From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 3 15:30:42 2013
From: Fabian Wenk <fabian@wenks.ch>
Date: Sun, 03 Nov 2013 16:30:37 +0100
To: freebsd-ipfw@freebsd.org
Subject: Re: NAT/ipfw blocking internal traffic
Message-ID: <52766C1D.6020104@wenks.ch>
In-Reply-To: <1695827686.288.1383250242478.JavaMail.root@phantombsd.org>
References: <789665157.296.1383076677766.JavaMail.root@phantombsd.org> <1695827686.288.1383250242478.JavaMail.root@phantombsd.org>

Hello Casey

On 31.10.2013 21:10, Casey Scott wrote:
> The problem I'm encountering is that a portion of my outbound internal
> traffic is being blocked by ipfw. This is a fresh FreeBSD installation, so
> I'm kind of at a loss since the config matches the handbook. Any suggestions
> are appreciated.

Did it block only already open TCP sessions after you reloaded the
firewall rules? If yes, this is probably expected behavior because it
also flushed the states.

bye
Fabian

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 3 16:04:26 2013
From: Payam Chychi <pchychi@gmail.com>
Date: Sun, 3 Nov 2013 08:04:20 -0800
To: Casey Scott
Cc: freebsd-ipfw@freebsd.org
Subject: Re: NAT/ipfw blocking internal traffic
In-Reply-To: <1695827686.288.1383250242478.JavaMail.root@phantombsd.org>
References: <789665157.296.1383076677766.JavaMail.root@phantombsd.org> <1695827686.288.1383250242478.JavaMail.root@phantombsd.org>

Do you have logs of what's being dropped?

-- 
Payam Chychi
Network Engineer / Security Specialist

On Thursday, October 31, 2013 at 1:10 PM, Casey Scott wrote:
> Hello,
>
> My NAT and ipfw ruleset follow almost exactly what is given at
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html
>
> The problem I'm encountering is that a portion of my outbound internal
> traffic is being blocked by ipfw. This is a fresh FreeBSD installation, so
> I'm kind of at a loss since the config matches the handbook. Any suggestions
> are appreciated.
>
> uname -a
> ***********************************************
> FreeBSD hostname 9.2-RELEASE FreeBSD 9.2-RELEASE #6 r256447: Fri Oct 18
> 20:06:53 PDT 2013 root@hostname:/usr/src/sys/amd64/compile/hostname
> amd64
> ***********************************************
>
> /var/log/security:
> ***********************************************
> Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915
> 174.129.210.177:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876
> 65.126.84.88:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877
> 65.126.84.88:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921
> 208.85.40.45:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921
> 208.85.40.45:80 out via fxp0
> ***********************************************
>
> firewall script:
> ***********************************************
> #!/bin/sh
> cmd="ipfw -q add"
> skip="skipto 500"
> pif=fxp0
> ks="keep-state"
> good_tcpo="22,25,37,43,53,80,443"
>
> ipfw -q -f flush
>
> $cmd 002 allow all from any to any via em0 # exclude LAN traffic
> $cmd 003 allow all from any to any via lo0 # exclude loopback traffic
>
> $cmd 100 divert natd ip from any to any in via $pif
> $cmd 101 check-state
>
> # Authorized outbound packets
> $cmd 136 $skip udp from any to any 53 out via $pif $ks
> $cmd 150 $skip tcp from any to any $good_tcpo out via $pif setup $ks
> $cmd 151 $skip icmp from any to any out via $pif $ks
> $cmd 152 $skip udp from any to any 123 out via $pif $ks
>
> # Deny all inbound traffic from non-routable reserved address spaces
> $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
> $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
> $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
> $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
> $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
> $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
> $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
> $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
> $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
>
> # Authorized inbound packets
> $cmd 400 allow tcp from any to me 76 in via $pif setup limit src-addr 2
> $cmd 402 allow ip from any to me 53 in via $pif setup limit src-addr 2
> $cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> $cmd 421 allow tcp from any to me 80 in via $pif setup limit src-addr 2
>
> $cmd 450 deny log ip from any to any
>
> # This is skipto location for outbound stateful rules
> $cmd 500 divert natd ip from any to any out via $pif
> ***********************************************
>
> natd run options:
> ***********************************************
> /sbin/natd -dynamic -m -n fxp0
> ***********************************************
>
> -Casey

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 4 05:30:17 2013
From: Ian Smith <smithi@nimnet.asn.au>
Date: Mon, 4 Nov 2013 16:09:18 +1100 (EST)
To: Casey Scott
Cc: freebsd-ipfw@freebsd.org
Subject: Re: NAT/ipfw blocking internal traffic
In-Reply-To: <1695827686.288.1383250242478.JavaMail.root@phantombsd.org>
Message-ID: <20131104145819.J89530@sola.nimnet.asn.au>
References: <789665157.296.1383076677766.JavaMail.root@phantombsd.org> <1695827686.288.1383250242478.JavaMail.root@phantombsd.org>

On Thu, 31 Oct 2013 13:10:42 -0700, Casey Scott wrote:
> Hello,
>
> My NAT and ipfw ruleset follow almost exactly what is given at
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html

Almost, but perhaps not quite near enough.

Firstly, I'd normally advise largely ignoring the handbook section on
ipfw; it's wrong-headed in more ways than I care to detail, and contains
a number of factual errors that if taken as true will impede learning
about ipfw. I'd instead advise using the appropriate ruleset from
/etc/rc.firewall, in this case apparently the 'client' ruleset, however
let's have a look at it ..

> The problem I'm encountering is that a portion of my outbound internal
> traffic is being blocked by ipfw. This is a fresh FreeBSD installation, so
> I'm kind of at a loss since the config matches the handbook.
> Any suggestions
> are appreciated.
>
> uname -a
> ***********************************************
> FreeBSD hostname 9.2-RELEASE FreeBSD 9.2-RELEASE #6 r256447: Fri Oct 18
> 20:06:53 PDT 2013 root@hostname:/usr/src/sys/amd64/compile/hostname
> amd64
> ***********************************************
>
> /var/log/security:
> ***********************************************
> Oct 29 10:14:46 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:47 hostname kernel: ipfw: 450 Deny TCP 65.126.84.81:80
> 192.168.1.6:61681 in via fxp0
> Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915
> 174.129.210.177:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876
> 65.126.84.88:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61877
> 65.126.84.88:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921
> 208.85.40.45:80 out via fxp0
> Oct 29 10:17:58 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61921
> 208.85.40.45:80 out via fxp0
> ***********************************************

Ok, first to confirm that 192.168.1.6 is the address of your box, and
not another box on your LAN? ie, you are not doing NAT as gateway for
your LAN, but only for your single box? No gateway_enable set in
rc.conf? How are you connecting to your upstream gateway / ISP?

> firewall script:
> ***********************************************
> #!/bin/sh
> cmd="ipfw -q add"
> skip="skipto 500"
> pif=fxp0
> ks="keep-state"
> good_tcpo="22,25,37,43,53,80,443"
>
> ipfw -q -f flush
>
> $cmd 002 allow all from any to any via em0 # exclude LAN traffic

That would be no good if you were acting as the gateway for your LAN.

> $cmd 003 allow all from any to any via lo0 # exclude loopback traffic
>
> $cmd 100 divert natd ip from any to any in via $pif
> $cmd 101 check-state
>
> # Authorized outbound packets
> $cmd 136 $skip udp from any to any 53 out via $pif $ks
> $cmd 150 $skip tcp from any to any $good_tcpo out via $pif setup $ks
> $cmd 151 $skip icmp from any to any out via $pif $ks
> $cmd 152 $skip udp from any to any 123 out via $pif $ks
>
> # Deny all inbound traffic from non-routable reserved address spaces
> $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
> $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
> $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
> $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
> $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
> $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
> $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
> $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
> $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast

Ok, but see below re missing rule ..

> # Authorized inbound packets
> $cmd 400 allow tcp from any to me 76 in via $pif setup limit src-addr 2
> $cmd 402 allow ip from any to me 53 in via $pif setup limit src-addr 2

If you're running DNS for external hosts, you need to allow both tcp 53
and udp 53 in. 'ip' (or 'all') doesn't specify ports, and 'setup' only
applies to tcp, so that's wrong. If not serving DNS, drop this.

> $cmd 420 allow tcp from any to me 80 in via $pif setup limit src-addr 2
> $cmd 421 allow tcp from any to me 80 in via $pif setup limit src-addr 2

These are duplicates. And 'limit src-addr 2' is silly for web traffic;
any webpage you serve with say text and several images will likely want
at least several concurrent connections, many people run 'download
helpers' that open one connection per item. Change '2' to say '10', at
least while testing. Even 50 connections hardly constitutes a DoS.

Similarly, Joe's recommended logging limit of 5 is silly. Try 50 or the
default 100, again at least while testing. Add 'log' to any rules you
want to see working (pass or deny), and use the logging to watch and
learn about the various flows, until satisfied all is working properly.

Part of what's wrong here may be that you've left out an important rule
to use with an all-stateful ruleset (which I personally think overkill,
but sticking with this method ..), one that you've just missed; I'll
quote it from the block that comes BEFORE '# Authorised inbound pkts':

# Deny any late arriving packets
# DON'T DO IT, BAD ADVICE esp. UDP DNS:
### $cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

Some of those packets in your log may be of this type, and again may
come from the 'limit 2' .. all subsequent connections will be refused.

However, that doesn't explain why some of your outbound connections are
being denied, from above ..

=======
> Oct 29 10:14:54 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61915
> 174.129.210.177:80 out via fxp0
> Oct 29 10:17:55 hostname kernel: ipfw: 450 Deny TCP 192.168.1.6:61876
> 65.126.84.88:80 out via fxp0
=======

.. which can only get here by falling through ..

> $cmd 450 deny log ip from any to any

.. which isn't right, by that ruleset, it should be:

# Reject & Log all unauthorized out going connections to the public Internet
$cmd 450 deny log all from any to any out via $pif

Big difference .. your 450 is catching ALL traffic, in and out anywhere,
not just 'out via $pif', which really should be 'out xmit $pif' anyway.

And yet, I'm still bemused as to why that traffic wasn't passed to rule
500 by rule 150, so you might try fixing those things, adding more
logging (eg on rule 150), and trying again; report more logging on a
couple of controlled tests so it's clear what's happening.

> # This is skipto location for outbound stateful rules
> $cmd 500 divert natd ip from any to any out via $pif

which should be followed by, from that ruleset:

$cmd 801 allow ip from any to any # IMPORTANT if deny by default

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any # ADVISABLE

> ***********************************************
>
> natd run options:
> ***********************************************
> /sbin/natd -dynamic -m -n fxp0
> ***********************************************

Sadly that section is also well out of date; modern advice is to use
in-kernel NAT rather than natd(8), but you'd need to refer to ipfw(8)
for that. NATD still works, so that's unlikely an issue here.
HTH, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 4 11:06:51 2013
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
Date: Mon, 4 Nov 2013 11:06:50 GMT
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-Id: <201311041106.rA4B6or5048412@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.
S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/180731  ipfw       [ipfw] problem with displaying 255.255.255.255 address
o kern/180729  ipfw       [ipfw] ipfw nat show empty output
o kern/178482  ipfw       [ipfw] logging problem from vnet jail
o kern/178480  ipfw       [ipfw] dynamically loaded ipfw with a vimage kernel do
o kern/178317  ipfw       [ipfw] ipfw options need to specifed in specific order
o kern/177948  ipfw       [ipfw] ipfw fails to parse port ranges (p1-p2) for udp
o kern/176503  ipfw       [ipfw] ipfw layer2 problem
o conf/167822  ipfw       [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw       [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw       [ipfw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw       [ipfw] [lo] [patch] loopback interface is not marking
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       [ipfw] does not support specifying rules with ICMP cod
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
f kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

42 problems total.
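Fabian's reload hint and Ian's rule-by-rule walk-through of Casey's script above can be replayed against the logged packets. What follows is an added example, not code from any poster: a deliberately simplified Python model of ipfw's ordered evaluation, with rule numbers, options and packets taken from the thread. The kernel default-rule verdict for Casey's ruleset is an assumption (taken as 'allow', since most of his traffic does pass), and natd is modelled as a pass-through.

```python
"""Simplified model of ipfw rule evaluation for the ruleset in this thread (a
constructed example). Only the options those rules use are modelled: proto,
destination port, in/out, via, setup, established, keep-state/check-state,
skipto and divert (natd is treated as a pass-through that continues at the
next rule). 'limit', 'log', 'me' and the bogon rules 300-308 are left out."""
from collections import namedtuple

# proto: "tcp"/"udp"/"icmp"; direction: "in"/"out"; syn/ack: TCP flags.
Pkt = namedtuple("Pkt", "proto src sport dst dport direction iface syn ack",
                 defaults=(False, False))
# action: allow|deny|skipto|divert|check-state; proto "ip"/"all" = any protocol;
# dports () = any port; direction "" = either; iface "" = any ('via');
# setup = SYN without ACK; established = ACK set; target = skipto target.
Rule = namedtuple("Rule", "num action proto dports direction iface setup "
                  "established keep_state target",
                  defaults=("ip", (), "", "", False, False, False, 0))

def flow_key(p):
    """Direction-independent key for the dynamic (state) table."""
    return p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)})

def matches(r, p):
    return ((r.proto in ("ip", "all") or r.proto == p.proto)
            and (not r.dports or p.dport in r.dports)
            and (not r.direction or r.direction == p.direction)
            and (not r.iface or r.iface == p.iface)
            and (not r.setup or (p.proto == "tcp" and p.syn and not p.ack))
            and (not r.established or (p.proto == "tcp" and p.ack)))

def evaluate(rules, p, states, default="deny"):
    """Walk the ruleset in number order; return (verdict, deciding rule number)."""
    rules = sorted(rules, key=lambda r: r.num)
    by_num = {r.num: r for r in rules}
    i = 0
    while i < len(rules):
        r = rules[i]
        if r.action == "check-state":
            if flow_key(p) not in states:
                i += 1
                continue
            r = by_num[states[flow_key(p)]]   # dynamic match: act as the parent rule
        elif not matches(r, p):
            i += 1
            continue
        if r.keep_state:
            states[flow_key(p)] = r.num
        if r.action in ("allow", "deny"):
            return r.action, r.num
        if r.action == "skipto":
            i = next((j for j, x in enumerate(rules) if x.num >= r.target), len(rules))
            continue
        i += 1                                # divert: natd rewrites, then continue
    return default, 65535                     # fell off the end: the kernel default rule

PIF = "fxp0"

def casey_rules():
    """The posted ruleset, abbreviated, with the rule-450 form Ian objects to."""
    return [
        Rule(2, "allow", iface="em0"),
        Rule(3, "allow", iface="lo0"),
        Rule(100, "divert", direction="in", iface=PIF),
        Rule(101, "check-state"),
        Rule(136, "skipto", "udp", (53,), "out", PIF, keep_state=True, target=500),
        Rule(150, "skipto", "tcp", (22, 25, 37, 43, 53, 80, 443), "out", PIF,
             setup=True, keep_state=True, target=500),
        Rule(420, "allow", "tcp", (80,), "in", PIF, setup=True),
        Rule(450, "deny"),                    # 'deny log ip from any to any': in AND out
        Rule(500, "divert", direction="out", iface=PIF),
    ]

def ian_rules():
    """Casey's rules plus Ian's 332, the out-only 450, 801 and 999."""
    return [r for r in casey_rules() if r.num != 450] + [
        Rule(332, "deny", "tcp", (), "in", PIF, established=True),
        Rule(450, "deny", direction="out", iface=PIF),
        Rule(801, "allow"),
        Rule(999, "deny"),
    ]

def run_scenarios():
    """Replay packets built from the logged lines against both rulesets."""
    # Constructed from the /var/log/security lines: a non-SYN outbound segment and an
    # inbound reply, each for a session with no state entry (e.g. flushed by a reload).
    out_stray = Pkt("tcp", "192.168.1.6", 61915, "174.129.210.177", 80, "out", PIF, ack=True)
    in_stray = Pkt("tcp", "65.126.84.81", 80, "192.168.1.6", 61681, "in", PIF, ack=True)
    syn = Pkt("tcp", "192.168.1.6", 61915, "174.129.210.177", 80, "out", PIF, syn=True)
    # The posted ruleset has nothing after rule 500, so its result depends on the
    # kernel default rule; 'allow' is assumed here, since most of Casey's traffic passes.
    return {
        "casey_syn": evaluate(casey_rules(), syn, {}, "allow"),
        "casey_out_stray": evaluate(casey_rules(), out_stray, {}, "allow"),
        "casey_in_stray": evaluate(casey_rules(), in_stray, {}, "allow"),
        "ian_syn": evaluate(ian_rules(), syn, {}),
        "ian_out_stray": evaluate(ian_rules(), out_stray, {}),
        "ian_in_stray": evaluate(ian_rules(), in_stray, {}),
        "ian_in_stray_no_332": evaluate([r for r in ian_rules() if r.num != 332], in_stray, {}),
    }
```

Both logged packet types land on 450 in the posted ruleset because it matches in and out; with Ian's out-only 450 an inbound stray would fall through to 801 unless rule 332 stops it, and a non-SYN outbound segment with no state is still refused at 450, which is what a flushed state table looks like in the log.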