From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 16 09:31:00 2009
Date: Mon, 16 Feb 2009 11:08:27 +0200
Message-ID: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com>
From: Özkan KIRIK
To: ipfw@freebsd.org
Subject: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
List-Id: IPFW Technical Discussions

Hi,

I am using FreeBSD 7.1 RELEASE as a gateway (about 2000 clients, 90 vlans via if_vlan). My server is an HP DL380 G4. I am using the on-board gigabit NIC as the WAN interface, which uses the bge driver.

My rule set is below:

    wan_intf="bge1"
    ipfw nat 100 config ip X.X.X.1 reset same_ports
    ipfw nat 101 config ip X.X.X.2 reset same_ports
    ipfw nat 102 config ip X.X.X.3 reset same_ports
    ...
    ...
    ipfw add 5 allow all from any to any layer2
    ipfw add 50 checkstate
    ...
    ... Other port forwarding and static nat rules without keep-state
    ...
    ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
    ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
    ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
    ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
    ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
    ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
    ...
    ...
    ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
    ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
    ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
    ...
    ...

About 2 minutes after applying this rule set, the system writes "bge1 watchdog timeout --- resetting" and then hangs; the keyboard doesn't respond. No logs can be observed.

When I remove all skipto and checkstate rules, the system works properly without problems. I suspect the stateful inspection code.
Some sysctl variables are below:

    net.inet.ip.fw.dyn_max=32768
    net.inet.ip.fw.dyn_ack_lifetime=100
    net.inet.ip.fw.dyn_short_lifetime=10
    net.inet.ip.fw.one_pass=0
    net.inet.ip.dummynet.hash_size=256
    kern.maxfiles=32000
    kern.ipc.somaxconn=1024
    net.inet.ip.process_options=0
    net.inet.ip.fastforwarding=1
    net.link.ether.ipfw=1

Thanks for your interest.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 16 11:06:53 2009
Date: Mon, 16 Feb 2009 11:06:53 GMT
Message-Id: <200902161106.n1GB6rIo096159@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw   [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw   [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw   [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw   [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw   [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

54 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 16 14:28:38 2009
Date: Mon, 16 Feb 2009 15:28:21 +0100 (CET)
Message-Id: <200902161428.n1GESLvL015103@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG, ozkan@mersin.edu.tr
In-Reply-To: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com>
Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE

Hello,

Unfortunately I can't help you with your actual problem, but I have a few remarks that might be helpful.

Özkan KIRIK wrote:
> i am using FreeBSD 7.1 RELEASE as gateway (about 2000 clients 90vlans via
> if_vlan) .
> My Server is HP DL380 G4. I am using the on board gigabit nic as wan
> interface which uses bge driver.
>
> My rule set is below:
>
> wan_intf="bge1"
> ipfw nat 100 config ip X.X.X.1 reset same_ports
> ipfw nat 101 config ip X.X.X.2 reset same_ports
> ipfw nat 102 config ip X.X.X.3 reset same_ports
> ...
> ...
> ipfw add 5 allow all from any to any layer2
> ipfw add 50 checkstate

Note: It is spelled "check-state". Please verify that you have it correctly in your ipfw script.

> ...
> ... Other port forwarding and static nat rules without keep-state
> ...
> ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
> ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
> ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
> ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
> ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
> ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
> ...
> ...
> ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
> ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
> ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
> ...
> ...
>
> About 2 Minutes later after apply this rule set, system writes that bge1
> watchdog timeout --- resetting and then system hangs, keyboard doesnt
> response. No logs can be observed.
>
> When i remove all skipto and checkstate rules, system work properly without
> problems. I suspect about stateful inpection code.

If you don't have an explicit check-state rule, then there's an implicit check-state rule at the first keep-state. If you don't want any check-state at all, you must remove all stateful rules (i.e. all "keep-state" rules).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606; management: secnetix
Verwaltungsgesellsch. mbH, commercial register: Munich registry court, HRB 125758;
managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

$ dd if=/dev/urandom of=test.pl count=1
$ file test.pl
test.pl: perl script text executable

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 16 22:38:12 2009
In-Reply-To: <200902161428.n1GESLvL015103@lurza.secnetix.de>
References: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com> <200902161428.n1GESLvL015103@lurza.secnetix.de>
Date: Tue, 17 Feb 2009 00:12:55 +0200
Message-ID: <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com>
From: Özkan KIRIK
To: freebsd-ipfw@freebsd.org
Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE

Thanks for your reply. It is only a typo; in the real rule set it is correctly written. I want to use stateful inspection.

On Mon, Feb 16, 2009 at 4:28 PM, Oliver Fromme wrote:
> Hello,
>
> Unfortunately I can't help you with your actual problem,
> but I have a few remarks that might be helpful.
>
> Özkan KIRIK wrote:
> > i am using FreeBSD 7.1 RELEASE as gateway (about 2000 clients 90vlans via
> > if_vlan) .
> > My Server is HP DL380 G4. I am using the on board gigabit nic as wan
> > interface which uses bge driver.
> >
> > My rule set is below:
> >
> > wan_intf="bge1"
> > ipfw nat 100 config ip X.X.X.1 reset same_ports
> > ipfw nat 101 config ip X.X.X.2 reset same_ports
> > ipfw nat 102 config ip X.X.X.3 reset same_ports
> > ...
> > ...
> > ipfw add 5 allow all from any to any layer2
> > ipfw add 50 checkstate
>
> Note: It is spelled "check-state". Please verify that you
> have it correctly in your ipfw script.
>
> > ...
> > ... Other port forwarding and static nat rules without keep-state
> > ...
> > ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
> > ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
> > ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
> > ...
> > ...
> > ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
> > ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
> > ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
> > ...
> > ...
> >
> > About 2 Minutes later after apply this rule set, system writes that bge1
> > watchdog timeout --- resetting and then system hangs, keyboard doesnt
> > response. No logs can be observed.
> >
> > When i remove all skipto and checkstate rules, system work properly
> > without problems. I suspect about stateful inpection code.
>
> If you don't have an explicit check-state rule, then there's
> an implicit check-state rule at the first keep-state.
> If you don't want any check-state at all, you musr remove
> all stateful rules (i.e. all "keep-state" rules).
>
> Best regards
>    Oliver
>
> -- 
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
> Commercial register: Munich registry court, HRA 74606; management: secnetix
> Verwaltungsgesellsch. mbH, commercial register: Munich registry court, HRB 125758;
> managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
> FreeBSD services, products and more: http://www.secnetix.de/bsd
>
> $ dd if=/dev/urandom of=test.pl count=1
> $ file test.pl
> test.pl: perl script text executable
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 17 14:50:58 2009
Date: Tue, 17 Feb 2009 06:24:16 -0800 (PST)
Message-ID: <292159.62731.qm@web57103.mail.re3.yahoo.com>
From: Blog Tieng Viet
To: linimon@FreeBSD.org, freebsd-net@FreeBSD.org, freebsd-ipfw@FreeBSD.org
In-Reply-To: <200902131430.n1DEUED7040530@freefall.freebsd.org>
Subject: How to protect FreeBSD from IP spoofing ?

Dear all,

I am a newbie to FreeBSD and would like to get a lot of information about FreeBSD, such as IPFW. I am annoyed by IP spoofing but don't have any way to prevent it. Can anyone tell me how to do it? Thanks in advance.

PS: I am using FreeBSD 6.4-PRERELEASE. The FreeBSD box is used as a web server, and every packet for port 80 is forwarded to it from the LAN router.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 17 17:20:56 2009
In-Reply-To: <292159.62731.qm@web57103.mail.re3.yahoo.com>
References: <200902131430.n1DEUED7040530@freefall.freebsd.org> <292159.62731.qm@web57103.mail.re3.yahoo.com>
Date: Tue, 17 Feb 2009 17:55:37 +0100
Message-ID: <78cb3d3f0902170855p70047aa0r655d8ba846d2458d@mail.gmail.com>
From: Adrian Penisoara
To: blogtiengviet@yahoo.com
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: How to protect FreeBSD from IP spoofing ?

Hi,

Check the ipfw(8) manual (includes examples) or rather go for pf (packet filter) and check the pf.conf(5) manual. For pf you just need to add something like "antispoof for lo0".

Regards,
Adrian.

On Tue, Feb 17, 2009 at 3:24 PM, Blog Tieng Viet wrote:
> Dear all.
> I am a newbie of FreeBSD, would like to get alot of information about
> FreeBSD such as IPFW.
> I am annoyed by IP spoofing but dont have any way to prevent it.
> Can any one tell me how to do ?
> Thanks in advance.
>
> PS:
> I am using 6.4-PRERELEASE FreeBSD 6.4-PRERELEASE.
> The FreeBSD box is used for web server, and it is forwarded every parket of
> port 80 from LAN router.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 17 17:36:11 2009
In-Reply-To: <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com>
References: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com> <200902161428.n1GESLvL015103@lurza.secnetix.de> <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com> <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com>
Date: Tue, 17 Feb 2009 18:28:35 +0100
Message-ID: <92bcbda50902170928gd0fc74bs7b7836fe92c4609b@mail.gmail.com>
From: n j
To: freebsd-ipfw@freebsd.org
Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE

Sorry, hit the wrong key combo and the message went before I finished it :(

...
> Here is the rule that after a short while (probably the first packet
> to match the rule) freezes the machine:
>
ipfw -q flush
ipfw -q nat 123 config ip a.b.c.d log
ipfw -q disable one_pass
...
> ipfw add 00003 nat 123 log ip from x.x.x.0/24 to
> a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out # keep-state here causes freeze
> ... further down the chain...
ipfw add 00900 check-state

If anyone else has experienced similar cases, I invite them to share.

Regards,
-- 
nino

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 17 17:52:09 2009
In-Reply-To: <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com>
References: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com> <200902161428.n1GESLvL015103@lurza.secnetix.de> <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com>
Date: Tue, 17 Feb 2009 18:24:39 +0100
Message-ID: <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com>
From: n j
To: freebsd-ipfw@freebsd.org
Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE

> About 2 Minutes later after apply this rule set, system writes that bge1
> watchdog timeout --- resetting and then system hangs, keyboard doesnt
> response. No logs can be observed.
>
> When i remove all skipto and checkstate rules, system work properly
> without problems. I suspect about stateful inpection code.

Just to add a "me too" message to this thread: I also experienced system freezes (keyboard not working => hardware reset necessary) with in-kernel NAT and stateful rules. I had a repeatable case on a production server and hoped to replicate the bug on a different machine, as the production server needed to go in, well, production; however, thanks to the complex setup of the original machine (in-kernel NAT, vlans, openvpn...), lack of time and a virtual environment, the test scenario failed to produce a sensible bug report and I gave up until I saw the OP reporting the same issue.

Here is the rule that after a short while (probably the first packet to match the rule) freezes the machine:

ipfw 00003 nat 123 log ip from x.x.x.0/24 to a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out # keep-state here causes freeze
... further down the chain...
ipfw

I know this is far from a good bug report, but the stateful inspection code/in-kernel NAT mix might be worth looking into.
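The rule walk that the posts above disagree about, as an added toy model that is not FreeBSD's ipfw code and not anything posted in this thread: it covers Özkan's layout (a nat rule, then a skipto rule with setup keep-state, then the return nat rules at 51000), Oliver's remark that without an explicit check-state rule the dynamic rules are consulted at the first keep-state rule, and nino's variant with keep-state on the nat rule itself. It follows the ipfw(8) description of first-match evaluation, skipto, in-kernel nat with net.inet.ip.fw.one_pass=0 (the chain is re-entered after the nat rule with the translated packet, dynamic lookup included) and check-state/keep-state, and nothing else. Every address, port and rule number is constructed, and the model says nothing about the bge1 watchdog timeout or the hang, which the thread leaves unexplained.

```python
"""Toy model of the ipfw rule walk for this thread's rulesets (added example, not FreeBSD code):
first-match evaluation, skipto, nat with one_pass=0, check-state/keep-state. All values constructed."""
from dataclasses import dataclass
import ipaddress

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str           # "in" or "out" on the WAN interface
    syn_only: bool = False   # TCP SYN without ACK, what the "setup" option matches

@dataclass
class Rule:
    num: int
    action: str               # allow, deny, check-state, skipto or nat
    arg: int = 0              # skipto target or nat instance
    src: str = "any"          # "any", an address or a CIDR prefix
    dst: str = "any"
    setup: bool = False
    keep_state: bool = False

def addr_in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

class Firewall:
    def __init__(self, rules, nat_ips):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.nat_ips = nat_ips    # nat instance -> public address ("nat N config ip ...")
        self.dyn = {}             # (src, sport, dst, dport) -> rule that installed the state
        self.alias = {}           # (public address, port) -> private address

    def _nat(self, inst, pkt):    # same_ports-style aliasing, both directions
        pub = self.nat_ips[inst]
        if pkt.direction == "out":
            self.alias[(pub, pkt.sport)] = pkt.src
            pkt.src = pub
        elif pkt.dst == pub and (pub, pkt.dport) in self.alias:
            pkt.dst = self.alias[(pub, pkt.dport)]

    def _act(self, r, pkt):       # returns a verdict, or the index of the rule to continue from
        if r.action in ("allow", "deny"):
            return r.action
        if r.action == "skipto":
            return next(i for i, x in enumerate(self.rules) if x.num >= r.arg)
        self._nat(r.arg, pkt)
        return self.rules.index(r) + 1   # one_pass=0: the walk continues after the nat rule

    def evaluate(self, pkt):      # first-match walk -> (verdict, rewritten packet, trace)
        trace, i, looked_up = [], 0, False
        while isinstance(i, int) and i < len(self.rules):
            r, fired = self.rules[i], None
            # dynamic rules are consulted once, at the first check-state or keep-state rule
            if r.action == "check-state" or (r.keep_state and not looked_up):
                looked_up = True
                key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
                fired = self.dyn.get(key) or self.dyn.get(key[2:] + key[:2])  # either direction
                if fired:
                    trace.append(f"{r.num}: dynamic match, acting as rule {fired.num}")
            if fired is None:
                if r.action == "check-state" or not (addr_in(pkt.src, r.src) and addr_in(
                        pkt.dst, r.dst) and (not r.setup or pkt.syn_only)):
                    i += 1
                    continue
                if r.keep_state:   # installed before the rule's own action runs, as in ipfw
                    self.dyn[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = r
                    trace.append(f"{r.num}: installed dynamic rule")
                trace.append(f"{r.num}: {r.action}")
                fired = r
            i = self._act(fired, pkt)
            if fired.action == "nat":   # ipfw re-enters the chain after nat with a fresh lookup
                looked_up = False
        return (i if isinstance(i, str) else "deny"), pkt, trace   # off the end: 65535 denies

# Modelled on the posted ruleset with one nat instance (198.51.100.1 stands in for X.X.X.1,
# 10.1.0.0/16 is the LAN from the post); rule numbers and the allow tail are constructed.
RULES = [
    Rule(50, "check-state"),
    Rule(50000, "nat", arg=100, src="10.1.0.0/16"),
    Rule(50001, "skipto", arg=51000, src="198.51.100.1", setup=True, keep_state=True),
    Rule(51000, "nat", arg=100, dst="198.51.100.1"),
    Rule(52000, "allow"),
]
SCENARIOS = {
    "explicit check-state": RULES,
    "implicit check-state at the first keep-state": [r for r in RULES if r.num != 50],
    "keep-state on the nat rule": [   # nino's shape: the state is keyed on the private address
        Rule(3, "nat", arg=100, src="10.1.0.0/16", keep_state=True), Rule(900, "check-state"),
        Rule(1000, "allow", src="198.51.100.1"), Rule(65535, "deny")],
}

def session(name):   # a LAN host's SYN to a web server, then the reply, on a fresh firewall
    fw = Firewall(SCENARIOS[name], {100: "198.51.100.1"})
    v1, out, t1 = fw.evaluate(Packet("10.1.2.3", "203.0.113.5", 40000, 80, "out", syn_only=True))
    v2, back, t2 = fw.evaluate(Packet("203.0.113.5", "198.51.100.1", 80, 40000, "in"))
    return (v1, out.src, t1), (v2, back.dst, t2)
```

session(name) returns, for the outbound SYN and for the reply, the verdict, the address the nat rewrote and the list of rules that fired. With the explicit check-state at rule 50 the reply is matched there and jumps to the rule-51000 nat that maps it back to 10.1.2.3; without rule 50 the same match happens at rule 50001, the first keep-state rule, which is what Oliver's remark describes. In nino's shape the state is created before the nat rewrites the source, so it is keyed on the private address, and the reply, still addressed to the public one, is never matched by it and falls through to the default deny.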
From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 17 23:16:46 2009
Date: Wed, 18 Feb 2009 01:54:17 +0300
Message-ID: <499B4019.4060203@localhost.inse.ru>
From: Roman Kurakin User-Agent: Thunderbird 2.0.0.16 (X11/20080723) MIME-Version: 1.0 To: n j References: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com> <200902161428.n1GESLvL015103@lurza.secnetix.de> <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com> <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com> In-Reply-To: <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-ipfw@freebsd.org Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Feb 2009 23:16:47 -0000 n j wrote: >> About 2 Minutes later after apply this rule set, system writes that bge1 >> watchdog timeout --- resetting and then system hangs, keyboard doesnt >> response. No logs can be observed. >> >> When i remove all skipto and checkstate rules, system work properly >> without problems. I suspect about stateful inpection code. >> > > Just to add a "me too" message to this thread, I also experienced > system freezes (keyboard not working => hardware reset necessary) with > in-kernel NAT and stateful rules. I had a repeatable case on a > production server and hoped to replicate the bug on a different > machine as the production server needed to go in, well, production; > however thanks to complex setup of original machine (in-kernel NAT, > vlans, openvpn...), lack of time and virtual environment, test > scenario failed to produce a sensible bug report and I gave up until I > saw OP reporting the same issue. 
> > Here is the rule that after a short while (probably the first packet > to match the rule) freezes the machine: > > ipfw 00003 nat 123 log ip from x.x.x.0/24 to > a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out # keep-state here causes freeze > ... further down the chain... > ipfw > I know this is far from a good bug report, but stateful inspection > code/in-kernel NAT mix might be worth looking into. > IIRC both natd and in-kernel nat do not support stateful rules. rik > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > From owner-freebsd-ipfw@FreeBSD.ORG Wed Feb 18 04:12:47 2009 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 17CDD106566C for ; Wed, 18 Feb 2009 04:12:47 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [220.233.188.227]) by mx1.freebsd.org (Postfix) with ESMTP id 7A1B68FC14 for ; Wed, 18 Feb 2009 04:12:46 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id n1I3X8S3029149; Wed, 18 Feb 2009 14:33:08 +1100 (EST) (envelope-from smithi@nimnet.asn.au) Date: Wed, 18 Feb 2009 14:33:07 +1100 (EST) 
From: Ian Smith
To: Roman Kurakin
Cc: n j, freebsd-ipfw@freebsd.org
In-Reply-To: <499B4019.4060203@localhost.inse.ru>
Message-ID: <20090218142336.U38905@sola.nimnet.asn.au>
References: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com> <200902161428.n1GESLvL015103@lurza.secnetix.de> <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com> <92bcbda50902170924h167125f2vf054ffd481ec1831@mail.gmail.com> <499B4019.4060203@localhost.inse.ru>
Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE

On Wed, 18 Feb 2009, Roman Kurakin wrote:
> n j wrote:
> > > About 2 minutes after applying this rule set, the system writes that bge1
> > > watchdog timeout --- resetting and then the system hangs, keyboard doesn't
> > > respond. No logs can be observed.
> > >
> > > When I remove all skipto and check-state rules, the system works properly
> > > without problems. I suspect the stateful inspection code.
> > >
> >
> > Just to add a "me too" message to this thread, I also experienced
> > system freezes (keyboard not working => hardware reset necessary) with
> > in-kernel NAT and stateful rules. I had a repeatable case on a
> > production server and hoped to replicate the bug on a different
> > machine as the production server needed to go in, well, production;
> > however, thanks to the complex setup of the original machine (in-kernel NAT,
> > vlans, openvpn...), lack of time and a virtual environment, the test
> > scenario failed to produce a sensible bug report and I gave up until I
> > saw the OP reporting the same issue.
> >
> > Here is the rule that after a short while (probably the first packet
> > to match the rule) freezes the machine:
> >
> > ipfw 00003 nat 123 log ip from x.x.x.0/24 to
> > a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out # keep-state here causes freeze
> > ... further down the chain...
> > ipfw
> >
> > I know this is far from a good bug report, but the stateful inspection
> > code/in-kernel NAT mix might be worth looking into.
> >
> IIRC both natd and in-kernel nat do not support stateful rules.
>
> rik

I'm not sure what sense '[nat|divert] .. keep-state' would make anyway.

At least with divert, so I assume with nat, you can test for 'diverted' packets afterwards, so maybe the workaround would be to do keep-state on an allow or skipto for diverted packets (out) just after the nat?

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Wed Feb 18 21:10:58 2009
Date: Wed, 18 Feb 2009 21:10:58 GMT
Message-Id: <200902182110.n1ILAw7t085805@freefall.freebsd.org>
To: gavin@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: gavin@FreeBSD.org
Subject: Re: kern/131817: ipfw blocks layer2 packets that should not be blocked
X-List-Received-Date: Wed, 18 Feb 2009 21:10:59 -0000

Synopsis: ipfw blocks layer2 packets that should not be blocked

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: gavin
Responsible-Changed-When: Wed Feb 18 21:01:17 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

To submitter: FWIW, I agree that this does seem like incorrect behaviour. I usually work around it with the following additional rule:

ipfw add 10 allow ip from any to any layer2 mac-type arp

http://www.freebsd.org/cgi/query-pr.cgi?pr=131817

From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 19 03:30:05 2009
Date: Thu, 19 Feb 2009 03:30:04 GMT
Message-Id: <200902190330.n1J3U4G4063058@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Vladimir Kurtukov
Reply-To: Vladimir Kurtukov
Subject: kern/131601: [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
X-List-Received-Date: Thu, 19 Feb 2009 03:30:05 -0000

The following reply was made to PR kern/131601; it has been noted by GNATS.

From: Vladimir Kurtukov
To: bug-followup@FreeBSD.org
Subject: kern/131601: [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
Date: Thu, 19 Feb 2009 10:22:45 +0700

Quick fix, tested, no panic. Apply in /sys/contrib/ipfilter/netinet:

--- ip_nat.c.std 2007-10-31 12:00:38.000000000 +0700 +++ ip_nat.c 2009-02-19 10:20:05.000000000 +0700 @@ -2552,6 +2552,10 @@ { frentry_t *fr; ipnat_t *np; + + if (fin->fin_p == IPPROTO_TCP && tcp == NULL) { + return -1; + } np = ni->nai_np;

---
Best regards,
Vladimir
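Review bot: the guard added in the hunk at @@ -2552,6 +2552,10 @@ returns -1 when fin->fin_p == IPPROTO_TCP but tcp == NULL, which avoids the null dereference behind the reported panic but leaves unexplained how a TCP packet reaches nat_finalise with no TCP header pointer; a comment at the check stating the condition that produces it, and a note confirming that every caller treats a -1 return as "no NAT session created" and does not go on to use a half-initialised entry, would make the fix reviewable rather than a symptom patch. The patch is also applied under /sys/contrib/ipfilter/netinet/ip_nat.c, i.e. the ipfilter NAT code, while the PR subject is tagged [ipfw]; the PR category should say which NAT implementation actually panicked so it reaches the right maintainers.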