From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 11 11:06:59 2008
Date: Mon, 11 Aug 2008 11:06:58 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6

15 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit

30 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 11 20:47:29 2008
Date: Mon, 11 Aug 2008 16:30:14 -0400 (EDT)
From: Fred Portnoy
To: freebsd-ipfw
Subject: ipv4 diffserv entry

By using Sniffer and tcpdump together, it appears that the entry in the "TOS" field of the IPv4 header is getting stripped off as the packet leaves the external facing interface of the firewall. Is this known behavior? Is there a way to preserve the TOS?

thanks
-fp

Fred Portnoy
Network Analyst
Plymouth State University

"unfettered by edgy modernisms, or classical influences"

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 12 11:48:27 2008
Date: Tue, 12 Aug 2008 13:21:45 +0200
From: "Adrian Penisoara"
To: "Fred Portnoy"
Cc: freebsd-ipfw
Subject: Re: ipv4 diffserv entry

Hi,

On Mon, Aug 11, 2008 at 10:30 PM, Fred Portnoy wrote:
> By using Sniffer and tcpdump together, it appears that the entry in the "TOS" field of the IPv4 header is getting stripped off as the packet leaves the external facing interface of the firewall. Is this known behavior? Is there a way to preserve the TOS?

Which firewall framework are we talking about (ipfw / pf / ipf) ?
Does it reproduce with all/other firewalls ?
If you completely disable the firewall, does the issue stop reproducing ?

Regards,
Adrian.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 12 12:22:29 2008
Date: Tue, 12 Aug 2008 08:22:23 -0400 (EDT)
From: Fred Portnoy
To: Adrian Penisoara
Cc: freebsd-ipfw
Subject: Re: ipv4 diffserv entry

First question, ipfw on FreeBSD 5.4-RELEASE. Other questions are more difficult, since we're dealing with a production network....

thanks

Fred Portnoy
Network Analyst
Plymouth State University

"unfettered by edgy modernisms, or classical influences"

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 12 12:29:27 2008
Date: Tue, 12 Aug 2008 14:29:25 +0200
From: "Adrian Penisoara"
To: "Fred Portnoy"
Cc: freebsd-ipfw
Subject: Re: ipv4 diffserv entry

Hi,

On Tue, Aug 12, 2008 at 2:22 PM, Fred Portnoy wrote:
> First question, ipfw on FreeBSD 5.4-RELEASE. Other questions are more difficult, since we're dealing with a production network....

Are you able to setup a test environment with the same FreeBSD release and configuration and to reproduce the issue ?
It would be a good start to make these tests.

Regards,
Adrian.
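
The check discussed in this thread (the same packet observed on each side of the firewall, with its TOS byte compared) can be scripted; the following is an added example, not code from any poster or from FreeBSD. It assumes raw IPv4 headers already extracted from two captures and matches packets on IP ID, protocol and destination address, which is an assumption of this sketch; the sample headers are constructed.

```python
import socket
import struct

def checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 over a header whose checksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(raw: bytes) -> dict:
    """Decode the header fields needed to compare one packet across two captures."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("invalid or truncated header length")
    tos, ident = raw[1], struct.unpack("!H", raw[4:6])[0]
    return {"key": (ident, raw[9], raw[16:20]),  # assumed match key: IP ID, protocol, dst
            "tos": tos, "dscp": tos >> 2, "ecn": tos & 0x03,
            "checksum_ok": checksum(raw[:ihl]) == 0}

def tos_changes(inside, outside):
    """Return (ip_id, dscp_inside, dscp_outside, checksum_ok) where the TOS byte changed."""
    seen = {p["key"]: p for p in map(parse_ipv4, inside)}
    changes = []
    for pkt in map(parse_ipv4, outside):
        before = seen.get(pkt["key"])
        if before is not None and before["tos"] != pkt["tos"]:
            changes.append((pkt["key"][0], before["dscp"], pkt["dscp"], pkt["checksum_ok"]))
    return changes

def build(tos, ident, ttl, src="192.0.2.10", dst="198.51.100.20", proto=17):
    """Constructed sample header (documentation addresses), checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

# Constructed captures: the same two packets before and after one forwarding hop (TTL - 1).
INSIDE = [build(0xB8, 0x1234, 64), build(0x00, 0x1235, 64)]   # 0xB8 = DSCP 46 (EF)
OUTSIDE = [build(0x00, 0x1234, 63), build(0x00, 0x1235, 63)]  # first packet lost its marking

if __name__ == "__main__":
    for ip_id, was, now, ok in tos_changes(INSIDE, OUTSIDE):
        print(f"id=0x{ip_id:04x} DSCP {was} -> {now} checksum_ok={ok}")
```

A valid checksum on the outside copy shows the header was rewritten and re-summed by a forwarding device rather than damaged in transit.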