Date:      Sat, 13 Apr 2013 15:34:39 +0200
From:      Spil Oss <spil.oss@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Problems with ipfw/natd and axe(4)
Message-ID:  <CAEJyAvOZ6fW0i3yT_D4fH1huje-qsJwA7GGeXqAO1PKzge-YNw@mail.gmail.com>

Hi All,

I can't use ipfw with natd with my ASIX AX88772B USB NIC.

ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset)
00010 allow ip from any to me dst-port 22 recv ue0
00010 allow tcp from me 22 to any xmit ue0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 deny ip from 10.16.2.1 to any in via ue0
01200 deny ip from 172.17.2.111 to any in via re0
01300 deny ip from any to 10.0.0.0/8 via ue0
01500 deny ip from any to 192.168.0.0/16 via ue0
01600 deny ip from any to 0.0.0.0/8 via ue0
01700 deny ip from any to 169.254.0.0/16 via ue0
01800 deny ip from any to 192.0.2.0/24 via ue0
01900 deny ip from any to 224.0.0.0/4 via ue0
02000 deny ip from any to 240.0.0.0/4 via ue0
02100 divert 8668 ip4 from any to any via ue0
02200 deny ip from 10.0.0.0/8 to any via ue0
02400 deny ip from 192.168.0.0/16 to any via ue0
02500 deny ip from 0.0.0.0/8 to any via ue0
02600 deny ip from 169.254.0.0/16 to any via ue0
02700 deny ip from 192.0.2.0/24 to any via ue0
02800 deny ip from 224.0.0.0/4 to any via ue0
02900 deny ip from 240.0.0.0/4 to any via ue0
03000 allow tcp from any to any established
03100 allow ip from any to any frag
03200 allow tcp from any to me dst-port 22 setup
03300 allow tcp from any to me dst-port 25 setup
03400 allow tcp from any to me dst-port 465 setup
03500 allow tcp from any to me dst-port 587 setup
03600 allow tcp from any to me dst-port 80 setup
03700 allow tcp from any to me dst-port 443 setup
03800 deny log logamount 5 ip4 from any to any in via ue0 setup proto tcp
03900 allow tcp from any to any setup
04000 allow udp from me to any dst-port 53 keep-state
04100 allow udp from me to any dst-port 123 keep-state
04200 allow ip from any to any dst-port 22 recv ue0
65535 deny ip from any to any

If I remove rule 10 it will NOT work with ue0; the same ruleset without
rule 10 DOES work with re0 on the same machine (re0 as external and ue0 as
internal NIC).

If I connect from the gateway on 172.17.2.1 to the ssh server on this
machine, I can see the ACK and SYN+ACK, but there's no ACK from the client
to the server to establish the tcp session. The only difference I could find
was that the checksum was incorrect.

I found an older PR, kern/170081, about fxp having trouble with nat when
rxcsum/txcsum was enabled; that is why I started fiddling with
rxcsum/txcsum, and I found that the NIC is unusable/dead without rxcsum/txcsum
enabled, so this was not an option.

# ifconfig ue0
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE>
        ether 00:60:6e:42:5b:53
        inet6 fe80::260:6eff:fe42:5b53%ue0 prefixlen 64 scopeid 0x7
        inet 172.17.2.111 netmask 0xffffff00 broadcast 172.17.2.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

Any suggestions or pointers?

Kind regards,

Spil.
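A way to check the "checksum incorrect" observation above more rigorously, as an added example (not part of the original message and not FreeBSD or ipfw code): recompute the IPv4 header checksum and the TCP checksum (with its pseudo-header) of a captured segment and compare them with the values on the wire. The packet below is constructed, not captured: it is a SYN+ACK from the ssh server on 172.17.2.111 (port 22) to the gateway 172.17.2.1; the client port 54321, sequence numbers and IP id are made up. One caveat this makes visible: on the sending host, tcpdump sees the packet before TXCSUM fills the checksum in, so a zero or stale checksum seen on the sender proves nothing; the same packet captured on the receiving side (or on the wire) must verify for the session to be established.

```python
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 ones' complement sum of 16-bit big-endian words (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Checksum as it appears in IPv4/TCP headers: complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over pseudo-header + segment, with the checksum field treated as zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]  # checksum sits at TCP offset 16
    return internet_checksum(pseudo + zeroed)


def parse_ipv4(packet: bytes) -> dict:
    """Split a raw IPv4 packet into the fields needed for checksum verification."""
    ver_ihl, _tos, total_len, _ident, _ff, _ttl, proto, hdr_csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20]
    )
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "proto": proto, "hdr_csum": hdr_csum,
            "src": src, "dst": dst, "payload": packet[ihl:total_len]}


def verify_tcp_packet(packet: bytes) -> dict:
    """Report stored vs. recomputed checksums for an IPv4/TCP packet."""
    ip = parse_ipv4(packet)
    if ip["proto"] != TCP_PROTO:
        raise ValueError("not a TCP packet")
    # A header whose checksum field is correct sums to all-ones, so the complement is 0.
    ip_ok = internet_checksum(packet[:ip["ihl"]]) == 0
    seg = ip["payload"]
    stored = struct.unpack("!H", seg[16:18])[0]
    computed = tcp_checksum(ip["src"], ip["dst"], seg)
    return {"ip_header_ok": ip_ok, "tcp_stored": stored,
            "tcp_computed": computed, "tcp_ok": stored == computed}


def build_syn_ack(src_ip: str, dst_ip: str, sport: int, dport: int,
                  seq: int, ack: int, fill_tcp_checksum: bool = True) -> bytes:
    """Construct an IPv4 SYN+ACK with no options. fill_tcp_checksum=False mimics a
    segment captured on the sender before the NIC's TXCSUM offload filled the field."""
    src, dst = IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x12, 65535, 0, 0)
    if fill_tcp_checksum:
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, TCP_PROTO, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    # Constructed sample: server 172.17.2.111:22 answering the gateway 172.17.2.1 (client port made up).
    good = build_syn_ack("172.17.2.111", "172.17.2.1", 22, 54321, 1000, 2001)
    print("as on the wire:      ", verify_tcp_packet(good))
    offload_pending = build_syn_ack("172.17.2.111", "172.17.2.1", 22, 54321, 1000, 2001,
                                    fill_tcp_checksum=False)
    print("sender-side capture: ", verify_tcp_packet(offload_pending))
```

Run it over a real capture by feeding `verify_tcp_packet` the raw bytes of one IPv4 packet (for example a frame read with scapy or dpkt with the 14-byte Ethernet header stripped). If the receiver-side capture shows `tcp_ok: False` with a non-zero stored value, the checksum really is wrong on the wire, which is what the missing final ACK would suggest; a `tcp_stored: 0` on the sender side is just the offload artifact.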
