From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 6 14:55:16 2011
From: Dave Johnson
To: freebsd-ipfw@freebsd.org, freebsd-stable@freebsd.org
Date: Sun, 6 Mar 2011 16:23:52 +0200
Subject: Kernel Update / IPFW not working

Hi all

An IPFW problem when going from release to stable on 8.2

Any help gladly accepted

LOG ON

Flushed all rules.
00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00030 divert 8668 ip from any to any via bge0
ipfw: getsockopt(IP_FW_ADD): Invalid argument
50000 allow ip from any to any
Firewall rules loaded.
Starting natd.

rc.conf
defaultrouter="192.168.0.1"
gateway_enable="YES"
hostname="xxx.xxx.xxx"
ifconfig_bge0="inet 192.168.0.11 netmask 255.255.255.0"
ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
keymap="us.iso"
moused_enable="YES"
sshd_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
natd_program="/sbin/natd"
natd_enable="YES"
natd_interface="bge0"
natd_flags="-f /etc/natd.conf"
dhcpd_enable="NO"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="em0"
dhcpd_withumask="022"

natd.conf

interface bge0
use_sockets yes
same_ports yes
log
#redirect_port tcp 192.168.1.189:3389 3389
#redirect_port tcp 192.168.1.53:5500 5500

#!/bin/sh

/sbin/ipfw -f flush
/sbin/ipfw -f pipe flush

#Nat Rules
/sbin/ipfw add 10 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
/sbin/ipfw add 30 divert natd all from any to any via bge0

#Forward to Transparent Proxy Server
#/sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
#/sbin/ipfw add 10010 fwd 127.0.0.1,3128 tcp from 10.0.21.2 to any 80

/sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80

/sbin/ipfw add 50000 allow ip from any to any

KERNEL

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET

Regards
From owner-freebsd-ipfw@FreeBSD.ORG Sun Mar 6 15:12:50 2011
From: Michael Scheidell
To: Dave Johnson, freebsd-ipfw@freebsd.org, freebsd-stable@freebsd.org
Date: Sun, 6 Mar 2011 15:13:02 +0000
Subject: Re: Kernel Update / IPFW not working

Might be an ipv6 issue.  Try divert ipv4 not ip.

--
Michael Scheidell
CTO SECNAP Network Security
561-948-2259
From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 7 03:30:25 2011
From: Ian Smith
To: Dave Johnson
Cc: stable@freebsd.org, ipfw@freebsd.org
Date: Mon, 7 Mar 2011 13:56:49 +1100 (EST)
Subject: Re: An IPFW problem when going from release to stable on 8.2/ Maybe bge0 network card? (fwd)

Oh, I see this one was to net@, whereas your earlier message was to
ipfw@ and stable@ with different subject, a bit confusing ..

Ian

---------- Forwarded message ----------
Date: Mon, 7 Mar 2011 13:49:20 +1100 (EST)
From: Ian Smith
To: Dave Johnson
Cc: freebsd-net@freebsd.org
Subject: Re: An IPFW problem when going from release to stable on 8.2/ Maybe bge0 network card?

On Sun, 6 Mar 2011, Dave Johnson wrote:

> Hi all
>
> An IPFW problem when going from release to stable on 8.2
>
> Any help gladly accepted
>
> LOG ON
>
> Flushed all rules.
> 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> 00030 divert 8668 ip from any to any via bge0
> ipfw: getsockopt(IP_FW_ADD): Invalid argument
> 50000 allow ip from any to any
> Firewall rules loaded.
> Starting natd.

That error occurred when attempting to install the fwd rule below.
Checking with 'ipfw list' should show that rule as missing.

> rc.conf
> defaultrouter="192.168.0.1"
> gateway_enable="YES"
> hostname="xxx.xxx.xxx"
> ifconfig_bge0="inet 192.168.0.11 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
> keymap="us.iso"
> moused_enable="YES"
> sshd_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> natd_program="/sbin/natd"
> natd_enable="YES"
> natd_interface="bge0"
> natd_flags="-f /etc/natd.conf"
> dhcpd_enable="NO"
> dhcpd_flags="-q"
> dhcpd_conf="/usr/local/etc/dhcpd.conf"
> dhcpd_ifaces="em0"
> dhcpd_withumask="022"
>
> natd.conf
>
> interface bge0
> use_sockets yes
> same_ports yes
> log
> #redirect_port tcp 192.168.1.189:3389 3389
> #redirect_port tcp 192.168.1.53:5500 5500
>
> #!/bin/sh
>
> /sbin/ipfw -f flush
> /sbin/ipfw -f pipe flush
>
> #Nat Rules
> /sbin/ipfw add 10 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> /sbin/ipfw add 30 divert natd all from any to any via bge0

Don't use 'all' or 'ip' with divert, specify ip4 instead; divert can't
handle ip6 packets yet, panics have been reported.  See /etc/rc.firewall

> #Forward to Transparent Proxy Server
> #/sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
> #/sbin/ipfw add 10010 fwd 127.0.0.1,3128 tcp from 10.0.21.2 to any 80
>
> /sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
>
> /sbin/ipfw add 50000 allow ip from any to any
>
> KERNEL
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=5
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT
> options DUMMYNET

But ipfw(8) sayeth:

    To enable fwd a custom kernel needs to be compiled with the option
    options IPFIREWALL_FORWARD.

cheers, Ian

[ aside: man.cgi is currently broken for 8.2-RELEASE, at least for ipfw.
http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE&format=html
reports "Sorry, no data found for `ipfw'.  Please try a keyword search."
Selecting 8.1-stable instead works correctly ]

From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 7 11:07:01 2011
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 7 Mar 2011 11:07:00 GMT
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/153415  ipfw  [ipfw] [patch] Port numbers always zero in dynamic IPF
o bin/153252   ipfw  [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw  IPFIREWALL does not allow specify rules with ICMP code
o kern/152887  ipfw  [ipfw] Can not set more then 1024 buckets with buckets
o kern/152113  ipfw  [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/150798  ipfw  [ipfw] ipfw2 fwd rule matches packets but does not do
o kern/148827  ipfw  [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw  [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw  [ipfw] IPFW schedule delete broken.
o kern/148157  ipfw  [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o kern/148091  ipfw  [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw  [ipfw] ipfw dynamic rules and fwd
o kern/145305  ipfw  [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/144269  ipfw  [ipfw] problem with ipfw tables
o kern/144187  ipfw  [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw  [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw  [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw  [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw  [ipfw] ipfw table contains the same address
f kern/142951  ipfw  [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw  [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw  [ipfw] install_state: entry already present, done
o kern/137346  ipfw  [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw  [ipfw] parser troubles
o kern/136695  ipfw  [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw  [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw  [patch] ipfw(8) can't work with set in rule file.
o kern/131817  ipfw  [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw  [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw  [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw  [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw  [ipfw] IPFW check state does not work =(
o kern/129093  ipfw  [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw  [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw  [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw  [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw  [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw  [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw  [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw  [ipfw] tcpdump does not show packets redirected by 'ip
o kern/122109  ipfw  [ipfw] ipfw nat traceroute problem
s kern/121807  ipfw  [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw  [dummynet] 6.3-RELEASE-p1 page fault in dummynet (corr
o kern/121122  ipfw  [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw  [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw  ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw  [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw  [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw  [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw  [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw  [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw  [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw  [ipfw] ipfw pipe lost packets
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw  [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw  [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw  [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw  [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau

77 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 7 12:12:27 2011
From: Thomas Sandford
To: Dave Johnson
Cc: freebsd-ipfw@freebsd.org, freebsd-stable@freebsd.org
Date: Mon, 07 Mar 2011 11:33:42 +0000
Subject: Re: Kernel Update / IPFW not working

On 06/03/2011 14:23, Dave Johnson wrote:
> An IPFW problem when going from release to stable on 8.2
>
> Any help gladly accepted
>
> LOG ON
>
> Flushed all rules.
> 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> 00030 divert 8668 ip from any to any via bge0
> ipfw: getsockopt(IP_FW_ADD): Invalid argument
> 50000 allow ip from any to any
> Firewall rules loaded.
> Starting natd.
>
> rc.conf
> defaultrouter="192.168.0.1"
> gateway_enable="YES"
> hostname="xxx.xxx.xxx"
> ifconfig_bge0="inet 192.168.0.11 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
> keymap="us.iso"
> moused_enable="YES"
> sshd_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> natd_program="/sbin/natd"
> natd_enable="YES"
> natd_interface="bge0"
> natd_flags="-f /etc/natd.conf"
> dhcpd_enable="NO"
> dhcpd_flags="-q"
> dhcpd_conf="/usr/local/etc/dhcpd.conf"
> dhcpd_ifaces="em0"
> dhcpd_withumask="022"
>
> ... [additional config which doesn't further isolate the problem snipped] ...

It's a bug with the ipfw / natd startup scripts.

See:
http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/148137
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148928
http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/153155

The latter has a patch to fix the problem.
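The replies above attribute the same "getsockopt(IP_FW_ADD): Invalid argument" to different causes: Ian Smith points at divert matching 'ip'/'all' and at fwd without options IPFIREWALL_FORWARD, Thomas Sandford at the startup scripts not loading ipdivert (conf/153155). The following checker is an added example, not code from the thread or from FreeBSD; it parses the rc.conf, firewall script and kernel config as Dave posted them (embedded here as constructed input) and reports each of those conditions, then rewrites the divert rule to ip4 as both replies ask. The function names and the rule grammar it handles are this example's own assumptions.

```python
"""Sanity-check an ipfw + natd setup of the kind posted in this thread.

Added example, not code from the thread or from FreeBSD: parses rc.conf,
the firewall script and the kernel config, and reports divert rules that
match 'ip'/'all' (IPv6 reaches the divert socket; use ip4), fwd rules on a
kernel without IPFIREWALL_FORWARD (ipfw add fails with EINVAL), and divert
rules on a kernel without IPDIVERT (the ipdivert module must then be loaded
before /etc/rc.d/ipfw adds the rules, the conf/153155 case).
"""
import re

# Constructed from the configuration posted in the thread.
RC_CONF = """\
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
natd_enable="YES"
natd_interface="bge0"
natd_flags="-f /etc/natd.conf"
"""
FIREWALL_SCRIPT = """\
#!/bin/sh
/sbin/ipfw -f flush
/sbin/ipfw -f pipe flush
#Nat Rules
/sbin/ipfw add 10 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
/sbin/ipfw add 30 divert natd all from any to any via bge0
#Forward to Transparent Proxy Server
#/sbin/ipfw add 10010 fwd 127.0.0.1,3128 tcp from 10.0.21.2 to any 80
/sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
/sbin/ipfw add 50000 allow ip from any to any
"""
KERNEL_CONF = """\
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET
"""


def parse_rc_conf(text):
    """rc.conf is sh assignments, name="value"; returns {name: value}."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^\s*(\w+)="?([^"\n]*)"?\s*$', text, re.M)}


def parse_kernel_options(text):
    """'options NAME' / 'options NAME=value' lines -> set of NAMEs."""
    return set(re.findall(r'^\s*options\s+(\w+)', text, re.M))


def parse_ipfw_rules(script):
    """Extract 'ipfw add' rules from a firewall script; comments are skipped.

    Grammar handled: add [num] action [action-args] proto from ... [via ifname]
    """
    rules = []
    for line in script.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith('#'):
            continue
        if not (tok[0].endswith('ipfw') and tok[1:2] == ['add'] and 'from' in tok):
            continue
        body = tok[2:]
        num = int(body.pop(0)) if body[0].isdigit() else None
        i = body.index('from')
        via = body[body.index('via') + 1] if 'via' in body[:-1] else None
        rules.append({'num': num, 'action': body[0], 'args': body[1:i - 1],
                      'proto': body[i - 1], 'via': via})
    return rules


def check_setup(rules, kernel_opts, rc):
    """Return [(rule number, finding)] for the problems discussed in the thread."""
    findings = []
    for r in rules:
        if r['action'] == 'divert':
            if r['proto'] in ('ip', 'all'):
                findings.append((r['num'], "divert matches '%s', so IPv6 packets are "
                                 "handed to the divert socket; use ip4" % r['proto']))
            if 'IPDIVERT' not in kernel_opts:
                findings.append((r['num'], "IPDIVERT not compiled in: the ipdivert "
                                 "module must be loaded before this rule is added"))
        elif r['action'] == 'fwd' and 'IPFIREWALL_FORWARD' not in kernel_opts:
            findings.append((r['num'], "fwd needs options IPFIREWALL_FORWARD; without "
                             "it ipfw add fails with getsockopt(IP_FW_ADD): Invalid argument"))
    return findings


# 'divert <port> ip|all from' -> 'divert <port> ip4 from', the change both replies ask for.
DIVERT_PROTO_RE = re.compile(r'(\bdivert\s+\S+\s+)(?:ip|all)(?=\s+from\b)')


def harden_divert_rules(script):
    """Return the script with every divert rule restricted to IPv4."""
    return DIVERT_PROTO_RE.sub(r'\g<1>ip4', script)


if __name__ == '__main__':
    rules = parse_ipfw_rules(FIREWALL_SCRIPT)
    for num, msg in check_setup(rules, parse_kernel_options(KERNEL_CONF),
                                parse_rc_conf(RC_CONF)):
        print('rule %s: %s' % (num, msg))
```

Run against Dave's kernel config the checker reports rule 30 (divert on 'all') and rule 10001 (fwd without IPFIREWALL_FORWARD); with IPDIVERT removed from the kernel options it reports the module-loading case instead.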
From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 7 14:30:28 2011
From: Ian Smith
To: Thomas Sandford
Cc: freebsd-ipfw@freebsd.org, freebsd-stable@freebsd.org, Dave Johnson
Date: Tue, 8 Mar 2011 01:00:05 +1100 (EST)
Subject: Re: Kernel Update / IPFW not working

On Mon, 7 Mar 2011, Thomas Sandford wrote:
> On 06/03/2011 14:23, Dave Johnson wrote:
> > An IPFW problem when going from release to stable on 8.2
> >
> > Any help gladly accepted
> >
> > LOG ON
> >
> > Flushed all rules.
> > 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> > 00030 divert 8668 ip from any to any via bge0
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > 50000 allow ip from any to any
> > Firewall rules loaded.
> > Starting natd.
> >
> > rc.conf
> > defaultrouter="192.168.0.1"
> > gateway_enable="YES"
> > hostname="xxx.xxx.xxx"
> > ifconfig_bge0="inet 192.168.0.11 netmask 255.255.255.0"
> > ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
> > keymap="us.iso"
> > moused_enable="YES"
> > sshd_enable="YES"
> > firewall_enable="YES"
> > firewall_script="/etc/rc.firewall"
> > natd_program="/sbin/natd"
> > natd_enable="YES"
> > natd_interface="bge0"
> > natd_flags="-f /etc/natd.conf"
> > dhcpd_enable="NO"
> > dhcpd_flags="-q"
> > dhcpd_conf="/usr/local/etc/dhcpd.conf"
> > dhcpd_ifaces="em0"
> > dhcpd_withumask="022"
> >
> > ... [additional config which doesn't further isolate the problem snipped]
> > ...

Beg to differ.  'ipfw fwd' still requires building a custom kernel with
options IPFIREWALL_FORWARD last I heard.  Julian's explained a few times
that it's not compiled in by default for performance reasons, and can't
be isolated to modules as it adds code in multiple parts of the stack.

> It's a bug with the ipfw / natd startup scripts.
>
> See:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/148137
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148928
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/153155
>
> The latter has a patch to fix the problem.

It's a similar but not quite the same issue, albeit the same message.
Quoting your conf/153155:

: /etc/rc.d/ipfw fails to load the ipdivert module when natd is enabled.
:
: This causes the divert rules that /etc/rc.firewall adds in this case to
: fail on system boot, with the following error message displayed during
: ipfw rule load:
: ipfw: getsockopt(IP_FW_ADD): Invalid argument
:
: Restarting ipfw works around the problem as /etc/rc.d/natd (which is run
: _after_ ipfw is initialised) DOES load ipdivert.

And requoting Dave's:

: > KERNEL
: >
: > options IPFIREWALL
: > options IPFIREWALL_VERBOSE
: > options IPFIREWALL_VERBOSE_LIMIT=5
: > options IPFIREWALL_DEFAULT_TO_ACCEPT
: > options IPDIVERT
: > options DUMMYNET

In this case ipfw was built into kernel, including IPDIVERT, so it's not
a failure to load that module but lack of IPFIREWALL_FORWARD, I believe.

Hopefully hrs@ is still looking into patches including yours and mine re
/etc/rc.d script module loading order and natd vs kernel nat issues ..

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 8 19:11:18 2011
From: Luigi Rizzo
To: freebsd-ipfw@freebsd.org
Date: Tue, 8 Mar 2011 20:25:09 +0100
Subject: Re: ipfw fwd and multicast mac address

On Fri, Mar 04, 2011 at 05:55:38AM +0200, Eugene Perevyazko wrote:
> Hi
>
> I've stumbled on a pretty strange issue in combination of ipfw fwd rules
> with multicast.
> The system is 7-Stable.
> It runs ospf, that uses MC groups 224.0.0.5 and 224.0.0.6. Normally those
> groups use dst mac addresses of 01:00:5e:00:00:05 and 01:00:5e:00:00:06
> respectively where last 4 bytes are taken from group's IP.
> Then I needed to add some fwd rules like this:
> fwd 192.168.31.14 out xmit em0
> (em0 is the interface on which ospf is running)
> Somehow after that MC dst mac has got 2 bytes changed:
> 224.0.0.5 got 01:00:5e:a8:1f:05 and 224.0.0.6 got 01:00:5e:a8:1f:06
> "a8:1f" clearly is "168.31" from fwd destination.
> Of course this means no ospf anymore.
> I've fixed this by adding "pass dst-ip 224.0.0.0/8" before "fwd" but
> it has made my evening much more lively until I figured what's happening.
>
> The question is if this is intended consequence and if yes then why change
> only two bytes instead of four (irony intended)?

i am unclear whether the 224/8 packets are expected to match your "fwd"
rule (fwd works by overwriting the dst-mac address, though you should see
the one corresponding to 192.168.31.14), or they are not expected to
match, in which case of course the packet should not be modified at all.

In any case it is really weird that the final byte (05, 06) is intact --
ipfw manages IP addresses as uint32 so i would have expected the final
byte to be modified as well.

cheers
luigi

> --
> Eugene Perevyazko
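The symptom Eugene and Luigi discuss above is a multicast frame whose destination MAC no longer matches its group address. The following is an added example, not code from the thread: it computes the MAC an IPv4 group maps to under RFC 1112 (01:00:5e followed by the low 23 bits of the group address, so only three octets come from the IP and the top bit of the first is cleared) and audits tcpdump -e style capture lines for frames that disagree, reporting which octets were rewritten. The capture lines, the line format and the function names are this example's own constructed assumptions.

```python
"""Verify IPv4 multicast destination MACs against the RFC 1112 mapping.

Added example, not code from the thread. The mapping is 01:00:5e plus the
low 23 bits of the group address; a frame whose dst MAC disagrees with it
is what the OSPF breakage described in the thread looks like on the wire.
"""
import ipaddress
import re


def multicast_mac(group):
    """RFC 1112: 01:00:5e followed by the low 23 bits of the group address."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError("%s is not an IPv4 multicast address" % group)
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def differing_octets(observed, expected):
    """Return [(index, observed_octet, expected_octet)] for the octets that differ."""
    obs, exp = observed.lower().split(":"), expected.lower().split(":")
    return [(i, a, b) for i, (a, b) in enumerate(zip(obs, exp)) if a != b]


# tcpdump -e style line: "<src mac> > <dst mac>, ... : <src ip> > <dst ip>: ..."
FRAME_RE = re.compile(
    r"^([0-9a-f:]{17}) > ([0-9a-f:]{17}),.*?: (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+)")


def audit_capture(lines):
    """Compare each multicast frame's dst MAC with the RFC 1112 mapping.

    Returns [(dst_ip, observed_mac, expected_mac, differing octets)] for the
    frames whose destination MAC is wrong; unicast and unparsable lines are skipped.
    """
    bad = []
    for line in lines:
        m = FRAME_RE.search(line)
        if not m:
            continue
        dst_mac, dst_ip = m.group(2), m.group(4)
        if not ipaddress.IPv4Address(dst_ip).is_multicast:
            continue
        expected = multicast_mac(dst_ip)
        if dst_mac.lower() != expected:
            bad.append((dst_ip, dst_mac, expected, differing_octets(dst_mac, expected)))
    return bad


# Constructed sample capture (not from the thread): a correct OSPF hello, the two
# rewritten destination MACs Eugene reported, and an unrelated unicast frame.
SAMPLE_CAPTURE = [
    "00:1b:21:aa:bb:cc > 01:00:5e:00:00:05, ethertype IPv4 (0x0800), length 78: 192.168.31.1 > 224.0.0.5: OSPFv2, Hello",
    "00:1b:21:aa:bb:cc > 01:00:5e:a8:1f:05, ethertype IPv4 (0x0800), length 78: 192.168.31.1 > 224.0.0.5: OSPFv2, Hello",
    "00:1b:21:aa:bb:cc > 01:00:5e:a8:1f:06, ethertype IPv4 (0x0800), length 78: 192.168.31.1 > 224.0.0.6: OSPFv2, LS-Update",
    "00:1b:21:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 60: 192.168.31.1 > 192.168.31.14: ICMP echo request",
]

if __name__ == "__main__":
    for dst_ip, seen, want, diff in audit_capture(SAMPLE_CAPTURE):
        print("%s: dst MAC %s, expected %s, rewritten octets %s" % (dst_ip, seen, want, diff))
```

On the sample capture the audit flags the two rewritten frames and reports octets 3 and 4 (a8 and 1f in place of 00 00), exactly the two bytes Eugene observed; the unicast frame and the correct hello are not reported.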
Hi all

An IPFW problem? Any help gladly accepted.

It would appear port 80 is closed. Ports 21 25 443 587 998 work well.

rc.conf

    defaultrouter="192.168.0.1"
    gateway_enable="YES"
    hostname="xxx.xxx.xxx"
    ifconfig_re0="inet 192.168.0.11 netmask 255.255.255.0"
    ifconfig_re1="inet 192.168.1.2 netmask 255.255.255.0"
    keymap="us.iso"
    moused_enable="YES"
    sshd_enable="YES"
    firewall_enable="YES"
    firewall_script="/etc/rc.firewall"
    natd_program="/sbin/natd"
    natd_enable="YES"
    natd_interface="re0"
    natd_flags="-f /etc/natd.conf"
    dhcpd_enable="NO"
    dhcpd_flags="-q"
    dhcpd_conf="/usr/local/etc/dhcpd.conf"
    dhcpd_ifaces="re1"
    dhcpd_withumask="022"

natd.conf

    interface re0
    use_sockets yes
    same_ports yes
    log
    #redirect_port tcp 192.168.1.189:3389 3389
    #redirect_port tcp 192.168.1.53:5500 5500

    #!/bin/sh
    /sbin/ipfw -f flush
    /sbin/ipfw -f pipe flush
    #Nat Rules
    /sbin/ipfw add 10 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    /sbin/ipfw add 30 divert natd all from any to any via re0
    #Forward to Transparent Proxy Server
    #/sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
    #/sbin/ipfw add 10010 fwd 127.0.0.1,3128 tcp from 10.0.21.2 to any 80
    /sbin/ipfw add 10001 fwd 127.0.0.1,3128 tcp from any to any 80
    /sbin/ipfw add 50000 allow ip from any to any

Regards
From: Eugene Perevyazko
Date: Wed, 9 Mar 2011 13:19:26 +0200
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw fwd and multicast mac address
Message-ID: <20110309111926.GA91417@traktor.dnepro.net>
In-Reply-To: <20110308192509.GA6558@onelab2.iet.unipi.it>

On Tue, Mar 08, 2011 at 08:25:09PM +0100, Luigi Rizzo wrote:
> On Fri, Mar 04, 2011 at 05:55:38AM +0200, Eugene Perevyazko wrote:
> > Hi
> >
> > I've stumbled on a pretty strange issue in combination of ipfw fwd rules
> > with multicast.
> > The system is 7-Stable.
> > It runs ospf, that uses MC groups 224.0.0.5 and 224.0.0.6. Normally those
> > groups use dst mac addresses of 01:00:5e:00:00:05 and 01:00:5e:00:00:06
> > respectively, where the last 4 bytes are taken from the group's IP.
> > Then I needed to add some fwd rules like this:
> > fwd 192.168.31.14 out xmit em0
> > (em0 is the interface on which ospf is running)
> > Somehow after that the MC dst mac has got 2 bytes changed:
> > 224.0.0.5 got 01:00:5e:a8:1f:05 and 224.0.0.6 got 01:00:5e:a8:1f:06
> > "a8:1f" clearly is "168.31" from the fwd destination.
> > Of course this means no ospf anymore.
> > I've fixed this by adding "pass dst-ip 224.0.0.0/8" before "fwd" but
> > it has made my evening much more lively until I figured out what's happening.
> >
> > The question is if this is an intended consequence and if yes then why change
> > only two bytes instead of four (irony intended)?
>
> i am unclear whether the 224/8 packets are expected to match
> your "fwd" rule (fwd works by overwriting the dst-mac address,
> though you should see the one corresponding to 192.168.31.14),
> or they are not expected to match, in which case of course
> the packet should not be modified at all.
>
> In any case it is really weird that the final byte (05, 06) is
> intact -- ipfw manages IP addresses as uint32 so i would have
> expected the final byte to be modified as well.
>
> cheers
> luigi
>

I've repeated a similar setup in a lab environment with both the 7 and 8 branches and must admit that the final byte is modified too. Also the 3rd byte is masked with 127. So the dst mac is formed from the fwd destination's IP in accordance with the standards (http://www.tcpipguide.com/free/t_TCPIPAddressResolutionForIPMulticastAddresses.htm being the reference).

Although I can't imagine the need for such a modification of a multicast packet, it is pretty logical and easily avoided with an appropriate ruleset. Maybe it's just worth mentioning in the ipfw man page?

Sorry for the noise.
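Eugene's corrected observation, worked through as an added example (not part of the thread): the RFC 1112 mapping from an IPv4 address to its Ethernet multicast MAC, plus a first-match walk over a tiny ruleset showing why "pass dst-ip 224.0.0.0/8" ahead of the fwd rule keeps the OSPF group MACs intact. The ruleset walker is my own simplification (only pass/fwd actions, matching on a destination network), not ipfw's matcher; the 23-bit mapping also shows why 224.0.0.5 and 224.128.0.5 share one MAC.

```python
import ipaddress


def multicast_mac(ip: str) -> str:
    """RFC 1112 mapping: fixed prefix 01:00:5e followed by the low 23 bits
    of the IPv4 address. Bit 7 of the second octet is discarded, which is
    the "3rd byte masked with 127" in the thread: 192.168.31.14 yields
    28:1f:0e, not a8:1f:0e."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (
        low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def group_dst_mac(group: str, rules) -> str:
    """Constructed, simplified first-match walk (not ipfw's matcher): each
    rule is (action, dst_net, nexthop) with action 'pass' or 'fwd'. For a
    packet to the multicast `group`, a matching 'fwd' means the frame goes
    out with the multicast MAC derived from the nexthop (what the thread
    observed); a matching 'pass', or no match, keeps the group's own MAC."""
    dst = ipaddress.IPv4Address(group)
    if not dst.is_multicast:
        raise ValueError("only multicast destinations are modelled here")
    for action, dst_net, nexthop in rules:
        if dst not in ipaddress.IPv4Network(dst_net):
            continue
        if action == "pass":
            return multicast_mac(group)
        if action == "fwd":
            return multicast_mac(nexthop)
        raise ValueError("unsupported action %r" % action)
    return multicast_mac(group)


# Constructed rulesets modelled on the thread: the fwd rule alone (what broke
# OSPF) and the same rule with the "pass dst-ip 224.0.0.0/8" workaround first.
BROKEN = [("fwd", "0.0.0.0/0", "192.168.31.14")]
FIXED = [("pass", "224.0.0.0/8", None), ("fwd", "0.0.0.0/0", "192.168.31.14")]


def main():
    for group in ("224.0.0.5", "224.0.0.6"):
        print(group, "plain:", multicast_mac(group),
              "fwd only:", group_dst_mac(group, BROKEN),
              "pass first:", group_dst_mac(group, FIXED))


if __name__ == "__main__":
    main()
```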
-- 
Eugene Perevyazko

From: Michael Spratt
Date: Wed, 09 Mar 2011 16:35:44 +0300
To: freebsd-ipfw@freebsd.org
Subject: ipfw: queue size must be < 4B
Message-ID: <4D778230.7040708@magicislandtechnologies.com>

Hi

When I load the following rule to create the pipe I get the following error.

command:

    ipfw pipe 1 config bw 128Kbit/s queue 3Kbytes mask dst-ip 0xffffffff

error:

    ipfw: queue size must be < 4B

Can anyone tell me why?

    uname -a
    Linux - 2.6.33.4 #3 SMP Wed May 12 23:13:09 CDT 2010 x86_64 Intel(R) Xeon(R) CPU E5430 @ 2.66GHz GenuineIntel GNU/Linux

It's working on other similar Linux machines I have.
Any ideas?

Thanks
-Mike

From: "f.invernizzi@libero.it"
Date: Wed, 9 Mar 2011 15:36:53 +0100 (CET)
To: freebsd-ipfw@freebsd.org
Subject: Generating a packet from IPfw

Hi all

I am trying to do something quite odd with IPfw (FreeBSD 8.1 @ AMD64) for a particular system I am trying to build. The idea is that whenever a dynamic rule is UNLINKED from the IPfw linked list, I want a fake packet to be generated and sent by the firewall.

In a quite simple configuration I had successfully done it, using ip_output to send an on-the-fly generated packet, and added a call to my function in the UNLINK_DYN_RULE macro (ip_fw_dynamic.c).
It looks something like:

    #define UNLINK_DYN_RULE(prev, head, q) {                    \
            ipfw_dyn_rule *old_q = q;                           \
            /* Fabrizio */                                      \
            ipfw_send_sv_pkt(q);                                \

where ipfw_send_sv_pkt(q) is

    static void
    ipfw_send_sv_pkt(struct _ipfw_dyn_rule *rule)
    {
    #ifndef __FreeBSD__
            return;
    #else
            struct mbuf *m;
            int len;
            struct ip *h = NULL;
            struct tcphdr *th = NULL;
            char *payload = NULL;                   /* payload in the mbuf */
            char buf[DATI_SV_MAX_PAYLOAD] = "";     /* payload being built */
            struct ipfw_flow_id *id = &(rule->id);  /* flow id */
            struct in_addr addr;

            /* Payload: magic string, version, packet and byte counters
             * (bounded by the buffer size so a long counter cannot overflow it) */
            snprintf(buf, sizeof(buf), "%4s%4s%12li%12li", DATI_MAGIC_STRING,
                DATI_SV_VERSION, rule->pcnt, rule->bcnt);

            /* Allocate a packet-header mbuf of type MT_DATA; do not wait if there is no space */
            MGETHDR(m, M_DONTWAIT, MT_DATA);
            if (m == NULL)
                    return;
            M_SETFIB(m, id->fib);

            len = sizeof(struct ip) + sizeof(struct tcphdr) + sizeof(buf);
            /* To be sure it fits in the mbuf data space left after the link header */
            if (len > MHLEN - max_linkhdr) {
                    m_freem(m);
                    return;
            }
            m->m_data += max_linkhdr;
            m->m_flags |= M_SKIP_FIREWALL;
            m->m_pkthdr.len = m->m_len = len;
            m->m_pkthdr.rcvif = NULL;
            bzero(m->m_data, len);

            h = mtod(m, struct ip *);
            th = (struct tcphdr *)(h + 1);
            payload = (char *)(th + 1);

            /* Copy the payload first so the TCP checksum below covers it */
            strcpy(payload, buf);

            /*
             * Prepare for checksum: with the rest of the IP header still zero
             * (TTL included, it is set after the checksum), in_cksum() over the
             * whole mbuf yields the TCP checksum including the pseudo-header
             * (src, dst, proto, TCP length = header + payload).
             */
            h->ip_p = IPPROTO_TCP;
            h->ip_len = htons(sizeof(struct tcphdr) + sizeof(buf));
            h->ip_src.s_addr = htonl(id->src_ip);
            //h->ip_dst.s_addr = htonl(id->dst_ip);
            inet_aton("10.2.2.3", &addr);
            h->ip_dst.s_addr = addr.s_addr;
            th->th_sport = htons(id->src_port);
            th->th_dport = htons(id->dst_port);
            th->th_off = sizeof(struct tcphdr) >> 2;
            th->th_seq = htonl(0);
            th->th_ack = htonl(0);
            th->th_flags = TH_ACK;  /* ??? */
            th->th_sum = in_cksum(m, len);

            /* finish the ip header */
            h->ip_v = 4;
            h->ip_hl = sizeof(*h) >> 2;
            h->ip_tos = IPTOS_LOWDELAY;
            h->ip_off = 0;
            /* ip_len must be in host format for ip_output */
            h->ip_len = len;
            h->ip_ttl = V_ip_defttl;
            h->ip_sum = 0;

            /* Send the packet */
            ip_output(m, NULL, NULL, 0, NULL, NULL);
    #endif /* __FreeBSD__ */
    }
    /* end of file */

As you can see it is quite bad in some assumptions and a lot of controls are still to be put in place, but the fact is: it does the work. I can see the packet coming out on the first system.

Now, if I try on a system with ng_ipfw and VIMAGE enabled (working in a specific jailed workspace), the code apparently does not do anything. I have done a lot of debugging, but with no luck.

Can someone help me?

Thanks in advance
Fabrizio
From: Leonardo Reginin
Date: Thu, 10 Mar 2011 16:37:44 -0300
To: freebsd-ipfw@freebsd.org
Subject: ipfw pipe show (freebsd 8.1)
Message-ID: <4D792888.3090903@procergs.rs.gov.br>

Hi fellows.

On FreeBSD release 7, the 'ipfw pipe show' command shows something like this:

    fw# ipfw pipe show 10
    00010:   1.024 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 icmp     10.105.71.246/0     10.107.255.246/0    996777 242031672  0    0   0

The same command on FreeBSD release 8.1 shows:

    fw# ipfw pipe show 10
    00010:   1.024 Mbit/s    0 ms burst 0
    q131082  50 sl. 0 flows (1 buckets) sched 65546 weight 0 lmax 0 pri 0 droptail
     sched 65546 type FIFO flags 0x0 0 buckets 0 active

How to get the same result (or similar) on FreeBSD 8?

Thanks.
-- 
Regards,
Leonardo Reginin
PROCERGS - Cia. Processamento de Dados do Estado do RS
DPR/SSR - Divisão de Produção/Setor de Suporte e Projeto Redes
Phone: 55(xx51)3210-3138
'A candle loses nothing by lighting another candle' Erin Majors

From: Matthew Walker
Date: Fri, 11 Mar 2011 08:50:40 -0600
To: freebsd-ipfw@freebsd.org
Subject: FreeBSD 7.x ipfw pipe show order
Message-ID: <4D7A36C0.8050305@gmail.com>

Since it's ipfw pipe day, might as well add another :)

I have 4 dynamic pipes, and ipfw pipe show does not list them in numeric order. Instead it lists them as 20,25,10,30. Has this been fixed with a later version of FreeBSD?
It seems mainly a cosmetic issue. For example:

    ipfw pipe 10 config bw 128k queue 100 mask dst-ip 0xff000000
    ipfw pipe 20 config bw 1000k queue 100 mask dst-ip 0xff000000
    ipfw pipe 25 config bw 2000k queue 100 mask src-ip 0xffffffff
    ipfw pipe 30 config bw 10000k queue 100 mask dst-ip 0xff000000

    # ipfw pipe show
    00020:   1.000 Mbit/s    0 ms  100 sl. 2 queues (1024 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0xff000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 ip           0.0.0.0/0          96.0.0.0/0        1      178  0    0   0
    512 ip           0.0.0.0/0          67.0.0.0/0        2      317  0    0   0
    00025:   2.000 Mbit/s    0 ms  100 sl. 251 queues (1024 buckets) droptail
        mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
    512 ip         x.x.x.209/0           0.0.0.0/0      123     5412  0    0   0
    514 ip         x.x.x.208/0           0.0.0.0/0      192     8855  0    0   0
    516 ip         x.x.x.211/0           0.0.0.0/0   570124 52014722  0    0   0
    00010: 128.000 Kbit/s    0 ms  100 sl. 2 queues (1024 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0xff000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 ip           0.0.0.0/0          24.0.0.0/0        1       60  0    0   0
    512 ip           0.0.0.0/0          79.0.0.0/0        1       52  0    0   0
    00030:  10.000 Mbit/s    0 ms  100 sl. 2 queues (1024 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0xff000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 ip           0.0.0.0/0          72.0.0.0/0        1      296  0    0   0
    512 ip           0.0.0.0/0          71.0.0.0/0        2      116  0    0   0
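Matthew's 7.x output, parsed and re-sorted as an added example (not part of the thread): a small parser for the FreeBSD 7.x `ipfw pipe show` format that returns the pipes in numeric order with their flow rows, which works around the 20,25,10,30 listing order in userland. The sample is cut down from the output in his message to one flow row per pipe; the regexes are my own and cover only the fields shown there.

```python
import re

# Cut down from the `ipfw pipe show` output in the message above: one flow
# row per pipe, pipes in the order the kernel listed them (20, 25, 10, 30).
SAMPLE = """\
00020:   1.000 Mbit/s    0 ms  100 sl. 2 queues (1024 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xff000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0          96.0.0.0/0        1      178  0    0   0
00025:   2.000 Mbit/s    0 ms  100 sl. 251 queues (1024 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
516 ip         x.x.x.211/0           0.0.0.0/0   570124 52014722  0    0   0
00010: 128.000 Kbit/s    0 ms  100 sl. 2 queues (1024 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xff000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0          24.0.0.0/0        1       60  0    0   0
00030:  10.000 Mbit/s    0 ms  100 sl. 2 queues (1024 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xff000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0          72.0.0.0/0        1      296  0    0   0
"""

# Pipe header: "00020:   1.000 Mbit/s    0 ms  100 sl. 2 queues (1024 buckets) droptail"
PIPE_RE = re.compile(
    r"^(\d+):\s+([\d.]+)\s+([KM]?)bit/s\s+(\d+)\s+ms\s+(\d+)\s+sl\.\s+(\d+)\s+queues")
# Flow row: bucket, proto, src, dst, total pkts, total bytes, queued pkts, queued bytes, drops
FLOW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)" + r"\s+(\d+)" * 5 + r"\s*$")
SCALE = {"": 1, "K": 1_000, "M": 1_000_000}  # ipfw prints decimal K/M (1000k -> 1.000 Mbit/s)


def parse_pipe_show(text: str) -> list:
    """Parse 7.x-style `ipfw pipe show` output into one dict per pipe and
    return them sorted by pipe number; mask and BKT header lines are skipped."""
    pipes, cur = [], None
    for line in text.splitlines():
        m = PIPE_RE.match(line)
        if m:
            cur = {"pipe": int(m.group(1)),
                   "bw_bps": int(float(m.group(2)) * SCALE[m.group(3)]),
                   "delay_ms": int(m.group(4)), "slots": int(m.group(5)),
                   "queues": int(m.group(6)), "flows": []}
            pipes.append(cur)
            continue
        m = FLOW_RE.match(line)
        if m and cur is not None:
            cur["flows"].append({"bkt": int(m.group(1)), "proto": m.group(2),
                                 "src": m.group(3), "dst": m.group(4),
                                 "pkts": int(m.group(5)), "bytes": int(m.group(6)),
                                 "drops": int(m.group(9))})
    return sorted(pipes, key=lambda p: p["pipe"])


if __name__ == "__main__":
    for p in parse_pipe_show(SAMPLE):
        print("%05d %10d bit/s %d flows" % (p["pipe"], p["bw_bps"], len(p["flows"])))
```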