Date: Mon, 15 Apr 2013 21:04:32 +0200
From: Spil Oss <spil.oss@gmail.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-ipfw@freebsd.org, Michael Sierchio <kudzu@tenebras.com>
Subject: Re: Problems with ipfw/natd and axe(4)
Message-ID: <CAEJyAvP-4FZ7eZ0o4c3qMzC0nY_gT4GfS3KjBVQiuzNY3aXz4Q@mail.gmail.com>
In-Reply-To: <20130415160625.K56386@sola.nimnet.asn.au>
References: <CAEJyAvOZ6fW0i3yT_D4fH1huje-qsJwA7GGeXqAO1PKzge-YNw@mail.gmail.com>
 <20130415015850.Y56386@sola.nimnet.asn.au>
 <CAHu1Y73Xu64NY1B=idaKmHKDGOB3AHbcXKi4A48-SNkhJrMy6Q@mail.gmail.com>
 <20130415160625.K56386@sola.nimnet.asn.au>

Hi all,

Network dumps as promised

On 172.17.2.1:
tcpdump -p -i bridge0 -s 0 -w ssh-fail.pcap host not 172.17.2.167

From 172.17.2.1 I ran
telnet 172.17.2.111/157 22

In Wireshark I trimmed the capture a bit further with expression
'not stp and not http'

Initial setup (ue0 ext, re0 int, rule 10 to allow ssh) -> ue0-ssh-success.pcap
Removed rule 10 -> ue0-ssh-fail.pcap
Switched re0 and ue0, default ruleset (without 10) -> re0-ssh-success.pcap

According to YungHyeong the sample ASIX NIC he has works normally when
checksumming is disabled.

Kind regards,

Spil.

On Mon, Apr 15, 2013 at 8:25 AM, Ian Smith <smithi@nimnet.asn.au> wrote:

> On Sun, 14 Apr 2013 10:34:06 -0700, Michael Sierchio wrote:
> > On Sun, Apr 14, 2013 at 10:26 AM, Ian Smith <smithi@nimnet.asn.au> wrote:
> >
> > > 'allow ip' aka 'allow all' doesn't usually take a port number, which
> > > applies only to tcp and udp.
> >
> > It does in ipfw - in which case it means ( udp | tcp )
>
> You're quite right, and my assumption that it would also permit icmp
> was quite wrong, after a quick test.
>
> Which appears to leave the bypassed divert not working with rx/txcsum
> the only viable suspect. The ruleset is otherwise 'out of the box'.
>
> Does anyone know whether this is an issue with libalias(3) generally -
> in which case using nat instead of divert shouldn't help - or just with
> natd in particular?
>
> cheers, Ian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAEJyAvP-4FZ7eZ0o4c3qMzC0nY_gT4GfS3KjBVQiuzNY3aXz4Q>