Date:      Thu, 18 Mar 2010 10:45:51 +0300
From:      Sergey Zvyagintsev <szvyag@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Losing packets with stateful rules
Message-ID:  <8aca93011003180045y49ff6795s72646f5ca84901eb@mail.gmail.com>

Hi,

I am seeing individual packets that are not processed by the ipfw ruleset
with stateful rules on FreeBSD-7.2 with the GENERIC kernel.

The ipfw configuration (pretty much the same as in the Handbook):

00002 allow ip from any to any via vr0
00003 allow ip from any to any via lo0
00100 divert 8668 ip from any to any in via vr1
00101 check-state
00125 skipto 500 ip from 172.16.10.0 to any out via vr1 limit src-addr 10
00130 allow ip from me to any out via vr1 keep-state
00420 allow tcp from 172.16.10.0 to me dst-port 22 in via vr0 keep-state
00430 allow icmp from any to me
00450 deny log logamount 5 ip from any to any
00500 divert 8668 ip from any to any out via vr1
00501 allow ip from any to any
65535 deny ip from any to any

rc.conf:

ifconfig_vr0="inet 172.16.0.3 netmask 0xffff0000"
ifconfig_vr1="inet 192.168.1.108 netmask 0xffffff00"
defaultrouter="192.168.1.8"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="vr1"
natd_flags="-dynamic -m"

When I start a P2P client on host 172.16.10.0 to generate some traffic,
everything works fine. But tcpdump shows individual packets that are not
NAT'ed and are sent to the default gateway with the real IP address:

test# tcpdump -n -i vr1 host 172.16.10.0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vr1, link-type EN10MB (Ethernet), capture size 96 bytes
15:04:30.678021 IP 172.16.10.0.61972 > 77.195.187.79.49945: . ack 3659396937 win 0
15:04:30.678032 IP 172.16.10.0.61835 > 24.215.1.215.6892: . ack 1812223920 win 0
15:04:30.678083 IP 172.16.10.0.30501 > 178.161.128.26.7307: . ack 638704704 win 0
15:04:30.678174 IP 172.16.10.0.30410 > 96.255.209.125.6979: . ack 3538407393 win 0
15:04:35.677946 IP 172.16.10.0.30695 > 195.131.4.167.80: . ack 3863695978 win 0
15:04:35.677957 IP 172.16.10.0.30696 > 217.30.200.20.6688: . ack 4205907280 win 0
15:04:40.677866 IP 172.16.10.0.30712 > 24.215.1.215.8082: . ack 3863870641 win 0
15:04:40.677877 IP 172.16.10.0.30731 > 195.131.4.167.80: . ack 3878559558 win 0
...

CPU and memory usage are quite low.
Removing the limit option from rule 00125 completely solves the problem.

Is this normal behavior for ipfw?

Best regards,
Sergey Zvyagintsev
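The symptom in the post (packets leaving the NAT interface vr1 with an un-translated 172.16.x.x source) is easy to catch mechanically. The following script is an added example, not part of the post or of ipfw/natd; it parses `tcpdump -n` lines, flags any packet on the NAT side whose source still falls in the LAN prefix, and groups the leaks by the (src, dst, dport) tuple a NAT state would be keyed on. The address plan (vr0 = 172.16.0.0/16, vr1 = 192.168.1.108) is taken from the rc.conf in the post; the eight leaked lines are copied from the post's tcpdump output, and the two correctly translated lines are constructed for contrast.

```python
import re
import ipaddress
from collections import Counter

# Address plan from the post's rc.conf: LAN side vr0 is 172.16.0.0/16
# (netmask 0xffff0000), NAT side vr1 is 192.168.1.108/24. Anything seen on vr1
# with a source inside the LAN prefix has bypassed natd.
LAN_NET = ipaddress.ip_network("172.16.0.0/16")
NAT_ADDR = ipaddress.ip_address("192.168.1.108")

# Shape of a "tcpdump -n -i vr1" line: "<hh:mm:ss.usec> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Sample capture: the first line is tcpdump's own banner (ignored by the parser),
# the eight 172.16.10.0 lines are from the post, the two 192.168.1.108 lines are
# constructed to show what a properly NAT'ed packet looks like on vr1.
SAMPLE_CAPTURE = """\
listening on vr1, link-type EN10MB (Ethernet), capture size 96 bytes
15:04:30.678021 IP 172.16.10.0.61972 > 77.195.187.79.49945: . ack 3659396937 win 0
15:04:30.678032 IP 172.16.10.0.61835 > 24.215.1.215.6892: . ack 1812223920 win 0
15:04:30.678083 IP 172.16.10.0.30501 > 178.161.128.26.7307: . ack 638704704 win 0
15:04:30.678174 IP 172.16.10.0.30410 > 96.255.209.125.6979: . ack 3538407393 win 0
15:04:31.000001 IP 192.168.1.108.50001 > 24.215.1.215.6892: P 1:100(99) ack 1 win 65535
15:04:35.677946 IP 172.16.10.0.30695 > 195.131.4.167.80: . ack 3863695978 win 0
15:04:35.677957 IP 172.16.10.0.30696 > 217.30.200.20.6688: . ack 4205907280 win 0
15:04:36.000001 IP 192.168.1.108.50002 > 195.131.4.167.80: S 1:1(0) win 65535
15:04:40.677866 IP 172.16.10.0.30712 > 24.215.1.215.8082: . ack 3863870641 win 0
15:04:40.677877 IP 172.16.10.0.30731 > 195.131.4.167.80: . ack 3878559558 win 0
""".splitlines()


def parse_line(line):
    """Return a dict for one tcpdump line, or None for banners and unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "rest": m["rest"],
    }


def is_nat_leak(pkt):
    """A packet on the NAT interface whose source is still a LAN address escaped natd."""
    return pkt["src"] in LAN_NET and pkt["src"] != NAT_ADDR


def find_leaks(lines):
    """Parse a capture and return only the packets that bypassed NAT."""
    return [p for p in map(parse_line, lines) if p is not None and is_nat_leak(p)]


def summarize(leaks):
    """Count leaked packets per (src, dst, dport): the tuple a NAT/keep-state entry is keyed on."""
    return Counter((str(p["src"]), str(p["dst"]), p["dport"]) for p in leaks)


def zero_window_only(leaks):
    """True if every leaked packet is a zero-window ACK, as in the post's capture."""
    return all(p["rest"].endswith("win 0") for p in leaks)


if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_CAPTURE)
    print(f"{len(leaks)} un-NAT'ed packets on vr1")
    for key, n in summarize(leaks).most_common():
        print(f"  {key[0]} -> {key[1]}:{key[2]}  x{n}")
    print("all zero-window ACKs:", zero_window_only(leaks))
```

In practice the capture would be piped in from `tcpdump -n -i vr1 -l` instead of the embedded sample; the `win 0` check is worth keeping because it tells you whether the leaked packets belong to live transfers or, as here, only to idle connections whose NAT or keep-state entry may already have been dropped.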
