Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 21 Jul 2010 21:52:31 +0200
From:      Spil Oss <spil.oss@gmail.com>
To:        freebsd-ipfw@freebsd.org, freebsd-stable@freebsd.org, snasonov@bcc.ru
Subject:   Re: Changes to ipfw in 8.1
Message-ID:  <AANLkTinZmQ2sjIAwvcKv62nWvKlODtkFCvh32sbC2-k3@mail.gmail.com>
In-Reply-To: <AANLkTimDth1nShNSrCY_OPjqNELl8oWFD54_hdIKtN-j@mail.gmail.com>
References:  <AANLkTin6Ao8etOxX180N1NcI7M20eYFCO1ooCMREk7pg@mail.gmail.com> <AANLkTimDth1nShNSrCY_OPjqNELl8oWFD54_hdIKtN-j@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Hi Sergey,

I'm dumbstruck!

Switching 'ip' to 'ip4' in both the divert rules fixed my problem.
Personally I think that should go into the UPDATING file as well. I
wouldn't have found it if you hadn't told me!

Many thanks,

Spil.

On Wed, Jul 21, 2010 at 9:08 PM, Spil Oss <spil.oss@gmail.com> wrote:
> Hi Sergey,
>
> Has the change from ip to ip4 solved the problem for you? The
> documentation states that proto 'ip' is the same as 'all' "Matches any
> packet."
>
> Rule # 60
> =A0 =A0 $cmd 060 skipto 1000 ip6 from any to any
> will have already skipped to the ipv6 rules block thus proto 'ip'
> should always match remaining packets.
>
> Meanwhile I found bug 148137 [ipfw] call order of natd and ipfw startup s=
cripts
> http://www.freebsd.org/cgi/query-pr.cgi?pr=3D148137&cat=3Dconf
> Don't know if that's directly related, but it may be worth a try to
> revert back to the RELENG_8_0 script.
>
> Will let you now my findings.
>
> Kind regards,
>
> Spil.
>
>
> On Wed, Jul 21, 2010 at 2:57 PM, Sergey G Nasonov <snasonov@bcc.ru> wrote=
:
>> Hello Spill,
>>
>> I have get the same trouble after updating my 8.0 Stable. I thing you ne=
ed
>> modify some firewall rules.
>>
>> Please change
>>
>> $cmd 100 divert natd ip from any to any in via $pif # Mangle inbound
>>
>> to
>>
>> $cmd 100 divert natd ip4 from any to any in via $pif # Mangle inbound
>>
>> and
>>
>> $cmd 500 divert natd ip from any to any out via $pif
>>
>> to
>>
>> $cmd 500 divert natd ip4 from any to any out via $pif
>>
>> accordingly.
>>
>> --
>>
>> Best Regards,
>>
>> Nasonov Sergey
>
>
> On Wed, Jul 21, 2010 at 11:40 AM, Spil Oss <spil.oss@gmail.com> wrote:
>> Hi,
>>
>> Testing FreeBSD 8.1 I noticed that I seem to have routing or nat or
>> firewall issues. (csupped RELENG_8_1 which was -RELEASE not -RC last
>> night?)
>> - 8.1 booted fine
>> - connections from the system itself were fine
>> - connections from my jails to the internet were not working
>> - connections from my LAN/WLAN to the internet were not working
>> Reverting back to 8.0-p2 with the same configuration works fine.
>>
>> In UPDATING I see that rc.firewall and rc.firewall6 were unified.
>>
>> Setup is
>> - xl0 connected to internet/public IP via dhcp
>> - bge0/wlan0(ath0) connected to LAN
>> - jails have ip's on bge0 in the same subnet as the LAN
>> - allow all from any to any via bge0|wlan0|lo0
>> - NAT using natd
>>
>> My guess is that something's changed to ipfw that is affecting my
>> network settings. Any clues where I went wrong?
>>
>> Help appreciated/ Kind regards,
>>
>> Spil.
>>
>> rc.conf:
>> firewall_enable=3D"YES"
>> firewall_script=3D"/etc/ipfw.rules"
>>
>> natd.conf
>> interface xl0
>> dynamic yes
>> same_ports yes
>> # http/https to http jail
>> redirect_port tcp 192.168.2.3:80 80
>> redirect_port tcp 192.168.2.3:443 443
