From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 16 19:19:08 2009
From: Dmitriy Demidov
To: freebsd-ipfw@freebsd.org
Date: Thu, 16 Jul 2009 22:19:04 +0300
Subject: Re: ipfw nat and localy initiated UDP traffic (bad udp cksum)
Message-Id: <200907162219.04986.dima_bsd@inbox.lv>
In-Reply-To: <200907142355.34973.dima_bsd@inbox.lv>
References: <200907142355.34973.dima_bsd@inbox.lv>
User-Agent: KMail/1.9.10
List-Id: IPFW Technical Discussions

On Tuesday 14 July 2009, Dmitriy Demidov wrote:
> Hi list.
>
> I have problems with ipfw nat. It makes me crazy (I really have no idea
> how to troubleshoot this problem). It looks like ipfw nat does not pass
> locally initiated UDP traffic through itself! Is there any hint that I do
> not know about ipfw nat? Any clue please :(
>

Update about this issue. There is something wrong with UDP pass-through: ipfw nat makes it "bad cksum".
tcpdump on the ISP-side NIC (tcpdump -i 2 -X -vvv -n -l ip) shows this:

for locally initiated UDP/DNS traffic:
====
21:58:30.116680 IP (tos 0x0, ttl 64, id 6212, offset 0, flags [none], proto UDP (17), length 61)
    87.110.108.74.62365 > 91.198.156.20.53: [bad udp cksum aa89!] 50277+ A? www.freebsd.org. (33)
        0x0000:  4500 003d 1844 0000 4011 a6d9 576e 6c4a  E..=.D..@...WnlJ
        0x0010:  5bc6 9c14 f39d 0035 0029 bbcd c465 0100  [......5.)...e..
        0x0020:  0001 0000 0000 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01         ebsd.org.....
21:58:35.116809 IP (tos 0x0, ttl 64, id 6239, offset 0, flags [none], proto UDP (17), length 61)
    87.110.108.74.62365 > 91.198.156.20.53: [bad udp cksum aa89!] 50277+ A? www.freebsd.org. (33)
        0x0000:  4500 003d 185f 0000 4011 a6be 576e 6c4a  E..=._..@...WnlJ
        0x0010:  5bc6 9c14 f39d 0035 0029 bbcd c465 0100  [......5.)...e..
        0x0020:  0001 0000 0000 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01         ebsd.org.....
21:58:40.117744 IP (tos 0x0, ttl 64, id 6240, offset 0, flags [none], proto UDP (17), length 61)
    87.110.108.74.62365 > 91.198.156.20.53: [bad udp cksum
====

for UDP/DNS traffic that passes via nat from the local network:
====
21:58:21.925741 IP (tos 0x0, ttl 63, id 632, offset 0, flags [none], proto UDP (17), length 61)
    87.110.108.74.58124 > 91.198.156.20.53: [udp sum ok] 36465+ A? www.freebsd.org. (33)
        0x0000:  4500 003d 0278 0000 3f11 bda5 576e 6c4a  E..=.x..?...WnlJ
        0x0010:  5bc6 9c14 e30c 0035 0029 8bfd 8e71 0100  [......5.)...q..
        0x0020:  0001 0000 0000 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01         ebsd.org.....
21:58:21.932623 IP (tos 0x0, ttl 59, id 39585, offset 0, flags [none], proto UDP (17), length 165)
    91.198.156.20.53 > 87.110.108.74.58124: 36465 q: A? www.freebsd.org. 1/3/0 www.freebsd.org. A 69.147.83.33 ns: freebsd.org.[| domain]
        0x0000:  4500 00a5 9aa1 0000 3b11 2914 5bc6 9c14  E.......;.).[...
        0x0010:  576e 6c4a 0035 e30c 0091 8f66 8e71 8180  WnlJ.5.....f.q..
        0x0020:  0001 0001 0003 0000 0377 7777 0766 7265  .........www.fre
        0x0030:  6562 7364 036f 7267 0000 0100 01c0 0c00  ebsd.org........
        0x0040:  0100 0100 000b 6600 0445 9353 21c0 1000  ......f..E.S!...
        0x0050:  0200                                     ..
====

ipfw config:
====
add allow ip from any to any via fxp0
add allow udp from any 68 to any 67
add allow udp from any 67 to any 68
add count ip from any to any
nat 1 config log if em0 reset same_ports deny_in
nat 2 config log if em0
nat 3 config log if em0 reset same_ports deny_in
add count ip from any to any
add nat 1 tcp from any to any out xmit em0
add nat 2 udp from any to any out xmit em0
add nat 3 icmp from any to any out xmit em0
add nat 1 tcp from any to me in recv em0
add nat 2 udp from any to me in recv em0
add nat 3 icmp from any to me in recv em0
add count ip from any to any
====

ipfw show
====
00100 1642 372640 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00400    9    990 allow ip from any to any via fxp0
00500    0      0 allow udp from any 68 to any dst-port 67
00600    0      0 allow udp from any 67 to any dst-port 68
00700   25   1404 count ip from any to any
00800   25   1404 count ip from any to any
00900    0      0 nat 1 tcp from any to any out xmit em0
01000    7    427 nat 2 udp from any to any out xmit em0
01100    0      0 nat 3 icmp from any to any out xmit em0
01200   17    812 nat 1 tcp from any to me in recv em0
01300    1    165 nat 2 udp from any to me in recv em0
01400    0      0 nat 3 icmp from any to me in recv em0
01500    0      0 count ip from any to any
65535    3    520 deny ip from any to any
====

uname -a
FreeBSD hius.local.home 7.2-STABLE FreeBSD 7.2-STABLE #0: Wed Jul 15 20:59:17 EEST 2009 root@hius.local.home:/usr/obj/usr/src/sys/STABLE i386
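Editor's note (added here; this is not part of Dmitriy's mail and not ipfw or tcpdump code): the two hex dumps above contain enough to recompute the checksums independently instead of trusting the "bad udp cksum" label. The script below rebuilds the first DNS query of each capture from the `tcpdump -X` lines quoted in the mail (embedded as constants, copied verbatim) and checks the IPv4 header checksum and the UDP checksum over the RFC 768 pseudo-header. All function and variable names are the editor's. Run against these two packets it shows three things: the IP header checksum is correct in both; the "bad" packet's UDP checksum field, 0xbbcd, is exactly the one's-complement sum of the UDP pseudo-header alone, which is the partial value a BSD stack leaves in uh_sum when it asks the NIC to finish the checksum (TX checksum offload, CSUM_UDP), so the field was never completed rather than corrupted; and tcpdump's residual comes out as 0x89aa, which the i386 tcpdump in the mail printed byte-swapped as aa89.

```python
"""Recompute IPv4/UDP checksums from `tcpdump -X` hex dumps (IPv4 only)."""
import re
import struct

# Constructed input: the first outbound DNS query of each capture quoted in
# the mail above, copied verbatim from its tcpdump -X output.
BAD_UDP_DUMP = """
0x0000: 4500 003d 1844 0000 4011 a6d9 576e 6c4a E..=.D..@...WnlJ
0x0010: 5bc6 9c14 f39d 0035 0029 bbcd c465 0100 [......5.)...e..
0x0020: 0001 0000 0000 0000 0377 7777 0766 7265 .........www.fre
0x0030: 6562 7364 036f 7267 0000 0100 01 ebsd.org.....
"""

GOOD_UDP_DUMP = """
0x0000: 4500 003d 0278 0000 3f11 bda5 576e 6c4a E..=.x..?...WnlJ
0x0010: 5bc6 9c14 e30c 0035 0029 8bfd 8e71 0100 [......5.)...q..
0x0020: 0001 0000 0000 0000 0377 7777 0766 7265 .........www.fre
0x0030: 6562 7364 036f 7267 0000 0100 01 ebsd.org.....
"""

_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s*(.*)$")
_TOKEN = re.compile(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild packet bytes from tcpdump -X lines ("0xOFFS: hex groups  ASCII").

    The ASCII column can itself look like hex ("ebsd" above), so a line
    contributes at most 16 bytes and token reading stops at the first token
    that is not 2 or 4 hex digits.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError("dump offsets are not contiguous")
        got = 0
        for tok in m.group(2).split():
            if got >= 16 or not _TOKEN.fullmatch(tok):
                break
            out += bytes.fromhex(tok)
            got += len(tok) // 2
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of big-endian 16-bit words, folded to 16 bits, not inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum_report(pkt: bytes) -> dict:
    """Check the IPv4 header checksum and the UDP checksum of one packet."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("expected an IPv4/UDP packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    pkt = pkt[:total_len]                       # ignore anything past the IP length
    src, dst, udp = pkt[12:16], pkt[16:20], pkt[ihl:]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    stored = struct.unpack("!H", udp[6:8])[0]

    # Pseudo-header: src, dst, zero, protocol, UDP length (RFC 768).
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    pseudo_sum = ones_complement_sum(pseudo)
    zeroed = udp[:6] + b"\x00\x00" + udp[8:udp_len]
    csum = 0xFFFF ^ ones_complement_sum(pseudo + zeroed)
    expected = csum if csum else 0xFFFF         # RFC 768: a computed 0 is sent as all ones
    # Same sum with the stored checksum included: 0 when correct, otherwise the
    # value tcpdump reports in "bad udp cksum X!" (byte-swapped on little-endian hosts).
    residual = 0xFFFF ^ ones_complement_sum(pseudo + udp[:udp_len])
    return {
        "ip_header_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "stored": stored,
        "expected": expected,
        "udp_ok": stored == expected,
        "pseudo_header_sum": pseudo_sum,
        # True when the field holds only the pseudo-header partial sum, i.e. the
        # sending stack left the rest of the UDP checksum to the NIC (TX offload).
        "stored_is_pseudo_sum": stored == pseudo_sum,
        "tcpdump_residual": residual,
    }


def analyse(dump: str) -> dict:
    """Parse one tcpdump -X dump and return its checksum report."""
    return udp_checksum_report(parse_tcpdump_hex(dump))


def main() -> None:
    for name, dump in (("locally generated", BAD_UDP_DUMP), ("natted from LAN", GOOD_UDP_DUMP)):
        report = analyse(dump)
        pretty = {k: (hex(v) if type(v) is int else v) for k, v in report.items()}
        print(name, pretty)


if __name__ == "__main__":
    main()
```

Caveat for reading captures like this one: BPF on the sending host taps the packet before the NIC finishes an offloaded checksum, so `tcpdump` on em0 will flag locally generated UDP as "bad udp cksum" whenever txcsum is enabled, with or without NAT in the path. The capture proves the packet left the stack with an unfinished checksum; whether it reached the wire that way, and whether ipfw nat is what prevented the offload from completing, needs a capture on the receiving side or a retest with `ifconfig em0 -txcsum`.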