1 is on the interface of lo0. You will need to run tcpdump
> against that interface to see the traffic. You also need to setup squid
> with transparent forwarding. This means that squid will accept any packet
> as another host.
>
> Dan Johnson wrote:
>
>> After beating my head against this for days I ran out of places to look
>> for information, and almost sent this as a help request instead of an
>> observation. So excuse the present tense.
>>
>> All I am actually trying to accomplish is a simple (This worked flawlessly
>> last I tried under 4.5) squid transparent proxy.
>>
>> I'm using this rule before the nat rule:
>>
>> 00100 fwd 127.0.0.1,3128 log ip from any to any 80 out
>>
>> When I attempt to hit port 80 on an external server, the security log
>> shows the rule was processed, and claims it was forwarded to
>> 127.0.0.1,3128. OK
>>
>> Watching tcpdump -nnvvei lo0 shows no relevant activity. BUT, watching
>> tcpdump -nnvvei xl1 (external iface) shows the port 80 SYN being sent to
>> the remote web server with the original source ip address from
>> 192.168.0.0/24, still using the destination MAC of my default gateway.
>> This is with or without the squid daemon running. And when I do have it
>> running I have it on the local console with debugging enabled (in case a
>> stray packet actually makes it in.)
>>
>> The same holds true if I set up the fwd to my xl1 interface ip address, or
>> another host ex 192.168.0.30.
>>
>> Running tcpdump (Linux) eth0 in promisc on 192.168.0.30 also doesn't show
>> any traffic being forwarded its way when configured to do so. So I'm
>> inclined to believe this isn't just an error on tcpdump's part (as there
>> is an open issue reported with tcpdump and ipfw fwd) but that the traffic
>> really isn't being modified.
>>
>> The only thing I was doing that is unique is I recompiled the ipfw module
>> to include -DIPFIREWALL_NAT and -DIPFIREWALL_FORWARD instead of adding the
>> whole mess to the base kernel.
>>
>> After noting that I was using a module, I said screw it, and compiled IPFW
>> into the base kernel, voilà now it works fine.
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 3 04:14:44 2008
Date: Thu, 02 Oct 2008 21:01:22 -0700
From: Julian Elischer
To: Dan Johnson
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW fwd issue.

Dan Johnson wrote:
> After beating my head against this for days I ran out of places to look for
> information, and almost sent this as a help request instead of an
> observation. So excuse the present tense.
>
> All I am actually trying to accomplish is a simple (This worked flawlessly
> last I tried under 4.5) squid transparent proxy.

so, what revision are you trying to do this on?
I think in 6.1 it was disabled without an extra option. (see in LINT)

> I'm using this rule before the nat rule:
>
> 00100 fwd 127.0.0.1,3128 log ip from any to any 80 out
>
> When I attempt to hit port 80 on an external server, the security log shows
> the rule was processed, and claims it was forwarded to 127.0.0.1,3128. OK
>
> Watching tcpdump -nnvvei lo0 shows no relevant activity. BUT, watching
> tcpdump -nnvvei xl1 (external iface) shows the port 80 SYN being sent to the
> remote web server with the original source ip address from 192.168.0.0/24,
> still using the destination MAC of my default gateway. This is with or
> without the squid daemon running. And when I do have it running I have it on
> the local console with debugging enabled (in case a stray packet actually
> makes it in.)

that sounds a bit like the problem I mention above...
however, sending it to 127.0.0.1 doesn't mean it goes through lo0 so
you'll never see it there.

>
> The same holds true if I set up the fwd to my xl1 interface ip address, or
> another host ex 192.168.0.30.
>
> Running tcpdump (Linux) eth0 in promisc on 192.168.0.30 also doesn't show
> any traffic being forwarded its way when configured to do so. So I'm
> inclined to believe this isn't just an error on tcpdump's part (as there is
> an open issue reported with tcpdump and ipfw fwd) but that the traffic
> really isn't being modified.
>
> The only thing I was doing that is unique is I recompiled the ipfw module to
> include -DIPFIREWALL_NAT and -DIPFIREWALL_FORWARD instead of adding the
> whole mess to the base kernel.

ah that will fail because the IPFIREWALL_FORWARD option has to change
things in the tcp and IP code too.

>
> After noting that I was using a module, I said screw it, and compiled IPFW
> into the base kernel, voilà now it works fine.
yeah the whole ip stack need to be compiled with those options.. > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 3 04:18:07 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C2C8E1065699 for ; Fri, 3 Oct 2008 04:18:07 +0000 (UTC) (envelope-from boinger69@gmail.com) Received: from el-out-1112.google.com (el-out-1112.google.com [209.85.162.178]) by mx1.freebsd.org (Postfix) with ESMTP id 7079D8FC1A for ; Fri, 3 Oct 2008 04:18:07 +0000 (UTC) (envelope-from boinger69@gmail.com) Received: by el-out-1112.google.com with SMTP id v27so283726ele.13 for ; Thu, 02 Oct 2008 21:18:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:in-reply-to:mime-version:content-type:references :x-google-sender-auth; bh=fznG2N7HtJriIsH+fHt9Zcivfmu5ComZ+E1FvKETq3g=; b=eL7sTW+wIzHpGQOKVG4AkkPZKKDPa9deIGj1qs1N7b4wQnRlni+qBwTm3/sHMeYbib ok9nWcdZTlTHao4AJmVAbgUXPOo7rBn8SH73h8VmF3rcUXwHelXMNknZA+eKLb3w5e25 TGyAi+FPKYQlhP6XA8MNdZvG51ct0OY64uVgw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:in-reply-to:mime-version :content-type:references:x-google-sender-auth; b=mTmR1KnJx+cYnPwIGCMlWvSBUOTQUg/r8H4dm093I89VXdksPn6T8Vpe9EyWTJvQ6T IKsoV3qeJls/ddNGgdyA1n+wt+2OlyyVKS9BSu3BUBE/od/KaDwIQpojlH8eD2udV8Nt AlpRrG9rHuUCdSIl1H39DVP5v4M5BOx9TiAY8= Received: by 10.151.42.10 with SMTP id u10mr1059080ybj.167.1223007486378; Thu, 02 Oct 2008 21:18:06 -0700 (PDT) Received: by 10.150.182.2 with HTTP; Thu, 2 Oct 2008 21:18:06 -0700 (PDT) Message-ID: Date: Fri, 3 Oct 2008 00:18:06 -0400 From: "Dan Johnson" 
Sender: boinger69@gmail.com To: "Julian Elischer" , freebsd-ipfw@freebsd.org In-Reply-To: <48E59912.10903@elischer.org> MIME-Version: 1.0 References: <48E59912.10903@elischer.org> X-Google-Sender-Auth: 7ad83f73d416999d Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re: IPFW fwd issue. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Oct 2008 04:18:07 -0000 On Fri, Oct 3, 2008 at 12:01 AM, Julian Elischer wrote: > Dan Johnson wrote: > >> After beating my head against this for days I ran out of places to look >> for >> information, and almost sent this as a help request instead of an >> observation. So excuse the present tense. >> >> >> All I am actually trying to accomplish is a simple (This worked flawless >> last i tried under 4.5) squid transparent proxy. >> > > so, what revision are you trying to do this on? > I think in 6.1 it was disabled without an extra option. (see in LINT) > 7.0-Release. In my research I'd found that in 6 and I believe some point in 5.x the option IPFIREWALL_FORWARD_EXTENDED was needed for this configuration, but apparently it was switched back for 7. > > > > I'm using this rule before the nat rule: >> >> 00100 fwd 127.0.0.1,3128 log ip from any to any 80 out >> >> When I attempt to hit port 80 on an external server, the security log >> shows >> the rule was processed, and claims it was forwarded to 127.0.0.1,3128. OK >> >> Watching tcpdump -nnvvei lo0 shows no relevant activity. BUT, watching >> tcpdump -nnvvei xl1 (external iface) shows the port 80 SYN being sent to >> the >> remote web server with the original source ip address from 192.168.0.0/24 >> , >> still using the destination MAC of my default gateway. 
>> This is with or without the squid daemon running. And when I do have it
>> running I have it on the local console with debugging enabled (in case a
>> stray packet actually makes it in.)
>
> that sounds a bit like the problem I mention above...
> however, sending it to 127.0.0.1 doesn't mean it goes through lo0 so
> you'll never see it there.
>
>> The same holds true if I set up the fwd to my xl1 interface ip address, or
>> another host ex 192.168.0.30.
>>
>> Running tcpdump (Linux) eth0 in promisc on 192.168.0.30 also doesn't show
>> any traffic being forwarded its way when configured to do so. So I'm
>> inclined to believe this isn't just an error on tcpdump's part (as there is
>> an open issue reported with tcpdump and ipfw fwd) but that the traffic
>> really isn't being modified.
>>
>> The only thing I was doing that is unique is I recompiled the ipfw module
>> to include -DIPFIREWALL_NAT and -DIPFIREWALL_FORWARD instead of adding the
>> whole mess to the base kernel.
>
> ah that will fail because the IPFIREWALL_FORWARD option has to change
> things in the tcp and IP code too.

That's what I figured might have been the case, odd that there were no errors logged in the firewall logs though.

>> After noting that I was using a module, I said screw it, and compiled IPFW
>> into the base kernel, voilà now it works fine.
>
> yeah the whole ip stack needs to be compiled with those options..

Hopefully next person with this issue won't bang their head on the wall as long once this thread is indexed.
:)

From owner-freebsd-ipfw@FreeBSD.ORG Fri Oct 3 04:36:48 2008
Message-ID: <48E5A166.8000806@elischer.org>
Date: Thu, 02 Oct 2008 21:36:54 -0700
From: Julian Elischer
To: Dan Johnson
References: <48E59912.10903@elischer.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW fwd issue.

Dan Johnson wrote:
> On Fri, Oct 3, 2008 at 12:01 AM, Julian Elischer wrote:
>
>> Dan Johnson wrote:
>>
>>> After beating my head against this for days I ran out of places to look
>>> for information, and almost sent this as a help request instead of an
>>> observation. So excuse the present tense.
>>>
>>> All I am actually trying to accomplish is a simple (This worked flawlessly
>>> last I tried under 4.5) squid transparent proxy.
>>
>> so, what revision are you trying to do this on?
>> I think in 6.1 it was disabled without an extra option. (see in LINT)
>
> 7.0-Release. In my research I'd found that in 6 and I believe some point in
> 5.x the option IPFIREWALL_FORWARD_EXTENDED was needed for this
> configuration, but apparently it was switched back for 7.

yeah that was me switching it back.. the whole feature is kinda useless without being able to do that.. man ssh

>>> I'm using this rule before the nat rule:
>>>
>>> 00100 fwd 127.0.0.1,3128 log ip from any to any 80 out
>>>
>>> When I attempt to hit port 80 on an external server, the security log
>>> shows the rule was processed, and claims it was forwarded to
>>> 127.0.0.1,3128. OK
>>>
>>> Watching tcpdump -nnvvei lo0 shows no relevant activity. BUT, watching
>>> tcpdump -nnvvei xl1 (external iface) shows the port 80 SYN being sent to
>>> the remote web server with the original source ip address from
>>> 192.168.0.0/24, still using the destination MAC of my default gateway.
>>> This is with or without the squid daemon running. And when I do have it
>>> running I have it on the local console with debugging enabled (in case a
>>> stray packet actually makes it in.)
>>
>> that sounds a bit like the problem I mention above...
>> however, sending it to 127.0.0.1 doesn't mean it goes through lo0 so
>> you'll never see it there.
>
>>> The same holds true if I set up the fwd to my xl1 interface ip address, or
>>> another host ex 192.168.0.30.
>>>
>>> Running tcpdump (Linux) eth0 in promisc on 192.168.0.30 also doesn't show
>>> any traffic being forwarded its way when configured to do so. So I'm
>>> inclined to believe this isn't just an error on tcpdump's part (as there is
>>> an open issue reported with tcpdump and ipfw fwd) but that the traffic
>>> really isn't being modified.
>>>
>>> The only thing I was doing that is unique is I recompiled the ipfw module
>>> to include -DIPFIREWALL_NAT and -DIPFIREWALL_FORWARD instead of adding the
>>> whole mess to the base kernel.
>>
>> ah that will fail because the IPFIREWALL_FORWARD option has to change
>> things in the tcp and IP code too.
>
> That's what I figured might have been the case, odd that there were no errors
> logged in the firewall logs though.
>
>>> After noting that I was using a module, I said screw it, and compiled IPFW
>>> into the base kernel, voilà now it works fine.
>>
>> yeah the whole ip stack needs to be compiled with those options..
>
> Hopefully next person with this issue won't bang their head on the wall as
> long once this thread is indexed. :)
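
The failure discussed in this thread, as an added example that is not part of the original messages: a pre-flight check that reads kernel config text and reports whether IPFIREWALL_FORWARD is compiled into the kernel itself, which is what the fwd action needs on the release discussed here. The function name, verdict strings and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper): reads kernel config text on stdin and
# prints "fwd-ok" if IPFIREWALL_FORWARD ends up enabled, else "fwd-missing".
fwd_verdict() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "options" || $1 == "nooptions" {
            on = ($1 == "options")               # nooptions cancels an earlier options
            line = $0
            sub(/^[ \t]*(no)?options[ \t]+/, "", line)
            n = split(line, opts, /[ \t]*,[ \t]*/)   # comma-separated option lists
            for (i = 1; i <= n; i++) {
                name = opts[i]
                sub(/=.*/, "", name)             # strip "=value"
                gsub(/[ \t]/, "", name)
                if (name != "") set[name] = on
            }
        }
        END {
            if (set["IPFIREWALL_FORWARD"]) print "fwd-ok"
            else print "fwd-missing"
        }'
}

# Constructed sample: stock-style kernel, ipfw loaded as a module. Building
# only the module with -DIPFIREWALL_FORWARD does not change this verdict.
sample_module_only() {
cat <<'EOF'
ident   GENERIC
options INET
options INET6   # IPv6
#options IPFIREWALL_FORWARD
EOF
}

# Constructed sample: firewall and forwarding compiled into the base kernel.
sample_compiled_in() {
cat <<'EOF'
ident   PROXYGW
options IPFIREWALL, IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD   # needed by the fwd action
EOF
}

# Constructed sample: option enabled, then removed again further down.
sample_overridden() {
cat <<'EOF'
options   IPFIREWALL_FORWARD
nooptions IPFIREWALL_FORWARD
EOF
}

echo "module only: $(sample_module_only | fwd_verdict)"
echo "compiled in: $(sample_compiled_in | fwd_verdict)"
echo "overridden:  $(sample_overridden | fwd_verdict)"
```

On a real system the input would be the config file the running kernel was built from; a "fwd-missing" verdict matches the symptom described above, where the rule matches and logs but the packet leaves unmodified.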