Date: Sun, 3 Sep 2017 08:54:53 +1000
From: Graham Menhennitt <graham@menhennitt.com.au>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW NAT behaviour different on 10-Stable versus 11-Stable [SOLVED]
Message-ID: <026e695f-4fb7-7c86-fddb-e49ccdcbdcda@menhennitt.com.au>
In-Reply-To: <20170902202655.T23641@sola.nimnet.asn.au>
References: <e0f5f6bb-490e-ba36-25dc-c510bcae8c53@menhennitt.com.au> <20170902202655.T23641@sola.nimnet.asn.au>
On 02/09/2017 20:46, Ian Smith wrote:
> On Sat, 2 Sep 2017 11:44:51 +1000, Graham Menhennitt wrote:
>
> > I have a problem that seems to be a difference between ipfw/NAT
> > behaviour in 10-Stable versus 11-Stable. I have two servers: one running
> > 10-Stable and one running 11-Stable. I'm using the same rule set on both
> > (see below). It works correctly on 10-Stable but not on 11.
> >
> > The problem is seen on two places: an outgoing SMTP connection on port
> > 465, and an incoming to an IMAP server on port 993. In both cases, there
> > are lost packets and retransmissions. See below for a tshark capture of
> > one attempted SMTP session.
> >
> > Setting sysctl net.inet.ip.fw.one_pass to one or zero makes no
> > difference. Deleting the sshguard rule (table 22) makes no difference.
> > Deleting the nat rule makes everything work for this SMTP session (but
> > breaks the other machines on my network obviously).
> >
> > I have no doubt that I have misconfigured the firewall, but I don't see
> > what. And why is 11 different to 10? Any help would be much appreciated.
> >
> > Thanks in advance,
> >
> > Graham
>
> Mysterious. Unless this is some other networking issue, three thoughts:
>
> 1) given that YYY is your public IP address, are the problematic SMTP
> sessions actually going through NAT at all, or are they initiated from
> YYY directly? If the latter, it's hard to see why removing the NAT rule
> should affect these sessions at all?
>
> 2) does it make any difference if you split the NAT rules into separate
> rules, as per the ipfw(8) 'NAT, REDIRECT AND LSNAT' section in EXAMPLES?
>
> 3) given the tokens used in your ruleset, it appears that you are using
> a preprocessor to substitute values rather than shell variables? If so
> (or even if not) can you confirm that the resulting in-place rulesets
> shown by 'ipfw list' are absolutely identical on both machines?
>
> Just some long shots ..
>
> cheers, Ian
Thanks for replying, Ian.
Well, I solved it. Similarly to my previous problem, the solution was to
disable the TXCSUM option on the interface. So, now the entry in
/etc/rc.conf says:
ifconfig_igb1="DHCP -vlanhwtso -tso4 -txcsum"
And it all works.
Thanks again,
Graham
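As an added example, not part of the thread, a small POSIX shell helper that inspects the `options=` line of `ifconfig` output for the offload flags the fix above turns off (TXCSUM, TSO4, VLAN_HWTSO) and builds the matching rc.conf line. The ifconfig output is a constructed sample, not a capture from either machine, and the `DHCP` keyword is copied from Graham's line, so adjust it for a statically configured interface.

```sh
#!/bin/sh
# Constructed sample of `ifconfig igb1` output (hypothetical interface state).
SAMPLE_IFCONFIG='igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:00:00:00:00:01
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# enabled_offloads: print one enabled capability name per line, taken from
# the options=<hex><NAME,NAME,...> line of the given ifconfig output.
enabled_offloads() {
    printf '%s\n' "$1" | sed -n 's/.*options=[0-9a-f]*<\([^>]*\)>.*/\1/p' | tr ',' '\n'
}

# risky_offloads: of the three flags the thread disables, print those that are on.
risky_offloads() {
    enabled_offloads "$1" | grep -E '^(TXCSUM|TSO4|VLAN_HWTSO)$'
}

# rc_conf_line: build ifconfig_<if>="DHCP ..." with a "-flag" for each enabled
# risky offload, in the same order as the line quoted in the message above.
rc_conf_line() {
    ifname=$1
    output=$2
    flags=""
    for f in VLAN_HWTSO TSO4 TXCSUM; do
        if enabled_offloads "$output" | grep -qx "$f"; then
            case $f in
                VLAN_HWTSO) flags="$flags -vlanhwtso" ;;
                TSO4)       flags="$flags -tso4" ;;
                TXCSUM)     flags="$flags -txcsum" ;;
            esac
        fi
    done
    printf 'ifconfig_%s="DHCP%s"' "$ifname" "$flags"
}

# Stand-alone use: show what is on and the rc.conf line that would turn it off.
risky_offloads "$SAMPLE_IFCONFIG"
rc_conf_line igb1 "$SAMPLE_IFCONFIG"
echo
```

On a live FreeBSD host, replace `$SAMPLE_IFCONFIG` with `"$(ifconfig igb1)"` to check the real interface before editing /etc/rc.conf.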
