From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 12 17:00:04 2009
Date: Sun, 12 Jul 2009 17:00:03 GMT
Message-Id: <200907121700.n6CH035U059284@freefall.freebsd.org>
From: Nicolas Rachinsky
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/112561: [ipfw] ipfw fwd does not work with some TCP packets

The following reply was made to PR kern/112561; it has been noted by GNATS.

From: Nicolas Rachinsky
To: bug-followup@FreeBSD.org, myz@csu.ru
Subject: Re: kern/112561: [ipfw] ipfw fwd does not work with some TCP packets
Date: Sun, 12 Jul 2009 18:38:44 +0200

Hallo,

this might be solved by the patch in kern/136695.
Nicolas

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 13 11:06:57 2009
Date: Mon, 13 Jul 2009 11:06:57 GMT
Message-Id: <200907131106.n6DB6uld040646@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

59 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 14 08:12:46 2009
Date: Tue, 14 Jul 2009 08:12:46 GMT
Message-Id: <200907140812.n6E8CkPX076050@freefall.freebsd.org>
From: bz@FreeBSD.org
To: bz@FreeBSD.org, freebsd-net@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/136695: [ipfw] [patch] fwd reached after skipto in dynamic rules does not work in every case

Old Synopsis: [ip] [patch] fwd reached after skipto in dynamic rules does not work in every case
New Synopsis: [ipfw] [patch] fwd reached after skipto in dynamic rules does not work in every case

Responsible-Changed-From-To: freebsd-net->freebsd-ipfw
Responsible-Changed-By: bz
Responsible-Changed-When: Tue Jul 14 08:12:22 UTC 2009
Responsible-Changed-Why:
Re-assign to the right list.
http://www.freebsd.org/cgi/query-pr.cgi?pr=136695

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 14 20:17:03 2009
From: "David A. Horvay - MRINetwork"
Date: Tue, 14 Jul 2009 15:45:42 -0400
Organization: Ultimate Placements, LLC
Message-ID: <80CE6EE175AE42CC96E6C14733FA58C3@scmedina17>
Reply-To: dhorvay@4whitetiger.com
Subject: Atheros wireless device driver developer

Hello Everyone,

I have an opportunity for a device driver developer with a heavy wireless Atheros background.

Please let me know if anyone is interested or might know someone.

Please see job description below.

Thank you very much....

-Dave

Senior Software Engineer with WLAN Device Driver Development Experience

The ideal candidate will have several years of communication experience as well as experience programming low level hardware drivers.

Requirements:
  * BSCS or BSEE or relevant experience
  * 5+ years of experience in development of WLAN device drivers
  * Fluency in coding and debugging C
  * Experience with Atheros drivers a plus
  * Expertise in one or more of these protocols:
      § 802.11
      § ATM
      § Sonet/SDH
      § NDIS
      § Bluetooth
      § Ethernet, GBit Ethernet
  * Experience with one or more of the following operating systems:
      § MS Windows, WinCE
      § Linux
      § Embedded RTOS

David A. Horvay
Sr. Account Executive
Technology Solutions Division
MRINetwork Ultimate Placements, LLC
One Park Centre Drive, Suite 305A
TF: 877-334-0285 ext. 202
dhorvay@4whitetiger.com
http://www.linkedin.com/in/davidhorvay
www.MRINetwork.com

BUILDING THE HEART OF BUSINESS (TM)

Please understand my mission at MRI Ultimate Placements is to partner with those select clients where there is a philosophical fit. My goal has never been to be all things to all people. "As a client-focused search consultant I evaluate each potential assignment based on alignment with my area of expertise and the timing and urgency of each search."

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 14 21:55:40 2009
From: Dmitriy Demidov
To: freebsd-ipfw@freebsd.org
Date: Tue, 14 Jul 2009 23:55:34 +0300
Message-Id: <200907142355.34973.dima_bsd@inbox.lv>
Subject: ipfw nat and localy initiated UDP traffic

Hi list.

I have a problem with ipfw nat. It makes me crazy (I really have no idea how to troubleshoot this problem). Looks like ipfw nat does not pass through itself locally initiated UDP traffic! Is there any hint that I do not know about ipfw nat?
Any clue please :(

ipfw configuration: (fxp0 is the local network, and em0 is the ISP side)
===
add allow ip from any to any via fxp0
add allow udp from any 68 to any 67
add allow udp from any 67 to any 68
nat 1 config log if em0 reset same_ports deny_in
add nat 1 all from any to any via em0
===

When I start nslookup and do a query from the NAT machine, I get:
===
(tcpdump on em0)
23:24:10.591959 IP (tos 0x0, ttl 64, id 2646, offset 0, flags [none], proto UDP (17), length 64) 87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
23:24:15.591009 IP (tos 0x0, ttl 64, id 2647, offset 0, flags [none], proto UDP (17), length 64) 87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)
23:24:20.591563 IP (tos 0x0, ttl 64, id 2674, offset 0, flags [none], proto UDP (17), length 64) 87.110.118.70.52697 > 91.198.156.20.53: 58731+ A? forums.freebsd.org. (36)

(nslookup)
> server
Default server: 91.198.156.20
Address: 91.198.156.20#53
> forums.freebsd.org.
;; connection timed out; no servers could be reached
===

At the same time, if I make a query from a machine that is in the 192.168.1.0/24 network (behind nat) I get the correct result:
===
(tcpdump on em0)
23:24:59.360796 IP (tos 0x0, ttl 63, id 581, offset 0, flags [none], proto UDP (17), length 64) 87.110.118.70.61735 > 91.198.156.20.53: 16871+ A? forums.freebsd.org. (36)
23:25:01.052611 IP (tos 0x0, ttl 60, id 49380, offset 0, flags [none], proto UDP (17), length 224) 91.198.156.20.53 > 87.110.118.70.61735: 16871 2/3/3 forums.freebsd.org. CNAME[|domain]

(nslookup)
> server
Default server: 91.198.156.20
Address: 91.198.156.20#53
> forums.freebsd.org.
Server: 91.198.156.20
Address: 91.198.156.20#53

Non-authoritative answer:
forums.freebsd.org canonical name = freebsd-forums.liquidneon.com.
Name: freebsd-forums.liquidneon.com
Address: 149.20.54.209
===

On the NAT machine I'm using FreeBSD 7.2-STABLE (FreeBSD 7.2-STABLE #0: Wed Jun 24 12:59:06 EEST 2009 i386).
GENERIC kernel with extra options:
===
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_NAT
options LIBALIAS
options DUMMYNET
options HZ="1000"
device vlan
===

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 16 10:11:54 2009
From: Kim Attree
To: Kim Attree
Cc: "freebsd-ipfw@freebsd.org"
Date: Thu, 16 Jul 2009 12:12:34 +0200
Message-ID: <00265389C30B444288C246DF37651D0C37970A1028@server-02.playsafesa.com>
In-Reply-To: <00265389C30B444288C246DF37651D0C37698F395A@server-02.playsafesa.com>
Subject: RE: Problem with source based policy routing
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Kim Attree
> Sent: 07 July 2009 09:21 AM
> To: Giuliano Gavazzi
> Cc: freebsd-ipfw@freebsd.org
> Subject: RE: Problem with source based policy routing
>
> > -----Original Message-----
> > From: Giuliano Gavazzi [mailto:dev+lists@humph.com]
> > Sent: 06 July 2009 06:54 PM
> > To: Kim Attree
> > Cc: freebsd-ipfw@freebsd.org
> > Subject: Re: Problem with source based policy routing
> >
> > On M 6 Jul, 2009, at 15:35 , Kim Attree wrote:
> >
> > > I have one Internal Exchange server (don't laugh), and NAT handles
> > > the static mapping of IP/Port to that server. The original point
> > > here is to have two mapped NAT port 25's to the same internal Mail
> > > server, hence the addition of the NAT before and during the forward
> > > logic (obviously wrong though).
> >
> > ah, if you want to have an internal server to be reachable on both
> > public addresses, via the corresponding two firewall interfaces, you
> > must have a way to tell the firewall how to distinguish the return
> > packets in order to use the correct natd instance. If the internal
> > exchange server port is the same, there is no way telling that. At
> > most you could use the peer port, but even that would not be
> > failproof, and I would not know how to proceed (I think dynamic rules
> > can only establish holes - allow action - in the firewall, not a fwd
> > action). So you must use two different ports or alias addresses on the
> > exchange server, and divert to the appropriate outgoing natd instance
> > on the basis of that.
> >
> > I have not enough time at the moment to write down a complete
> > workflow, but I hope this, with the remarks in my previous post, gives
> > you enough hints.
>
> It has, I realised that the return traffic needs differing source IP's
> - I've added another IP and SMTP Connector to exchange and will test
> the theory out today.

SUCCESS !!!!!

I set up the Microsoft server to have a second SMTP connector on 10.0.0.2:588

NATD setup as follows:

port 8669
alias_address 192.168.2.1
same_ports yes
use_sockets yes
log_ipfw_denied yes
redirect_port tcp 10.0.0.2:588 192.168.2.1:25

Then, in IPFW: (Making sure packets hit the NAT first...:)

add 00079 divert 8669 all from any to any via re1
add 00080 skipto 00082 all from 10.0.0.2 to 10.0.0.0/20
add 00080 skipto 00082 all from not 10.0.0.2 to any
add 00081 fwd 192.168.2.254 all from 10.0.0.2 to any

And a quick test from an outside server 12000 miles away:

[root@bubbles ~]# telnet 192.168.2.1 25
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
220 xxx.xxx.com Microsoft ESMTP MAIL Service ready at Thu, 16 Jul 2009 12:10:51 +0200
quit
221 2.0.0 Service closing transmission channel
Connection closed by foreign host.

Thanks again Giuliano !!!

Kim Attree

>
>
> > Giuliano
>
> Thanks,
>
> Kim

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 16 19:19:08 2009
From: Dmitriy Demidov
To: freebsd-ipfw@freebsd.org
Date: Thu, 16 Jul 2009 22:19:04 +0300
References: <200907142355.34973.dima_bsd@inbox.lv>
In-Reply-To: <200907142355.34973.dima_bsd@inbox.lv>
Message-Id: <200907162219.04986.dima_bsd@inbox.lv>
Subject: Re: ipfw nat and localy initiated UDP traffic (bad udp cksum)

On Tuesday 14 July 2009, Dmitriy Demidov wrote:
> Hi list.
>
> I have a problem with ipfw nat. It makes me crazy (I really have no idea
> how to troubleshoot this problem).
> Looks like ipfw nat does not pass through
> itself locally initiated UDP traffic! Is there any hint that I do not know
> about ipfw nat? Any clue please :(
>

Update about this issue.

There is something wrong with UDP pass through - ipfw nat makes it "bad cksum".

tcpdump on the ISP-side nic (tcpdump -i 2 -X -vvv -n -l ip) shows this:

for locally initiated UDP/DNS traffic:
====
21:58:30.116680 IP (tos 0x0, ttl 64, id 6212, offset 0, flags [none], proto UDP (17), length 61) 87.110.108.74.62365 > 91.198.156.20.53: [bad udp cksum aa89!] 50277+ A? www.freebsd.org. (33)
        0x0000:  4500 003d 1844 0000 4011 a6d9 576e 6c4a  E..=.D..@...WnlJ
        0x0010:  5bc6 9c14 f39d 0035 0029 bbcd c465 0100  [......5.)...e..
        0x0020:  0001 0000 0000 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01         ebsd.org.....
21:58:35.116809 IP (tos 0x0, ttl 64, id 6239, offset 0, flags [none], proto UDP (17), length 61) 87.110.108.74.62365 > 91.198.156.20.53: [bad udp cksum aa89!] 50277+ A? www.freebsd.org. (33)
        0x0000:  4500 003d 185f 0000 4011 a6be 576e 6c4a  E..=._..@...WnlJ
        0x0010:  5bc6 9c14 f39d 0035 0029 bbcd c465 0100  [......5.)...e..
        0x0020:  0001 0000 0000 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01         ebsd.org.....
21:58:40.117744 IP (tos 0x0, ttl 64, id 6240, offset 0, flags [none], proto UDP (17), length 61) 87.110.108.74.62365 > 91.198.156.20.53: [bad udp cksum
====

for UDP/DNS traffic that passes via nat from the local network:
====
21:58:21.925741 IP (tos 0x0, ttl 63, id 632, offset 0, flags [none], proto UDP (17), length 61) 87.110.108.74.58124 > 91.198.156.20.53: [udp sum ok] 36465+ A? www.freebsd.org. (33)
        0x0000:  4500 003d 0278 0000 3f11 bda5 576e 6c4a  E..=.x..?...WnlJ
        0x0010:  5bc6 9c14 e30c 0035 0029 8bfd 8e71 0100  [......5.)...q..
        0x0020:  0001 0000 0000 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01         ebsd.org.....
21:58:21.932623 IP (tos 0x0, ttl 59, id 39585, offset 0, flags [none], proto UDP (17), length 165) 91.198.156.20.53 > 87.110.108.74.58124: 36465 q: A? www.freebsd.org. 1/3/0 www.freebsd.org. A 69.147.83.33 ns: freebsd.org.[|domain]
        0x0000:  4500 00a5 9aa1 0000 3b11 2914 5bc6 9c14  E.......;.).[...
        0x0010:  576e 6c4a 0035 e30c 0091 8f66 8e71 8180  WnlJ.5.....f.q..
        0x0020:  0001 0001 0003 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01c0 0c00  ebsd.org........
        0x0040:  0100 0100 000b 6600 0445 9353 21c0 1000  ......f..E.S!...
        0x0050:  0200                                     ..
====

ipfw config:
====
add allow ip from any to any via fxp0
add allow udp from any 68 to any 67
add allow udp from any 67 to any 68
add count ip from any to any
nat 1 config log if em0 reset same_ports deny_in
nat 2 config log if em0
nat 3 config log if em0 reset same_ports deny_in
add count ip from any to any
add nat 1 tcp from any to any out xmit em0
add nat 2 udp from any to any out xmit em0
add nat 3 icmp from any to any out xmit em0
add nat 1 tcp from any to me in recv em0
add nat 2 udp from any to me in recv em0
add nat 3 icmp from any to me in recv em0
add count ip from any to any
====

ipfw show
====
00100 1642 372640 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00400    9    990 allow ip from any to any via fxp0
00500    0      0 allow udp from any 68 to any dst-port 67
00600    0      0 allow udp from any 67 to any dst-port 68
00700   25   1404 count ip from any to any
00800   25   1404 count ip from any to any
00900    0      0 nat 1 tcp from any to any out xmit em0
01000    7    427 nat 2 udp from any to any out xmit em0
01100    0      0 nat 3 icmp from any to any out xmit em0
01200   17    812 nat 1 tcp from any to me in recv em0
01300    1    165 nat 2 udp from any to me in recv em0
01400    0      0 nat 3 icmp from any to me in recv em0
01500    0      0 count ip from any to any
65535    3    520 deny ip from any to any
====

uname -a
FreeBSD hius.local.home 7.2-STABLE FreeBSD 7.2-STABLE #0: Wed Jul 15 20:59:17 EEST 2009     root@hius.local.home:/usr/obj/usr/src/sys/STABLE  i386

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 16 19:50:53 2009
From: Dmitriy Demidov
To: Chuck Swiger
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 16 Jul 2009 22:50:51 +0300
References: <200907142355.34973.dima_bsd@inbox.lv> <200907162219.04986.dima_bsd@inbox.lv> <2CE3CD12-D430-4378-92C1-591227888428@mac.com>
In-Reply-To: <2CE3CD12-D430-4378-92C1-591227888428@mac.com>
Message-Id: <200907162250.51585.dima_bsd@inbox.lv>
Subject: Re: ipfw nat and localy initiated UDP traffic (bad udp cksum)

On Thursday 16 July 2009, Chuck Swiger wrote:
> On Jul 16, 2009, at 12:19 PM, Dmitriy Demidov wrote:
> > Update about this issue.
> > There is something wrong with UDP pass through - ipfw nat makes it
> > "bad cksum".
>
> tcpdump receives local network traffic before the checksums are
> computed (especially if hardware checksums are enabled); this is a
> non-issue, although you could confirm by sniffing the traffic from an
> external machine like a laptop.
>
> Regards,

Wow! :) Thank you Chuck for this hint! I caught the problem!

My em0 has offload options on, so I turned them off and now all is working as expected.

before:
===
em0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00:20:ed:91:97:93
        inet 87.110.108.74 netmask 0xfffffe00 broadcast 255.255.255.255
        media: Ethernet autoselect (100baseTX )
        status: active
===

after:
===
em0: flags=8843 metric 0 mtu 1500
        options=98
        ether 00:20:ed:91:97:93
        inet 87.110.108.74 netmask 0xfffffe00 broadcast 255.255.255.255
        media: Ethernet autoselect (100baseTX )
        status: active
===

dmesg | grep em0
===
em0: port 0xa000-0xa03f mem 0xdb100000-0xdb11ffff irq 21 at device 9.0 on pci2
em0: [FILTER]
em0: Ethernet address: 00:20:ed:91:97:93
===

pciconf -lv
===
em0@pci0:2:9:0: class=0x020000 card=0x30138086 chip=0x100e8086 rev=0x02 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Gigabit Ethernet Controller (82540EM)'
    class      = network
    subclass   = ethernet
===

Does this look like a bug (em drivers, nat, etc...) or not? Should I make a new PR for this problem?
From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 16 20:22:45 2009
Message-id: <2CE3CD12-D430-4378-92C1-591227888428@mac.com>
From: Chuck Swiger
To: Dmitriy Demidov
Cc: freebsd-ipfw@freebsd.org
In-reply-to: <200907162219.04986.dima_bsd@inbox.lv>
Date: Thu, 16 Jul 2009 12:22:32 -0700
References: <200907142355.34973.dima_bsd@inbox.lv> <200907162219.04986.dima_bsd@inbox.lv>
Subject: Re: ipfw nat and localy initiated UDP traffic (bad udp cksum)

On Jul 16, 2009, at 12:19 PM, Dmitriy Demidov wrote:
> Update about this issue.
> There is something wrong with UDP pass through - ipfw nat makes it
> "bad cksum".

tcpdump receives local network traffic before the checksums are computed (especially if hardware checksums are enabled); this is a non-issue, although you could confirm by sniffing the traffic from an external machine like a laptop.

Regards,
-- 
-Chuck
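The check Chuck describes, carried out on the bytes Dmitriy posted, as an added example that is not code from the thread: it rebuilds the two datagrams from the `tcpdump -X` dumps above (the locally originated query flagged "bad udp cksum aa89" and the LAN query reported "udp sum ok"), recomputes their UDP checksums, and shows that the "bad" packet's checksum field is not garbage but the uncomplemented IPv4 pseudo-header sum, which is what the FreeBSD stack leaves in the field when it defers the UDP checksum to a NIC with TXCSUM enabled. Only the hex bytes come from the post; the parser and checksum helpers are my own.

```python
"""Recompute UDP checksums from two 'tcpdump -X' dumps posted in this thread.

Added example, not code from the thread. The hex bytes are copied verbatim
from Dmitriy's update; the parsing and checksum helpers are mine.
"""
import re
import struct

# Copied from the post: query sent by the NAT box itself.
# tcpdump reported it as "[bad udp cksum aa89!]".
LOCAL_QUERY_DUMP = """
0x0000:  4500 003d 1844 0000 4011 a6d9 576e 6c4a  E..=.D..@...WnlJ
0x0010:  5bc6 9c14 f39d 0035 0029 bbcd c465 0100  [......5.)...e..
0x0020:  0001 0000 0000 0000 0377 7777 0766 7265  .........www.fre
0x0030:  6562 7364 036f 7267 0000 0100 01         ebsd.org.....
"""

# Copied from the post: query from the LAN after ipfw nat rewrote it.
# tcpdump reported it as "[udp sum ok]".
NATED_QUERY_DUMP = """
0x0000:  4500 003d 0278 0000 3f11 bda5 576e 6c4a  E..=.x..?...WnlJ
0x0010:  5bc6 9c14 e30c 0035 0029 8bfd 8e71 0100  [......5.)...q..
0x0020:  0001 0000 0000 0000 0377 7777 0766 7265  .........www.fre
0x0030:  6562 7364 036f 7267 0000 0100 01         ebsd.org.....
"""

HEXWORD = re.compile(r"^[0-9a-f]{2}(?:[0-9a-f]{2})?$")


def parse_hexdump(dump):
    """Rebuild raw packet bytes from 'tcpdump -X' lines.

    Each line is '<offset>:', up to 8 hex words, then an ASCII gutter. Only
    the first 8 tokens that look like 2- or 4-digit hex are taken, so the
    gutter (which shows '.' for unprintable bytes) is skipped.
    """
    raw = bytearray()
    for line in dump.strip().splitlines():
        _, _, body = line.partition(":")
        for token in body.split()[:8]:
            if not HEXWORD.match(token):
                break
            raw += bytes.fromhex(token)
    return bytes(raw)


def ones_complement_sum(data):
    """RFC 1071 16-bit one's-complement sum with end-around carry (no final NOT)."""
    if len(data) % 2:
        data += b"\x00"  # an odd trailing byte is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(ip):
    """IPv4 pseudo-header for UDP: src, dst, zero byte, proto 17, UDP length."""
    ihl = (ip[0] & 0x0F) * 4
    return ip[12:20] + b"\x00\x11" + struct.pack("!H", len(ip) - ihl)


def udp_checksum_report(ip):
    """Compare the UDP checksum on the wire with what it should be."""
    ihl = (ip[0] & 0x0F) * 4
    udp = ip[ihl:]
    on_wire = struct.unpack("!H", udp[6:8])[0]
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    correct = 0xFFFF ^ ones_complement_sum(pseudo_header(ip) + zeroed)
    # What tcpdump -vv checks: the sum over pseudo-header + UDP including the
    # checksum field, complemented. Zero means the checksum verifies. For the
    # local query this is 0x89aa; tcpdump on that i386 host printed the raw
    # in_cksum() result, so it appeared byte-swapped as "aa89".
    residual = 0xFFFF ^ ones_complement_sum(pseudo_header(ip) + udp)
    # When the FreeBSD stack hands a UDP datagram to a NIC with TXCSUM enabled,
    # it stores only the (uncomplemented) pseudo-header sum in the field and
    # lets the hardware finish it; the BPF tap sees the packet at that stage.
    placeholder = ones_complement_sum(pseudo_header(ip))
    return {
        "on_wire": on_wire,
        "correct": correct,
        "residual": residual,
        "verifies": residual == 0,
        "is_offload_placeholder": on_wire == placeholder,
    }


if __name__ == "__main__":
    for name, dump in (("local query", LOCAL_QUERY_DUMP),
                       ("NATed query", NATED_QUERY_DUMP)):
        r = udp_checksum_report(parse_hexdump(dump))
        print("%-12s field=0x%04x correct=0x%04x residual=0x%04x "
              "verifies=%s offload_placeholder=%s"
              % (name, r["on_wire"], r["correct"], r["residual"],
                 r["verifies"], r["is_offload_placeholder"]))
```

In Dmitriy's ifconfig output, options=9b before and options=98 after differ in bits 0x1 and 0x2, the RXCSUM and TXCSUM capabilities, so with offload off the kernel finishes the checksum in software before the BPF tap sees the packet. A capture taken on another host, as Chuck suggests, avoids the question entirely.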