Date: Sun, 3 Sep 2017 08:54:53 +1000
From: Graham Menhennitt <graham@menhennitt.com.au>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW NAT behaviour different on 10-Stable versus 11-Stable [SOLVED]
Message-ID: <026e695f-4fb7-7c86-fddb-e49ccdcbdcda@menhennitt.com.au>
In-Reply-To: <20170902202655.T23641@sola.nimnet.asn.au>
References: <e0f5f6bb-490e-ba36-25dc-c510bcae8c53@menhennitt.com.au> <20170902202655.T23641@sola.nimnet.asn.au>
On 02/09/2017 20:46, Ian Smith wrote:
> On Sat, 2 Sep 2017 11:44:51 +1000, Graham Menhennitt wrote:
>
> > I have a problem that seems to be a difference between ipfw/NAT behaviour in 10-Stable versus 11-Stable. I have two servers: one running 10-Stable and one running 11-Stable. I'm using the same rule set on both (see below). It works correctly on 10-Stable but not on 11.
> >
> > The problem is seen in two places: an outgoing SMTP connection on port 465, and an incoming connection to an IMAP server on port 993. In both cases, there are lost packets and retransmissions. See below for a tshark capture of one attempted SMTP session.
> >
> > Setting sysctl net.inet.ip.fw.one_pass to one or zero makes no difference. Deleting the sshguard rule (table 22) makes no difference. Deleting the nat rule makes everything work for this SMTP session (but breaks the other machines on my network, obviously).
> >
> > I have no doubt that I have misconfigured the firewall, but I don't see what. And why is 11 different to 10? Any help would be much appreciated.
> >
> > Thanks in advance,
> >
> > Graham
>
> Mysterious. Unless this is some other networking issue, three thoughts:
>
> 1) given that YYY is your public IP address, are the problematic SMTP sessions actually going through NAT at all, or are they initiated from YYY directly? If the latter, it's hard to see why removing the NAT rule should affect these sessions at all?
>
> 2) does it make any difference if you split the NAT rules into separate rules, as per the ipfw(8) 'NAT, REDIRECT AND LSNAT' section in EXAMPLES?
>
> 3) given the tokens used in your ruleset, it appears that you are using a preprocessor to substitute values rather than shell variables? If so (or even if not) can you confirm that the resulting in-place rulesets shown by 'ipfw list' are absolutely identical on both machines?
>
> Just some long shots ..
>
> cheers, Ian

Thanks for replying, Ian. Well, I solved it.

Similarly to my previous problem, the solution was to disable the TXCSUM option on the interface. So, now the entry in /etc/rc.conf says:

ifconfig_igb1="DHCP -vlanhwtso -tso4 -txcsum"

And it all works.

Thanks again,

Graham
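The fix above turns off three hardware-offload options on the NAT interface. The following script is an added example (not from the thread or from FreeBSD) that parses the `options=` line of FreeBSD ifconfig(8) output for those same flags (TXCSUM, TSO4, VLAN_HWTSO) and emits the matching rc.conf assignment, so a box carrying ipfw NAT can be checked for them before a change. The ifconfig output is a constructed sample, not the poster's machine; the interface name igb1 and the DHCP setting are taken from the thread.

```shell
#!/bin/sh
# Added example: check a FreeBSD interface for the offload options the thread
# disables for ipfw NAT, and print the rc.conf line that turns them off.

# Constructed sample of `ifconfig igb1` output (not real output from any host).
SAMPLE_IFCONFIG='igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:00:00:00:00:01
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# offload_flags_enabled <ifconfig-output>
# Extracts the comma-separated list inside options=...<...> and prints, one per
# line and in the order ifconfig lists them, the flags the thread disables.
offload_flags_enabled() {
    printf '%s\n' "$1" \
        | sed -n 's/.*options=[0-9a-fA-F]*<\(.*\)>.*/\1/p' \
        | tr ',' '\n' \
        | grep -E '^(TXCSUM|TSO4|VLAN_HWTSO)$' || true
}

# rc_conf_line <ifname> <enabled-flags>
# Maps each enabled flag to its ifconfig(8) negation and builds the
# ifconfig_<ifname> assignment for /etc/rc.conf, keeping DHCP as in the thread.
rc_conf_line() {
    ifname=$1
    negs=""
    for f in $2; do
        case $f in
            TXCSUM)     negs="$negs -txcsum" ;;
            TSO4)       negs="$negs -tso4" ;;
            VLAN_HWTSO) negs="$negs -vlanhwtso" ;;
        esac
    done
    printf 'ifconfig_%s="DHCP%s"\n' "$ifname" "$negs"
}

# Stand-alone run against the constructed sample; on a real host replace
# SAMPLE_IFCONFIG with "$(ifconfig igb1)".
enabled=$(offload_flags_enabled "$SAMPLE_IFCONFIG")
if [ -n "$enabled" ]; then
    echo "offload options still enabled on igb1:"
    echo "$enabled"
    rc_conf_line igb1 "$enabled"
else
    echo "no TXCSUM/TSO4/VLAN_HWTSO on igb1"
fi
```

On a live system the printed line is only a suggestion for /etc/rc.conf; the running interface still needs the equivalent `ifconfig igb1 -txcsum -tso4 -vlanhwtso` (or a restart of netif) before the change takes effect.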