From: Özkan KIRIK
To: freebsd-ipfw@freebsd.org
Date: Tue, 17 Feb 2009 00:12:55 +0200
Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
In-Reply-To: <200902161428.n1GESLvL015103@lurza.secnetix.de>

Thanks for your reply, it is only a typo. In the real rule set it is written correctly. I want to use stateful inspection.

On Mon, Feb 16, 2009 at 4:28 PM, Oliver Fromme wrote:
> Hello,
>
> Unfortunately I can't help you with your actual problem,
> but I have a few remarks that might be helpful.
>
> Özkan KIRIK wrote:
> > I am using FreeBSD 7.1 RELEASE as a gateway (about 2000 clients, 90 VLANs
> > via if_vlan).
> > My server is an HP DL380 G4. I am using the on-board gigabit NIC as the WAN
> > interface, which uses the bge driver.
> >
> > My rule set is below:
> >
> > wan_intf="bge1"
> > ipfw nat 100 config ip X.X.X.1 reset same_ports
> > ipfw nat 101 config ip X.X.X.2 reset same_ports
> > ipfw nat 102 config ip X.X.X.3 reset same_ports
> > ...
> > ...
> > ipfw add 5 allow all from any to any layer2
> > ipfw add 50 checkstate
>
> Note: It is spelled "check-state". Please verify that you
> have it correctly in your ipfw script.
>
> > ...
> > ... Other port forwarding and static nat rules without keep-state
> > ...
> > ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
> > ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
> > ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
> > ...
> > ...
> > ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
> > ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
> > ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
> > ...
> > ...
> >
> > About 2 minutes after applying this rule set, the system writes
> > "bge1 watchdog timeout --- resetting" and then the system hangs; the keyboard
> > doesn't respond. No logs can be observed.
> >
> > When I remove all skipto and checkstate rules, the system works properly
> > without problems. I suspect the stateful inspection code.
>
> If you don't have an explicit check-state rule, then there's
> an implicit check-state rule at the first keep-state.
> If you don't want any check-state at all, you must remove
> all stateful rules (i.e. all "keep-state" rules).
>
> Best regards
> Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
> Commercial register: Registry Court Munich, HRA 74606, management:
> secnetix Verwaltungsgesellsch. mbH, commercial register: Registry Court
> Munich, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
>
> FreeBSD services, products and more: http://www.secnetix.de/bsd
>
> $ dd if=/dev/urandom of=test.pl count=1
> $ file test.pl
> test.pl: perl script text executable
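As an added example (not code from the thread, nor from FreeBSD or ipfw itself): a small shell linter for an ipfw rule script that flags the two points Oliver raises above, the "checkstate" spelling and a keep-state rule with no explicit check-state before it. The rule file it checks is constructed here, modelled on the posted rule set with documentation addresses in place of the poster's X.X.X.n; the function names are my own.

```shell
# lint_ipfw_rules FILE
#   - reports "checkstate" (ipfw only knows the keyword "check-state")
#   - notes the first keep-state rule that has no explicit check-state
#     before it, since ipfw then performs an implicit check-state there
# Prints findings; returns 1 if the typo is present, 0 otherwise.
lint_ipfw_rules() {
    awk '
        /^[[:space:]]*#/ { next }          # skip comment lines
        !/ipfw[[:space:]]+add/ { next }    # only "ipfw add" rule lines matter
        /checkstate/ {
            printf "typo: \"checkstate\" should be \"check-state\": %s\n", $0
            bad = 1
        }
        /check-state/ { seen_cs = 1 }
        /keep-state/ && !seen_cs && !warned {
            printf "note: first keep-state rule with no explicit check-state before it (ipfw adds an implicit one here): %s\n", $0
            warned = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# write_sample_rules FILE: constructed rule set (one NAT instance shown),
# with the same "checkstate" typo as in the post
write_sample_rules() {
    cat > "$1" <<'EOF'
wan_intf="bge1"
ipfw nat 100 config ip 192.0.2.1 reset same_ports
ipfw add 5 allow all from any to any layer2
ipfw add 50 checkstate
ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from 192.0.2.1 to any setup keep-state via $wan_intf
ipfw add 51000 nat 100 all from any to 192.0.2.1 via $wan_intf
EOF
}

# fix_checkstate IN OUT: write a copy of IN with the keyword corrected
fix_checkstate() {
    sed 's/checkstate/check-state/g' "$1" > "$2"
}
```

Run the linter on the generated file once with the typo and once after fix_checkstate: the first run reports both findings and exits 1, the second is silent and exits 0.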