Date:      Thu, 16 Jul 2009 22:19:04 +0300
From:      Dmitriy Demidov <dima_bsd@inbox.lv>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw nat and localy initiated UDP traffic (bad udp cksum)
Message-ID:  <200907162219.04986.dima_bsd@inbox.lv>
In-Reply-To: <200907142355.34973.dima_bsd@inbox.lv>
References:  <200907142355.34973.dima_bsd@inbox.lv>

On Tuesday 14 July 2009, Dmitriy Demidov wrote:
> Hi list.
>
> I have problems with ipfw nat. It makes me crazy (I really have no idea
> how to troubleshoot this problem). Looks like ipfw nat does not pass locally
> initiated UDP traffic through itself! Is there any hint that I do not know
> about ipfw nat? Any clue please :(
>

Update about this issue.
There is something wrong with UDP pass-through: ipfw nat makes it "bad cksum".

tcpdump on ISP-side nic (tcpdump -i 2 -X -vvv -n -l ip) shows this:

for locally initiated UDP/DNS traffic:
====
21:58:30.116680 IP (tos 0x0, ttl 64, id 6212, offset 0, flags [none], proto 
UDP (17), length 61) 87.110.108.74.62365 > 91.198.156.20.53: [bad udp cksum 
aa89!] 50277+ A? www.freebsd.org. (33)
        0x0000:  4500 003d 1844 0000 4011 a6d9 576e 6c4a  E..=.D..@...WnlJ
        0x0010:  5bc6 9c14 f39d 0035 0029 bbcd c465 0100  [......5.)...e..
        0x0020:  0001 0000 0000 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01         ebsd.org.....
21:58:35.116809 IP (tos 0x0, ttl 64, id 6239, offset 0, flags [none], proto 
UDP (17), length 61) 87.110.108.74.62365 > 91.198.156.20.53: [bad udp cksum 
aa89!] 50277+ A? www.freebsd.org. (33)
        0x0000:  4500 003d 185f 0000 4011 a6be 576e 6c4a  E..=._..@...WnlJ
        0x0010:  5bc6 9c14 f39d 0035 0029 bbcd c465 0100  [......5.)...e..
        0x0020:  0001 0000 0000 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01         ebsd.org.....
21:58:40.117744 IP (tos 0x0, ttl 64, id 6240, offset 0, flags [none], proto 
UDP (17), length 61) 87.110.108.74.62365 > 91.198.156.20.53: [bad udp cksum
====

for UDP/DNS traffic that passes via nat from the local network:
====
21:58:21.925741 IP (tos 0x0, ttl 63, id 632, offset 0, flags [none], proto UDP 
(17), length 61) 87.110.108.74.58124 > 91.198.156.20.53: [udp sum ok] 36465+ 
A? www.freebsd.org. (33)
        0x0000:  4500 003d 0278 0000 3f11 bda5 576e 6c4a  E..=.x..?...WnlJ
        0x0010:  5bc6 9c14 e30c 0035 0029 8bfd 8e71 0100  [......5.)...q..
        0x0020:  0001 0000 0000 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01         ebsd.org.....
21:58:21.932623 IP (tos 0x0, ttl 59, id 39585, offset 0, flags [none], proto 
UDP (17), length 165) 91.198.156.20.53 > 87.110.108.74.58124: 36465 q: A? 
www.freebsd.org. 1/3/0 www.freebsd.org. A 69.147.83.33 ns: freebsd.org.[|
domain]
        0x0000:  4500 00a5 9aa1 0000 3b11 2914 5bc6 9c14  E.......;.).[...
        0x0010:  576e 6c4a 0035 e30c 0091 8f66 8e71 8180  WnlJ.5.....f.q..
        0x0020:  0001 0001 0003 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01c0 0c00  ebsd.org........
        0x0040:  0100 0100 000b 6600 0445 9353 21c0 1000  ......f..E.S!...
        0x0050:  0200                                     ..
====

ipfw config:
====
add allow ip from any to any via fxp0
add allow udp from any 68 to any 67
add allow udp from any 67 to any 68
add count ip from any to any
nat 1 config log if em0 reset same_ports deny_in
nat 2 config log if em0
nat 3 config log if em0 reset same_ports deny_in
add count ip from any to any
add nat 1 tcp from any to any out xmit em0
add nat 2 udp from any to any out xmit em0
add nat 3 icmp from any to any out xmit em0
add nat 1 tcp from any to me in recv em0
add nat 2 udp from any to me in recv em0
add nat 3 icmp from any to me in recv em0
add count ip from any to any
====

ipfw show
====
00100 1642 372640 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00400    9    990 allow ip from any to any via fxp0
00500    0      0 allow udp from any 68 to any dst-port 67
00600    0      0 allow udp from any 67 to any dst-port 68
00700   25   1404 count ip from any to any
00800   25   1404 count ip from any to any
00900    0      0 nat 1 tcp from any to any out xmit em0
01000    7    427 nat 2 udp from any to any out xmit em0
01100    0      0 nat 3 icmp from any to any out xmit em0
01200   17    812 nat 1 tcp from any to me in recv em0
01300    1    165 nat 2 udp from any to me in recv em0
01400    0      0 nat 3 icmp from any to me in recv em0
01500    0      0 count ip from any to any
65535    3    520 deny ip from any to any
====

uname -a
FreeBSD hius.local.home 7.2-STABLE FreeBSD 7.2-STABLE #0: Wed Jul 15 20:59:17 
EEST 2009     root@hius.local.home:/usr/obj/usr/src/sys/STABLE  i386
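
As an added diagnostic (not part of the original message or of ipfw itself), the Python below recomputes the UDP checksum, pseudo-header included, over the two hex dumps quoted above and also compares the stored field against the pseudo-header partial sum alone, which is the value a FreeBSD sender leaves in the field when it defers the final checksum to the NIC. The constant names and the report keys are my own.

```python
import struct

# Hex dumps copied from the two tcpdump captures quoted in the message (offsets and
# ASCII column stripped): the locally initiated DNS query tcpdump flags as
# "bad udp cksum", and the NAT'd query from the LAN that it reports as "udp sum ok".
LOCAL_QUERY = (
    "4500003d184400004011a6d9576e6c4a" "5bc69c14f39d00350029bbcdc4650100"
    "00010000000000000377777707667265" "65627364036f72670000010001"
)
NATTED_QUERY = (
    "4500003d027800003f11bda5576e6c4a" "5bc69c14e30c003500298bfd8e710100"
    "00010000000000000377777707667265" "65627364036f72670000010001"
)

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of big-endian 16-bit words (odd byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum_report(packet: bytes) -> dict:
    """Recompute the UDP checksum of a raw IPv4/UDP packet and classify the stored field."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    udp = packet[ihl:ihl + udp_len]
    stored = struct.unpack("!H", udp[6:8])[0]
    # Pseudo-header per RFC 768: src, dst, zero, protocol 17, UDP length.
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    partial = ones_complement_sum(pseudo)
    full = ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    expected = ((~full) & 0xFFFF) or 0xFFFF  # an all-zero result is transmitted as 0xFFFF
    return {
        "stored": stored,
        "expected": expected,
        "ok": stored == expected,
        "pseudo_header_partial": partial,
        # Only the pseudo-header sum in the field: the shape FreeBSD's UDP output leaves
        # when CSUM_UDP offload defers the final computation to the interface.
        "looks_like_deferred_offload": stored == partial,
    }

if __name__ == "__main__":
    for name, dump in (("locally initiated", LOCAL_QUERY), ("NAT'd from LAN", NATTED_QUERY)):
        r = udp_checksum_report(bytes.fromhex(dump))
        print(f"{name}: stored={r['stored']:#06x} expected={r['expected']:#06x} ok={r['ok']} "
              f"pseudo_partial={r['pseudo_header_partial']:#06x} deferred={r['looks_like_deferred_offload']}")
```

For the locally initiated query the stored field (0xbbcd) equals the pseudo-header partial sum rather than the complete checksum (0x4578), while the NAT'd query from the LAN carries a correct 0x8bfd; that pattern points at a checksum that was never finalised on the way out, not at corruption of an already correct one.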