From: Sergey Zvyagintsev <szvyag@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Thu, 18 Mar 2010 10:45:51 +0300
Message-ID: <8aca93011003180045y49ff6795s72646f5ca84901eb@mail.gmail.com>
Subject: Losing packets with stateful rules
List-Id: IPFW Technical Discussions

Hi,

I am experiencing that single packets are not processed by the ipfw ruleset with stateful rules on FreeBSD-7.2 with a GENERIC kernel.

The ipfw configuration (pretty much the same as in the Handbook):

00002 allow ip from any to any via vr0
00003 allow ip from any to any via lo0
00100 divert 8668 ip from any to any in via vr1
00101 check-state
00125 skipto 500 ip from 172.16.10.0 to any out via vr1 limit src-addr 10
00130 allow ip from me to any out via vr1 keep-state
00420 allow tcp from 172.16.10.0 to me dst-port 22 in via vr0 keep-state
00430 allow icmp from any to me
00450 deny log logamount 5 ip from any to any
00500 divert 8668 ip from any to any out via vr1
00501 allow ip from any to any
65535 deny ip from any to any

rc.conf:

ifconfig_vr0="inet 172.16.0.3 netmask 0xffff0000"
ifconfig_vr1="inet 192.168.1.108 netmask 0xffffff00"
defaultrouter="192.168.1.8"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="vr1"
natd_flags="-dynamic -m"

When I start a P2P client on host 172.16.10.0 to generate some traffic, everything works fine. But tcpdump shows single packets that are not NAT'ed and are sent to the default gateway with the real IP address:

test# tcpdump -n -i vr1 host 172.16.10.0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vr1, link-type EN10MB (Ethernet), capture size 96 bytes
15:04:30.678021 IP 172.16.10.0.61972 > 77.195.187.79.49945: . ack 3659396937 win 0
15:04:30.678032 IP 172.16.10.0.61835 > 24.215.1.215.6892: . ack 1812223920 win 0
15:04:30.678083 IP 172.16.10.0.30501 > 178.161.128.26.7307: . ack 638704704 win 0
15:04:30.678174 IP 172.16.10.0.30410 > 96.255.209.125.6979: . ack 3538407393 win 0
15:04:35.677946 IP 172.16.10.0.30695 > 195.131.4.167.80: . ack 3863695978 win 0
15:04:35.677957 IP 172.16.10.0.30696 > 217.30.200.20.6688: . ack 4205907280 win 0
15:04:40.677866 IP 172.16.10.0.30712 > 24.215.1.215.8082: . ack 3863870641 win 0
15:04:40.677877 IP 172.16.10.0.30731 > 195.131.4.167.80: . ack 3878559558 win 0
...

CPU and memory usage are quite low.

Removing the limit option from rule 00125 completely solves the problem.

Is this normal behavior for ipfw?

Best regards,
Sergey Zvyagintsev
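The `limit src-addr 10` option on rule 00125 caps the number of dynamic states (connections) ipfw will hold per source address for that rule, so the first thing to establish when a rule with `limit` misbehaves is how many distinct connections each source actually has. The following script is an added example, not code from the post above or from FreeBSD: it parses `ipfw list` style rules to find every `limit` option, parses `tcpdump -n` lines into 4-tuples, and counts distinct connections per source address (or per whatever field the limit keys on). The sample input is the ruleset and the eight capture lines from the post, pasted in verbatim; the capture only shows the packets that leaked, so the count it yields is a lower bound on the states the rule was tracking, not the number of states installed in the kernel (for that, `ipfw -d show` on the box is the tool).

```python
"""Count distinct connections per keyed field against an ipfw ``limit`` rule.

Added example, not from the original post or from FreeBSD.  Inputs are the
ruleset and tcpdump lines from the post above; the regexes assume plain
``ipfw list`` output and ``tcpdump -n`` (numeric) IPv4 lines.
"""
import re
from collections import defaultdict

# Ruleset exactly as posted (ipfw list output).  Only rule 00125 carries a limit.
RULESET = """\
00002 allow ip from any to any via vr0
00003 allow ip from any to any via lo0
00100 divert 8668 ip from any to any in via vr1
00101 check-state
00125 skipto 500 ip from 172.16.10.0 to any out via vr1 limit src-addr 10
00130 allow ip from me to any out via vr1 keep-state
00420 allow tcp from 172.16.10.0 to me dst-port 22 in via vr0 keep-state
00430 allow icmp from any to me
00450 deny log logamount 5 ip from any to any
00500 divert 8668 ip from any to any out via vr1
00501 allow ip from any to any
65535 deny ip from any to any
"""

# The leaked packets exactly as captured in the post (tcpdump -n -i vr1).
CAPTURE = """\
15:04:30.678021 IP 172.16.10.0.61972 > 77.195.187.79.49945: . ack 3659396937 win 0
15:04:30.678032 IP 172.16.10.0.61835 > 24.215.1.215.6892: . ack 1812223920 win 0
15:04:30.678083 IP 172.16.10.0.30501 > 178.161.128.26.7307: . ack 638704704 win 0
15:04:30.678174 IP 172.16.10.0.30410 > 96.255.209.125.6979: . ack 3538407393 win 0
15:04:35.677946 IP 172.16.10.0.30695 > 195.131.4.167.80: . ack 3863695978 win 0
15:04:35.677957 IP 172.16.10.0.30696 > 217.30.200.20.6688: . ack 4205907280 win 0
15:04:40.677866 IP 172.16.10.0.30712 > 24.215.1.215.8082: . ack 3863870641 win 0
15:04:40.677877 IP 172.16.10.0.30731 > 195.131.4.167.80: . ack 3878559558 win 0
"""

# "<number> <body> limit <key> <N>" -- the limit option ends the rule line.
LIMIT_RE = re.compile(
    r"^(\d+)\s+(.*?)\s+limit\s+(src-addr|src-port|dst-addr|dst-port)\s+(\d+)\s*$"
)
# "<time> IP <src>.<sport> > <dst>.<dport>: ..." as printed by tcpdump -n.
PKT_RE = re.compile(r"^\S+\s+IP\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):")

# Position of each limit key inside a (src, sport, dst, dport) tuple.
KEY_INDEX = {"src-addr": 0, "src-port": 1, "dst-addr": 2, "dst-port": 3}


def parse_limits(ruleset):
    """Return {rule_number: (limit_key, N)} for every rule with a limit option."""
    limits = {}
    for line in ruleset.splitlines():
        m = LIMIT_RE.match(line.strip())
        if m:
            limits[int(m.group(1))] = (m.group(3), int(m.group(4)))
    return limits


def parse_capture(capture):
    """Return (src, sport, dst, dport) tuples for each IPv4 line in tcpdump output."""
    flows = []
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def connections_per_key(flows, key):
    """Count distinct 4-tuples grouped by the field the limit option keys on."""
    seen = defaultdict(set)
    for flow in flows:
        seen[flow[KEY_INDEX[key]]].add(flow)
    return {k: len(v) for k, v in seen.items()}


def check_limits(ruleset, capture):
    """For each limit rule, map every key value seen in the capture to
    (distinct_connections, reached_limit).  A count below N does not rule
    out a limit hit: states from connections absent in the capture count too."""
    flows = parse_capture(capture)
    report = {}
    for rule, (key, n) in parse_limits(ruleset).items():
        counts = connections_per_key(flows, key)
        report[rule] = {k: (c, c >= n) for k, c in counts.items()}
    return report


if __name__ == "__main__":
    for rule, per_key in check_limits(RULESET, CAPTURE).items():
        for value, (count, reached) in per_key.items():
            print(f"rule {rule:05d}: {value} has {count} connection(s) in capture"
                  f"{' (limit reached)' if reached else ''}")
```

On the posted data the script finds one limit rule (00125, `src-addr`, N = 10) and eight distinct connections from 172.16.10.0 in the capture, below the limit of ten; whether the kernel was holding more states at the time has to be read from `ipfw -d show` and `net.inet.ip.fw.dyn_count` on the firewall itself.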