Date: Fri, 3 Nov 2006 18:17:54 -0500
From: "cdavis" <cdavis@aspv.edu.mx>
To: freebsd-ipfw@freebsd.org
Subject: FreeBSD 5.5 - stable IPFW FWD to {another ip} doesn't work even with 5.3 beta patch
Message-ID: <20061103231642.M61391@aspv.edu.mx>
I have had the same thing happen to me. I cvsupped to 5.5-STABLE and now my redirects don't work. I'm in a pickle. I think it has something to do with ipfw2 and natd not being in the same boat. For documentation's sake, here is my simplest case and not the production case. When logged in to my gateway box that used to do the redirects I can see both inside and outside. My webserver on the inside works just fine. Other workstations on the inside get natted just fine; that is, they can surf the web and ssh out and all.

My kernconf has:

###### ipfw stuff
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_FORWARD_EXTENDED
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options LIBMCHAIN    # mbuf management library
options LIBICONV     # Kernel side iconv library
#############

# rc.conf
defaultrouter="201.116.xxx.xxx"
hostname="chipotle.xxx.xxx"
network_interfaces="fxp0 em0 em1"
ifconfig_fxp0="inet 192.168.0.4 netmask 255.255.255.0"
ifconfig_em1="inet 201.116.226.229 netmask 255.255.255.240"
ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"
routed_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
sshd_enable="YES"
natd_interface="em1"
inside_interface="em0"
other_inside_interface="fxp0"
firewall_enable="YES"
firewall_logging="YES"
gateway_enable="YES"
firewall_type="OPEN"
natd_enable="yes"
natd_flags="-f /etc/natd.conf"
#################

# rc.firewall
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any em1
#################################

I have also tried the stateful firewalls from http://www.freebsdwiki.net/index.php/Firewall%2C_Configuring and the standard "OPEN" from /usr/src/etc/rc.firewall. All of which work fine as far as natting local traffic, but none of which let the redirects out.
#########################
# natd.conf
interface em1
unregistered_only yes
deny_incoming no
use_sockets yes
same_ports yes
dynamic yes
redirect_port tcp 192.168.0.2:80 8080
redirect_port tcp 192.168.0.3:80 5040
##############################

As I said, this box was working like a champ and after the cvsup, buildworld, buildkernel, installkernel, installworld, mergemaster it stopped redirecting my ports 8080 and 5040. From what I can tell on the net, ipfw2 and natd don't use libalias the same way. I know there was some talk of making all of them modules. I have tried building with NO_MODULES=yes and with modules. This is a PAE machine with 2 gigs of memory, so I took PAE out. Thanks for the consideration.

Not to bore all of you, but here is my dmesg. As you can see, I've rebuilt this kernel a few times trying to figure out what the problem is.
Thanks again,
Chris Davis
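A small sanity checker for the ipfw + natd port-redirect setup described in this message, added here as an example and not part of the original post. It parses the redirect_port entries from a natd.conf and a constructed sample of `ipfw -a list` output (rule number, packet count, byte count, rule body), then reports whether a divert rule on the external interface exists, comes before the catch-all allow rule, and has actually matched packets; the sample listing and the rule number are assumptions, not the poster's.

```python
"""Sanity checks for an ipfw + natd port-redirect setup (added example)."""
import re

# Constructed sample: natd.conf as posted in the message.
NATD_CONF = """\
interface em1
unregistered_only yes
redirect_port tcp 192.168.0.2:80 8080
redirect_port tcp 192.168.0.3:80 5040
"""

# Constructed sample of `ipfw -a list` output; rule numbers and counters are made up.
IPFW_LIST = """\
00050    4132   2991833 divert 8668 ip from any to any via em1
00100      12       936 allow ip from any to any via lo0
65000  220193 176803421 allow ip from any to any
65535       0         0 allow ip from any to any
"""

REDIRECT_RE = re.compile(r"^redirect_port\s+(tcp|udp)\s+(\S+):(\d+)\s+(\d+)")
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_redirects(conf):
    """Return (proto, target_host, target_port, alias_port) per redirect_port line."""
    out = []
    for line in conf.splitlines():
        m = REDIRECT_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return out


def check_divert_rule(listing, ext_if):
    """Return a list of problems: no divert rule on ext_if, a catch-all allow
    rule ahead of it (packets never reach natd), or a divert rule with zero hits."""
    problems = []
    divert_no = None
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        num, pkts, body = int(m.group(1)), int(m.group(2)), m.group(4)
        if body.startswith("divert") and f"via {ext_if}" in body:
            divert_no = num
            if pkts == 0:
                problems.append(f"divert rule {num} has not matched any packets")
        elif body == "allow ip from any to any" and divert_no is None:
            problems.append(f"catch-all allow rule {num} precedes the divert rule")
            break
    if divert_no is None:
        problems.append(f"no divert rule via {ext_if}")
    return problems
```

Run it against the real `ipfw -a list` output on the gateway and watch the divert rule's packet counter while a test connection to port 8080 is made from outside; a counter that does not move means the packet never reached natd.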