From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 26 11:07:04 2011
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 26 Sep 2011 11:07:03 GMT
Message-Id: <201109261107.p8QB73s2088180@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw   [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw   [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw   IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
f kern/144269  ipfw   [ipfw] problem with ipfw tables
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
f kern/143474  ipfw   [ipfw] ipfw table contains the same address
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
f kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
f kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
f kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

44 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 27 18:19:52 2011
From: Rémy Sanchez
To: freebsd-ipfw@freebsd.org
Date: Tue, 27 Sep 2011 19:57:45 +0200
Message-Id: <201109271958.29919.remy.sanchez@hyperthese.net>
Subject: Random freezes

Hi,

Well, I'm not sure that it's the kind of message you'd expect on this mailing list, but I couldn't really find a users mailing list, so here I am.

In short, we (= http://maiznet.fr/) use ipfw for our network, mainly because of dummynet's capabilities, which clearly outperform any other solution for our needs. The network in question is inside a dormitory, to provide Internet to some 150 people. We have:

- 3 WAN (2 ADSL and 1 SDSL). I know, it is quite insufficient, but we can't get more. [re1, re2, re3]
- 1 students network [re0]
- 1 DMZ [re4]
- 1 office network [re5]

All are on different subnets, and NAT is used a bit everywhere, along with load-balancing. Here is a recent ipfw show: http://pastebin.com/ma3h9FUU

Now everything works fine, except that sometimes, for no reason, it looks like there is a rule that just stops working: sometimes the DNS gets blocked, or some users complain about not having internet at all (including internal routing not working for them)...

Take yesterday's example: packets that were routed through ADSL2 were NATed correctly outgoing, were correctly reverse-NATed incoming, but were not routed to the client. If I added a custom "allow" just after the NAT, it started working again (but the allow should be automatic due to state checking).

The only solution we have so far: we just reload the rules, and everything gets back to normal. Which is a bit unpleasant I must say...

So, I've fallen short of ideas, does anyone see why some rules just block like that? Maybe we should move to the in-kernel NAT?
Help is much appreciated,

-- 
Rémy Sanchez
http://hyperthese.net/

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 27 19:28:34 2011
From: Chuck Swiger
To: Rémy Sanchez
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 27 Sep 2011 11:28:15 -0700
In-reply-to: <201109271958.29919.remy.sanchez@hyperthese.net>
Subject: Re: Random freezes

Hi--

On Sep 27, 2011, at 10:57 AM, Rémy Sanchez wrote:
> The only solution we have so far : we just reload the rules, and everything
> gets back to normal. Which is a bit unpleasant I must say...
>
> So, I've fallen short of ideas, does anyone see why some rules just block like
> that ? Maybe we should move to the in-kernel NAT ?

Sounds like you're running out of dynamic rule entries.

Check net.inet.ip.fw.dyn_count sysctl and increase net.inet.ip.fw.dyn_max as needed. Also consider not using stateful rules for UDP traffic like DNS and NTP if at all possible...

Regards,
-- 
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 28 22:25:54 2011
From: Rémy Sanchez
To: freebsd-ipfw@freebsd.org
Date: Thu, 29 Sep 2011 00:25:12 +0200
References: <201109271958.29919.remy.sanchez@hyperthese.net>
Message-Id: <201109290025.22202.remy.sanchez@hyperthese.net>
Subject: Re: Random freezes

On Tuesday 27 September 2011 20:28:15 Chuck Swiger wrote:
> Sounds like you're running out of dynamic rule entries.
>
> Check net.inet.ip.fw.dyn_count sysctl and increase net.inet.ip.fw.dyn_max
> as needed. Also consider not using stateful rules for UDP traffic like
> DNS and NTP if at all possible...

Well, it could have been that, but unfortunately after 1 day of pushing the limit to 32768 (whereas we have on average 1500 states), it is still not working.

Maybe we can go without DNS states, but I doubt that it solves the problem.

Any other suggestion?

-- 
Rémy Sanchez
http://hyperthese.net/
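The mechanism behind Chuck's suggestion, as an added example that is not part of the thread and not ipfw's code: a constructed model of a keep-state firewall's dynamic-rule table with a hard cap, the role that net.inet.ip.fw.dyn_max plays, with dyn_count being the current fill level. In ipfw a keep-state rule that cannot install its dynamic entry denies the packet, so a full table shows up as new flows being refused while already established flows keep working, which is hard to tell apart from "a rule stopped working". The struct names, the tiny capacity, the 30-second lifetime, the 10.0.0.53 resolver and the client addresses are all assumptions of this example, chosen so the table fills within a handful of packets.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stateful firewall's dynamic-rule table, the table that
 * ipfw's net.inet.ip.fw.dyn_count / dyn_max sysctls describe. Not ipfw's code:
 * the names, the capacity and the lifetime below are this example's assumptions. */
#define DYN_SLOTS    8    /* storage; the enforced cap is dyn_table.max */
#define DYN_LIFETIME 30   /* seconds a state survives without traffic (assumed) */

enum { VERDICT_DENY = 0, VERDICT_ALLOW = 1 };
struct flow      { uint8_t proto; uint32_t src, dst; uint16_t sport, dport; };
struct dyn_entry { struct flow key; uint32_t expire; bool used; };
struct dyn_table {
    struct dyn_entry e[DYN_SLOTS];
    int count;             /* analogue of net.inet.ip.fw.dyn_count */
    int max;               /* analogue of net.inet.ip.fw.dyn_max */
    int install_failures;  /* keep-state rules that found the table full */
};

static bool flow_eq(const struct flow *a, const struct flow *b)
{
    return a->proto == b->proto && a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport;
}

static void dyn_init(struct dyn_table *t, int max)
{
    memset(t, 0, sizeof *t);
    t->max = max > DYN_SLOTS ? DYN_SLOTS : max;
}

/* Reclaim entries whose lifetime has run out. */
static void dyn_expire(struct dyn_table *t, uint32_t now)
{
    for (int i = 0; i < DYN_SLOTS; i++)
        if (t->e[i].used && t->e[i].expire <= now) {
            t->e[i].used = false;
            t->count--;
        }
}

/* check-state: a packet of a known flow refreshes the entry and matches. */
static bool dyn_lookup(struct dyn_table *t, const struct flow *f, uint32_t now)
{
    dyn_expire(t, now);
    for (int i = 0; i < DYN_SLOTS; i++)
        if (t->e[i].used && flow_eq(&t->e[i].key, f)) {
            t->e[i].expire = now + DYN_LIFETIME;
            return true;
        }
    return false;
}

/* keep-state: add an entry; fails once count reaches max and nothing is stale. */
static int dyn_install(struct dyn_table *t, const struct flow *f, uint32_t now)
{
    if (t->count >= t->max)
        dyn_expire(t, now);          /* last chance: reclaim stale entries */
    if (t->count >= t->max) {
        t->install_failures++;
        return -1;
    }
    for (int i = 0; i < DYN_SLOTS; i++)
        if (!t->e[i].used) {
            t->e[i].used = true;
            t->e[i].key = *f;
            t->e[i].expire = now + DYN_LIFETIME;
            t->count++;
            return 0;
        }
    return -1;
}

/* One packet through "check-state" then "allow ... keep-state" (or a plain
 * stateless allow when keep_state is false). With keep-state, a new flow that
 * cannot get an entry is denied: that is what a full table looks like. */
static int check_packet(struct dyn_table *t, const struct flow *f, uint32_t now, bool keep_state)
{
    if (!keep_state)
        return VERDICT_ALLOW;        /* stateless rule: table neither consulted nor grown */
    if (dyn_lookup(t, f, now))
        return VERDICT_ALLOW;        /* established flow */
    return dyn_install(t, f, now) == 0 ? VERDICT_ALLOW : VERDICT_DENY;
}

/* A client's DNS query to a constructed resolver at 10.0.0.53. */
static struct flow dns_query(uint32_t client, uint16_t sport)
{
    struct flow f = { 17, client, 0x0A000035u, sport, 53 };
    return f;
}

int main(void)
{
    struct dyn_table t;
    dyn_init(&t, 4);                 /* cap of 4 so the table fills at once */
    for (unsigned i = 0; i < 6; i++) {
        struct flow f = dns_query(0xC0A80101u + i, (uint16_t)(40000 + i));
        printf("t=0  client %u keep-state: %s  dyn_count=%d/%d\n", i,
               check_packet(&t, &f, 0, true) ? "allow" : "DENY", t.count, t.max);
    }
    struct flow late = dns_query(0xC0A80110u, 41000);
    printf("t=60 new client keep-state: %s (stale entries reclaimed first)\n",
           check_packet(&t, &late, 60, true) ? "allow" : "DENY");
    printf("t=60 stateless rule: %s  dyn_count=%d install_failures=%d\n",
           check_packet(&t, &late, 60, false) ? "allow" : "DENY", t.count, t.install_failures);
    return 0;
}
```

On the box itself the two numbers come from `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max`, and `ipfw -d list` shows the dynamic entries alongside the static rules; a count that sits near the cap, or a burst of short-lived UDP states from DNS, is what the stateless-DNS advice addresses. ipfw keeps UDP states for a separate, short lifetime (net.inet.ip.fw.dyn_udp_lifetime), so that is the knob to look at if DNS has to stay stateful.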
From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 30 18:35:10 2011
From: Olivier Cochard-Labbé
To: freebsd-ipfw@freebsd.org
Cc: mav@freebsd.org
Date: Fri, 30 Sep 2011 20:10:02 +0200
Subject: ipfw doesn't support IPv6 PPTP VPN (IPFW2: IPV6 - Unknown Extension Header(47))
Hi list,

I've got 2 PPTP VPN tunnels (using net/mpd5) between 2 FreeBSD based routers (8.2-RELEASE-p3): one IPv6 tunnel (IPv6 end point addresses) and one IPv4 tunnel (IPv4 end point addresses), and would like to try enabling IPFW between them.

I first began by enabling IPFW in open mode, but as soon as I enable it, my IPv6 tunnel goes down and my console fills with these messages:

IPFW2: IPV6 - Unknown Extension Header(47), ext_hd=0

And there are no denied rules matched:

[root@R4]~# ipfw -a list
00100     0      0 allow ip from any to any via lo0
00200     0      0 deny ip from any to 127.0.0.0/8
00300     0      0 deny ip from 127.0.0.0/8 to any
00400     0      0 deny ip from any to ::1
00500     0      0 deny ip from ::1 to any
00600     7    536 allow ipv6-icmp from :: to ff02::/16
00700    49   3336 allow ipv6-icmp from fe80::/10 to fe80::/10
00800    20   1736 allow ipv6-icmp from fe80::/10 to ff02::/16
00900     0      0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000    50   3400 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000  1727 102386 allow ip from any to any
65535     0      0 deny ip from any to any

I don't think it's a normal behaviour: does anyone know how to fix that?
If you need more information on this setup, all configuration is online (it's router 4):
http://bsdrp.net/documentation/examples/maximum_bsdrp_features_lab

Regards,

Olivier

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 30 18:59:15 2011
From: Alexander Motin
To: Olivier Cochard-Labbé
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 30 Sep 2011 21:35:34 +0300
Message-ID: <4E860BF6.1060303@FreeBSD.org>
Subject: Re: ipfw doesn't support IPv6 PPTP VPN (IPFW2: IPV6 - Unknown Extension Header(47))

Hi.

Olivier Cochard-Labbé wrote:
> I've got 2 PPTP VPN tunnels (using net/mpd5) between 2 FreeBSD based
> router (8.2-RELEASE-p3) :
> One IPv6 tunnel (IPv6 end point addresses) and one IPv4 tunnel (IPv4
> end points addresses), and would to try to enable IPFW between them.
> I've first begin to enable IPFW in open mode, but as soon as I enable
> it, my IPv6 tunnel goes down and my console fill with theses messages
> :
>
> IPFW2: IPV6 - Unknown Extension Header(47), ext_hd=0
>
> And there is no denied rules matched:
>
> [root@R4]~# ipfw -a list
> 00100     0      0 allow ip from any to any via lo0
> 00200     0      0 deny ip from any to 127.0.0.0/8
> 00300     0      0 deny ip from 127.0.0.0/8 to any
> 00400     0      0 deny ip from any to ::1
> 00500     0      0 deny ip from ::1 to any
> 00600     7    536 allow ipv6-icmp from :: to ff02::/16
> 00700    49   3336 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800    20   1736 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900     0      0 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000    50   3400 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> 65000  1727 102386 allow ip from any to any
> 65535     0      0 deny ip from any to any
>
> I don't think it's a normal behaviour: Does anyone know how to fix that ?
>
> If you need more information on this setup, all configuration are
> online (It's router 4):
> http://bsdrp.net/documentation/examples/maximum_bsdrp_features_lab

A quick look at the ipfw kernel sources showed a sysctl controlling that: net.inet6.ip6.fw.deny_unknown_exthdrs. You may try setting it to zero.

IPv6 is more flexible in stacking different packet headers, and so things like an unknown protocol code, which are usual for IPv4, may not be an easy question for an IPv6 firewall. I am not very good at IPv6, but the present behaviour looks too strict to me. I am not sure why the same logic can't be used as with non-first fragments of fragmented IPv4, where an "allow all" that doesn't look inside (not mentioning protocol or ports) should still match.
-- 
Alexander Motin

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 30 19:34:15 2011
From: Olivier Cochard-Labbé
To: Alexander Motin
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 30 Sep 2011 21:26:22 +0200
In-Reply-To: <4E860BF6.1060303@FreeBSD.org>
Subject: Re: ipfw doesn't support IPv6 PPTP VPN (IPFW2: IPV6 - Unknown Extension Header(47))

2011/9/30 Alexander Motin:
> Quick look on ipfw kernel sources shown sysctl
> controlling that:
> net.inet6.ip6.fw.deny_unknown_exthdrs. You may try set it to zero.
>

Thanks a lot! This solves the first problem: my IPv6 tunnel is permitted again.

Need to find out how to prevent the log message, because my console is still full of "IPFW2: IPV6 - Unknown Extension Header(47), ext_hd=0".

Regards,

Olivier
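As an added example, not from the thread and not FreeBSD's code: a walker over the IPv6 next-header chain that makes the distinction Alexander's reply is pointing at. A firewall has to step through the extension headers (hop-by-hop, routing, fragment, AH, destination options) to reach the transport protocol; a value it has no handler for is neither a known extension header nor a known upper-layer protocol, and in Olivier's case that value is 47, GRE, which carries the PPTP tunnel's data (the ext_hd=0 in his message is consistent with no extension header preceding it). A knob in the role of net.inet6.ip6.fw.deny_unknown_exthdrs decides whether that outcome is a drop even under "allow ip from any to any". The NH_ constant names, the packet builder, the verdict function and the constructed packets are assumptions of this example; the header-length rules are those of RFC 2460 (the IPv6 spec at the time: (len+1)*8 bytes, fragment header fixed at 8) and RFC 4302 for AH ((len+2)*4 bytes).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv6 next-header numbers used below (IANA protocol numbers). The NH_ names are
 * this example's own, chosen not to clash with <netinet/in.h>. */
#define NH_HOPOPTS   0    /* extension header */
#define NH_TCP       6
#define NH_UDP      17
#define NH_ROUTING  43    /* extension header */
#define NH_FRAGMENT 44    /* extension header, always 8 bytes */
#define NH_GRE      47    /* carries PPTP tunnel data; NOT an extension header */
#define NH_AH       51    /* extension header, length in 32-bit words (RFC 4302) */
#define NH_ICMPV6   58
#define NH_DSTOPTS  60    /* extension header */

enum walk_result { WALK_UPPER, WALK_UNKNOWN, WALK_TRUNCATED };
struct walk {
    enum walk_result res;
    uint8_t final_proto;   /* next-header value at which the walk stopped */
    int     ext_count;     /* extension headers stepped over */
    size_t  payload_off;   /* offset of the upper-layer header, when reached */
};

static bool is_ext_hdr(uint8_t nh)
{
    return nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_FRAGMENT ||
           nh == NH_AH || nh == NH_DSTOPTS;
}

static bool is_known_upper(uint8_t nh)
{
    return nh == NH_TCP || nh == NH_UDP || nh == NH_ICMPV6;
}

/* Follow the next-header chain from the 40-byte base header until a value that is
 * not an extension header appears. Each header is bounds-checked before use. */
static struct walk walk_ipv6(const uint8_t *pkt, size_t len)
{
    struct walk w = { WALK_TRUNCATED, 0, 0, 0 };
    size_t off = 40;
    if (len < 40)
        return w;
    uint8_t nh = pkt[6];                                  /* base header Next Header */
    while (is_ext_hdr(nh)) {
        size_t hlen;
        w.final_proto = nh;
        if (off + 2 > len)                                /* next-header + length byte */
            return w;
        if (nh == NH_FRAGMENT)  hlen = 8;
        else if (nh == NH_AH)   hlen = ((size_t)pkt[off + 1] + 2) * 4;
        else                    hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* RFC 2460 */
        if (off + hlen > len)
            return w;
        w.ext_count++;
        nh = pkt[off];                                    /* this header names the next */
        off += hlen;
    }
    w.final_proto = nh;
    w.payload_off = off;
    w.res = is_known_upper(nh) ? WALK_UPPER : WALK_UNKNOWN;
    return w;
}

/* Verdict of an "allow ip from any to any" rule under either setting of a
 * deny-unknown-extension-headers knob (the role net.inet6.ip6.fw.deny_unknown_exthdrs
 * plays). 1 = pass, 0 = drop. A chain that runs off the packet is dropped either way. */
static int verdict_allow_any(const uint8_t *pkt, size_t len, bool deny_unknown_exthdrs)
{
    struct walk w = walk_ipv6(pkt, len);
    if (w.res == WALK_TRUNCATED)
        return 0;
    return (w.res == WALK_UNKNOWN && deny_unknown_exthdrs) ? 0 : 1;
}

/* Constructed packet: base header, n_ext minimal 8-byte extension headers in the
 * given order, then `upper` as the final protocol over 8 filler bytes. Addresses
 * stay zero; they play no part in the walk. Returns the length, or 0 if cap is short. */
static size_t build_pkt(uint8_t *buf, size_t cap, const uint8_t *ext, size_t n_ext, uint8_t upper)
{
    size_t off = 40;
    if (cap < 48 + 8 * n_ext)
        return 0;
    memset(buf, 0, 40);
    buf[0] = 0x60;                                        /* version 6 */
    buf[6] = n_ext ? ext[0] : upper;
    buf[7] = 64;                                          /* hop limit */
    for (size_t i = 0; i < n_ext; i++, off += 8) {
        memset(buf + off, 0, 8);                          /* hdr ext len 0 -> 8 bytes */
        buf[off] = (i + 1 < n_ext) ? ext[i + 1] : upper;  /* next header */
    }
    memset(buf + off, 0xAB, 8);
    off += 8;
    buf[4] = (uint8_t)((off - 40) >> 8);                  /* payload length */
    buf[5] = (uint8_t)(off - 40);
    return off;
}

static void report(const char *label, const uint8_t *pkt, size_t n)
{
    struct walk w = walk_ipv6(pkt, n);
    printf("%-14s proto %u after %d ext hdrs -> deny_unknown=1: %s, =0: %s\n", label,
           w.final_proto, w.ext_count, verdict_allow_any(pkt, n, true) ? "pass" : "DROP",
           verdict_allow_any(pkt, n, false) ? "pass" : "DROP");
}

int main(void)
{
    uint8_t buf[128];
    const uint8_t chain[] = { NH_HOPOPTS, NH_FRAGMENT };
    report("GRE:", buf, build_pkt(buf, sizeof buf, NULL, 0, NH_GRE));  /* Olivier's packets */
    report("HBH+FRAG+UDP:", buf, build_pkt(buf, sizeof buf, chain, 2, NH_UDP));
    return 0;
}
```

The walk stops at the first number it cannot classify and leaves the policy decision to the caller; that split is why a "lenient" setting can pass GRE under an allow-all rule while a rule that names a protocol or port still has nothing to match against. A real firewall would also cap the number of headers it is willing to walk and treat a chain that runs past the packet as malformed, which is what the truncation branch does here.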