From owner-freebsd-ipfw Sun Aug 4 2:47:12 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C068C37B400 for ; Sun, 4 Aug 2002 02:47:10 -0700 (PDT)
Received: from mail.duncanyoung.com (pc-62-30-170-113-ca.blueyonder.co.uk [62.30.170.113]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B0C043E3B for ; Sun, 4 Aug 2002 02:47:10 -0700 (PDT) (envelope-from duncan.young@pobox.com)
Received: from toyo.int.duncanyoung.com (toyo-ext.int.duncanyoung.com [192.168.200.2]) by mail.duncanyoung.com (Postfix) with ESMTP id 89DD5CA8 for ; Sun, 4 Aug 2002 10:47:04 +0100 (BST)
Content-Type: text/plain; charset="us-ascii"
From: Duncan Young
Subject: divert not working in 4.6.1-RELEASE-p7 ???
Date: Sun, 4 Aug 2002 10:47:04 +0100
User-Agent: KMail/1.4.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200208041047.04043.duncan.young@pobox.com>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi all,

I did have ipfw working fine, but since a recent patch upgrade I am getting
the following error when I add my divert rules:

i.e. from the command line:

toyo# ipfw 2000 add divert natd all from any to any in via sis0
ipfw: getsockopt(IP_FW_ADD): Invalid argument

Has anyone any ideas on why it's occurring?

Any suggestions would be appreciated.

Duncan

PS I do have "options IPDIVERT" in my kernel config.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From: "eberkut"
Subject: RE: timeout
Date: Sun, 4 Aug 2002 12:13:25 +0200
In-Reply-To: <20020804011900.A1711@rfc-networks.ie>

yep, that may be useful for state table tuning against
unresponsive/slow/congested connections, thank you. I suppose these sysctl
variables apply to any entry in the state table, not just TCP?

btw, the set timeout options for pf are on the -current man pages.

And for information, I join some configuration examples for the CBAC global
timeouts.

! timeouts and thresholds
! time to wait for a connection to reach established state
ip inspect tcp synwait-time 20
! time the session will be still watched after detection of fin exchange
ip inspect tcp finwait-time 10
! TCP idle time (10min because of keepalive)
ip inspect tcp idle-time 600
! UDP idle time
ip inspect udp idle-time 60
! like fin-wait for dns name lookup
ip inspect dns-timeout 5
! half-open nb before start/stop deleting
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
! half-open nb per minute start/stop deleting
ip inspect one-minute high 200
ip inspect one-minute low 150
! half-open nb to same dest and block time (minutes)
ip inspect tcp max-incomplete host 50 block-time 15

> Without reading the detailed description of CBAC, from what you
> mention there aren't, the sysctl variables:
>
> - net.inet.ip.fw.dyn_ack_lifetime
> - net.inet.ip.fw.dyn_syn_lifetime
> etc. etc.
>
> What you're looking for?
>
> --
> Philip Reynolds | Technical Director
> philip.reynolds@rfc-networks.ie | RFC Networks Ltd.
> http://www.rfc-networks.ie | +353 (0)1 8832063


From: Philip Reynolds
To: freebsd-ipfw@freebsd.org
Subject: Re: divert not working in 4.6.1-RELEASE-p7 ???
Date: Sun, 4 Aug 2002 13:18:09 +0000
Message-ID: <20020804131809.B3361@rfc-networks.ie>
Reply-To: philip.reynolds@rfc-networks.ie
In-Reply-To: <200208041047.04043.duncan.young@pobox.com>
X-Operating-System: FreeBSD 4.6-STABLE

Duncan Young 21 lines of wisdom included:
> Hi all,
>
> I did have ipfw working fine, but since a recent patch upgrade I am getting
> the following error when I add my divert rules:
>
> i.e. from the command line:
>
> toyo# ipfw 2000 add divert natd all from any to any in via sis0
> ipfw: getsockopt(IP_FW_ADD): Invalid argument
>
> Has anyone any ideas on why it's occurring?
>
> Any suggestions would be appreciated.

Are you sure you are not using the loadable module of IPFW, which
does not support divert sockets?

Just in case, double check that kldstat does _not_ show ipfw.ko.

--
Philip Reynolds | Technical Director
philip.reynolds@rfc-networks.ie | RFC Networks Ltd.
http://www.rfc-networks.ie | +353 (0)1 8832063


From: Philip Reynolds
To: freebsd-ipfw@freebsd.org
Subject: Re: divert not working in 4.6.1-RELEASE-p7 ???
Date: Sun, 4 Aug 2002 13:21:13 +0000
Message-ID: <20020804132113.C3361@rfc-networks.ie>
Reply-To: philip.reynolds@rfc-networks.ie
In-Reply-To: <20020804131809.B3361@rfc-networks.ie>

Philip Reynolds 27 lines of wisdom included:
> Duncan Young 21 lines of wisdom included:
> > Hi all,
> >
> > I did have ipfw working fine, but since a recent patch upgrade I am getting
> > the following error when I add my divert rules:
> >
> > i.e. from the command line:
> >
> > toyo# ipfw 2000 add divert natd all from any to any in via sis0
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> >
> > Has anyone any ideas on why it's occurring?
> >
> > Any suggestions would be appreciated.
>
> Are you sure you are not using the loadable module of IPFW which
> does not support divert sockets.
>
> Just in case, double check that kldstat does _not_ show ipfw.ko

Sorry for replying to my own mail, but the two lines you should have
in your configuration for divert sockets are:

options IPFIREWALL
options IPDIVERT

Make sure you are running your custom kernel and not GENERIC
(``uname -v'').

Is it purely the divert lines which are failing?

Also, what patch upgrade did you do, and what version of FreeBSD are
you running?

--
Philip Reynolds | Technical Director
philip.reynolds@rfc-networks.ie | RFC Networks Ltd.
http://www.rfc-networks.ie | +353 (0)1 8832063


From: Duncan Young
To: freebsd-ipfw@freebsd.org
Subject: Fwd: Re: divert not working in 4.6.1-RELEASE-p7 ???
Date: Mon, 5 Aug 2002 08:44:59 +0100
Message-Id: <200208050844.59243.dunk@pobox.com>

uname -v:
FreeBSD 4.6.1-RELEASE-p7 #1: Sat Aug 3 13:55:03 BST 2002
root@toyo.int.duncanyoung.com:/usr/obj/usr/src/sys/GENERIC

My apologies, I feel a little foolish :-(

Thanks for the help

Duncan

PS I've been using BSD only for a couple of months and think most of it is
excellent. I'm used to ipfilter (on Solaris). I think ipfw, except for the
natd stuff/divert, seems easier to use.

On Sunday 04 Aug 2002 2:21 pm, Philip Reynolds wrote:
> Philip Reynolds 27 lines of wisdom included:
> > Duncan Young 21 lines of wisdom included:
> > > Hi all,
> > >
> > > I did have ipfw working fine, but since a recent patch upgrade I am
> > > getting the following error when I add my divert rules:
> > >
> > > i.e. from the command line:
> > >
> > > toyo# ipfw 2000 add divert natd all from any to any in via sis0
> > > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > >
> > > Has anyone any ideas on why it's occurring?
> > >
> > > Any suggestions would be appreciated.
> >
> > Are you sure you are not using the loadable module of IPFW which
> > does not support divert sockets.
> >
> > Just in case, double check that kldstat does _not_ show ipfw.ko
>
> Sorry for replying to my own mail, but the two lines you should have
> in your configuration for divert sockets are:
>
> options IPFIREWALL
> options IPDIVERT
>
> Make sure you are running your custom kernel and not GENERIC
> (``uname -v'')
>
> Is it purely the divert lines which are failing.
>
> Also, what patch upgrade did you do, and what version of FreeBSD are
> you running?

-------------------------------------------------------


From: "Aaron D. Gifford"
Reply-To: agifford@infowest.com
To: ipfw@freebsd.org
Subject: keep-state lifetime patches - now for IPFW2
Date: Mon, 5 Aug 2002 10:12:13 -0600
Organization: InfoWest, Inc.
Message-Id: <200208051012.13680.agifford@infowest.com>

Hello,

Just a little note to let anyone interested know I've got the keep-state
"lifetime" patch set ported to IPFW2 for FreeBSD 4.6-STABLE.

With IPFW2, a major reason to use the patch set is greatly diminished by
Luigi Rizzo's excellent automatic TCP keepalive feature. The patches remain
useful for tighter control over non-TCP traffic, or for cases where one
still wants finer-grained dynamic rule expiration control, even with
keepalives.

The patch set for IPFW2 is definitely experimental, as is IPFW2 in
4.6-STABLE. Read Luigi's post for information about IPFW2 and how to use it
in 4.6-STABLE. I'm using it for my home computer network (with my patches
applied) and really appreciate Luigi's work.

The patch set can be had at:
http://www.aarongifford.com/computers/ipfwpatch.html

Thanks, Luigi Rizzo, for your excellent IPFW2 addition to FreeBSD, and for
bringing it to -STABLE!

An IPFW2 gotcha: For anyone using IPFW2 with a complex ruleset like me, you
will need to be aware that IPFW2's dynamic TCP rule keepalive packets
originate from the loopback "lo0" interface, so make sure your ruleset
allows these packets to pass. Most rule sets probably won't have to worry
about this at all. If you get

Aaron out.


From: "Crist J. Clark"
To: Nick Rogness
Cc: Joe & Fhe Barbish, FBIPFW, archie@whistle.com, cmott@scientech.com, perhaps@yes.no, suutari@iki.fi, dnelson@redwoodsoft.com, brian@awfulhak.org, ru@FreeBSD.ORG, rizzo@icir.org
Subject: Re: natd & keep-state
Date: Mon, 5 Aug 2002 11:05:36 -0700
Message-ID: <20020805180536.GA63145@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20020803212854.GA55652@blossom.cjclark.org>

On Sat, Aug 03, 2002 at 08:53:10PM -0500, Nick Rogness wrote:
> On Sat, 3 Aug 2002, Crist J. Clark wrote:
>
> [SNIP]
> > Fine, whatever. But the ipfw(8) and natd(8) developers seem to hold
> > the same opinion. Maybe if you proposed some possible way for natd(8)
> > and 'keep-state' rules to work well together someone could do it.
>
> FWIW, you can modify the behavior of "check-state" to "JUMP TO
> RULE NUMBER XXX on stateful match" and solve most of the problems
> associated with natd & stateful inspection. Right now,
> if check-state finds a match it stops...we need it to optionally
> JUMP_TO RULE XXX. Kinda like "skipto" functionality.
>
> I talked to Luigi about this and he didn't understand what I
> meant (which is my fault). But I believe the concept is still
> sound.

Well, I'm not sure I understand exactly what you mean either, but I
would note,

ipfw 1000 add skipto 5000 ip from $src to $dst keep-state

_Does_ work. 'keep-state' rules need not be only 'pass' actions. I
just tested to make sure.

I started with the ruleset,

00100    0     0 skipto 2000 tcp from 192.168.64.70 to me keep-state
01000   34  4158 allow ip from any to any
02000    0     0 allow ip from any to any
65535    0     0 deny ip from any to any

And started a TCP connection,

00100   18  3895 skipto 2000 tcp from 192.168.64.70 to me keep-state
01000   54  5362 allow ip from any to any
02000   18  3895 allow ip from any to any
65535    0     0 deny ip from any to any

Then I added some rules to make sure that it was really working, and
after passing some more data over the existing channel,

00090    0     0 check-state
00095    0     0 allow ip from me to 192.168.64.70
00096    0     0 allow ip from 192.168.64.70 to me
00100  141 15076 skipto 2000 tcp from 192.168.64.70 to me keep-state
01000  877 89158 allow ip from any to any
02000  141 15076 allow ip from any to any
65535    0     0 deny ip from any to any

Notice that rules 95 and 96 do not get hit. The 'skipto' is being done
at the 'check-state' rule.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org


From: "Joe & Fhe Barbish"
To: "Nick Rogness"
Cc: "FBIPFW"
Subject: RE: natd & keep-state
Date: Mon, 5 Aug 2002 18:35:25 -0400
In-Reply-To: <20020805180536.GA63145@blossom.cjclark.org>

What I believe the original poster was referring to is

skipto 2000 check-state

so all packets that have matches in the dynamic table will
go to the skipto rule instead of exiting the rules file.
At that skipto rule would be a divert nated rule via $xif followed by
Allow all from any to any that would exit the rules file.
This sure would simplify the rule gymnastics for keep-state
logic using natd.

# Jump direct to outbound section.
$cmd 130 skipto 600 all from any to any out via $xif

$cmd 210 divert natd all from any to any in via $xif
$cmd 212 skipto 500 check-state
$cmd 215 allow tcp from any to any 80 in via $xif setup keep-state
$cmd 291 deny log logamount 500 all from any to any
$cmd 500 allow all from any to any

$cmd 600 skipto 690 check-state
$cmd 609 skipto 690 tcp from any to any 80 out via $xif setup keep-state
$cmd 610 skipto 690 tcp from any to $odns1 53 out via $xif setup keep-state
$cmd 611 skipto 690 udp from any to $odns1 53 out via $xif keep-state
$cmd 630 skipto 690 tcp from any to any 25,110 out via $xif setup keep-state

$cmd 690 divert natd all from any to any out via $xif
$cmd 692 allow all from any to any out via $xif

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Crist J. Clark
Sent: Monday, August 05, 2002 2:06 PM
To: Nick Rogness
Cc: Joe & Fhe Barbish; FBIPFW; archie@whistle.com; cmott@scientech.com; perhaps@yes.no; suutari@iki.fi; dnelson@redwoodsoft.com; brian@awfulhak.org; ru@FreeBSD.ORG; rizzo@icir.org
Subject: Re: natd & keep-state

On Sat, Aug 03, 2002 at 08:53:10PM -0500, Nick Rogness wrote:
> On Sat, 3 Aug 2002, Crist J. Clark wrote:
>
> [SNIP]
> > Fine, whatever. But the ipfw(8) and natd(8) developers seem to hold
> > the same opinion. Maybe if you proposed some possible way for natd(8)
> > and 'keep-state' rules to work well together someone could do it.
>
> FWIW, you can modify the behavior of "check-state" to "JUMP TO
> RULE NUMBER XXX on stateful match" and solve most of the problems
> associated with natd & stateful inspection. Right now,
> if check-state finds a match it stops...we need it to optionally
> JUMP_TO RULE XXX. Kinda like "skipto" functionality.
>
> I talked to Luigi about this and he didn't understand what I
> meant (which is my fault). But I believe the concept is still
> sound.

Well, I'm not sure I understand exactly what you mean either, but I
would note,

ipfw 1000 add skipto 5000 ip from $src to $dst keep-state

_Does_ work. 'keep-state' rules need not be only 'pass' actions. I
just tested to make sure.

I started with the ruleset,

00100    0     0 skipto 2000 tcp from 192.168.64.70 to me keep-state
01000   34  4158 allow ip from any to any
02000    0     0 allow ip from any to any
65535    0     0 deny ip from any to any

And started a TCP connection,

00100   18  3895 skipto 2000 tcp from 192.168.64.70 to me keep-state
01000   54  5362 allow ip from any to any
02000   18  3895 allow ip from any to any
65535    0     0 deny ip from any to any

Then I added some rules to make sure that it was really working, and
after passing some more data over the existing channel,

00090    0     0 check-state
00095    0     0 allow ip from me to 192.168.64.70
00096    0     0 allow ip from 192.168.64.70 to me
00100  141 15076 skipto 2000 tcp from 192.168.64.70 to me keep-state
01000  877 89158 allow ip from any to any
02000  141 15076 allow ip from any to any
65535    0     0 deny ip from any to any

Notice that rules 95 and 96 do not get hit. The 'skipto' is being done
at the 'check-state' rule.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
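Crist Clark's test, quoted in full in the message above, replayed as an added example (not code from the thread or from ipfw): a small Python model of how ipfw walks a ruleset with check-state, keep-state and skipto, which reproduces the counters he reports, and beside it Joe's proposed "skipto N check-state", modelled as a hypothetical check-state rule with a jump target so the difference is visible. The firewall address ME, the packet tuples and the rule numbers are constructed for the example; interface and "setup" qualifiers are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ME = "10.0.0.1"                # the firewall's own address ("me"); constructed
Packet = Tuple[str, str, str]  # (proto, src, dst); "in/out via" qualifiers are ignored


@dataclass
class Rule:
    num: int
    action: str            # "allow", "deny", "skipto" or "check-state"
    proto: str = "ip"      # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    keep_state: bool = False
    target: int = 0        # skipto target; on check-state it models the hypothetical form
    pkts: int = 0          # packet counter, as "ipfw show" prints it


def matches(rule: Rule, pkt: Packet) -> bool:
    def ok(spec: str, addr: str) -> bool:
        return spec == "any" or (spec == "me" and addr == ME) or spec == addr
    proto, src, dst = pkt
    return rule.proto in ("ip", proto) and ok(rule.src, src) and ok(rule.dst, dst)


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn: Dict[Packet, int] = {}  # dynamic table: flow -> parent rule number

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.num)

    def counts(self) -> Dict[int, int]:
        return {r.num: r.pkts for r in self.rules}

    def _index_of(self, target: int) -> int:
        # skipto resumes at the first rule numbered >= target
        return next((k for k, r in enumerate(self.rules) if r.num >= target), len(self.rules))

    def process(self, pkt: Packet) -> str:
        proto, src, dst = pkt
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            if r.action == "check-state":
                parent = self.dyn.get(pkt)
                if parent is None:            # no dynamic entry: keep walking
                    i += 1
                    continue
                if r.target:                  # hypothetical form: jump, ignore the parent
                    r.pkts += 1
                    i = self._index_of(r.target)
                    continue
                # real ipfw: a dynamic match counts as a match of the parent rule,
                # so the parent's counter and the parent's action are used
                r = next(x for x in self.rules if x.num == parent)
            elif not matches(r, pkt):
                i += 1
                continue
            r.pkts += 1
            if r.keep_state:                  # record both directions of the flow
                self.dyn[pkt] = r.num
                self.dyn[(proto, dst, src)] = r.num
            if r.action in ("allow", "deny"):
                return r.action
            i = self._index_of(r.target)      # skipto
        return "deny"                         # fell off the end


def crist_test() -> Dict[int, int]:
    """Rules 95 and 96 sit between check-state and the keep-state skipto rule
    yet never see the established flow: the skipto happens at check-state."""
    fw = Firewall([
        Rule(100, "skipto", "tcp", "192.168.64.70", "me", keep_state=True, target=2000),
        Rule(1000, "allow"), Rule(2000, "allow"), Rule(65535, "deny"),
    ])
    fw.process(("tcp", "192.168.64.70", ME))  # opens the connection via rule 100
    for r in (Rule(90, "check-state"),
              Rule(95, "allow", "ip", "me", "192.168.64.70"),
              Rule(96, "allow", "ip", "192.168.64.70", "me")):
        fw.add(r)
    for _ in range(3):                         # more data in both directions
        fw.process(("tcp", "192.168.64.70", ME))
        fw.process(("tcp", ME, "192.168.64.70"))
    return fw.counts()


def override_test() -> Tuple[str, Dict[int, int]]:
    """Joe's "skipto 500 check-state" as a check-state rule with a target: later
    packets of the flow exit via rule 500 and parent rule 215 is never consulted."""
    fw = Firewall([
        Rule(212, "check-state", target=500),
        Rule(215, "allow", "tcp", "any", "me", keep_state=True),
        Rule(291, "deny"), Rule(500, "allow"),
    ])
    fw.process(("tcp", "198.51.100.7", ME))   # first packet creates the state
    verdict = fw.process(("tcp", "198.51.100.7", ME))
    return verdict, fw.counts()


if __name__ == "__main__":
    print(crist_test(), override_test())
```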
From: Dan Pelleg
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: IPFW2 keep-alive
Date: Mon, 5 Aug 2002 21:21:23 -0400
Message-ID: <15695.9363.277821.568101@gargle.gargle.HOWL>
In-Reply-To: <20020731152806.B69266@iguana.icir.org>

OK, my problem was that I had net.inet.ip.fw.dyn_rst_lifetime set to 10
(I don't even remember why I did that). This would explain all that we've
seen (so you can disregard the personal mail I just sent you). The remote
server does send a RST, which (in my case) bumps the timeout on the rule
*up*.

The next question is if it's worth fixing somehow or is it just another
feature :)

Luigi Rizzo writes:
> The logic works as follows:
> when a O_LIMIT or O_KEEP_STATE rule has less than 20 seconds left,
> the firewall will send a keepalive packet to both sides every 5 seconds.
>
> If any of the two responds, then the timeout will be updated
> accordingly -- i.e. a regular data packet will reset it up
> to 300 seconds or whatever the default is, a RST will put it
> down to 1 which is below the threshold for generating a
> new keepalive.
>
> If none responds, the timeout will be left untouched.
>
> Now i wonder if in your case what happens is that the
> remote server is not sending RST for invalid packets, and
> you do have a socket in some closing state (or even a mozilla
> about to close) still handling the keepalives and replying to them.
>
> cheers
> luigi
>
> On Sun, Jul 28, 2002 at 10:25:25AM -0400, Dan Pelleg wrote:
> >
> > What's the exact mechanism to expire dynamic rules under IPFW2? I
> > understand it's sending keep-alive packets as the rule is about to
> > expire. Is there any way for these to result in the rule being removed? The
> > behaviour I'm seeing is this:
> >
> > During a network partition, the application program (Mozilla) retried to
> > connect to remote hosts and opened many connections, eventually hitting the
> > LIMIT count.
> >
> > Now the network is back up. However there is no way to open new
> > connections since the appropriate rule's LIMIT is met. Repeated ipfw -d
> > show that the rules are refreshed when they have 5-6 seconds to live (and
> > go back to 10 seconds or so). I'm not sure what's doing that - the local
> > application is long terminated. The only workaround I found was to flush
> > the ruleset (I guess replacing just that rule would have also worked).
> >
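The keepalive logic Luigi describes, replayed as an added example (not code from the thread or from ipfw) to show why a dyn_rst_lifetime of 10 keeps a dead flow alive: once a dynamic rule has under 20 seconds left, a keepalive goes to both sides every 5 seconds, and whatever comes back sets the new lifetime (data: 300 seconds, RST: dyn_rst_lifetime, nothing: untouched). The 25-second starting lifetime, the 120-second observation window and the peers' answers are assumptions chosen to reproduce what Dan reports.

```python
from typing import List, Optional, Tuple

# Values taken from Luigi's description; the defaults are assumed for this model.
DYN_ACK_LIFETIME = 300        # a data packet resets the rule to this many seconds
DYN_RST_LIFETIME_DEFAULT = 1  # a RST puts it down to this, below the keepalive threshold
KEEPALIVE_THRESHOLD = 20      # keepalives start once less than 20 s remain
KEEPALIVE_INTERVAL = 5        # one keepalive to each side every 5 s

# what the (local, remote) stacks answer a keepalive with: "data", "rst" or "none"
Replies = Tuple[str, str]


def simulate(replies: Replies, dyn_rst_lifetime: int = DYN_RST_LIFETIME_DEFAULT,
             initial: int = 25, max_seconds: int = 120) -> Tuple[Optional[int], List[int]]:
    """Tick one dynamic rule a second at a time.

    Returns (second at which the rule expired, or None if it is still alive
    after max_seconds) and the lifetime seen after each keepalive round."""
    remaining = initial
    history: List[int] = []
    for t in range(1, max_seconds + 1):
        remaining -= 1
        if remaining <= 0:
            return t, history                   # rule deleted
        if remaining < KEEPALIVE_THRESHOLD and t % KEEPALIVE_INTERVAL == 0:
            for answer in replies:              # each reply packet updates the rule in turn
                if answer == "data":
                    remaining = DYN_ACK_LIFETIME
                elif answer == "rst":
                    remaining = dyn_rst_lifetime
                # "none": no packet comes back, the timeout is left untouched
            history.append(remaining)
    return None, history


def default_case() -> Tuple[Optional[int], List[int]]:
    # both stacks answer with RST (local app gone, remote has no socket):
    # with the default dyn_rst_lifetime the rule dies one second later
    return simulate(("rst", "rst"))


def dan_case() -> Tuple[Optional[int], List[int]]:
    # same RSTs, but dyn_rst_lifetime=10 as in Dan's sysctl: every RST bumps the
    # rule back up to 10 s, the next keepalive fires at 5 s, and it never expires
    return simulate(("rst", "rst"), dyn_rst_lifetime=10)


def live_case() -> Tuple[Optional[int], List[int]]:
    # remote still owns the socket and answers with data: back up to 300 s
    return simulate(("none", "data"))


def silent_case() -> Tuple[Optional[int], List[int]]:
    # nobody answers: the timeout is untouched and the rule runs out normally
    return simulate(("none", "none"))


if __name__ == "__main__":
    for name, fn in (("default", default_case), ("dan", dan_case),
                     ("live", live_case), ("silent", silent_case)):
        expired, seen = fn()
        print(f"{name:8s} expired at {expired}s, lifetimes after keepalives: {seen[:5]}")
```

The dan_case history shows the rule refreshed to 10 seconds every 5 seconds, which is the "5-6 seconds to live, back to 10" pattern in Dan's ipfw -d output.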
[127.0.0.1]) by blossom.cjclark.org (8.12.3/8.12.3) with ESMTP id g760OqJK064608; Mon, 5 Aug 2002 17:24:52 -0700 (PDT) (envelope-from crist.clark@attbi.com) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.3/8.12.3/Submit) id g760Ok0A064607; Mon, 5 Aug 2002 17:24:46 -0700 (PDT) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f Date: Mon, 5 Aug 2002 17:24:45 -0700 From: "Crist J. Clark" To: Joe & Fhe Barbish Cc: Nick Rogness , FBIPFW Subject: Re: natd & keep-state Message-ID: <20020806002445.GB63528@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20020805180536.GA63145@blossom.cjclark.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG [CC list trimmed _way_ down.] On Mon, Aug 05, 2002 at 06:35:25PM -0400, Joe & Fhe Barbish wrote: > What I believe the original poster was referring to is > skipto 2000 check-state I see. Eww. > so all packets that have matches in the dynamic table will > go to the skipto rule instead of exiting the rules file. That makes some assumptions about the actions associated with each dynamic rule. A dynamic rule is just like any other rule, match and do the action specified in the rule. This would scan through the dynamic rules, match, ignore the action in the rule and do some other action. Obviously it could be done, but you're starting to treat dynamic rules differently than other rules which makes things even more confusing and complicated, IMHO. > At that skipto rule would be a divert nated rule via $xif followed by > Allow all from any to any that would exit the rules file. > This sure would simplify the rule gymnastics for keep-state > logic using natd. 
> > > > # Jump direct to outbound section. > $cmd 130 skipto 600 all from any to any out via $xif > > $cmd 210 divert natd all from any to any in via $xif > $cmd 212 skipto 500 check-state > $cmd 215 allow tcp from any to any 80 in via $xif setup keep-state > $cmd 291 deny log logamount 500 all from any to any > $cmd 500 allow all from any to any > > $cmd 600 skipto 690 check-state > $cmd 609 skipto 690 tcp from any to any 80 out via $xif setup keep-state > $cmd 610 skipto 690 tcp from any to $odns1 53 out via $xif setup keep-state > $cmd 611 skipto 690 udp from any to $odns1 53 out via $xif keep-state > $cmd 630 skipto 690 tcp from any to any 25,110 out via $xif setup keep-state > > $cmd 690 divert natd all from any to any out via $xif > $cmd 692 allow all from any to any out via $xif I still don't see why you would want to do that when, # We seem to have an internal interface with no restrictions $cmd pass ip from any to any via $iif # No spoofing! $cmd drop log ip from any to $internal_net in via $xif # Go to natd(8) and rewrite the addresses. $cmd divert natd all from any to any via $xif # Allow stateful TCP connections to carry on. $cmd pass tcp from any to $internal_net established via $xif # TCP services we allow out. $cmd pass tcp from me to any 80 out via $xif setup $cmd pass tcp from me to $odns1 53 out via $xif setup $cmd pass tcp from me to any 25,110 out via $xif setup # Allow stateful UDP "connections" to carry on. $cmd pass udp from $odns1 to $internal_net in via $xif # UDP services we allow out. $cmd pass udp from me to $odns1 53 out via $xif # Services offered on the internal network (must be a # redirect_{port|address} given to natd(8)). $cmd pass tcp from any to $internal_net 80 in via $xif $cmd pass tcp from $internal_net 80 to any out via $xif # Catch the rest and log. 
# (Should almost all be stuff that
# (a) tried to go out of $xif that was not on one of the
# ports we allow, (b) an incoming connection from outside
# $xif that is not allowed, or (b) anything else that came into
# $xif from the outside which was not part of a "live connection"
# known to natd(8).
$cmd drop log ip from any to any

Applies the same policy with the same protections (actually, I tightened them a tad assuming the firewall itself was actually supposed to be locked down a bit more), is less complicated, and uses fewer system resources.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Aug 6 9:24: 6 2002
Date: Tue, 06 Aug 2002 12:21:37 -0400
From: "Matt Abraham"
To: freebsd-ipfw@freebsd.org
Subject: Re: "ipfw fwd" not working without static route?
In-Reply-To: <20020804012214.B1711@rfc-networks.ie>

> Crist did suggest an alternative with a ``dummy'' route.
> Perhaps more details (including interfaces, IP addresses, network
> addresses, subnets etc.) would allow us to look at the actual design
> of the network (which is where I feel the flaw is).
>
> --

No problem. Here's a bit of the layout:

A----------C----------D----------E
           |          |
B----------|          |----------F

Description/IP Addresses:

A: PC - 172.17.1.2
B: PC - 172.17.1.5
C: Cisco Router - 192.168.200.250, 172.17.1.250
D: PC (running ipfw) - 192.168.200.240, 192.168.215.240
E: Gateway - 192.168.215.10, X.X.X.X (public address)
F: Gateway - 192.168.215.15, Y.Y.Y.Y (public address)

Machine D, the FreeBSD box, has interfaces rl0 (192.168.200.240) and vr0 (192.168.215.240). Ultimately, I'd like traffic coming from machine A to be routed to gateway E and traffic from machine B to be routed to gateway F. I have policy-based routing configured on the Cisco router that sends traffic from both of these machines (A,B) to machine D.

Right now, I've been focusing on getting machine B to work, so all the configuration I'll list for ipfw pertains predominantly to that machine. Here's what I've got in ipfw:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00620 fwd 192.168.215.10 ip from 172.17.2.10 to any in recv rl0
00625 fwd 192.168.215.10 ip from 172.17.2.10 to any out xmit vr0
00645 count ip from any to any in recv rl0
00650 fwd 192.168.215.15 log logamount 10000 ip from 172.17.1.5 to any in recv rl0
00652 allow log logamount 10000 ip from any to 192.168.215.15 out xmit vr0
00654 count ip from any to any out xmit rl0
00655 count ip from any to any out xmit vr0
00656 count ip from any to any in recv vr0
00725 deny ip from any to 255.255.255.255
10000 allow log logamount 10000 ip from any to any
65535 allow ip from any to any

There's currently two "fwd" directives...that's me trying anything to make this work :) The "count" directives were a way for me to track where traffic was going.
Often, I'd see this in the logs:

/kernel: ipfw: 650 Forward to 192.168.215.15 TCP 172.17.1.5:1057 216.136.204.21:80 in via rl0

But the count on packets leaving vr0 wouldn't increase. I've included a default route on machine D:

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            link#1             UCSc        1        0    vr0

Hopefully, this will be enough information to allow someone to see what needs to be changed...

Matt Abraham
mailing@novaconnect.net

From owner-freebsd-ipfw Tue Aug 6 11:23: 5 2002
Date: Tue, 6 Aug 2002 13:22:56 -0500
From: David Kelly
To: freebsd-ipfw@freebsd.org
Subject: natd dies on attempt to open non-passive ftp
Message-ID: <20020806182256.GA52948@grumpy.dyndns.org>

Very closely related to ipfw, natd.
After the spate of ssh announcements last week I upgraded the office FreeBSD firewall/router to the latest RELENG_4 as of the morning of August 1. Is still using the default ipfw.

My natd.conf file is thus:

log_facility security
log_denied yes
dynamic yes
use_sockets yes
same_ports yes
punch_fw 2610:90

Passive ftp has never worked for me thru IPFW/divert/natd but non-passive ftp works peachy. Until today when we dropped off the internet when I thought to visit ftp://ftp.cdrom.com/.

Having tried passive and non-passive several times now I never see an entry listed in "ipfw list" when I attempt a passive connection. Then again it doesn't get thru either. And doesn't kill natd.

Non-passive I can get all the way thru login. Natd dies on opening a data connection such as "ls". No rules added in ipfw between 2610 and 2699.

No message in /var/log/messages. No .core files.

Am going to have a go at ipfw2. Currently suspect some of the changes to support ipfw2 have inadvertently touched ipfw1 but sniffing around I can't find them.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
From owner-freebsd-ipfw Tue Aug 6 11:35:46 2002
Date: Tue, 6 Aug 2002 14:35:42 -0400
From: "Scott M. Nolde"
To: David Kelly
Cc: freebsd-ipfw@freebsd.org
Subject: Re: natd dies on attempt to open non-passive ftp
Message-ID: <20020806143542.A43925@smnolde.com>
References: <20020806182256.GA52948@grumpy.dyndns.org>
In-Reply-To: <20020806182256.GA52948@grumpy.dyndns.org>; from dkelly@hiwaay.net on Tue, Aug 06, 2002 at 01:22:56PM -0500

David Kelly(dkelly@hiwaay.net)@2002.08.06 13:22:56 +0000:
> Very closely related to ipfw, natd.
>
> After the spate of ssh announcements last week I upgraded the office
> FreeBSD firewall/router to the latest RELENG_4 as of the morning of
> August 1. Is still using the default ipfw.
>
> My natd.conf file is thus:
>
> log_facility security
> log_denied yes
> dynamic yes
> use_sockets yes
> same_ports yes
> punch_fw 2610:90
>
> Passive ftp has never worked for me thru IPFW/divert/natd but
> non-passive ftp works peachy. Until today when we dropped off the
> internet when I thought to visit ftp://ftp.cdrom.com/.
>
> Having tried passive and non-passive several times now I never see an
> entry listed in "ipfw list" when I attempt a passive connection. Then
> again it doesn't get thru either. And doesn't kill natd.
>
> Non-passive I can get all the way thru login. Natd dies on opening a
> data connection such as "ls". No rules added in ipfw between 2610 and
> 2699.
>
> No message in /var/log/messages. No .core files.
>
> Am going to have a go at ipfw2. Currently suspect some of the changes to
> support ipfw2 have inadvertently touched ipfw1 but sniffing around I
> can't find them.
>

I've had passive ftp working for a long time on my firewall. The basic rule is

ipfw add allow tcp from any 20 to any 1024-65535 setup

and allow established connections from another rule.
-- 
Scott Nolde
GPG Key 0xD869AB48

From owner-freebsd-ipfw Tue Aug 6 11:41:31 2002
Date: Tue, 6 Aug 2002 13:41:26 -0500
From: David Kelly
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: natd dies on attempt to open non-passive ftp
Message-ID: <20020806184126.GA53108@grumpy.dyndns.org>
References: <20020806182256.GA52948@grumpy.dyndns.org>
In-Reply-To: <20020806182256.GA52948@grumpy.dyndns.org>

On Tue, Aug 06, 2002 at 01:22:56PM -0500, David Kelly wrote:
> Very closely related to ipfw, natd.
>
> After the spate of ssh announcements last week I upgraded the office
> FreeBSD firewall/router to the latest RELENG_4 as of the morning of
> August 1. Is still using the default ipfw.
A touch tacky of me to reply to my own posting but the first time thru the PR's I missed misc/40331, which I believe to be the same thing I'm reporting here.

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.

From owner-freebsd-ipfw Tue Aug 6 11:45:22 2002
Date: Tue, 6 Aug 2002 11:45:16 -0700
From: Luigi Rizzo
To: David Kelly
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: natd dies on attempt to open non-passive ftp
Message-ID: <20020806114516.A33595@iguana.icir.org>
References: <20020806182256.GA52948@grumpy.dyndns.org> <20020806184126.GA53108@grumpy.dyndns.org>
In-Reply-To: <20020806184126.GA53108@grumpy.dyndns.org>; from dkelly@hiwaay.net on Tue, Aug 06, 2002 at 01:41:26PM -0500

On Tue, Aug 06, 2002 at 01:41:26PM -0500, David Kelly wrote:
...
> A touch tacky of me to reply to my own posting but the first time thru
> the PR's I missed misc/40331, which I believe to be the same thing I'm
> reporting here.

that one was fixed long ago. It is probably the same section of code, but a different bug (plus, the PR was for -current whereas you are using -stable)

cheers
luigi

> --
> David Kelly N4HHE, dkelly@hiwaay.net
> =====================================================================
> The human mind ordinarily operates at only ten percent of its
> capacity -- the rest is overhead for the operating system.

From owner-freebsd-ipfw Tue Aug 6 12:20:54 2002
Date: Tue, 6 Aug 2002 14:20:48 -0500
From: David Kelly
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: natd dies on attempt to open non-passive ftp
Message-ID: <20020806192048.GA53166@grumpy.dyndns.org>
References: <20020806182256.GA52948@grumpy.dyndns.org> <20020806184126.GA53108@grumpy.dyndns.org> <20020806114516.A33595@iguana.icir.org>
In-Reply-To: <20020806114516.A33595@iguana.icir.org>

On Tue, Aug 06, 2002 at 11:45:16AM -0700, Luigi Rizzo wrote:
> On Tue, Aug 06, 2002 at 01:41:26PM -0500, David Kelly wrote:
> ...
> > A touch tacky of me to reply to my own posting but the first time thru
> > the PR's I missed misc/40331, which I believe to be the same thing I'm
> > reporting here.
>
> that one was fixed long ago.

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=misc/40331 still lists it as open. But I did notice in the CVS logs you had effected a repair the very day the PR was logged. Didn't name the PR but did name the symptoms.

> It is probably the same section of code, but a different bug
> (plus, the PR was for -current whereas you are using -stable)

Even more egg on my face as somehow I had HEAD in /usr/src/lib/libalias/ while (I think) everything else was RELENG_4. Not knowing where other such gaffes may be lurking I'm RELENG_4'ing right now: "cd /usr ; cvs checkout -r RELENG_4 src"

Hmm. Looks like natd was also HEAD. Probably did this a year or so ago trying to make passive ftp work thru punch_fw.

If anyone has any hints as to how to get started debugging libalias, I'm listening. Building a debuggable natd stymied me when I tried last year.

Zeroth step: maybe punch_fw works with ipfw2 for passive ftp?

First step: Repeat the problem. I can not passive ftp thru it. IIRC a pair of ipfw rules get written but only non-passive works.

Second step: get non-passive working once again and snag a list of the added rules and think about whether one is the right rule for passive.

Third step: look deep into natd with gdb and figure out how it got there from here.

Will report back success or failure, after I clean up my own mess.
-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.

From owner-freebsd-ipfw Tue Aug 6 12:36:42 2002
Date: Tue, 6 Aug 2002 15:36:39 -0400
From: "Scott M. Nolde"
To: freebsd-ipfw@freebsd.org
Subject: reboots with IPFW2
Message-ID: <20020806153639.B43925@smnolde.com>

I've recently installed a few new kernels with IPFW2 enabled on my firewall machine and have been experiencing reboots every 4-16 hours. This has only been happening since the ipfw2 code was compiled in.
I don't have any debugging symbols in the kernel (yet) and there's nothing very suspicious in /var/log/messages except "+++ send reject". I don't do any type of coding, but skimming through the source, this shouldn't be the problem.

The last five reboots are listed here:

reboot ~ Tue Aug 6 13:04
reboot ~ Mon Aug 5 17:59
reboot ~ Mon Aug 5 08:37
reboot ~ Sun Aug 4 14:04
reboot ~ Sun Aug 4 09:28

I like the speed enhancement with IPFW2, but something about the reboots scares me. Out of curiosity, before we go into great detail, has anyone else experienced mysterious reboots with IPFW2?

-- 
Scott Nolde
GPG Key 0xD869AB48

From owner-freebsd-ipfw Tue Aug 6 15:36:56 2002
Date: Tue, 6 Aug 2002 17:36:44 -0500
From: David Kelly
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: natd dies on attempt to open non-passive ftp
Message-ID: <20020806223644.GA53755@grumpy.dyndns.org>
References: <20020806182256.GA52948@grumpy.dyndns.org> <20020806184126.GA53108@grumpy.dyndns.org> <20020806114516.A33595@iguana.icir.org> <20020806192048.GA53166@grumpy.dyndns.org>
In-Reply-To: <20020806192048.GA53166@grumpy.dyndns.org>

On Tue, Aug 06, 2002 at 02:20:48PM -0500, David Kelly wrote:
> On Tue, Aug 06, 2002 at 11:45:16AM -0700, Luigi Rizzo wrote:
>
> Will report back success or failure, after I clean up my own mess.

Mostly false alarm. Problem mixing HEAD and RELENG_4 as of last week. Pure RELENG_4 as of this morning works as correct as it ever did. No IPFW2 features enabled.

Playing with passive and non-passive ftp, natd/libalias does not see passive ftp attempts from MacOS X/Darwin's CLI ftp client. Non-passive ftp works fine as this snapshot of transient rules shows:

02500 3 180 allow log tcp from any 1024-65535 to any 21 in recv fxp0 setup
02600 3 180 allow log tcp from any 1024-65535 to any 21 out xmit fxp1 setup
02615 0 0 allow tcp from 10.0.0.22 49193 to 62.243.72.50 20
02615 2 120 allow tcp from 62.243.72.50 20 to 10.0.0.22 49193
02617 0 0 allow tcp from 10.0.0.22 49194 to 62.243.72.50 20
02617 2 120 allow tcp from 62.243.72.50 20 to 10.0.0.22 49194

As I understand rules 2615 and 2617 would support passive ftp, if that is what was happening?

-- 
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
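Two things in this thread are worth checking mechanically rather than by eye: that the punch_fw window from David's natd.conf (punch_fw 2610:90, i.e. rules 2610-2699) really holds none of your own static rules, and which FTP mode the transient rules in a snapshot like the one above actually belong to. The script below is an added example, not code from the thread and not part of natd(8) or ipfw(8). It assumes "ipfw -a list" output in the shape shown above (rule number, packet and byte counters, then the rule body) and embeds a constructed copy of David's listing as sample input. The mode test rests on FTP itself: the server's active-mode data connection originates from port 20, while a passive data connection goes to a server-chosen unprivileged port, so rules punched for a passive session (if natd saw one) would not involve port 20 at all.

```shell
#!/bin/sh
# Added example (not from the thread): check a natd(8) punch_fw window
# against an "ipfw -a list" snapshot and classify the punched rules.

PUNCH_FW='2610:90'   # value from the natd.conf quoted in the thread

# Constructed "ipfw -a list" snapshot modelled on David Kelly's listing.
# Columns: NUM PKTS BYTES action proto from SRC SPORT to DST DPORT [...]
SNAPSHOT='02500 3 180 allow log tcp from any 1024-65535 to any 21 in recv fxp0 setup
02600 3 180 allow log tcp from any 1024-65535 to any 21 out xmit fxp1 setup
02615 0 0 allow tcp from 10.0.0.22 49193 to 62.243.72.50 20
02615 2 120 allow tcp from 62.243.72.50 20 to 10.0.0.22 49193
02617 0 0 allow tcp from 10.0.0.22 49194 to 62.243.72.50 20
02617 2 120 allow tcp from 62.243.72.50 20 to 10.0.0.22 49194
02700 0 0 deny log ip from any to any'

# Same snapshot with a static rule mistakenly placed inside the window
# (constructed, to show what the collision report looks like).
BAD_SNAPSHOT="$SNAPSHOT
02650 0 0 deny log ip from any to 10.0.0.0/8 in recv fxp0"

# punch_fw BASE:COUNT means natd uses rule numbers BASE .. BASE+COUNT-1.
punch_base()  { echo "${1%%:*}"; }
punch_count() { echo "${1#*:}"; }

# rules_in_window SNAPSHOT BASE COUNT -> the listing lines inside the window
rules_in_window() {
    printf '%s\n' "$1" | awk -v base="$2" -v cnt="$3" \
        '($1 + 0) >= base && ($1 + 0) < base + cnt'
}

# awk predicate for a rule natd punched itself: exactly
#   NUM PKTS BYTES allow tcp from HOST PORT to HOST PORT
# (11 fields). Anything else inside the window is one of our static rules.
PUNCHED='NF == 11 && $4 == "allow" && $5 == "tcp" && $6 == "from" && $9 == "to"'

# window_collisions SNAPSHOT PUNCH_FW -> numbers of static rules in the window
window_collisions() {
    rules_in_window "$1" "$(punch_base "$2")" "$(punch_count "$2")" |
        awk '!('"$PUNCHED"') { print $1 + 0 }'
}

# punched_rules SNAPSHOT PUNCH_FW -> "NUM MODE PKTS" per transient rule;
# MODE is "active" when either end is port 20, "passive" otherwise.
punched_rules() {
    rules_in_window "$1" "$(punch_base "$2")" "$(punch_count "$2")" |
        awk "$PUNCHED"' {
                mode = ($8 == 20 || $11 == 20) ? "active" : "passive"
                print $1 + 0, mode, $2
            }'
}

# data_modes SNAPSHOT PUNCH_FW -> "active", "passive", "active passive" or ""
data_modes() {
    punched_rules "$1" "$2" | awk '{ seen[$2] = 1 }
        END {
            out = ""
            if ("active" in seen) out = "active"
            if ("passive" in seen) out = out (out == "" ? "" : " ") "passive"
            print out
        }'
}

base=$(punch_base "$PUNCH_FW"); cnt=$(punch_count "$PUNCH_FW")
echo "punch_fw window: $base-$((base + cnt - 1))"
echo "static rules colliding with the window: $(window_collisions "$BAD_SNAPSHOT" "$PUNCH_FW")"
echo "data-channel modes seen: $(data_modes "$SNAPSHOT" "$PUNCH_FW")"
punched_rules "$SNAPSHOT" "$PUNCH_FW"
```

On David's snapshot every punched rule carries port 20, so the report says "active" only: the pairs 2615 and 2617 are the server-to-client data connections of active (PORT) transfers, and the zero packet count on the client-to-server half of each pair is expected, since the server opens that connection. Run against a live box with `ipfw -a list | ...` in place of the embedded sample.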
From owner-freebsd-ipfw Tue Aug 6 17:59:15 2002
Date: Tue, 6 Aug 2002 20:59:00 -0400
From: "Scott M. Nolde"
To: freebsd-ipfw@freebsd.org, freebsd-hackers@freebsd.org
Subject: kernel backtrace after panic - dummynet?
Message-ID: <20020806205900.D370@smnolde.com>

I've just had a 4.6-stable box (my firewall) reboot and I've been able to capture a backtrace with gdb. If someone would please offer some assistance I'd appreciate this. Sorry about the crossposts.

Disclaimer: I'm not a coder, but I hope to learn something from this. I've added debugging symbols into the kernel in hopes of catching just this.
System: FreeBSD gw.smnolde.com 4.6-STABLE FreeBSD 4.6-STABLE #4: Tue Aug 6 14:10:57 EDT 2002 root@gw.smnolde.com:/usr/obj/usr/src/sys/FIREWALL i386

Sorry for any flood, but here's the data from gdb:

This GDB was configured as "i386-unknown-freebsd"...
IdlePTD at phsyical address 0x003fc000
initial pcb at physical address 0x0034f900
panicstr: integer divide fault
panic messages:
---
Fatal trap 18: integer divide fault while in kernel mode
instruction pointer = 0x8:0xc02d5b06
stack pointer = 0x10:0xc8f70a4c
frame pointer = 0x10:0xc8f70ab8
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 591 (natd)
interrupt mask = net tty
trap number = 18
panic: integer divide fault

syncing disks... 4 done
Uptime: 1h45m43s

dumping to dev #da/0x20001, offset 536576
dump 128 127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

#0 dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
487 if (dumping++) {
(kgdb) where
#0 dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
#1 0xc018f3f7 in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:316
#2 0xc018f835 in panic (fmt=0xc03198cc "%s") at /usr/src/sys/kern/kern_shutdown.c:595
#3 0xc02be0e7 in trap_fatal (frame=0xc8f70a0c, eva=0) at /usr/src/sys/i386/i386/trap.c:974
#4 0xc02bda9e in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = -1056562568, tf_esi = 0, tf_ebp = -923333960, tf_isp = -923334088, tf_ebx = 3932160, tf_edx = 0, tf_ecx = 0, tf_eax = 1, tf_trapno = 18, tf_err = 0, tf_eip = -1070769402, tf_cs = 8, tf_eflags = 66118, tf_esp = 0, tf_ss = -1055003648}) at /usr/src/sys/i386/i386/trap.c:636
#5 0xc02d5b06 in __qdivrem (uq=3932160, vq=0, arq=0x0) at /usr/src/sys/libkern/qdivrem.c:100
#6 0xc02d5ee6 in __udivdi3 (a=3932160, b=0) at /usr/src/sys/libkern/udivdi3.c:50
#7 0xc01e507f in dummynet_io (m=0xc0b47500, pipe_nr=1, dir=1, fwa=0xc8f70ba8) at /usr/src/sys/netinet/ip_dummynet.c:1205
#8 0xc01ec13e in ip_output (m0=0xc0b47500, opt=0x0, ro=0xc8771ed8, flags=0, imo=0x0) at /usr/src/sys/netinet/ip_output.c:626
#9 0xc01f4ec5 in syncache_respond (sc=0xc8771ea0, m=0xc0b47500) at /usr/src/sys/netinet/tcp_syncache.c:1196
#10 0xc01f4b15 in syncache_add (inc=0xc8f70cd4, to=0xc8f70d40, th=0xc0b475d8, sop=0xc8f70cd0, m=0xc0b47500) at /usr/src/sys/netinet/tcp_syncache.c:1011
#11 0xc01ef52d in tcp_input (m=0xc0b47500, off0=20, proto=6) at /usr/src/sys/netinet/tcp_input.c:831
#12 0xc01ea530 in ip_input (m=0xc8f70dfc) at /usr/src/sys/netinet/ip_input.c:821
#13 0xc01e36c3 in div_output (so=0xc85a6e00, m=0xc0b47500, sin=0xc1129710, control=0x0) at /usr/src/sys/netinet/ip_divert.c:327
#14 0xc01e3863 in div_send (so=0xc85a6e00, flags=0, m=0xc0b47500, nam=0xc1129710, control=0x0, p=0xc7fb52a0) at /usr/src/sys/netinet/ip_divert.c:440
#15 0xc01adc87 in sosend (so=0xc85a6e00, addr=0xc1129710, uio=0xc8f70ecc, top=0xc0b47500, control=0x0, flags=0, p=0xc7fb52a0) at /usr/src/sys/kern/uipc_socket.c:609
#16 0xc01b1057 in sendit (p=0xc7fb52a0, s=3, mp=0xc8f70f0c, flags=0) at /usr/src/sys/kern/uipc_syscalls.c:585
#17 0xc01b115a in sendto (p=0xc7fb52a0, uap=0xc8f70f80) at /usr/src/sys/kern/uipc_syscalls.c:638
#18 0xc02be39d in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 1, tf_esi = -1078002568, tf_ebp = -1077937032, tf_isp = -923332652, tf_ebx = 60, tf_edx = 134811904, tf_ecx = 1, tf_eax = 133, tf_trapno = 7, tf_err = 2, tf_eip = 134551080, tf_cs = 31, tf_eflags = 647, tf_esp = -1078002740, tf_ss = 47}) at /usr/src/sys/i386/i386/trap.c:1175
#19 0xc02af2e5 in Xint0x80_syscall ()
#20 0x8048837 in ?? ()
#21 0x8048137 in ?? ()

-- 
Scott Nolde
GPG Key 0xD869AB48

From owner-freebsd-ipfw Tue Aug 6 23:44:54 2002
Date: Tue, 6 Aug 2002 23:44:36 -0700
From: Luigi Rizzo
To: "Scott M. Nolde"
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: kernel backtrace after panic - dummynet?
Message-ID: <20020806234436.A37532@iguana.icir.org>
References: <20020806205900.D370@smnolde.com>
In-Reply-To: <20020806205900.D370@smnolde.com>; from scott@smnolde.com on Tue, Aug 06, 2002 at 08:59:00PM -0400

this sounds like a bug that i fixed a few days ago:

src/sys/netinet/ip_dummynet.c
Revision 1.24.2.16 / Sat Aug 3 16:56:39 2002 UTC by luigi
Branch: RELENG_4
Changes since 1.24.2.15: +4 -0 lines

Include "opt_ipfw.h" so we can tell whether we are being compiled for the old ipfw or for ipfw2. The absence of this caused surprising "divide by zero" panics in "pipe" rules.

(i assume you are using ipfw2 on -stable ?). Please check that your version of ip_dummynet.c is up to date

cheers
luigi

On Tue, Aug 06, 2002 at 08:59:00PM -0400, Scott M. Nolde wrote:
> I've just had a 4.6-stable box (my firewall) reboot and I've been able to
> capture a backtrace with gdb. If someone would please offer some
> assistance I'd appreciate this. Sorry about the crossposts.
>
> Disclaimer: I'm not a coder, but I hope to learn something from this.
> I've added debugging symbols into the kernel in hopes of catching just
> this.
>
> System: FreeBSD gw.smnolde.com 4.6-STABLE FreeBSD 4.6-STABLE #4: Tue Aug
> 6 14:10:57 EDT 2002 root@gw.smnolde.com:/usr/obj/usr/src/sys/FIREWALL
> i386
>
> Sorry for any flood, but here's the data from gdb:
> This GDB was configured as "i386-unknown-freebsd"...
> IdlePTD at phsyical address 0x003fc000
> initial pcb at physical address 0x0034f900
> panicstr: integer divide fault
> panic messages:
> ---
> Fatal trap 18: integer divide fault while in kernel mode
> instruction pointer = 0x8:0xc02d5b06
> stack pointer = 0x10:0xc8f70a4c
> frame pointer = 0x10:0xc8f70ab8
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 591 (natd)
> interrupt mask = net tty
> trap number = 18
> panic: integer divide fault
>
> syncing disks... 4
> done
> Uptime: 1h45m43s
>
> dumping to dev #da/0x20001, offset 536576
> dump 128 127 126 125 124 123 122 121 120 119 118 117 116 115 114 113 112
> 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91
> 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66
> 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41
> 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16
> 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
>
> #0 dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
> 487 if (dumping++) {
> (kgdb) where
> #0 dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
> #1 0xc018f3f7 in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:316
> #2 0xc018f835 in panic (fmt=0xc03198cc "%s") at /usr/src/sys/kern/kern_shutdown.c:595
> #3 0xc02be0e7 in trap_fatal (frame=0xc8f70a0c, eva=0) at /usr/src/sys/i386/i386/trap.c:974
> #4 0xc02bda9e in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = -1056562568, tf_esi = 0, tf_ebp = -923333960, tf_isp = -923334088, tf_ebx = 3932160, tf_edx = 0, tf_ecx = 0, tf_eax = 1, tf_trapno = 18, tf_err = 0, tf_eip = -1070769402, tf_cs = 8, tf_eflags = 66118, tf_esp = 0, tf_ss = -1055003648}) at /usr/src/sys/i386/i386/trap.c:636
> #5 0xc02d5b06 in __qdivrem (uq=3932160, vq=0, arq=0x0) at /usr/src/sys/libkern/qdivrem.c:100
> #6 0xc02d5ee6 in __udivdi3 (a=3932160, b=0) at /usr/src/sys/libkern/udivdi3.c:50
> #7 0xc01e507f in dummynet_io (m=0xc0b47500, pipe_nr=1, dir=1, fwa=0xc8f70ba8) at /usr/src/sys/netinet/ip_dummynet.c:1205
> #8 0xc01ec13e in ip_output (m0=0xc0b47500, opt=0x0, ro=0xc8771ed8, flags=0, imo=0x0) at /usr/src/sys/netinet/ip_output.c:626
> #9 0xc01f4ec5 in syncache_respond (sc=0xc8771ea0, m=0xc0b47500) at /usr/src/sys/netinet/tcp_syncache.c:1196
> #10 0xc01f4b15 in syncache_add (inc=0xc8f70cd4, to=0xc8f70d40, th=0xc0b475d8, sop=0xc8f70cd0, m=0xc0b47500) at /usr/src/sys/netinet/tcp_syncache.c:1011
> #11 0xc01ef52d in tcp_input (m=0xc0b47500, off0=20, proto=6) at /usr/src/sys/netinet/tcp_input.c:831
> #12 0xc01ea530 in ip_input (m=0xc8f70dfc) at /usr/src/sys/netinet/ip_input.c:821
> #13 0xc01e36c3 in div_output (so=0xc85a6e00, m=0xc0b47500, sin=0xc1129710, control=0x0) at /usr/src/sys/netinet/ip_divert.c:327
> #14 0xc01e3863 in div_send (so=0xc85a6e00, flags=0, m=0xc0b47500, nam=0xc1129710, control=0x0, p=0xc7fb52a0) at /usr/src/sys/netinet/ip_divert.c:440
> #15 0xc01adc87 in sosend (so=0xc85a6e00, addr=0xc1129710, uio=0xc8f70ecc, top=0xc0b47500, control=0x0, flags=0, p=0xc7fb52a0) at /usr/src/sys/kern/uipc_socket.c:609
> #16 0xc01b1057 in sendit (p=0xc7fb52a0, s=3, mp=0xc8f70f0c, flags=0) at /usr/src/sys/kern/uipc_syscalls.c:585
> #17 0xc01b115a in sendto (p=0xc7fb52a0, uap=0xc8f70f80) at /usr/src/sys/kern/uipc_syscalls.c:638
> #18 0xc02be39d in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 1, tf_esi = -1078002568, tf_ebp = -1077937032, tf_isp = -923332652, tf_ebx = 60, tf_edx = 134811904, tf_ecx = 1, tf_eax = 133, tf_trapno = 7, tf_err = 2, tf_eip = 134551080, tf_cs = 31, tf_eflags = 647, tf_esp = -1078002740, tf_ss = 47}) at /usr/src/sys/i386/i386/trap.c:1175
> #19 0xc02af2e5 in Xint0x80_syscall ()
> #20 0x8048837 in ?? ()
> #21 0x8048137 in ?? ()
() > > -- > Scott Nolde > GPG Key 0xD869AB48 > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-hackers" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Aug 6 23:48:56 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6DDBB37B401 for ; Tue, 6 Aug 2002 23:48:52 -0700 (PDT) Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C65443E42 for ; Tue, 6 Aug 2002 23:48:52 -0700 (PDT) (envelope-from rizzo@iguana.icir.org) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g776mo237616; Tue, 6 Aug 2002 23:48:50 -0700 (PDT) (envelope-from rizzo) Date: Tue, 6 Aug 2002 23:48:50 -0700 From: Luigi Rizzo To: "Scott M. Nolde" Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: reboots with IPFW2 Message-ID: <20020806234850.B37532@iguana.icir.org> References: <20020806153639.B43925@smnolde.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020806153639.B43925@smnolde.com>; from scott@smnolde.com on Tue, Aug 06, 2002 at 03:36:39PM -0400 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG when did you upgrade your sources ? There was a commit to ip_dummynet.c which might be related to (and fix) this problem: ip_dummynet.c 1.24.2.16 / Sat Aug 3 16:56:39 2002 UTC so you should check that you have an up-to-date version of that file. cheers luigi On Tue, Aug 06, 2002 at 03:36:39PM -0400, Scott M. Nolde wrote: > I've recently isntalled a few new kernels with IPFW2 enabled on my > firewall machine and have been experiencing reboots every 4-16 hours. 
> This has only been happening since the ipfw2 code was compiled in. > > I don't have any debugging symbols in the kernel (yet) and there's nothing > very suspicious in /var/log/messages except "+++ send reject". I don't do > any type of coding, but skimming through the source, this shouldn't be the > problem. > > The last five reboots are listed here: > reboot ~ Tue Aug 6 13:04 > reboot ~ Mon Aug 5 17:59 > reboot ~ Mon Aug 5 08:37 > reboot ~ Sun Aug 4 14:04 > reboot ~ Sun Aug 4 09:28 > > I like the speed enhancement with IPFW2, but something about the reboots > scares me. > > Out of curiosity, before we go into great detail, has anyone else > experienced mysterious reboots with IPFW2? > > -- > Scott Nolde > GPG Key 0xD869AB48 > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Aug 7 15: 8:33 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8CB1C37B400 for ; Wed, 7 Aug 2002 15:08:30 -0700 (PDT) Received: from kali.avantgo.com (shadow.avantgo.com [64.157.226.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4CC3043E70 for ; Wed, 7 Aug 2002 15:08:30 -0700 (PDT) (envelope-from cforsythe@avantgo.com) X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: ipfw+nat rules question Date: Wed, 7 Aug 2002 15:08:25 -0700 Message-ID: <4C4CB317C3CD6A40AAF9B1C7686696699018C7@kali.avantgo.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: ipfw+nat rules question Thread-Index: AcI+XvNdwQ3bt9JNQoiJVJ64DPcsXQ== From: "Carl Forsythe" To: Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web 
Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Hi folks, Some questions about rule processing with ipfw and natd, if this is = better suited for -questions let me know and I'll send it off to there. Ok the situation/network layout is thus: Box A provides NAT/ipfw services to Box B which is on a private network, = Box A is dual homed to Net A and Net B. Box B has certain services on it = that need to be accessible to a block of addresses only, or in some = cases only a certain other server. Box B also has a requirement that it = needs to make outbound requests to an external service provider. Box A = acts as the default gateway for Box B. Net A is firewalled from the = internet by another firewall entirely. I setup an aliased IP on Box A to represent Box B to the machines that = need to talk to it. Was this necessary for external servers to talk to = Box B, or would normal port redirection be sufficient in this case? I do = however want Box B to be pingable for our monitoring system which = resides out on Net A. So the questions I have at this point: 1) Using the redirect_port function of natd, can I specify a network = with mask instead of a host for the third argument? i.e. redirect_port = tcp Box_B:80 Box_A_Alias:80 Net_A/24 Failing the above, where in the ipfw ruleset would I place any rules for = traffic destined to Box B, before the natd divert or after it? If after = the divert, what IP address do I use? the external Box A alias, or the = translated Box B address? What does the source address look like after = the divert? Has it been translated to Box A's Net B address at that = point? /sbin/ipfw add pass tcp from Net A/24 to ??? 80 setup So to sum it up, Box B has a limited number of services that only need = to be available to servers that are on Net A. Box A provides NAT/ipfw = services to Box B. 
Box B needs to be able to talk to an external web = server(s), Box B needs to be able to resolve DNS, Box B needs to talk to = our NTP server. What I'm not grasping is what address to use in the ipfw rules to = identify Box B and where in the rules to place those checks, before the = natd divert using the external alias address or after the divert using ? Thanks in advance for any help, Carl Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Aug 8 6:36:56 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1212037B49F for ; Thu, 8 Aug 2002 06:36:51 -0700 (PDT) Received: from smnolde.com (c-24-98-61-182.atl.client2.attbi.com [24.98.61.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5FCCF43E4A for ; Thu, 8 Aug 2002 06:36:51 -0700 (PDT) (envelope-from scott@smnolde.com) Received: from [192.168.10.7] (helo=bsd.smnolde.com) by smnolde.com with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 3.36 #1) id 17cnT8-0003iP-00; Thu, 08 Aug 2002 09:36:50 -0400 Received: from scott by bsd.smnolde.com with local (Exim 3.33 #1) id 17cnT8-000E95-00; Thu, 08 Aug 2002 09:36:50 -0400 Date: Thu, 8 Aug 2002 09:36:50 -0400 From: "Scott M. Nolde" To: Luigi Rizzo Cc: freebsd-ipfw@FreeBSD.ORG Subject: Re: kernel backtrace after panic - dummynet? 
Message-ID: <20020808093650.A54293@smnolde.com> References: <20020806205900.D370@smnolde.com> <20020806234436.A37532@iguana.icir.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020806234436.A37532@iguana.icir.org>; from rizzo@icir.org on Tue, Aug 06, 2002 at 11:44:36PM -0700 X-GPG_Fingerprint: 0BD6 DDB4 2978 EB60 E0C8 33F2 BC34 9087 D869 AB48 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Luigi Rizzo(rizzo@icir.org)@2002.08.06 23:44:36 +0000: > this sounds like a bug that i fixed a few days ago: > > src/sys/netinet/ip_dummynet.c > > Revision 1.24.2.16 / Sat Aug 3 16:56:39 2002 UTC by luigi > Branch: RELENG_4 > Changes since 1.24.2.15: +4 -0 lines > > Include "opt_ipfw.h" so we can tell whether we are being > compiled for the old ipfw or for ipfw2. The absence of this > caused surprising "divide by zero" panics in "pipe" rules. > > (i assume you are using ipfw2 on -stable ?). > Please check that your version of ip_dummynet.c is up to date > > cheers > luigi > > Well, with the new version of ip_dummynet.c, everything is behaving very well. I appreciate the help. 
Scott Nolde GPG Key 0xD869AB48 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Aug 8 7:35:20 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B0B1137B400 for ; Thu, 8 Aug 2002 07:35:14 -0700 (PDT) Received: from fep03-mail.bloor.is.net.cable.rogers.com (fep03-mail.bloor.is.net.cable.rogers.com [66.185.86.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBCE743E5E for ; Thu, 8 Aug 2002 07:35:13 -0700 (PDT) (envelope-from eankingston@rogers.com) Received: from prosporo ([24.112.56.49]) by fep03-mail.bloor.is.net.cable.rogers.com (InterMail vM.5.01.05.06 201-253-122-126-106-20020509) with ESMTP id <20020808143445.NHYD383482.fep03-mail.bloor.is.net.cable.rogers.com@prosporo>; Thu, 8 Aug 2002 10:34:45 -0400 Subject: Re: ipfw+nat rules question From: Ean Kingston To: Carl Forsythe Cc: freebsd-ipfw@freebsd.org In-Reply-To: <4C4CB317C3CD6A40AAF9B1C7686696699018C7@kali.avantgo.com> References: <4C4CB317C3CD6A40AAF9B1C7686696699018C7@kali.avantgo.com> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.5 Date: 08 Aug 2002 10:37:05 -0400 Message-Id: <1028817426.32616.69.camel@prosporo.hedron.org> Mime-Version: 1.0 X-Authentication-Info: Submitted using SMTP AUTH PLAIN at fep03-mail.bloor.is.net.cable.rogers.com from [24.112.56.49] using ID at Thu, 8 Aug 2002 10:34:44 -0400 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Hi Carl, I don't know if your question belongs in -questions or -ipfw. I don't monitor -questions. I have seen this sort of questions in the newsgroup and I believe I can answer them for you. 
On Wed, 2002-08-07 at 18:08, Carl Forsythe wrote: > Hi folks, > Some questions about rule processing with ipfw and natd, if this is > better suited for -questions let me know and I'll send it off to > there. > > Ok the situation/network layout is thus: > > Box A provides NAT/ipfw services to Box B which is on a private > network, Box A is dual homed to Net A and Net B. Box B has certain > services on it that need to be accessible to a block of addresses > only, or in some cases only a certain other server. Box B also has a > requirement that it needs to make outbound requests to an external > service provider. Box A acts as the default gateway for Box B. Net A > is firewalled from the internet by another firewall entirely. > > I setup an aliased IP on Box A to represent Box B to the machines that > need to talk to it. Was this necessary for external servers to talk to > Box B, or would normal port redirection be sufficient in this case? I > do however want Box B to be pingable for our monitoring system which > resides out on Net A. If you don't need to ping the external interface your firewall (box A) then you could get away without using an alias for box B but it is a lot simpler to use the alias (IMHO). The sample below assumes an alias for box B. > > So the questions I have at this point: > > 1) Using the redirect_port function of natd, can I specify a network with > mask instead of a host for the third argument? i.e. redirect_port tcp > Box_B:80 Box_A_Alias:80 Net_A/24 I do not believe that this is how the redirect-port directive works. > > Failing the above, where in the ipfw ruleset would I place any rules for > traffic destined to Box B, before the natd divert or after it? If > after the divert, what IP address do I use? the external Box A alias, > or the translated Box B address? What does the source address look > like after the divert? Has it been translated to Box A's Net B address > at that point? Either place. You just have to identify it differenly. 
I'll show you in the example below. > > /sbin/ipfw add pass tcp from Net A/24 to ??? 80 setup This needs to go after the divert statement so your ??? should be the real box B address. > > So to sum it up, Box B has a limited number of services that only need to > be available to servers that are on Net A. Box A provides NAT/ipfw > services to Box B. Box B needs to be able to talk to an external web > server(s), Box B needs to be able to resolve DNS, Box B needs to talk > to our NTP server. > > What I'm not grasping is what address to use in the ipfw rules to identify > Box B and where in the rules to place those checks, before the natd > divert using the external alias address or after the divert using ? > Please note, I don't have the resource to test these configs so there may be some minor errors (syntax and such) but the basic structure should be sound. This example does not include any way to get to the firewall (box-A) itself. Here is what I would do: // ipfw.conf -- configuration file for ipfw // usage: ipfw -p /usr/bin/cpp ipfw.conf #define IF_A // interface name of nic on net-A (IE: ed0) #define NET_A // network:mask of net-A network #define IF_B // interface name of nic on net-B (IE: ed1) #define BOX_B_ALIAS // ip address alias on net-A interface for box B #define BOX_B // ip address of box-B (found in box-B config) #define MONITOR // ip address of monitoring server #define NTP_MASTER // ip address of NTP server add divert natd all from any to any via IF_A // NOTE the divert happens as traffic travels through the IF_A // interface so: // 1 Anything coming from net-B will have the net-B address // when it comes in IF_B but will have the net-A-alias when // it passes out IF_A. // 2 Anything going to net-B will already have the net-B // address. add check-state // This checks all dynamic rules at this point. No dynamic rules // should be defined before this point. In this example, only the // outbound NTP service sets up dynamic rules. 
All others are // static. If you don't want dynamic rules, remove the directive. // for monitoring via icmp ping // NOTE the two rules for outbound, one for each interface add allow icmp from MONITOR to BOX_B icmptypes 8 add allow icmp from BOX_B to MONITOR in via IF_B icmptypes 0 add allow icmp from BOX_B_ALIAS to MONITOR out via IF_A icmptypes 0 // for inbound traffic to box-B (ssh and http in this example) // NOTE two rules for outbound again; also, you may use service // names or port numbers (see /etc/services file). // 'established' flag indicates session already initiated. add allow tcp from NET_A to BOX_B telnet,http add allow tcp from BOX_B ssh,http to NET_A in via IF_B established add allow tcp from BOX_B_ALIAS 22,80 to NET_A out via IF_A established // for outbound traffic from box-B (ntp via udp for this example) // NOTE keep-state configures a dynamic rule when box-B sends // a request to the ntp master server. This is more secure than // having static rules for udp services. add allow udp from BOX_B ntp to NTP_MASTER ntp in via IF_B keep-state add allow udp from BOX_B_ALIAS ntp to NTP_MASTER ntp via IF_A // If you don't want dynamic rules, remove the keep-state option from // the line above and add the following line for return traffic: // add allow udp from NTP_MASTER ntp to BOX_B // for outbound traffic from box-B (http and https for this example) // NOTE the 'established' directive is on the return traffic now. 
add allow tcp from BOX_B to any http,https in via IF_B add allow tcp from BOX_B_ALIAS to any http,https out via IF_A add allow tcp from any http,https to BOX_B established // end of ipfw.conf ## natd.conf for use with natd daemon ## usage: natd -f natd.conf interface IF_A ## need to change this to actual interface use_sockets same_ports redirect_address BOX_B BOX_B_ALIAS ## neet to change this to addresses ## end of natd.conf To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Fri Aug 9 21:40:16 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 666D637B400 for ; Fri, 9 Aug 2002 21:40:06 -0700 (PDT) Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 944A243E3B for ; Fri, 9 Aug 2002 21:40:05 -0700 (PDT) (envelope-from rizzo@iguana.icir.org) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g7A4e5969344 for ipfw@freebsd.org; Fri, 9 Aug 2002 21:40:05 -0700 (PDT) (envelope-from rizzo) Date: Fri, 9 Aug 2002 21:40:05 -0700 From: Luigi Rizzo To: ipfw@freebsd.org Subject: [luigi@FreeBSD.org: cvs commit: src/sys/netinet ip_fw.h ip_fw2.c src/sbin/ipfw ipfw2.c] Message-ID: <20020809214005.A69034@iguana.icir.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG FYI, a new ipfw2 feature. I think this is quite useful in practice. 
cheers luigi ----- Forwarded message from Luigi Rizzo ----- Date: Fri, 9 Aug 2002 21:37:33 -0700 (PDT) From: Luigi Rizzo Subject: cvs commit: src/sys/netinet ip_fw.h ip_fw2.c src/sbin/ipfw ipfw2.c To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org luigi 2002/08/09 21:37:33 PDT Modified files: sys/netinet ip_fw.h ip_fw2.c sbin/ipfw ipfw2.c Log: One bugfix and one new feature. The bugfix (ipfw2.c) makes the handling of port numbers with a dash in the name, e.g. ftp-data, consistent with old ipfw: use \\ before the - to consider it as part of the name and not a range separator. The new feature (all this description will go in the manpage): each rule now belongs to one of 32 different sets, which can be optionally specified in the following form: ipfw add 100 set 23 allow ip from any to any If "set N" is not specified, the rule belongs to set 0. Individual sets can be disabled, enabled, and deleted with the commands: ipfw disable set N ipfw enable set N ipfw delete set N Enabling/disabling of a set is atomic. Rules belonging to a disabled set are skipped during packet matching, and they are not listed unless you use the '-S' flag in the show/list commands. Note that dynamic rules, once created, are always active until they expire or their parent rule is deleted. Set 31 is reserved for the default rule and cannot be disabled. All sets are enabled by default. The enable/disable status of the sets can be shown with the command ipfw show sets Hopefully, this feature will make life easier to those who want to have atomic ruleset addition/deletion/tests. Examples: To add a set of rules atomically: ipfw disable set 18 ipfw add ... set 18 ... # repeat as needed ipfw enable set 18 To delete a set of rules atomically ipfw disable set 18 ipfw delete set 18 ipfw enable set 18 To test a ruleset and disable it and regain control if something goes wrong: ipfw disable set 18 ipfw add ... set 18 ... 
# repeat as needed ipfw enable set 18 ; echo "done "; sleep 30 && ipfw disable set 18 here if everything goes well, you press control-C before the "sleep" terminates, and your ruleset will be left active. Otherwise, e.g. if you cannot access your box, the ruleset will be disabled after the sleep terminates. I think there is only one more thing that one might want, namely a command to assign all rules in set X to set Y, so one can test a ruleset using the above mechanisms, and once it is considered acceptable, make it part of an existing ruleset. Revision Changes Path 1.8 +85 -22 src/sbin/ipfw/ipfw2.c 1.74 +3 -3 src/sys/netinet/ip_fw.h 1.7 +95 -18 src/sys/netinet/ip_fw2.c ----- End forwarded message ----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Sat Aug 10 6: 1:21 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D041637B400 for ; Sat, 10 Aug 2002 06:01:18 -0700 (PDT) Received: from attila.stevens-tech.edu (attila.stevens-tech.edu [155.246.14.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 81D2543E7B for ; Sat, 10 Aug 2002 06:01:17 -0700 (PDT) (envelope-from joshl-ng@levindustries.com) Received: from levindustries.com (jlevine-1.u05.stevens-tech.edu [155.246.211.36]) by attila.stevens-tech.edu (SGI-8.9.3/8.9.3/7) with ESMTP id JAA76093 for ; Sat, 10 Aug 2002 09:01:09 -0400 (EDT) Message-ID: <3D550E38.61503529@levindustries.com> Date: Sat, 10 Aug 2002 08:59:36 -0400 From: Josh Levine X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org Subject: natd/ipfw problem Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG 
Hi! For the past several hours, I've been struggling to get NAT working. I have two NIC cards - ed0 is connected to the internet, and rl0 is connected to my local hub. I've followed the directions at several sites, including: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/natd.html But no matter what I did, I couldn't get it to work...natd wasn't even showing up when I ran ps ax. I could ping the server's external IP address from a computer connected to the hub - just couldn't get to the internet. The only error message I saw was after it listed the rules, it said: "Firewall rules loaded, starting divert daemons: natdnatd: aliasing address not given" I am using the stock /etc/rc.firewall file, with firewall_type="OPEN" Finally, from reading the man page for natd, I tried the following: natd -interface ed0 /sbin/ipfw -f flush /sbin/ipfw add divert natd all from any to any via ed0 /sbin/ipfw add pass all from any to any and it worked! Any ideas why natd isn't loading from the /etc/rc.conf file (which I have enclosed at the end of this message)? 
Thanks in advance for your help, Josh Levine My /etc/rc.conf: gateway_enable="YES" network_interfaces="ed0 rl0 lo0" hostname="jlevine-research" ifconfig_ed0="DHCP" ifconfig_rl0="inet 192.168.60.1 netmask 255.255.255.0" kern_securelevel_enable="NO" linux_enable="YES" nfs_reserved_port_only="YES" saver="daemon" sendmail_enable="NO" sshd_enable="YES" inetd_enable="NO" portmap_enable="NO" firewall_enable="YES" firewall_type="OPEN" natd_enable="YES" natd_inteface="ed0" natd_flags="" ipmon_enable="YES" #Firewall logging ipmon_flags="-Dsn" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Sat Aug 10 15:40:14 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3B80737B400 for ; Sat, 10 Aug 2002 15:40:12 -0700 (PDT) Received: from attila.stevens-tech.edu (attila.stevens-tech.edu [155.246.14.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id D11D643E65 for ; Sat, 10 Aug 2002 15:40:10 -0700 (PDT) (envelope-from joshl-ng@levindustries.com) Received: from levindustries.com (jlevine-1.u05.stevens-tech.edu [155.246.211.36]) by attila.stevens-tech.edu (SGI-8.9.3/8.9.3/7) with ESMTP id SAA87099 for ; Sat, 10 Aug 2002 18:40:09 -0400 (EDT) Message-ID: <3D55962A.69FF422F@levindustries.com> Date: Sat, 10 Aug 2002 18:39:38 -0400 From: Josh Levine X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org Subject: Re: natd/ipfw problem Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG I wrote: > Hi! > > For the past several hours, I've been struggling to get NAT working. 
I > Any ideas why natd isn't loading from the /etc/rc.conf file (which I > have enclosed at the end of this message)? > natd_inteface="ed0" Turned out it was a typo I had overlooked... --Josh Levine To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
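The "test a ruleset and regain control if something goes wrong" pattern from Luigi Rizzo's commit message above (disable a set, fill it, enable it atomically, and fall back to disabling it unless the operator confirms in time), written out as an added shell example. This is not code from the list thread or from FreeBSD; it assumes an ipfw2 that understands the `set N` syntax described in the commit message. The function names ipfw_load_set, ipfw_arm_rollback and ipfw_confirm_set, the IPFW_WATCHDOG_PID variable and the IPFW override (IPFW="echo ipfw" for a dry run that only prints the commands) are this example's own.

```shell
#!/bin/sh
# Added example: atomic ruleset swap with ipfw2 rule sets plus a timed
# rollback, following the pattern in Luigi Rizzo's commit message above.
# Function names, IPFW_WATCHDOG_PID and the IPFW override are this example's
# own, not part of ipfw. IPFW="echo ipfw" turns every call into a dry run
# that prints the ipfw commands instead of executing them.
IPFW="${IPFW:-ipfw}"

# Load rules into set N while the set is disabled, then enable it in one step
# so packets never see a half-loaded set. Each argument is one rule of the
# form "NUMBER action ...", e.g. "100 allow tcp from any to any 22"; "set N"
# is spliced in right after the rule number, as the commit message shows.
# Set 31 holds the default rule and cannot be disabled, so it is refused.
ipfw_load_set() {
    set_no="$1"; shift
    case "$set_no" in
        ''|*[!0-9]*) echo "ipfw_load_set: bad set number '$set_no'" >&2; return 1 ;;
    esac
    if [ "$set_no" -gt 30 ]; then
        echo "ipfw_load_set: set $set_no is reserved or out of range (use 0..30)" >&2
        return 1
    fi
    $IPFW disable set "$set_no" || return 1
    # Flush whatever the set held before; an already-empty set is fine.
    $IPFW delete set "$set_no" || true
    for rule in "$@"; do
        num="${rule%% *}"; body="${rule#* }"
        case "$num" in
            ''|*[!0-9]*) echo "ipfw_load_set: rule must start with a number: $rule" >&2
                         $IPFW delete set "$set_no" || true; return 1 ;;
        esac
        # Word splitting of $body is intended: it is the remainder of the rule.
        $IPFW add "$num" set "$set_no" $body || { $IPFW delete set "$set_no" || true; return 1; }
    done
    # Only here do packets start matching the new rules, all at once.
    $IPFW enable set "$set_no"
}

# Arm a watchdog: unless ipfw_confirm_set is called within SECONDS, the set is
# disabled again. Same safety net as "sleep 30 && ipfw disable set 18", but
# confirmation is an explicit command instead of a Ctrl-C, so it also works
# from a script or a second session. The watchdog PID is left in
# IPFW_WATCHDOG_PID for ipfw_confirm_set.
ipfw_arm_rollback() {
    set_no="$1"; seconds="$2"
    ( sleep "$seconds"; $IPFW disable set "$set_no" ) &
    IPFW_WATCHDOG_PID=$!
}

# Cancel the pending rollback. A non-zero return means the watchdog had already
# fired (or was never armed), i.e. the set was disabled before confirmation.
ipfw_confirm_set() {
    kill "$1" 2>/dev/null
}

# Dry-run demo: sh this_script --demo
if [ "${1:-}" = "--demo" ]; then
    IPFW="echo ipfw"
    ipfw_load_set 18 "100 allow tcp from any to any 22" "200 deny ip from any to any"
    ipfw_arm_rollback 18 30
    ipfw_confirm_set "$IPFW_WATCHDOG_PID" && echo "set 18 confirmed, rollback cancelled"
fi
```

On a real firewall the sequence is: `ipfw_load_set 18 ...`, `ipfw_arm_rollback 18 30`, then verify you still have access and run `ipfw_confirm_set "$IPFW_WATCHDOG_PID"`; if the confirmation never arrives the background job disables set 18 on its own. As the commit message notes, dynamic rules already created by the set's keep-state rules stay active until they expire, so a rollback does not cut existing stateful sessions.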