From owner-freebsd-ipfw Sun Jun 30 9:47:13 2002
Date: Sun, 30 Jun 2002 12:47:03 -0400
From: Christopher Weimann <cweimann@k12hq.com>
To: freebsd-ipfw@freebsd.org
Subject: divert/natd/redirect_address/localnet don't get along.
Message-ID: <20020630124703.A80995@mail.k12us.com>

I have a webserver set up on a private address and am forwarding a port on a public address to it. I have two addresses on dc0 (public NIC): one for the firewall itself, and the other is forwarded with natd's redirect_address to the inside server.

This works fine for users outside my network. Inside my network, however, access to the webserver (at its public IP) results in a connection refused. This seems to be a problem with my divert rule. I have managed to get this to work by adding a second rule like

    /sbin/ipfw add 00050 divert 8668 ip from any to any via dc0
    /sbin/ipfw add 00051 divert 8668 ip from any to any via dc1

I don't like this but it works. Now I change my browser to go through squid (running on the firewall) and it doesn't work anymore... I guess the packets are no longer coming in via either of the dc interfaces, so I drop the via bit altogether and am back to a single rule.
    /sbin/ipfw add 00050 divert 8668 ip from any to any

I like this even less AND it doesn't fix the problem... Do I have other choices?

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon Jul 1 9:21:47 2002
Date: Mon, 01 Jul 2002 09:17:14 -0700
From: rick norman <rick.norman@lmco.com>
To: freebsd-ipfw@freebsd.org
Subject: subnet aliases
Message-id: <3D20808A.AB4993E@lmco.com>

In 4.5 there is a limitation in ipfw that won't allow pkts routed out on different subnets to be treated separately if those subnets are aliases on the same physical interface. Since the information is available, it should be a simple matter for ipfw to support this ability.
Can this feature be supported, or is there some reason not to support it?

Thanks,
Rick Norman
rick.norman@lmco.com
rnorman@ikaika.com

From owner-freebsd-ipfw Thu Jul 4 4:34:14 2002
Date: Thu, 4 Jul 2002 04:34:09 -0700
From: Luigi Rizzo <rizzo@iguana.icir.org>
To: ipfw@freebsd.org
Subject: RFC: inconsistent behaviour on packets generated by the firewall
Message-ID: <20020704043409.A26837@iguana.icir.org>

Hi,
I was looking at the implementation of ipfw rules which generate a feedback packet back to the source (reset, reject and unreach), and I realised that there is a potential problem here...

Some ICMP packets generated by the host bypass the firewall, but TCP RSTs do not, so they can be blocked themselves (this is the way the old ipfw works, and there is code to prevent loops).
I think policies should be consistent -- either all packets (including ICMPs generated by the firewall) should go through the firewall again (with proper countermeasures to avoid loops), or all packets generated by the firewall should bypass the firewall and go to the correct destination.

So, what do we want to do?

cheers
luigi

From owner-freebsd-ipfw Thu Jul 4 4:42:46 2002
Date: Thu, 4 Jul 2002 14:41:57 +0300
From: Ruslan Ermilov <ru@sunbay.com>
To: Luigi Rizzo
Cc: ipfw@FreeBSD.org
Subject: Re: RFC: inconsistent behaviour on packets generated by the firewall
Message-ID: <20020704114157.GC36762@sunbay.com>
In-Reply-To: <20020704043409.A26837@iguana.icir.org>

On Thu, Jul 04, 2002 at 04:34:09AM -0700, Luigi Rizzo wrote:
> Hi,
> I was looking at the implementation of ipfw rules
> which generate a feedback packet back to the source (reset, reject and unreach)
> and I realised that there is a potential problem here...
>
> Some ICMP packets generated by the host bypass the firewall, but
> TCP RSTs do not, so they can be blocked themselves (this is the way
> the old ipfw works, and there is code to prevent loops).
>
> I think policies should be consistent -- either all packets (including
> ICMPs generated by the firewall) should go through the firewall again
> (with proper countermeasures to avoid loops), or all packets generated
> by the firewall should bypass the firewall and go to the correct
> destination.
>
> So, what do we want to do?
>
To have a sysctl knob that allows one to select the desired behavior.
Not sure about the default value.

Cheers,
--
Ruslan Ermilov
Sysadmin and DBA, ru@sunbay.com
Sunbay Software AG, ru@FreeBSD.org
FreeBSD committer, +380.652.512.251
Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com  Enabling The Information Age

From owner-freebsd-ipfw Thu Jul 4 7:32:19 2002
Date: Thu, 04 Jul 2002 10:32:14 -0400
From: "Louis A. Mamakos" <louie@whizzo.transsys.com>
To: Ruslan Ermilov
Cc: Luigi Rizzo, ipfw@FreeBSD.ORG
Subject: Re: RFC: inconsistent behaviour on packets generated by the firewall
Message-Id: <200207041432.g64EWE0L046700@whizzo.transsys.com>
In-reply-to: Your message of "Thu, 04 Jul 2002 14:41:57 +0300." <20020704114157.GC36762@sunbay.com>

> On Thu, Jul 04, 2002 at 04:34:09AM -0700, Luigi Rizzo wrote:
> > Hi,
> > I was looking at the implementation of ipfw rules which generate
> > a feedback packet back to the source (reset, reject and unreach)
> > and I realised that there is a potential problem here...
> >
> > Some ICMP packets generated by the host bypass the firewall, but
> > TCP RSTs do not, so they can be blocked themselves (this is the way
> > the old ipfw works, and there is code to prevent loops).
> >
> > I think policies should be consistent -- either all packets (including
> > ICMPs generated by the firewall) should go through the firewall again
> > (with proper countermeasures to avoid loops), or all packets generated
> > by the firewall should bypass the firewall and go to the correct
> > destination.
> >
> > So, what do we want to do?
> >
> To have a sysctl knob that allows one to select the desired behavior.
> Not sure about the default value.

I don't know that having a knob to control all these different behaviors is necessarily a good thing.
It makes it that much more difficult to debug any given set of, e.g., firewall rules when there are so many external dependencies.

louie
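The three policies debated in the RFC thread above (TCP RSTs re-enter the firewall while ICMP bypasses it, everything re-enters with loop protection, or everything bypasses) as a small Python model added here; it is constructed for illustration, is not ipfw code and is not from any of the posters, and the rule tuples, packet fields and the `reenter` parameter standing in for the proposed sysctl knob are assumptions.

```python
# Constructed toy model of the feedback packets (TCP RST, ICMP unreach) that
# ipfw's reset/unreach rules generate; not ipfw code, written for this thread.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp" or "icmp"
    direction: str           # "in" or "out"
    generated: bool = False  # True when the firewall itself created the packet

class Firewall:
    # rules: (action, proto, direction) tuples, first match wins as in ipfw; action is "allow",
    # "deny", "reset" or "unreach"; proto "tcp"/"icmp"/"ip" (any); direction "in"/"out"/"any".
    def __init__(self, rules, reenter):
        self.rules, self.reenter = rules, reenter  # reenter: protos whose feedback re-enters
        self.delivered, self.dropped = [], []

    def process(self, pkt):
        for action, proto, direction in self.rules:
            if proto not in ("ip", pkt.proto) or direction not in ("any", pkt.direction):
                continue
            if action == "allow":
                self.delivered.append(pkt)
            elif action == "deny" or pkt.generated:
                self.dropped.append(pkt)  # loop guard: feedback never triggers more feedback
            else:
                self._feedback("tcp" if action == "reset" else "icmp", pkt)
            return
        self.delivered.append(pkt)  # no match: this toy model defaults to allow

    def _feedback(self, proto, pkt):
        fb = Packet(proto, "out", generated=True)
        if proto in self.reenter:
            self.process(fb)           # re-enters the firewall like any other packet
        else:
            self.delivered.append(fb)  # bypasses the firewall, straight to the wire

def feedback_outcome(reenter):
    # Protocols of the feedback packets that leave vs. are eaten by a 'deny ip out' rule.
    fw = Firewall([("reset", "tcp", "in"), ("unreach", "icmp", "in"), ("deny", "ip", "out")],
                  reenter)
    for proto in ("tcp", "icmp"):
        fw.process(Packet(proto, "in"))
    return sorted(p.proto for p in fw.delivered), sorted(p.proto for p in fw.dropped)

def loop_guard_holds():
    # 'reset tcp from any to any' must not make a re-entering RST recurse forever.
    fw = Firewall([("reset", "tcp", "any")], {"tcp"})
    fw.process(Packet("tcp", "in"))
    return len(fw.dropped) == 1 and fw.dropped[0].generated
```

The same rule set gives a different result under each value of `reenter` (`{"tcp"}` is the old behaviour the RFC describes), which is exactly the extra dependency Louie warns makes a rule set harder to debug.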