From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 1 11:07:10 2011
Date: Mon, 1 Aug 2011 11:07:09 GMT
Message-Id: <201108011107.p71B79Bj014602@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
f kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
f kern/143474  ipfw       [ipfw] ipfw table contains the same address
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
p kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
f kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
f kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

45 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 3 04:29:13 2011
Date: Wed, 3 Aug 2011 04:29:12 GMT
Message-Id: <201108030429.p734TCBq046493@freefall.freebsd.org>
To: eugen@grosbein.pp.ru, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/131817: [ipfw] blocks layer2 packets that should not be blocked

Synopsis: [ipfw] blocks layer2 packets that should not be blocked

State-Changed-From-To: patched->closed
State-Changed-By: ae
State-Changed-When: Wed Aug 3 04:28:48 UTC 2011
State-Changed-Why:
Merged to stable/7 and stable/8. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=131817

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 3 04:30:17 2011
Date: Wed, 3 Aug 2011 04:30:16 GMT
Message-Id: <201108030430.p734UG39046723@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: dfilter@FreeBSD.ORG (dfilter service)
Subject: Re: kern/131817: commit references a PR

The following reply was made to PR kern/131817; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/131817: commit references a PR
Date: Wed, 3 Aug 2011 04:28:06 +0000 (UTC)

Author: ae
Date: Wed Aug 3 04:27:47 2011
New Revision: 224622
URL: http://svn.freebsd.org/changeset/base/224622

Log:
  MFC r223753:
    ARP code reuses mbuf from ARP request to make a reply, but it does not
    reset rcvif to NULL. Since rcvif is not NULL, ipfw(4) supposes that
    ARP replies were received on specified interface.
    Reset rcvif to NULL for ARP replies to fix this issue.

  PR:		kern/131817

Modified:
  stable/8/sys/netinet/if_ether.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)

Modified: stable/8/sys/netinet/if_ether.c
==============================================================================
--- stable/8/sys/netinet/if_ether.c	Wed Aug 3 03:52:15 2011	(r224621)
+++ stable/8/sys/netinet/if_ether.c	Wed Aug 3 04:27:47 2011	(r224622)
@@ -843,6 +843,7 @@ reply:
 	ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */
 	m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln);
 	m->m_pkthdr.len = m->m_len;
+	m->m_pkthdr.rcvif = NULL;
 	sa.sa_family = AF_ARP;
 	sa.sa_len = 2;
 	(*ifp->if_output)(ifp, m, &sa, NULL);
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
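Review bot: The added `m->m_pkthdr.rcvif = NULL;` is the whole fix, but nothing in the hunk says why a locally built reply needs it: the mbuf being sent is the received request, so `rcvif` still names the ingress interface, and ipfw(4) on the output path then treats the reply as a packet received on that interface (the situation the log message describes). Suggest a one-line comment above the assignment, e.g. `/* reply reuses the request mbuf; it was not received on any interface */`, so the line is not mistaken for a no-op and removed later. `ifp` is still passed to `if_output`, so the transmit interface is unaffected by the reset.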
From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 3 04:30:20 2011
Date: Wed, 3 Aug 2011 04:30:20 GMT
Message-Id: <201108030430.p734UKAT046899@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: dfilter@FreeBSD.ORG (dfilter service)
Subject: Re: kern/131817: commit references a PR

The following reply was made to PR kern/131817; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Subject: Re: kern/131817: commit references a PR
Date: Wed, 3 Aug 2011 04:28:24 +0000 (UTC)

Author: ae
Date: Wed Aug 3 04:28:16 2011
New Revision: 224623
URL: http://svn.freebsd.org/changeset/base/224623

Log:
  MFC r223753:
    ARP code reuses mbuf from ARP request to make a reply, but it does not
    reset rcvif to NULL. Since rcvif is not NULL, ipfw(4) supposes that
    ARP replies were received on specified interface.
    Reset rcvif to NULL for ARP replies to fix this issue.

  PR:		kern/131817

Modified:
  stable/7/sys/netinet/if_ether.c
Directory Properties:
  stable/7/sys/   (props changed)
  stable/7/sys/cddl/contrib/opensolaris/   (props changed)
  stable/7/sys/contrib/dev/acpica/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)

Modified: stable/7/sys/netinet/if_ether.c
==============================================================================
--- stable/7/sys/netinet/if_ether.c	Wed Aug 3 04:27:47 2011	(r224622)
+++ stable/7/sys/netinet/if_ether.c	Wed Aug 3 04:28:16 2011	(r224623)
@@ -981,6 +981,7 @@ reply:
 	ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */
 	m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln);
 	m->m_pkthdr.len = m->m_len;
+	m->m_pkthdr.rcvif = NULL;
 	sa.sa_family = AF_ARP;
 	sa.sa_len = 2;
 	(*ifp->if_output)(ifp, m, &sa, (struct rtentry *)0);
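Review bot: This stable/7 hunk is the identical one-line change to r224622 on stable/8, landing at line 981 instead of 843, and nothing further is needed for the merge itself. The only textual difference is in unchanged context: stable/7 spells the null route argument to `if_output` as `(struct rtentry *)0` where stable/8 has `NULL`, and the MFC correctly leaves that pre-existing line alone. As with the stable/8 hunk, the reset of `rcvif` has no explanation in the code; a one-line comment stating that the reply reuses the request mbuf would keep the reason from living only in the commit log.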
From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 3 10:28:57 2011
Date: Wed, 3 Aug 2011 03:28:56 -0700 (PDT)
From: timp
To: freebsd-ipfw@freebsd.org
Message-ID: <1312367336329-4661905.post@n5.nabble.com>
In-Reply-To: <4E3165ED.1070506@wenks.ch>
Subject: Re: fwd in ipfw module

Do you know a solution (for the GENERIC kernel) that can do port forwarding? I found
/usr/ports/net/rinetd

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 3 10:38:48 2011
Message-ID: <4E392535.6090309@yandex.ru>
Date: Wed, 03 Aug 2011 14:38:45 +0400
From: "Andrey V. Elsukov"
To: timp
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <1312367336329-4661905.post@n5.nabble.com>
Subject: Re: fwd in ipfw module

On 03.08.2011 14:28, timp wrote:
> Do you know a solution (for the GENERIC kernel) that can do port forwarding? I found
> /usr/ports/net/rinetd

You can use pf(4).

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 3 10:57:31 2011
Date: Wed, 3 Aug 2011 03:57:30 -0700 (PDT)
From: timp
To: freebsd-ipfw@freebsd.org
In-Reply-To: <4E392535.6090309@yandex.ru>
Subject: Re: fwd in ipfw module

Thanks! Thank you, we will take a look.

2011/8/3 Andrey V. Elsukov [via FreeBSD] <ml-node+4661936-1733336988-160842@n5.nabble.com>

> On 03.08.2011 14:28, timp wrote:
> > Do you know a solution (for the GENERIC kernel) that can do port forwarding? I found
> > /usr/ports/net/rinetd
>
> You can use pf(4).
>
> --
> WBR, Andrey V. Elsukov
From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 3 20:13:17 2011
Date: Wed, 3 Aug 2011 23:01:13 +0300
From: Zeus V Panchenko
To: freebsd-ipfw@freebsd.org
Message-ID: <20110803200113.GC6930@relay.ibs.dn.ua>
Reply-To: zeus@ibs.dn.ua
X-Operating-System: FreeBSD 8.1-RELEASE
Subject: weird results while ipsec + ipfv_nat (nat before vpn)

Hi,

I am facing a situation that is weird to me; may somebody agree to help me win it, please?

We need to see some http/s resources behind the Cisco PIX IPSEC.
I'm trying to get this schema working:

SCHEMA (`nat before vpn', as I believe):
--------------

   +-> a.a.0.1/16 LAN
   |
   +-> a.a.a.2/24 FreeBSD b.b.b.1  <->  c.c.c.1/24 IPSEC PEER PIX
                          |                  |
                          + x.x.x.x <-------> y.y.y.y +

CONFIGURATION:
--------------
> uname -a
FreeBSD 8.2-STABLE #3: Tue Aug 2 15:39:33 EEST 2011 i386

> cat /etc/rc.conf
...
gateway_enable="YES"
cloned_interfaces="gif0"
ifconfig_bge0="inet x.x.x.x/25"
ifconfig_bge1="inet a.a.a.2/24"
ifconfig_gif0="inet b.b.b.1 c.c.c.1 tunnel x.x.x.x y.y.y.y"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
ipfw_enable="YES"
ipfw_nat_enable="YES"
...

In the kernel I have:
options IPSEC
options IPSEC_DEBUG
device crypto
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=200
options IPDIVERT
options LIBALIAS

> cat /usr/local/etc/racoon/setkey.conf
flush;
spdflush;
spdadd b.b.b.1 c.c.c.0/24 any -P out ipsec \
  esp/tunnel/x.x.x.x-y.y.y.y/require;
spdadd c.c.c.0/24 b.b.b.1 any -P in ipsec \
  esp/tunnel/y.y.y.y-x.x.x.x/require;

> cat /etc/ipfw.conf
...
add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
add 000402 allow udp from y.y.y.y to x.x.x.x isakmp
add 000403 allow { esp or ipencap } from x.x.x.x to y.y.y.y
add 000404 allow { esp or ipencap } from y.y.y.y to x.x.x.x

add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
nat 100 config log if bge1 ip b.b.b.1 reverse

WHAT I DO:
--------------
1) trying to ping the IPSEC PEER from the LAN

user@a.a.a.20> ping c.c.c.1

c.c.c.1 reply packets are coming in and are decrypted, but the replies
don't reach the ping initiator a.a.a.20.

Box a.a.a.20 reports these ping statistics:
450 packets transmitted, 0 packets received, 100.0% packet loss

At the FreeBSD box I see:

user@FreeBSD> tcpdump -n -i gif0 host c.c.c.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
...
13:27:18.122542 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2903, length 64
13:27:19.123275 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2904, length 64
13:27:20.124517 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2905, length 64
13:27:21.125568 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2906, length 64

On the WAN I see this:

user@FreeBSD> tcpdump -n -i bge0 esp
...
00:00:00.635862 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x7), length 132
00:00:00.024467 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x7), length 132
00:00:00.635567 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x8), length 132
00:00:00.024689 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x8), length 132
00:00:00.636724 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x9), length 132
00:00:00.024286 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x9), length 132

So, IPsec and ipfw_nat out work, but where are the reply packets
disappearing to after coming in on the gif0 interface? Why does no
backward divert occur?

2) trying to ping the IPSEC PEER from the FreeBSD box

user@b.b.b.1> ping c.c.c.1

Everything works, since no nat occurs ...

user@b.b.b.1> tcpdump -n -i gif0 host c.c.c.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
13:45:56.759567 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 213, length 64
13:45:57.760745 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 214, length 64
13:45:58.762787 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 215, length 64
13:45:59.765493 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 216, length 64
13:46:00.764619 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 217, length 64
13:46:01.765676 IP c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 218, length 64

user@b.b.b.1> tcpdump -n -ettt -s0 -i bge0 host y.y.y.y
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan11, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:00.635862 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x7), length 132
00:00:00.024467 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x7), length 132
00:00:00.635567 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x8), length 132
00:00:00.024689 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x8), length 132
00:00:00.636724 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: ESP(spi=0xad597f86,seq=0x9), length 132
00:00:00.024286 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: ESP(spi=0x060bc3e3,seq=0x9), length 132

So, is it possible to get it working? If yes, where is my mistake, please?

-- 
Zeus V. Panchenko
JID:zeus@gnu.org.ua
GMT+2 (EET)

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 4 05:43:34 2011
Date: Thu, 4 Aug 2011 15:22:38 +1000 (EST)
From: Ian Smith
To: Zeus V Panchenko
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <20110803200113.GC6930@relay.ibs.dn.ua>
Message-ID: <20110804145842.E42715@sola.nimnet.asn.au>
Subject: Re: weird results while ipsec + ipfv_nat (nat before vpn)

On Wed, 3 Aug 2011, Zeus V Panchenko wrote:
[..]

I can't comment on your ipsec setup at all, but:

> > cat /etc/ipfw.conf
> ...
>
> add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
> add 000402 allow udp from y.y.y.y to x.x.x.x isakmp
> add 000403 allow { esp or ipencap } from x.x.x.x to y.y.y.y
> add 000404 allow { esp or ipencap } from y.y.y.y to x.x.x.x
>
> add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
> nat 100 config log if bge1 ip b.b.b.1 reverse

Although ipfw(8) doesn't explicitly say so - unlike natd(8) - I believe
that you need to specify either 'if bge1' or 'ip b.b.b.1', but not both.

> So, IPsec and ipfw_nat out work, but where are the reply packets
> disappearing to after coming in on the gif0 interface? Why does no
> backward divert occur?

Try 'ipfw nat show config' to see how ipfw thinks nat is configured, and
maybe 'ipfw show' to check that all your other rules match ipfw.conf

cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 4 12:51:00 2011
Date: Thu, 4 Aug 2011 15:50:55 +0300
From: Zeus V Panchenko
To: Ian Smith
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20110804125055.GA33376@relay.ibs.dn.ua>
In-Reply-To: <20110804145842.E42715@sola.nimnet.asn.au>
Reply-To: zeus@ibs.dn.ua
Subject: Re: weird results while ipsec + ipfv_nat (nat before vpn)

Ian Smith (smithi@nimnet.asn.au) [11.08.04 08:44] wrote:
> On Wed, 3 Aug 2011, Zeus V Panchenko wrote:
> [..]
>
> Although ipfw(8) doesn't explicitly say so - unlike natd(8) - I believe
> that you need to specify either 'if bge1' or 'ip b.b.b.1', but not both.
>
> > So, IPsec and ipfw_nat out work, but where are the reply packets
> > disappearing to after coming in on the gif0 interface? Why does no
> > backward divert occur?
>
> Try 'ipfw nat show config' to see how ipfw thinks nat is configured, and
> maybe 'ipfw show' to check that all your other rules match ipfw.conf
>

You are right, ipfw thinks about nat this way:

# ipfw nat show config
ipfw nat 100 config if bge1 log reverse

I have tried both combinations and still no result:

1. with `if' I see `incorrect' (LAN IP) traffic on gif0
2. with `ip' I see only IPsec peer replies and no back divert
3. but with both options I see the same as in p.2

Any further idea?

-- 
Zeus V. Panchenko
JID:zeus@gnu.org.ua
GMT+2 (EET)
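The check Ian suggests (compare what `ipfw nat show config` reports with what /etc/ipfw.conf asked for) and the `if`/`ip` conflict Zeus then confirmed can be scripted so it is caught before the tunnel is debugged packet by packet. The Python below is an added example, not code from the thread or from FreeBSD: it parses `nat N config` lines using the keyword set documented in ipfw(8) for FreeBSD 8.x (that keyword list is an assumption about that version), flags a line that names both `if` and `ip` as the alias-address source, and diffs the intended line against the live one. The function names and the two sample lines, which are constructed copies of the lines posted in this thread, are mine; the script only parses text and does not run ipfw(8).

```python
"""Sanity-check an ipfw(8) in-kernel NAT instance definition.

Two checks the thread calls for:
  * flag a 'nat N config' line that names both 'if <nic>' and 'ip <addr>'
    as the alias-address source (use one or the other);
  * compare the line put in /etc/ipfw.conf with what the kernel reports
    via 'ipfw nat show config' (in the thread the live line had lost 'ip').

Added example, not code from the thread.  It only parses text and does not
talk to ipfw(8), so it runs anywhere.  The sample lines at the bottom are
constructed copies of the two lines posted in the thread.
"""

# 'nat N config' keywords as documented in ipfw(8) for FreeBSD 8.x (assumed
# keyword set).  Flags stand alone; the others take at least the listed
# number of arguments.
_NAT_FLAGS = {"log", "deny_in", "same_ports", "unreg_only", "reset",
              "reverse", "proxy_only"}
_NAT_MIN_ARGS = {"ip": 1, "if": 1, "redirect_addr": 2,
                 "redirect_port": 3, "redirect_proto": 2}
_KNOWN = _NAT_FLAGS | set(_NAT_MIN_ARGS)


def parse_nat_config(line):
    """Parse one 'nat N config ...' line, with or without a leading 'ipfw'.

    Returns (instance, options): flags map to True, 'ip'/'if' to their
    argument, and each redirect_* keyword to a list of its argument strings
    (they may repeat).  Raises ValueError for anything that is not a NAT
    config statement or that uses an unknown keyword.
    """
    tokens = line.split()
    if tokens[:1] == ["ipfw"]:
        tokens = tokens[1:]
    if len(tokens) < 3 or tokens[0] != "nat" or tokens[2] != "config":
        raise ValueError("not a 'nat N config' line: %r" % line)
    instance = int(tokens[1])
    options = {}
    i = 3
    while i < len(tokens):
        kw = tokens[i]
        if kw in _NAT_FLAGS:
            options[kw] = True
            i += 1
        elif kw in _NAT_MIN_ARGS:
            # Consume arguments up to the next keyword; redirect_proto takes
            # a variable number, so a fixed count would misparse it.
            j = i + 1
            while j < len(tokens) and tokens[j] not in _KNOWN:
                j += 1
            args = tokens[i + 1:j]
            if len(args) < _NAT_MIN_ARGS[kw]:
                raise ValueError("'%s' needs at least %d argument(s)"
                                 % (kw, _NAT_MIN_ARGS[kw]))
            if kw.startswith("redirect_"):
                options.setdefault(kw, []).append(" ".join(args))
            elif len(args) != 1:
                raise ValueError("'%s' takes exactly one argument" % kw)
            else:
                options[kw] = args[0]
            i = j
        else:
            raise ValueError("unknown nat config keyword %r" % kw)
    return instance, options


def check_nat_config(line):
    """Return a list of warnings about the alias-address options of one line."""
    _, opts = parse_nat_config(line)
    warnings = []
    if "if" in opts and "ip" in opts:
        warnings.append(
            "both 'if %s' and 'ip %s' given; pick one alias-address source "
            "(in this thread the kernel echoed back only 'if')"
            % (opts["if"], opts["ip"]))
    if "if" not in opts and "ip" not in opts:
        warnings.append("neither 'if' nor 'ip' given; no alias address set")
    return warnings


def diff_nat_config(intended_line, live_line):
    """Compare the line you loaded with what 'ipfw nat show config' prints.

    Returns {keyword: (intended_value, live_value)} for every keyword that
    differs; None means the keyword is absent on that side.
    """
    n_intended, a = parse_nat_config(intended_line)
    n_live, b = parse_nat_config(live_line)
    if n_intended != n_live:
        raise ValueError("instance numbers differ: %d vs %d"
                         % (n_intended, n_live))
    return {kw: (a.get(kw), b.get(kw))
            for kw in sorted(set(a) | set(b)) if a.get(kw) != b.get(kw)}


# Constructed copies of the two lines in the thread: the one from
# /etc/ipfw.conf and the one 'ipfw nat show config' printed back.
INTENDED = "nat 100 config log if bge1 ip b.b.b.1 reverse"
LIVE = "ipfw nat 100 config if bge1 log reverse"

if __name__ == "__main__":
    for w in check_nat_config(INTENDED):
        print("warning:", w)
    for kw, (want, have) in diff_nat_config(INTENDED, LIVE).items():
        print("mismatch: %s intended=%r live=%r" % (kw, want, have))
```

Run against the thread's two lines it warns that both `if bge1` and `ip b.b.b.1` were given and reports `ip` as intended but absent live, which is exactly the discrepancy Zeus saw; feeding it the `nat ... config` line from your own ipfw.conf and the output of `ipfw nat show config` turns Ian's manual comparison into a one-shot check.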