From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 25 11:06:45 2013
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 25 Mar 2013 11:06:44 GMT
Message-Id: <201303251106.r2PB6iTr007180@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
List-Id: IPFW Technical Discussions

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/176503  ipfw       [ipfw] ipfw layer2 problem
o kern/174749  ipfw       Unexpected change of default route
o kern/169206  ipfw       [ipfw] ipfw does not flush entries in table
o conf/167822  ipfw       [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw       [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw       [ipw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw       [ipfw] [lo] [patch] loopback interface is not marking
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
f kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

42 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 26 15:37:01 2013
From: Jukka Ukkonen
To: ipfw@freebsd.org
Date: Tue, 26 Mar 2013 17:28:41 +0200
Message-ID: <5151BEA9.2080907@oxit.fi>
Subject: kernel NAT with ipfw failing

Hello,

Does anyone have a confirmed working example (one that is
in daily active use) of the ipfw NAT inside the kernel?

I have been trying to create a 1-to-1 static NAT between
a small intranet and the corresponding external addresses.
This keeps persistently failing and whatever I do the
intranet addresses are being leaked out of the external NIC.

I am starting to suspect there is something going seriously
wrong with the NAT implementation in ipfw.

All the necessary kernel modules should be loaded...

 9    1 0xffffffff81a30000 79a0     if_tap.ko
10    4 0xffffffff81a38000 1ad58    ipfw.ko
11    2 0xffffffff81a53000 6aa8     bridgestp.ko
12    1 0xffffffff81a5a000 e620     if_bridge.ko
...
51    2 0xffffffff81ebe000 14510    libalias.ko
52    1 0xffffffff81ed3000 4118     ipfw_nat.ko
53    1 0xffffffff81ed8000 4c60     ipdivert.ko
54    1 0xffffffff81edd000 15aa0    dummynet.ko

Checksum offloading has been turned off from the interfaces,
both internal and external. (em0, em1)

The output from 'uname -a' is...

FreeBSD sleipnir 9.1-STABLE FreeBSD 9.1-STABLE #0 r248699M: Mon Mar 25 12:26:33 EET 2013 root@sleipnir:/usr/obj/usr/src/sys/Sleipnir amd64

The only real difference between the GENERIC kernel and
my own custom kernel is the setting...

options ROUTETABLES=4

Could this break the NAT implementation?

I have previously done similar things using divert sockets
and the natd. They have always worked just fine, except they
have maybe wasted some time and resources bouncing back and
forth between the kernel and user space.
So, this has been a very surprising experience.

What should I try next?

Cheers,
--jau

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 26 15:58:19 2013
From: Michael Sierchio
To: Jukka Ukkonen
Cc: ipfw@freebsd.org
Date: Tue, 26 Mar 2013 08:58:12 -0700
In-Reply-To: <5151BEA9.2080907@oxit.fi>
Subject: Re: kernel NAT with ipfw failing

On Tue, Mar 26, 2013 at 8:28 AM, Jukka Ukkonen wrote:

>
>
> Does anyone have a confirmed working example (one that is
> in daily active use) of the ipfw NAT inside the kernel?
>
> I have been trying to create a 1-to-1 static NAT between
> a small intranet and the corresponding external addresses.
>

It would be helpful if you showed the ipfw commands you use to configure
the nat instance and the rules you use. If I understand you, you're
trying to map a network to a network of the same size via NAT? Or are you
using a single address on the outside interface of the firewall? Does the
firewall "own" all the external addresses, or are they statically routed
to it from upstream? (your ISP?). Have you grokked the redirect_addr and
redirect_port examples in the manpage? Have you made sure that
sysctl -q net.inet.ip.fw.one_pass=0 ? etc.

At this point I can only speculate, but given the complexities that
sometimes appear in firewall rulesets, I would not assume that it is
broken. It works for me.

Show us what you're trying to do - make it easier for us to help. ;-)

- M

PS it's helpful to separate inbound and outbound traffic. Remember that a
firewall will see packets several times, inbound and outbound, etc.

E.g.,

$FW nat 200 config if $if_wan unreg_only reset

$FW add 03000 set 0 nat 200 ip from any to any in recv $if_wan

[rules that send traffic here and there...]

$FW add 15001 set 0 nat 200 ip from any to any out xmit $if_wan
$FW add 15005 set 0 allow ip from any to any out xmit $if_wan
$FW add 15010 set 0 deny log logamount 0 ip from any to any

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 26 16:11:03 2013
From: Andrzej Tobola
To: freebsd-ipfw@freebsd.org
Date: Tue, 26 Mar 2013 17:10:56 +0100
Message-ID: <20130326161056.GA34850@volt.iem.pw.edu.pl>
In-Reply-To: <5151BEA9.2080907@oxit.fi>
Subject: Re: kernel NAT with ipfw failing

On Tue, Mar 26, 2013 at 05:28:41PM +0200, Jukka Ukkonen wrote:
>
> Hello,
>
> Does anyone have a confirmed working example (one that is
> in daily active use) of the ipfw NAT inside the kernel?

Yes. For a long time. On FreeBSD 9.1-STABLE amd64.

% # ipfw -a list
00100 21174480 25689611435 allow ip from any to any via lo0
00200        0           0 deny ip from any to 127.0.0.0/8
00300        0           0 deny ip from 127.0.0.0/8 to any
00500 25956378 24125425085 nat 1 ip from any to 194.29.146.4
00500 88469999 28195999566 nat 1 ip from any to any recv lagg0
.............

% grep nat /etc/rc.conf
nat_enable=YES			# NAT (/usr/local/etc/rc.d)
nat_LAN=lagg0			# LAN
nat_IP=194.29.146.4		# nat1

% cat /usr/local/etc/rc.d/nat
#!/bin/sh
#
# $FreeBSD: src/etc/rc.d/nat,v 0.1 2010/11/7 22:04:50 ato Exp $
#
# ato 2010

# PROVIDE: nat
# REQUIRE: NETWORKING
# REQUIRE: named
# KEYWORD: nojail

# To enable User must define:
#	nat_enable=YES
#	nat_IP= or nat_WAN=	# NATed IP (raw or DNS name) or WAN interface name
#	nat_LAN=		# LAN interface name
#
# if not specified get `route -n get -inet default | grep interface:`

. /etc/rc.subr

name=nat
rcvar=nat_enable

load_rc_config $name

: ${nat_enable:=NO}
: ${nat_CONF="reset unreg_only same_ports log"}	# deny_in
: ${nat_N:=1}
: ${nat_R:=500}

#set_rcvar nat_enable NO "NAT (ipfw)" >/dev/null

start_precmd=nat_prestart
start_cmd=nat_start
required_modules="ipfw_nat.ko"	# XXX why .ko necessary ?
stop_cmd=nat_stop
extra_commands="status show dump"
status_cmd=nat_show
show_cmd=nat_show
dump_cmd=nat_dump

nat_prestart()
{
	[ "$nat_WAN$nat_IP" ] || err 1 "You must define \$nat_IP or \$nat_WAN."
	[ "$nat_LAN" ] || err 1 "You must define \$nat_LAN."
	ifconfig -l ether | grep -q "$nat_LAN" || err 1 "Can't find LAN interface $nat_LAN."
	if [ "$nat_IP" ]; then
		# TODO test whether the IP is assigned:
		ping -q -c1 -W100 $nat_IP 2> /dev/null | grep -q '100.0% packet loss' && return 1
	else
		nat_IP=me
	fi
	return 0
}

nat_start()
{	# XXX test if ON
	echo "Enabling NAT on $nat_LAN."
	if [ "$nat_WAN" ] ; then
		nat_CONF="if $nat_WAN $nat_CONF"
	elif [ "$nat_IP" ]; then
		nat_CONF="ip $nat_IP $nat_CONF"
	else	# no nat_WAN or nat_IP defined - get default inet gateway interface:
		nat_WAN=`route -n get -inet default | grep interface:` ; nat_WAN=${nat_WAN##*: }
		nat_CONF="if $nat_WAN $nat_CONF"
	fi
	ipfw nat $nat_N config $nat_CONF
	ipfw add $nat_R nat $nat_N all from any to $nat_IP
	ipfw add $nat_R nat $nat_N all from any to any recv $nat_LAN
	sysctl net.inet.ip.forwarding=1
	#sysctl net.inet.ip.fw.one_pass=1	# def=0 (no effect?)
	#Bound dummynet to CPU0:
	#cpuset -l 0 -t $(procstat -t 0 | awk '/dummynet/ {print $2}')
}

nat_stop()
{
	echo "Disabling NAT"	# XXX test if ON
	ipfw delete $nat_R
	kldunload $required_modules
}

nat_show()
{	# XXX test if ON
	ipfw nat $nat_N show config
	ipfw -a list $nat_R && ipfw nat $nat_N show
	arp -ai $nat_LAN
}

nat_dump()
{	# XXX test if ON
	sysctl net.inet.ip.fw.verbose=0
	tcpdump -i ipfw0
	sysctl net.inet.ip.fw.verbose=1
}

run_rc_command "$1"

cheers,
-a
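
The symptom reported in the first message of this thread (intranet addresses leaving through the external NIC) can be confirmed or ruled out from a packet capture. The following is an added example, not code from any poster in the thread: it lists RFC 1918 source addresses found in `tcpdump -n` text taken on the external interface. The function names and the sample capture (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). With working NAT, no packet seen on
# the external interface should carry a private (RFC 1918) source address.

# leaked_sources: read `tcpdump -n` text on stdin and print
# "<count> <source-ip>" for each private source, most frequent first.
leaked_sources() {
    awk '
    $2 == "IP" {
        # Field 3 is "a.b.c.d.port" for TCP/UDP and "a.b.c.d" for ICMP.
        n = split($3, o, ".")
        if (n < 4) next
        a = o[1] + 0; b = o[2] + 0
        if (a == 10 ||
            (a == 172 && b >= 16 && b <= 31) ||
            (a == 192 && b == 168))
            seen[o[1] "." o[2] "." o[3] "." o[4]]++
    }
    END { for (ip in seen) print seen[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# nat_leak_check: status 0 when the capture is clean; otherwise print the
# untranslated sources and return 1.
nat_leak_check() {
    leaks=$(leaked_sources)
    if [ -z "$leaks" ]; then
        return 0
    fi
    printf '%s\n' "$leaks"
    return 1
}

# Constructed sample capture: two untranslated hosts, one translated flow,
# one public 172.32.x.x source (outside 172.16/12) and one non-IP line.
SAMPLE='17:28:41.000001 IP 192.168.10.5.51234 > 198.51.100.7.80: Flags [S], length 0
17:28:41.000002 IP 203.0.113.10.51234 > 198.51.100.7.80: Flags [S], length 0
17:28:42.000001 IP 192.168.10.5 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
17:28:43.000001 IP 172.20.1.9.5353 > 198.51.100.9.53: UDP, length 40
17:28:44.000001 IP 172.32.0.1.1000 > 198.51.100.9.53: UDP, length 40
17:28:45.000001 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 28'

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE" | leaked_sources
```

On a live firewall the same function can be fed from `tcpdump -n -l -i <external interface>`; any address it prints is a packet that passed the outbound path without being rewritten by the nat rule.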