From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 7 06:50:02 2013
From: Шастин Александр Сергеевич
To: bug-followup@FreeBSD.org, radek.krejca@starnet.cz
Subject: Re: kern/174749: Unexpected change of default route
Date: Sun, 7 Apr 2013 06:40:05 +0000
Message-Id: <201304070650.r376o1RB095466@freefall.freebsd.org>

The following reply was made to PR kern/174749; it has been noted by GNATS.

I have the same problem.

FreeBSD 9.1R
Kernel ipfw dummynet, pf nat

The same config (ipfw, pf) works fine on FreeBSD 8.3 stable (December); if I start FreeBSD 9.1, routes change automatically, and not only the default route, any other route changes too.

Routes change every 5 minutes and the message log contains this:

----------
Apr  5 20:39:04 gw kernel: pf: state key linking mismatch! dir=OUT, if=igb0, stored af=2, a0: 46.219.13.140:38308, a1: 46.x.x.x:52242, proto=6, found af=2, a0: 172.24.37.19:59953, a1: 85.26.164.174:6881, proto=6.
Apr  5 20:39:14 gw kernel: pf: state key linking mismatch! dir=OUT, if=igb0, stored af=2, a0: 88.201.177.111:12749, a1: 172.24.22.192:57573, proto=17, found af=2, a0: 172.24.37.21:4704, a1: 36.234.221.79:7288, proto=6.
Apr  5 20:39:16 gw kernel: pf: state key linking mismatch! dir=OUT, if=igb0, stored af=2, a0: 178.208.241.243:10262, a1: 46.x.x.x:52727, proto=6, found af=2, a0: 172.24.70.68:53987, a1: 37.220.178.247:35412, proto=6.
Apr  5 20:39:16 gw kernel: pf: state key linking mismatch! dir=OUT, if=igb0, stored af=2, a0: 178.125.65.157:22887, a1: 46.x.x.x:55395, proto=17, found af=2, a0: 172.24.70.68:53988, a1: 85.26.234.152:46651, proto=6.
Apr  5 20:39:17 gw kernel: pf: state key linking mismatch! dir=OUT, if=igb0, stored af=2, a0: 109.252.190.162:16837, a1: 172.24.9.125:50591, proto=17, found af=2, a0: 172.24.99.113:1734, a1: 176.121.217.249:35692, proto=6.
Apr  5 20:39:18 gw kernel: arpresolve: can't allocate llinfo for 81.109.86.123
Apr  5 20:39:18 gw last message repeated 359 times
Apr  5 20:39:18 gw kernel: 81.109.86.123
Apr  5 20:39:18 gw kernel: arpresolve: can't allocate llinfo for 81.109.86.123
------------

igb0 is the internal interface; 81.109.86.123 is a fake route, and not my network.

I do "route delete default", then "route add" with my ISP's router, and a short time later it happens again:

Apr  5 20:37:15 gw kernel: pf: state key linking mismatch! dir=OUT, if=igb0, stored af=2, a0: 172.24.49.75:26167, a1: 93.77.135.82:46401, proto=17, found af=2, a0: 172.24.70.30:50699, a1: 94.20.68.43:11789, proto=6.
Apr  5 20:37:17 gw kernel: arpresolve: can't allocate llinfo for 5.9.99.11
Apr  5 20:37:17 gw last message repeated 158 times
Apr  5 20:37:17 gw kernel: allocate llinfo for 5.9.99.11
Apr  5 20:37:17 gw kernel: arpresolve: can't allocate llinfo for 5.9.99.11
-------
5.9.99.11 is a fake gateway.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 8 11:06:47 2013
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Date: Mon, 8 Apr 2013 11:06:46 GMT
Message-Id: <201304081106.r38B6kAj057267@freefall.freebsd.org>

Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/176503  ipfw   [ipfw] ipfw layer2 problem
o kern/174749  ipfw   Unexpected change of default route
o kern/169206  ipfw   [ipfw] ipfw does not flush entries in table
o conf/167822  ipfw   [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw   [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw   [ipw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw   [ipfw] [lo] [patch] loopback interface is not marking
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw   [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw   [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
f kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

42 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 13 13:34:40 2013
From: Spil Oss
To: freebsd-ipfw@freebsd.org
Subject: Problems with ipfw/natd and axe(4)
Date: Sat, 13 Apr 2013 15:34:39 +0200

Hi All,

I can't use ipfw with natd with my ASIX AX88772B USB NIC.

ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset):

00010 allow ip from any to me dst-port 22 recv ue0
00010 allow tcp from me 22 to any xmit ue0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 deny ip from 10.16.2.1 to any in via ue0
01200 deny ip from 172.17.2.111 to any in via re0
01300 deny ip from any to 10.0.0.0/8 via ue0
01500 deny ip from any to 192.168.0.0/16 via ue0
01600 deny ip from any to 0.0.0.0/8 via ue0
01700 deny ip from any to 169.254.0.0/16 via ue0
01800 deny ip from any to 192.0.2.0/24 via ue0
01900 deny ip from any to 224.0.0.0/4 via ue0
02000 deny ip from any to 240.0.0.0/4 via ue0
02100 divert 8668 ip4 from any to any via ue0
02200 deny ip from 10.0.0.0/8 to any via ue0
02400 deny ip from 192.168.0.0/16 to any via ue0
02500 deny ip from 0.0.0.0/8 to any via ue0
02600 deny ip from 169.254.0.0/16 to any via ue0
02700 deny ip from 192.0.2.0/24 to any via ue0
02800 deny ip from 224.0.0.0/4 to any via ue0
02900 deny ip from 240.0.0.0/4 to any via ue0
03000 allow tcp from any to any established
03100 allow ip from any to any frag
03200 allow tcp from any to me dst-port 22 setup
03300 allow tcp from any to me dst-port 25 setup
03400 allow tcp from any to me dst-port 465 setup
03500 allow tcp from any to me dst-port 587 setup
03600 allow tcp from any to me dst-port 80 setup
03700 allow tcp from any to me dst-port 443 setup
03800 deny log logamount 5 ip4 from any to any in via ue0 setup proto tcp
03900 allow tcp from any to any setup
04000 allow udp from me to any dst-port 53 keep-state
04100 allow udp from me to any dst-port 123 keep-state
04200 allow ip from any to any dst-port 22 recv ue0
65535 deny ip from any to any

If I remove rule 10 it will NOT work with ue0; the same ruleset without rule 10 DOES work with re0 on the same machine (re0 as external and ue0 as internal NIC).

If I connect from the gateway on 172.17.2.1 to the ssh server on this machine, I can see the ACK and SYN+ACK but there's no ACK from the client to the server to establish the tcp session. The only difference I could find was that the checksum was incorrect.

I found an older PR kern/170081 about fxp having trouble with nat when rxcsum/txcsum was enabled; that is why I started fiddling with rxcsum/txcsum, and found that the NIC is unusable/dead without rxcsum/txcsum enabled, so this was not an option.

# ifconfig ue0
ue0: flags=8843 metric 0 mtu 1500
        options=8000b
        ether 00:60:6e:42:5b:53
        inet6 fe80::260:6eff:fe42:5b53%ue0 prefixlen 64 scopeid 0x7
        inet 172.17.2.111 netmask 0xffffff00 broadcast 172.17.2.255
        nd6 options=21
        media: Ethernet autoselect (100baseTX )
        status: active

Any suggestions or pointers?

Kind regards,

Spil.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 13 18:01:38 2013
From: Michael Sierchio
To: spil.oss@gmail.com
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Problems with ipfw/natd and axe(4)
Date: Sat, 13 Apr 2013 11:01:38 -0700

There are some things about this ruleset that are confused. Multiple deny rules where one will do, etc.

> 01100 deny ip from 10.16.2.1 to any in via ue0
> 01200 deny ip from 172.17.2.111 to any in via re0
> 01300 deny ip from any to 10.0.0.0/8 via ue0
> 01500 deny ip from any to 192.168.0.0/16 via ue0
> 01600 deny ip from any to 0.0.0.0/8 via ue0
> 01700 deny ip from any to 169.254.0.0/16 via ue0
> 01800 deny ip from any to 192.0.2.0/24 via ue0
> 01900 deny ip from any to 224.0.0.0/4 via ue0
> 02000 deny ip from any to 240.0.0.0/4 via ue0

and you need to think about inbound and outbound traffic, and a few other things. You have keep-state rules way down the ruleset and a divert natd in the middle. This won't do.

1. State what the requirements and intent are. I'm reluctant to dive into the solution space for an ill-defined problem. You conclude that the problem is with the NIC, and I think it's with your ruleset. For example, which interfaces are external, what's the topology, do external interfaces have public or private addresses, etc.? Is this a firewall or a standalone box? Note that if you do a tcpdump, the checksums will look wrong because they're offloaded onto the NIC. That's normal.

2. Until you understand the interaction of NAT + stateful rules, don't use them.

3. Start with a small ruleset and nat config (show us your natd config) that is permissive, then gradually add protection. natd by itself is stateful, and will probably provide all you need.

- M

On Sat, Apr 13, 2013 at 6:34 AM, Spil Oss wrote:
> Hi All,
>
> I can't use ipfw with natd with my ASIX AX88772B USB NIC
>
> ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset)
> 00010 allow ip from any to me dst-port 22 recv ue0
> 00010 allow tcp from me 22 to any xmit ue0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to ::1
> 00500 deny ip from ::1 to any
> 00600 allow ipv6-icmp from :: to ff02::/16
> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> 01100 deny ip from 10.16.2.1 to any in via ue0
> 01200 deny ip from 172.17.2.111 to any in via re0
> 01300 deny ip from any to 10.0.0.0/8 via ue0
> 01500 deny ip from any to 192.168.0.0/16 via ue0
> 01600 deny ip from any to 0.0.0.0/8 via ue0
> 01700 deny ip from any to 169.254.0.0/16 via ue0
> 01800 deny ip from any to 192.0.2.0/24 via ue0
> 01900 deny ip from any to 224.0.0.0/4 via ue0
> 02000 deny ip from any to 240.0.0.0/4 via ue0
> 02100 divert 8668 ip4 from any to any via ue0
> 02200 deny ip from 10.0.0.0/8 to any via ue0
> 02400 deny ip from 192.168.0.0/16 to any via ue0
> 02500 deny ip from 0.0.0.0/8 to any via ue0
> 02600 deny ip from 169.254.0.0/16 to any via ue0
> 02700 deny ip from 192.0.2.0/24 to any via ue0
> 02800 deny ip from 224.0.0.0/4 to any via ue0
> 02900 deny ip from 240.0.0.0/4 to any via ue0
> 03000 allow tcp from any to any established
> 03100 allow ip from any to any frag
> 03200 allow tcp from any to me dst-port 22 setup
> 03300 allow tcp from any to me dst-port 25 setup
> 03400 allow tcp from any to me dst-port 465 setup
> 03500 allow tcp from any to me dst-port 587 setup
> 03600 allow tcp from any to me dst-port 80 setup
> 03700 allow tcp from any to me dst-port 443 setup
> 03800 deny log logamount 5 ip4 from any to any in via ue0 setup proto tcp
> 03900 allow tcp from any to any setup
> 04000 allow udp from me to any dst-port 53 keep-state
> 04100 allow udp from me to any dst-port 123 keep-state
> 04200 allow ip from any to any dst-port 22 recv ue0
> 65535 deny ip from any to any
>
> If I remove rule 10 it will NOT work with ue0, the same ruleset without
> rule 10 DOES work with re0 on the same machine (re0 as external and ue0 as
> internal NIC).
>
> If I connect from the gateway on 172.17.2.1 to the ssh server on this
> machine, I can see the ACK and SYN+ACK but there's no ACK from the client
> to the server to establish the tcp session. Only difference I could find
> was that the checksum was incorrect.
>
> Found an older PR kern/170081 about fxp having trouble with nat when
> rxcsum/txcsum was enabled, that is why I started fiddling with
> rxcsum/txcsum and found that the NIC is unusable/dead without rxcsum/txcsum
> enabled so this was not an option.
>
> # ifconfig ue0
> ue0: flags=8843 metric 0 mtu 1500
>         options=8000b
>         ether 00:60:6e:42:5b:53
>         inet6 fe80::260:6eff:fe42:5b53%ue0 prefixlen 64 scopeid 0x7
>         inet 172.17.2.111 netmask 0xffffff00 broadcast 172.17.2.255
>         nd6 options=21
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> Any suggestions or pointers?
>
> Kind regards,
>
> Spil.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 13 18:26:42 2013
From: Luigi Rizzo
To: Spil Oss
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Problems with ipfw/natd and axe(4)
Date: Sat, 13 Apr 2013 20:28:12 +0200
Message-ID: <20130413182812.GA27554@onelab2.iet.unipi.it>

On Sat, Apr 13, 2013 at 03:34:39PM +0200, Spil Oss wrote:
> Hi All,
>
> I can't use ipfw with natd with my ASIX AX88772B USB NIC
...
> Found an older PR kern/170081 about fxp having trouble with nat when
> rxcsum/txcsum was enabled, that is why I started fiddling with
> rxcsum/txcsum and found that the NIC is unusable/dead without rxcsum/txcsum
> enabled so this was not an option.

Unfortunately, I do think that the hw checksum is the problem with ipfw+natd -- I have heard similar reports in the past and all disappeared when hw checksum was disabled.

Besides, the natd code is old and probably it has not been updated to handle hardware offloading, jumbo buffers and so on.

cheers
luigi

> # ifconfig ue0
> ue0: flags=8843 metric 0 mtu 1500
>         options=8000b
>         ether 00:60:6e:42:5b:53
>         inet6 fe80::260:6eff:fe42:5b53%ue0 prefixlen 64 scopeid 0x7
>         inet 172.17.2.111 netmask 0xffffff00 broadcast 172.17.2.255
>         nd6 options=21
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> Any suggestions or pointers?
>
> Kind regards,
>
> Spil.
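The checksum point made in both replies (tcpdump showing "incorrect" checksums on an offloading NIC, and natd going wrong when hardware checksumming is on), as an added illustration that is not natd's or libalias's code: a NAT that patches the TCP checksum incrementally (RFC 1624) produces a valid result only if the field it started from was already a complete checksum; when the host has left the work to the NIC, the field holds only a pseudo-header partial sum, and an adjusted partial that nobody finishes is what the far end rejects. The inside address 10.16.2.50, ports and segment contents are constructed; 172.17.2.111 and 172.17.2.1 are the addresses from this thread.

```python
# Added example, not natd/libalias code. Shows why incrementally updating a
# TCP checksum (as a NAT does) is only sound if the packet's checksum field
# was complete to begin with, and why a from-scratch recompute is not.
# Addresses other than 172.17.2.111 / 172.17.2.1 are constructed.
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit ones'-complement sum with end-around carry, not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    # IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP length
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def get_csum(seg: bytes) -> int:
    return struct.unpack("!H", seg[16:18])[0]


def set_csum(seg: bytes, value: int) -> bytes:
    return seg[:16] + struct.pack("!H", value) + seg[18:]


def full_tcp_checksum(src: str, dst: str, seg: bytes) -> int:
    """Recompute from scratch, ignoring whatever the checksum field holds."""
    return ~ones_complement_sum(pseudo_header(src, dst, len(seg)) + set_csum(seg, 0)) & 0xFFFF


def checksum_valid(src: str, dst: str, seg: bytes) -> bool:
    """Receiver's test: sum over pseudo-header and segment, field included, is all ones."""
    return ones_complement_sum(pseudo_header(src, dst, len(seg)) + seg) == 0xFFFF


def incremental_update(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for one replaced 16-bit word."""
    hc = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while hc >> 16:
        hc = (hc & 0xFFFF) + (hc >> 16)
    return ~hc & 0xFFFF


def nat_rewrite_source_incremental(seg: bytes, old_src: str, new_src: str) -> bytes:
    """A NAT that only patches the existing checksum for a source-address change."""
    csum = get_csum(seg)
    for old_w, new_w in zip(struct.unpack("!HH", socket.inet_aton(old_src)),
                            struct.unpack("!HH", socket.inet_aton(new_src))):
        csum = incremental_update(csum, old_w, new_w)
    return set_csum(seg, csum)


def build_syn(sport: int, dport: int, csum_field: int) -> bytes:
    """Constructed 20-byte TCP SYN: data offset 5, no options, no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, csum_field, 0)


def demo(inside: str = "10.16.2.50", outside: str = "172.17.2.111", dst: str = "172.17.2.1") -> dict:
    """Same SYN, source rewritten from `inside` to `outside`, under three checksum histories."""
    seg = build_syn(40000, 22, 0)
    # (a) the host computed the complete checksum itself (offload disabled)
    done = set_csum(seg, full_tcp_checksum(inside, dst, seg))
    # (b) the host stored only the pseudo-header partial sum for the NIC to finish
    partial = set_csum(seg, ones_complement_sum(pseudo_header(inside, dst, len(seg))))
    return {
        "complete_then_incremental": checksum_valid(outside, dst, nat_rewrite_source_incremental(done, inside, outside)),
        "partial_then_incremental": checksum_valid(outside, dst, nat_rewrite_source_incremental(partial, inside, outside)),
        "partial_then_full_recompute": checksum_valid(outside, dst, set_csum(partial, full_tcp_checksum(outside, dst, partial))),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

Case (b) is the packet a capture on an offloading NIC shows as "bad checksum": harmless if the NIC completes it on the way out, wrong if it is rewritten and sent without that completion.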