From: bugzilla-noreply@freebsd.org (Mark Linimon)
To: freebsd-ipfw@FreeBSD.org
Date: Sun, 22 May 2016 04:06:11 +0000
Subject: [Bug 209680] ipfw: when enabled, net connections time out/ssh results in "broken pipe"

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209680

Mark Linimon changed:

           What    |Removed                  |Added
----------------------------------------------------------------------------
        Assignee|freebsd-bugs@FreeBSD.org |freebsd-ipfw@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.


From: bugzilla-noreply@freebsd.org (graham@menhennitt.com.au)
To: freebsd-ipfw@FreeBSD.org
Date: Sun, 22 May 2016 07:57:02 +0000
Subject: [Bug 209680] ipfw: when enabled, net connections time out/ssh results in "broken pipe"

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209680

graham@menhennitt.com.au changed:

           What    |Removed                  |Added
----------------------------------------------------------------------------
                CC|                         |graham@menhennitt.com.au

--- Comment #1 from graham@menhennitt.com.au ---
I suspect I'm having the same problem. I back up my system via "s3cmd sync" each week. The backup file is about 2.5Gb in size and the s3 usually dies after a few hundred Mb. I've broken the backup file into 500Mb chunks and it eventually got through after a few tries.

I have only seen this in the last few weeks. But I hadn't updated for a few weeks before then, so the problem could have started any time in the last 6 weeks or so.

I'm running 11-current amd64 and using ipfw with kernel NAT.

I'm happy to do any diagnosis or testing if required.
From: Payam Chychi
To: freebsd-ipfw@freebsd.org, jack@jarasoft.org
Date: Sun, 22 May 2016 22:41:30 -0700
Subject: Re: IPW problem

Hi,

Are you simply using two NICs to achieve 200mbps? I can't understand your topology and why you are doing what you're doing. Can you please explain WHY the two-NIC setup when both NICs are on the same broadcast domain?

Payam

On May 21, 2016, 1:41 PM -0700, Jack Raats, wrote:
> Hi everyone,
>
> I have the following problem.
>
> My home server has 2 NICs
>
> NIC1
> bge0 ip-address 10.10.10.30 netmask 255.255.255.0 gateway 10.10.10.100
> ADSL connection 10 Mbit/1 Mbit
>
> NIC2
> bge1 ip-address 10.10.10.32 netmask 255.255.255.0 gateway 10.10.10.200
> Cable connection 200 Mbit/20 Mbit
>
> I have to use NIC1 for all services I'm running, but when the home server
> wants to download something e.g. the ports, then it has to use NIC2
>
> How can this be done using IPFW???
> IPFW is compiled in the kernel. I'm using FreeBSD 10.3-STABLE
>
> Thanks for the help
>
> Jack
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"


From: Michael Sierchio
To: jack@jarasoft.org
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 22 May 2016 22:46:34 -0700
Subject: Re: IPW problem

You can do this with judicious use of a ruleset and setfib (see the man page). You can do all kinds of policy-based routing. If you need more than 2 route tables, you'll need a custom kernel - but for your purposes, 2 will do.

- M

On Sat, May 21, 2016 at 1:39 PM, Jack Raats wrote:
> Hi everyone,
>
> I have the following problem.
> [...]


From: Julian Elischer
To: jack@jarasoft.org, freebsd-ipfw@freebsd.org
Date: Mon, 23 May 2016 14:12:27 +0800
Subject: Re: IPW problem

On 22/05/2016 4:39 AM, Jack Raats wrote:
> Hi everyone,
>
> I have the following problem.
>
> My home server has 2 NICs
>
> NIC1
> bge0 ip-address 10.10.10.30 netmask 255.255.255.0 gateway 10.10.10.100
> ADSL connection 10 Mbit/1 Mbit
>
> NIC2
> bge1 ip-address 10.10.10.32 netmask 255.255.255.0 gateway 10.10.10.200
> Cable connection 200 Mbit/20 Mbit
>
> I have to use NIC1 for all services I'm running, but when the home server
> wants to download something e.g. the ports, then it has to use NIC2
>
> How can this be done using IPFW???
> IPFW is compiled in the kernel. I'm using FreeBSD 10.3-STABLE
>
> Thanks for the help

where is the NAT happening? at each of the modems?

If so, configure 2 FIBs, then assign regular behaviour fib 0 but make fib 1 have the cable modem as default.
all 'fetch' operations should then be performed with fib 1.
e.g.

    setfib 1 fetch https://example.com/test.txt

> Jack
From: bugzilla-noreply@freebsd.org (Fabian Keil)
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 23 May 2016 14:41:33 +0000
Subject: [Bug 209680] ipfw: when enabled, net connections time out/ssh results in "broken pipe"

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209680

Fabian Keil changed:

           What    |Removed                  |Added
----------------------------------------------------------------------------
                CC|                         |fk@fabiankeil.de

--- Comment #2 from Fabian Keil ---
Created attachment 170568
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=170568&action=edit
(Hopefully) make TCP/IP connections reliable under memory pressure again

I don't use ipfw, but have occasionally seen similar issues recently and am currently testing the attached patch in an attempt to prevent them.

While I haven't seen the problem since applying the patch, I'm not absolutely sure yet that the patch is responsible for this.

Given that you seem to be able to reliably reproduce the issue I'd be interested to know if the patch makes a difference for your workloads.


From: bugzilla-noreply@freebsd.org (Fabian Keil)
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 23 May 2016 14:48:57 +0000
Subject: [Bug 209680] ipfw: when enabled, net connections time out/ssh results in "broken pipe"

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209680

--- Comment #3 from Fabian Keil ---
Created attachment 170569
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=170569&action=edit
ipfw: Prefill the dynamic rule zone and prevent uma from freeing unused items

If the previous patch doesn't make a difference you could try adding this one which may work around the problem. If it does, this could help diagnosing the cause of the problem.

As I don't use ipfw myself I only compile-tested the patch. It will increase the memory used by ipfw.


From: bugzilla-noreply@freebsd.org (graham@menhennitt.com.au)
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 23 May 2016 22:43:39 +0000
Subject: [Bug 209680] ipfw: when enabled, net connections time out/ssh results in "broken pipe"

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209680

--- Comment #4 from graham@menhennitt.com.au ---
(In reply to graham from comment #1)

Sorry, I'm an idiot. This isn't happening on my 11-current box - it's on my 10-stable box. However, the point still stands - it was reliable up until a few weeks ago and now it's not. I'll attempt to diagnose some more.
From: Graham Menhennitt
To: freebsd-ipfw@freebsd.org
Date: Tue, 24 May 2016 19:24:18 +1000
Subject: SIP registrations getting through firewall

Hello IPFW list,

I'm running IPFW on FreeBSD 10-Stable. I thought I'd blocked any bad things coming in from the outside world. However, I'm seeing SIP registration attempts logged by Asterisk and I don't understand how they're getting through. A sample log message is:

    chan_sip.c: Registration from '"1201" <sip:1201@x.x.x.x>' failed for '5.56.133.46:5061' - Wrong password

(where the 'x's are my external IP address). SIP registrations should only come from the phones on my internal network.

Could somebody please explain why this is getting through and what I should do to prevent it. One thing I will do is only have Asterisk bind to my internal NICs. But I'd like to know what the problem with the firewall is too.

Below are my IPFW rules. The VPN and IPv6 connections are not up.

Thanks in advance for any assistance,
    Graham

# stop spoofing
add deny all from LAN_NET to any in via OUTSIDE_IF
add deny all from WIFI_NET to any in via OUTSIDE_IF
# allow anything on the LAN
add allow all from any to any via LAN_IF
# and from the VPN
add allow all from any to any via VPN_IF
# allow anything from the wireless network to the outside world (but not to the LAN)
add allow ip from any to not LAN_NET via WIFI_IF

# create a table of addresses to block
table 1 flush
# add RFC1918 nets
table 1 add 10.0.0.0/8
table 1 add 172.16.0.0/12
table 1 add 192.168.0.0/16
# and draft-manning-dsua-03.txt nets
table 1 add 0.0.0.0/8
table 1 add 169.254.0.0/16
table 1 add 192.0.2.0/24
table 1 add 224.0.0.0/4
table 1 add 240.0.0.0/4
# stop entries in the table coming in on the outside interface
add deny all from table(1) to any in recv OUTSIDE_IF

# similarly for IPv6
table 2 flush
# Stop unique local unicast address on the outside interface
table 2 add fc00::/7
# Stop site-local on the outside interface
table 2 add fec0::/10
# Disallow "internal" addresses to appear on the wire.
table 2 add ::ffff:0.0.0.0/96
# Disallow packets to malicious IPv4 compatible prefix.
#table 2 add ::224.0.0.0/100 gives error "Use IPv4 instead of v4-compatible"
#table 2 add ::127.0.0.0/104 ditto
table 2 add ::0.0.0.0/104
#table 2 add ::255.0.0.0/104 ditto
# table 2 add ::0.0.0.0/96
# Disallow packets to malicious 6to4 prefix.
table 2 add 2002:e000::/20
table 2 add 2002:7f00::/24
table 2 add 2002:0000::/24
table 2 add 2002:ff00::/24
# table 2 add 2002:0a00::/24
table 2 add 2002:ac10::/28
table 2 add 2002:c0a8::/32
# table 2 add ff05::/16
# block these addresses both incoming and outgoing
add deny all from table(2) to any via IPV6_IF
add deny all from any to table(2) via IPV6_IF

# block sshguard entries
add reset ip from table(22) to me

# allow setup of incoming SSH, IMAPS, and OpenVPN
add allow tcp from any to me ssh setup
add allow tcp from any to me6 ssh setup
add allow tcp from any to me imaps setup
add allow tcp from any to me6 imaps setup
add allow tcp from any to me openvpn setup
add allow tcp from any to me6 openvpn setup
add allow udp from any to me openvpn

# allow IPP, IMAPS, and SMTP from wireless
add allow ip from any to LAN_NET dst-port printer setup via WIFI_IF
add allow ip from any to me dst-port ipp setup via WIFI_IF
add allow ip from any to me dst-port smtp setup via WIFI_IF
add allow ip from any to me dst-port imaps setup via WIFI_IF

# allow some ICMP types but nothing else
add allow icmp from any to any icmptypes 0,3,8,11
add deny icmp from any to any
#add allow ipv6 from any to any

# NAT
# redirect ports to PS4
nat 1 config if OUTSIDE_IF same_ports redirect_port tcp PS4_ADDR:1935 1935 redirect_port tcp PS4_ADDR:3478 3478 redirect_port tcp PS4_ADDR:3479 3479 redirect_port tcp PS4_ADDR:3480 3480 redirect_port udp PS4_ADDR:3478 3478 redirect_port udp PS4_ADDR:3479 3479
add nat 1 ip4 from any to any via OUTSIDE_IF
# and block the above table again outbound
add deny all from table(1) to any out xmit OUTSIDE_IF

# allow TCP through if setup succeeded
add pass tcp from any to any established
# allow IP fragments to pass through
add pass all from any to any frag

# allow TCP ports needed for PS4
add allow tcp from any to PS4_ADDR 1935 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3478 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3479 in via OUTSIDE_IF setup
add allow tcp from any to PS4_ADDR 3480 in via OUTSIDE_IF setup
add allow udp from any to PS4_ADDR 3478 in via OUTSIDE_IF
add allow udp from any to PS4_ADDR 3479 in via OUTSIDE_IF

# allow DNS & NTP queries out to the world (and their replies back in)
add allow udp from me to any 53 keep-state
add allow udp from me to any 123 keep-state
# but no other UDP in from outside
add deny udp from any to any in via OUTSIDE_IF
# and allow any other UDP
add allow udp from any to any

# reject all setup of incoming connections from the outside
add deny tcp from any to any in via OUTSIDE_IF setup
# reject all setup of incoming connections from the IPV6 tunnel
add deny tcp from any to any in via gif0 setup
# reject all setup of incoming connections from the wireless
add deny tcp from any to any in via WIFI_IF setup
# allow setup of any other TCP connection
add pass tcp from any to any setup

# Everything else is denied by default, unless the IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel config file.
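An added worked example (editor's illustration, not code from this thread or from FreeBSD) that walks an inbound packet through the ruleset posted above. It models three documented ipfw(8) behaviours: first match wins; the dynamic table is consulted at the first keep-state or check-state rule a packet reaches; and with the default net.inet.ip.fw.one_pass=1 a packet that goes through a nat action leaves the firewall as accepted right there, an inbound packet that matches no NAT session being passed through untranslated unless the nat instance was configured with deny_in. In the posted order, "add nat 1 ip4 from any to any via OUTSIDE_IF" comes before every UDP and TCP deny, so the model shows an inbound UDP packet to port 5060 from the outside being accepted at the nat rule and never reaching "deny udp from any to any in via OUTSIDE_IF". Everything concrete here is an assumption: OUTSIDE_IF is em0, LAN_NET is 192.168.1.0/24, 203.0.113.10 stands in for the x'd-out external address, 198.51.100.53 for a resolver, the rule numbers are arbitrary, rules that cannot match inbound IPv4 on the outside interface are left out, and address translation itself is not modelled.

```python
"""Toy model of an ipfw(8) rule walk (added illustration, not ipfw code).

Modelled: first match wins; the dynamic table is checked at the first
keep-state rule reached; a 'nat' action ends the walk with an accept when
net.inet.ip.fw.one_pass=1 (the default), and inbound packets with no NAT
session pass through untranslated unless the instance has deny_in.
Addresses and interface names below are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass

OUTSIDE_IF = "em0"            # assumed name behind OUTSIDE_IF
ME = "203.0.113.10"           # stand-in for the x'd-out external address
LAN_NET = "192.168.1.0/24"    # assumed LAN_NET
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
          "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4"]


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    direction: str            # "in" or "out"
    setup: bool = False       # TCP SYN without ACK


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def flow(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


def posted_ruleset():
    """Rules from the mail that inbound IPv4 on OUTSIDE_IF can reach, in the
    posted order.  Rule numbers are arbitrary; LAN/WIFI/VPN/IPv6 rules omitted."""
    inbound = lambda p: p.direction == "in" and p.iface == OUTSIDE_IF
    return [
        (100, "deny", lambda p: inbound(p) and in_any(p.src, [LAN_NET])),   # anti-spoof
        (200, "deny", lambda p: inbound(p) and in_any(p.src, BOGONS)),      # table(1)
        (300, "allow", lambda p: p.proto == "tcp" and p.dst == ME and p.setup
                                 and p.dport in (22, 993, 1194)),           # ssh/imaps/openvpn
        (400, "allow", lambda p: p.proto == "udp" and p.dst == ME and p.dport == 1194),
        (500, "nat", lambda p: p.iface == OUTSIDE_IF),      # add nat 1 ip4 from any to any via OUTSIDE_IF
        (600, "allow", lambda p: p.proto == "tcp" and not p.setup),         # established
        (700, "keep-state", lambda p: p.proto == "udp" and p.src == ME
                                      and p.dport in (53, 123)),            # DNS/NTP keep-state
        (800, "deny", lambda p: p.proto == "udp" and inbound(p)),           # no other UDP in
        (900, "allow", lambda p: p.proto == "udp"),
        (1000, "deny", lambda p: p.proto == "tcp" and inbound(p) and p.setup),
        (1100, "allow", lambda p: p.proto == "tcp" and p.setup),
    ]


class Firewall:
    def __init__(self, rules, one_pass=True, nat_deny_in=False):
        self.rules, self.one_pass, self.nat_deny_in = rules, one_pass, nat_deny_in
        self.dyn = set()            # keep-state entries
        self.nat_sessions = set()   # libalias links created by outbound packets

    def walk(self, p):
        """Return (verdict, rule number) for packet p."""
        for num, action, match in self.rules:
            if action == "keep-state":
                if flow(p) in self.dyn or reverse(p) in self.dyn:
                    return ("allow", num)       # dynamic rule matched
                if match(p):
                    self.dyn.add(flow(p))
                    return ("allow", num)
                continue
            if not match(p):
                continue
            if action == "nat":
                if p.direction == "out":
                    self.nat_sessions.add(flow(p))
                elif reverse(p) not in self.nat_sessions and self.nat_deny_in:
                    return ("deny", num)        # deny_in: libalias drops unmatched inbound
                if self.one_pass:
                    return ("allow", num)       # one_pass=1: the walk ends here
                continue                        # one_pass=0: continue at the next rule
            return (action, num)
        return ("deny", 65535)                  # default rule


# Constructed packets: the probe from the posted log line, and a DNS exchange.
SIP_PROBE = Pkt("udp", "5.56.133.46", 5061, ME, 5060, OUTSIDE_IF, "in")
DNS_QUERY = Pkt("udp", ME, 40000, "198.51.100.53", 53, OUTSIDE_IF, "out")
DNS_REPLY = Pkt("udp", "198.51.100.53", 53, ME, 40000, OUTSIDE_IF, "in")


def verdicts(one_pass=True, nat_deny_in=False):
    fw = Firewall(posted_ruleset(), one_pass, nat_deny_in)
    fw.walk(DNS_QUERY)          # outbound query first, so state can exist for the reply
    return {"sip_probe": fw.walk(SIP_PROBE), "dns_reply": fw.walk(DNS_REPLY)}


if __name__ == "__main__":
    print("as posted (one_pass=1):", verdicts())
    print("one_pass=0:            ", verdicts(one_pass=False))
    print("nat ... deny_in:       ", verdicts(nat_deny_in=True))
```

Run as posted, the SIP probe is accepted at the nat rule, as is the DNS reply; the keep-state rules are never reached, so they create no state at all. The two changes the model exercises are the practical fixes: "sysctl net.inet.ip.fw.one_pass=0", after which the rules below nat are actually evaluated (the probe dies at the UDP deny while the DNS reply is admitted by the dynamic rule the query created), or "deny_in" on the nat instance, which makes libalias drop inbound packets that match neither a session nor a redirect_port entry. Binding Asterisk to the internal interfaces, as the post plans, is still worth doing in either case.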
From owner-freebsd-ipfw@freebsd.org Wed May 25 18:03:35 2016
From: Adonis Peralta
To: freebsd-ipfw@freebsd.org
Subject: ipfw fwd sends to port but also through gateway
Date: Wed, 25 May 2016 14:03:32 -0400
Message-Id: <9227BA17-B289-494D-8A82-603DB1B35457@gmail.com>

Hi all,

I am noticing something weird in regards to ipfw forwarding when I am attempting to set up squid web proxying.

Here is the info:

ipfw rule: ipfw -q add fwd 127.0.0.1,8080 tcp from 192.168.1.0/24{1-5,7-254} to any dst-port 80 in via igb0 //I exclude the server's IP 192.168.1.6 here to prevent a loop
Squid proxy: running on localhost (127.0.0.1) port 8080.
FreeBSD box IP: 192.168.1.6
Router box: 192.168.1.1

Essentially, when any IP (not my FreeBSD IP) makes a request to port 80, my router will route that IP using policy-based routing to my FreeBSD box. Then the ipfw fwd rule above sends that traffic over to my squid proxy port. This is working fine and the fwd rule above does definitely match.

However, the issue I'm seeing is that ipfw fwd not only sends the packet out to the squid proxy but ALSO sends it out to the original destination, causing all sorts of issues for my client because it messes up the TCP flow/handshaking.

To be more clear, what I see is when client 192.168.1.3 makes a request on port 80… my FreeBSD box receives it, then forwards it to squid but also sends it out to the original destination, so for every packet coming to port 80 I see two going out.

To debug this problem a bit further I stopped squid, and set up "nc -l 8080" to catch incoming requests via the fwd.

Doing a tcpdump I see:

192.168.1.3.57653 > s3-us-west-1.amazonaws.com.http: Flags [S], cksum 0x9385 (correct), seq 1939422713, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1149232947 ecr 0,sackOK,eol], length 0
13:14:16.209753 IP (tos 0x0, ttl 64, id 10951, offset 0, flags [DF], proto TCP (6), length 60)
    s3-us-west-1.amazonaws.com.http > 192.168.1.3.57653: Flags [S.], cksum 0xe4da (incorrect -> 0x8343), seq 3934654233, ack 1939422714, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1794161828 ecr 1149232947], length 0

Netcat catches the HTTP GET request (I can see it in netcat's console), but the above tcpdump definitely tells me that the request was also sent to AWS itself; this is implied by the fact that AWS responded back to the original IP (192.168.1.3).

When I have squid running I see the same thing in the above tcpdump but also communication between my FreeBSD box IP 192.168.1.6 and the requested http site.

Why is this happening? Is this a bug?
-Adonis

From owner-freebsd-ipfw@freebsd.org Wed May 25 19:27:15 2016
From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
To: "Andrey V. Elsukov", freebsd-ipfw
Cc: luigi@FreeBSD.org, "Alexander V. Chernikov"
Subject: Re: [RFC] ipfw named states support
Date: Wed, 25 May 2016 22:26:58 +0300
Message-ID: <52cb33e1-91bf-b1f0-6e8d-943241c90a07@FreeBSD.org>
In-Reply-To: <573C803E.5020600@FreeBSD.org>

On 18.05.2016 17:46, Andrey V. Elsukov wrote:

> 1. Is this feature useful?
IMHO, yes.

> 2. How to commit it? Due to changed syntax it can break existing
> rulesets. Probably, we can add some mandatory prefix to state name, e.g.
> ':'.
How about simply disabling names which are keywords? Like variable names in a conventional programming language.

-- 
// Lev Serebryakov
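To make the compatibility question concrete, here is an added example that is not part of the patch under discussion nor of any message in this thread. It implements the two disambiguation rules proposed so far for the new check-state/keep-state argument (the full syntax from Andrey's RFC is quoted in Dmitry's reply below): Lev's rule that a state name may not be an ipfw keyword, so a keyword after keep-state is read as the next rule option exactly as today, and the RFC's mandatory ':' prefix. The keyword set is an illustrative subset of ipfw(8) rule options, not the full grammar, and the policy names "reserved" and "prefix" are this example's own.

```python
"""Resolve the state-name argument of the proposed ipfw syntax
    check-state { token | default | any }
    keep-state  { token | default }
under two disambiguation policies.  Added example, not the patch under
review; the policy names and the keyword subset are this example's own."""
import re

# Illustrative subset of ipfw(8) rule options that an existing ruleset may
# legitimately place right after keep-state / check-state.  Not the full grammar.
IPFW_KEYWORDS = {
    "in", "out", "via", "xmit", "recv", "setup", "established", "frag",
    "log", "logamount", "limit", "uid", "gid", "jail", "tagged", "tcpflags",
    "icmptypes", "dst-port", "src-port", "dst-ip", "src-ip", "proto",
    "verrevpath", "antispoof", "diverted", "keep-state", "check-state",
}
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
STATE_OPCODES = ("keep-state", "check-state")


def resolve_state_name(tokens, idx, policy):
    """tokens[idx] is keep-state or check-state.  Decide whether tokens[idx+1]
    names a state and return (name, consumed), consumed being 1 or 2.

    "reserved": a bare word names a state unless it is an ipfw keyword
                (Lev's suggestion), so legacy rules parse unchanged.
    "prefix":   a name must carry the RFC's ':' prefix; anything else is
                the next rule option.
    """
    opcode = tokens[idx]
    nxt = tokens[idx + 1] if idx + 1 < len(tokens) else None
    literals = ("default", "any") if opcode == "check-state" else ("default",)
    if nxt is None:
        return "default", 1
    if nxt in literals:
        return nxt, 2
    if policy == "prefix":
        if nxt.startswith(":") and NAME_RE.match(nxt[1:]):
            return nxt[1:], 2
        return "default", 1
    if policy == "reserved":
        if nxt in IPFW_KEYWORDS or not NAME_RE.match(nxt):
            return "default", 1
        return nxt, 2
    raise ValueError("unknown policy %r" % policy)


def parse_rule(rule, policy):
    """Split an 'add ...' rule into action, state opcode/name and the options
    that follow the state opcode.  A trailing '// comment' is dropped first."""
    tokens = rule.split("//")[0].split()
    if tokens and tokens[0] == "add":
        tokens = tokens[1:]
    result = {"action": tokens[0] if tokens else None,
              "state_opcode": None, "state_name": None, "rest": []}
    for i, tok in enumerate(tokens):
        if tok in STATE_OPCODES:
            name, used = resolve_state_name(tokens, i, policy)
            result["state_opcode"] = tok
            result["state_name"] = name
            result["rest"] = tokens[i + used:]
            break
    return result


def compare_policies(rules):
    """Parse each rule under both policies.  Rules whose state name differs are
    exactly the ones an existing ruleset would read differently after the
    syntax change, so this is the check to run over a ruleset before upgrading."""
    return {rule: (parse_rule(rule, "reserved")["state_name"],
                   parse_rule(rule, "prefix")["state_name"])
            for rule in rules}


if __name__ == "__main__":
    # Constructed rules covering the cases that matter for compatibility.
    for rule, names in compare_policies([
        "add allow tcp from any to me 22 setup keep-state",
        "add allow udp from me to any 53 keep-state in via em0",
        "add allow tcp from any to me 22 setup keep-state ssh",
        "add allow tcp from any to me 22 setup keep-state :ssh",
        "add check-state any",
    ]).items():
        print("%-60s reserved=%-8s prefix=%s" % (rule, names[0], names[1]))
```

Under "reserved", `keep-state in via em0` keeps its old meaning because `in` is a keyword, while `keep-state ssh` becomes a named state; under "prefix", `ssh` is rejected as a name and is left for the option parser to complain about, which is the explicit break the RFC worried about.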
From owner-freebsd-ipfw@freebsd.org Thu May 26 10:55:19 2016
From: Dmitry Selivanov
To: "Andrey V. Elsukov", freebsd-ipfw
Subject: Re: [RFC] ipfw named states support
Date: Thu, 26 May 2016 13:11:13 +0300
In-Reply-To: <573C803E.5020600@FreeBSD.org>

18.05.2016 17:46, Andrey V. Elsukov wrote:
> We have the patch that adds named states support to ipfw.
> The idea is that we add a symbolic name-label to each dynamic state in
> addition to IP addresses, protocol and ports.
> This introduces new syntax for check-state and keep-state rules:
>
> check-state { token | default | any }
> keep-state { token | default }

> 1. Is this feature useful?
Yes.

> 2. How to commit it? Due to changed syntax it can break existing
> rulesets. Probably, we can add some mandatory prefix to state name, e.g.
> ':'.
Maybe create a new opcode, e.g. "save-state", and deprecate "keep-state" with "save-state default".

I'm sorry, I didn't understand what Lev Serebryakov suggests, and I may be duplicating his suggestion.

Maybe it makes sense to add a "search-state" option and use it instead of the "check-state" action. E.g. "allow dst-port 80 search-state NAME".

From owner-freebsd-ipfw@freebsd.org Thu May 26 14:29:15 2016
From: Julian Elischer
To: Adonis Peralta, freebsd-ipfw@freebsd.org
Subject: Re: ipfw fwd sends to port but also through gateway
Date: Thu, 26 May 2016 22:28:58 +0800
Message-ID: <98c5b4fe-151f-1be1-7d29-89a89c5616ec@freebsd.org>
In-Reply-To: <9227BA17-B289-494D-8A82-603DB1B35457@gmail.com>

On 26/05/2016 2:03 AM,
Adonis Peralta wrote:
> Hi all,
>
> I am noticing something weird in regards to ipfw forwarding when I am attempting to set up squid web proxying.
>
> Here is the info:
>
> ipfw rule: ipfw -q add fwd 127.0.0.1,8080 tcp from 192.168.1.0/24{1-5,7-254} to any dst-port 80 in via igb0 //I exclude the server's IP 192.168.1.6 here to prevent a loop
> Squid proxy: running on localhost (127.0.0.1) port 8080.
> FreeBSD box IP: 192.168.1.6
> Router box: 192.168.1.1
>
> Essentially, when any IP (not my FreeBSD IP) makes a request to port 80, my router will route that IP using policy-based routing to my FreeBSD box. Then the ipfw fwd rule above sends that traffic over to my squid proxy port. This is working fine and the fwd rule above does definitely match.
> However, the issue I'm seeing is that ipfw fwd not only sends the packet out to the squid proxy but ALSO sends it out to the original destination, causing all sorts of issues for my client because it messes up the TCP flow/handshaking.
>
> To be more clear, what I see is when client 192.168.1.3 makes a request on port 80… my FreeBSD box receives it, then forwards it to squid but also sends it out to the original destination, so for every packet coming to port 80 I see two going out.
>
> To debug this problem a bit further I stopped squid, and set up "nc -l 8080" to catch incoming requests via the fwd.
>
> Doing a tcpdump I see:
>
> 192.168.1.3.57653 > s3-us-west-1.amazonaws.com.http: Flags [S], cksum 0x9385 (correct), seq 1939422713, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1149232947 ecr 0,sackOK,eol], length 0
> 13:14:16.209753 IP (tos 0x0, ttl 64, id 10951, offset 0, flags [DF], proto TCP (6), length 60)
>     s3-us-west-1.amazonaws.com.http > 192.168.1.3.57653: Flags [S.], cksum 0xe4da (incorrect -> 0x8343), seq 3934654233, ack 1939422714, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1794161828 ecr 1149232947], length 0
>
> Netcat catches the HTTP GET request (I can see it in netcat's console), but the above tcpdump definitely tells me that the request was also sent to AWS itself; this is implied by the fact that AWS responded back to the original IP (192.168.1.3).
>
> When I have squid running I see the same thing in the above tcpdump but also communication between my FreeBSD box IP 192.168.1.6 and the requested http site.
>
> Why is this happening? Is this a bug?

Definitely sounds like a bug. The fwd rule is supposed to terminate the search. Can you confirm that a matching rule following the fwd does not see the packet continuing on? I used it for many years and it acted as expected.

Is there any rule you can add that catches the outgoing extra packet and blocks it (as a work-around)?

What does squid's outgoing packet look like? Is it masquerading the client or is it using its own address?

> -Adonis
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
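Two facts a practitioner would check before reading a capture like the one above as proof that the packet also left for the origin server: ipfw(8) documents that fwd does not modify the packet, so a connection the local stack accepts through a fwd rule answers with the original destination address as its source (this is what transparent proxying relies on); and tcpdump reports the checksum of a packet built by the capturing host as "incorrect" when the NIC is left to fill it in (checksum offloading), which does not happen to a packet received from the wire. The Python below is an added example, not code from anyone in this thread. It parses tcpdump -v records of the shape posted above and tags each handshake packet by origin. The capture is constructed: the first handshake reproduces the two posted lines with a header line added for the SYN (ttl 63 is an assumption, the SYN having come through the router), and the second handshake, from 192.168.1.6:40001 to the origin server, is invented to show the contrasting case of a connection that really does go out.

```python
"""Tag the packets of a tcpdump -v capture by origin.

A packet the capturing host builds itself shows up with an 'incorrect'
TCP checksum when the NIC is left to fill it in (checksum offloading);
a packet received from the wire was checksummed by its sender.  Added
example, not code from the thread; SAMPLE_CAPTURE is constructed."""
import re

# "13:14:16.209753 IP (tos 0x0, ttl 64, id 10951, ...)"
HDR_RE = re.compile(r"^\S+ IP \(tos \S+, ttl (?P<ttl>\d+),")
# "    src.port > dst.port: Flags [S.], cksum 0x.. (incorrect -> 0x..), seq N, ack M, ..."
PKT_RE = re.compile(
    r"^\s*(?P<src>\S+)\.(?P<sport>[^\s.:]+) > (?P<dst>\S+)\.(?P<dport>[^\s.:]+): "
    r"Flags \[(?P<flags>[^\]]*)\], cksum 0x[0-9a-fA-F]+ \((?P<ck>correct|incorrect)[^)]*\), "
    r"seq (?P<seq>\d+)(?:, ack (?P<ack>\d+))?"
)

# Records 1-2: the posted SYN / SYN-ACK, with a header line added for the SYN
# (ttl 63 assumed).  Records 3-4: invented; the proxy host's own connection to
# the origin server, where the SYN is local and the SYN-ACK arrives from the wire.
SAMPLE_CAPTURE = """\
13:14:16.209501 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.3.57653 > s3-us-west-1.amazonaws.com.http: Flags [S], cksum 0x9385 (correct), seq 1939422713, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1149232947 ecr 0,sackOK,eol], length 0
13:14:16.209753 IP (tos 0x0, ttl 64, id 10951, offset 0, flags [DF], proto TCP (6), length 60)
    s3-us-west-1.amazonaws.com.http > 192.168.1.3.57653: Flags [S.], cksum 0xe4da (incorrect -> 0x8343), seq 3934654233, ack 1939422714, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1794161828 ecr 1149232947], length 0
13:14:16.301000 IP (tos 0x0, ttl 64, id 10952, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.6.40001 > s3-us-west-1.amazonaws.com.http: Flags [S], cksum 0x1111 (incorrect -> 0x2222), seq 111, win 65535, options [mss 1460], length 0
13:14:16.390000 IP (tos 0x0, ttl 48, id 7, offset 0, flags [DF], proto TCP (6), length 60)
    s3-us-west-1.amazonaws.com.http > 192.168.1.6.40001: Flags [S.], cksum 0x3333 (correct), seq 222, ack 112, win 28960, options [mss 1460], length 0
"""


def parse_capture(text):
    """Parse tcpdump -v TCP records: a header line followed by the flow line."""
    pkts, ttl = [], None
    for line in text.splitlines():
        h = HDR_RE.match(line)
        if h:
            ttl = int(h.group("ttl"))
            continue
        p = PKT_RE.match(line)
        if not p:
            continue
        pkts.append({
            "src": (p["src"], p["sport"]), "dst": (p["dst"], p["dport"]),
            "flags": p["flags"], "cksum_ok": p["ck"] == "correct",
            "seq": int(p["seq"]), "ack": int(p["ack"]) if p["ack"] else None,
            "ttl": ttl,
        })
        ttl = None
    return pkts


def origin(pkt):
    """'local' when the checksum was still unfilled at capture time (built by
    this host, offloaded to the NIC), 'wire' otherwise.  A genuinely corrupt
    packet from the wire would also read 'incorrect', so this is evidence, not proof."""
    return "local" if not pkt["cksum_ok"] else "wire"


def handshake_report(text):
    """One entry per client->server SYN: how many copies of the SYN were
    captured, where the SYN came from, and where its SYN-ACK was built."""
    pkts = parse_capture(text)
    report, seen = [], {}
    for p in pkts:
        if p["flags"] != "S":
            continue
        key = (p["src"], p["dst"])
        if key in seen:
            report[seen[key]]["syn_copies"] += 1
            continue
        reply = next((q for q in pkts if q["flags"] == "S." and q["src"] == p["dst"]
                      and q["dst"] == p["src"] and q["ack"] == p["seq"] + 1), None)
        seen[key] = len(report)
        report.append({
            "client": "%s:%s" % p["src"], "server": "%s:%s" % p["dst"],
            "syn_copies": 1, "syn_origin": origin(p),
            "synack_origin": origin(reply) if reply else None,
            "synack_ttl": reply["ttl"] if reply else None,
        })
    return report


if __name__ == "__main__":
    for row in handshake_report(SAMPLE_CAPTURE):
        print(row)
```

On the posted capture the client's SYN is seen once and its SYN-ACK, although it carries the origin server's address, is tagged local with ttl 64; the only handshake whose SYN-ACK arrives from the wire is the one the proxy host opens itself. The definitive check is still the one Julian asks for: an ipfw `count` rule placed directly after the fwd rule, whose counter must stay at zero.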