>>
>> Part of /etc/ipfw.rules
>> #!/bin/sh
>> cmd=3D"ipfw -q add"
>> skip=3D"skipto 500"
>> pif=3Dxl0
>> pif6=3Dgif0
>> ext6=3D"2001:dead:beef:1::1"
>> ks=3D"keep-state"
>>
>> ipfw -q -f flush
>>
>> # Allow internal traffic
>> $cmd 002 allow all from any to any via bge0 # exclude LAN traffic
>> $cmd 003 allow all from any to any via lo0 =A0# exclude loopback traffic
>> $cmd 004 allow all from any to any via wlan0 # exclude WLAN traffic
>> $cmd 005 allow all from any to any via bridge0 # exclude WLAN traffic
>> $cmd 006 allow all from any to any via tun0 # exclude WLAN traffic
>>
>> # Allow all encapulated IPv6 to/from tunnel PoP
>> $cmd 010 allow ip4 from <tunnel-provider-ipv4> to me via $pif
>> $cmd 010 allow ip4 from me to <tunnel-provider-ipv4> via $pif
>>
>> # Black-hole some stuff using tables
>> $cmd 050 drop ip from "table(17)" to any in via $pif
>> $cmd 050 drop ip from any to "table(17)" out via $pif
>>
>> # Separate IPv6 rules (no NAT!)
>> $cmd 060 skipto 1000 ip6 from any to any
>>
>> $cmd 100 divert natd ip from any to any in via $pif # Mangle inbound
>> packets from external
>> $cmd 101 check-state
>>
>> # Authorized outbound packets
>> $cmd 130 $skip icmp from any to any out via $pif $ks
>> $cmd 150 $skip tcp from any to any out via $pif $ks
>> $cmd 151 $skip udp from any to any out via $pif $ks
>>
>> $cmd 200 allow udp from 10.50.0.1 to me 68 in $ks
>>
>> # Deny all inbound traffic from non-routable reserved address spaces
>> $cmd 300 unreach host all from 192.168.0.0/16 =A0to any in via $pif
>> #RFC 1918 private IP
>> $cmd 301 unreach host all from 172.16.0.0/12 =A0 to any in via $pif
>> #RFC 1918 private IP
>> $cmd 302 unreach host all from 10.0.0.0/8 =A0 =A0 =A0to any in via $pif
>> #RFC 1918 private IP
>> $cmd 303 unreach host all from 127.0.0.0/8 =A0 =A0 to any in via $pif =
=A0#loopback
>> $cmd 304 unreach host all from 0.0.0.0/8 =A0 =A0 =A0 to any in via $pif =
=A0#loopback
>> $cmd 305 unreach host all from 169.254.0.0/16 =A0to any in via $pif
>> #DHCP auto-config
>> $cmd 306 unreach host all from 192.0.2.0/24 =A0 =A0to any in via $pif
>> #reserved for docs
>> $cmd 307 unreach host all from 204.152.64.0/23 to any in via $pif =A0#Su=
n cluster
>> $cmd 308 unreach host all from 224.0.0.0/3 =A0 =A0 to any in via $pif
>> #Class D & E multicast
>>
>> # Deny packets that did not match the dynamic rule table
>> #$cmd 330 deny all from any to any frag in via $pif # All late fragments
>> #$cmd 332 deny tcp from any to any established in via $pif # Deny ACK
>>
>> # Authorized inbound packets
>> $cmd 400 allow icmp from any to any icmptypes 0,11 # echo reply and TTL-=
exceeded
>> $cmd 420 allow tcp from any to me ssh in via $pif setup $ks
>> $cmd 421 allow tcp from any to me smtp in via $pif
>> $cmd 422 allow tcp from any to me http in via $pif
>> $cmd 423 allow tcp from any to me https in via $pif
>> $cmd 424 allow tcp from any to me imaps in via $pif
>>
>> #$cmd 449 unreach host ip from any to any in via $pif
>> $cmd 448 reject log all from any to any in via $pif
>> $cmd 449 reject log all from any to any out via $pif
>> $cmd 450 reject log ip from any to any
>>
>> # This is skipto location for outbound stateful rules
>> $cmd 500 divert natd ip from any to any out via $pif
>> $cmd 510 allow ip from any to any
>>
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTinZmQ2sjIAwvcKv62nWvKlODtkFCvh32sbC2-k3>