From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 16 11:12:27 2003
From: Helge Oldach
To: cjclark@alum.mit.edu
cc: freebsd-isp@freebsd.org
cc: freebsd-ipfw@freebsd.org
cc: vgoupil@alis.com
cc: freebsd-net@freebsd.org
Date: Sun, 16 Nov 2003 20:11:36 +0100 (MET)
Message-Id: <200311161911.UAA25957@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <20031115182409.GA2001@blossom.cjclark.org> from "Crist J. Clark" at "Nov 15, 2003 7:24: 9 pm"
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)
List-Id: IPFW Technical Discussions

Crist J. Clark:
> On Sat, Nov 15, 2003 at 07:54:40AM +0100, Oldach, Helge wrote:
> > From: Crist J. Clark [mailto:cristjc@comcast.net]
> > > Two different ESP end points behind many-to-one NAT connected to
> > > a single ESP end point on the other side of the NAT? I'd be very
> > > curious to get the documentation on how they are cheating to get
> > > that to work.
> > You have posted a reference already. W2k SP4 supports UDP
> > encapsulation of IPSec. And yes, it works fine, and reliably.
> > Further, all of Cisco's and Checkpoint's VPN gear support
> > IPSec-over-UDP as well. This alone is >70% market share.
> Oh, yeah, I know of UDP or TCP encapsulation tricks that work. I have
> dealt with several of these implementations too. I thought that you
> were implying that there were working NAT implementations that could
> deal with ESP in these circumstances.

Apologies... I am actually jumping between loosely related topics
somewhat.

In fact both Cisco and Checkpoint also support many-to-one NAT for ESP
and AH protocols. One can indeed have multiple internal VPN devices
hidden behind a single public address, and talking to the same outside
VPN gateway - without requiring that the VPN devices themselves do
tricks to work around NAT (such as UDP encapsulation). As we add Cisco
routers (requiring a pretty recent IOS) here, the market share is
potentially even higher.

To add, there are all sorts of other drafts that amend IPSec
functionality (such as XAUTH and Mode Config, which are also pretty
widely deployed in VPN remote access scenarios) that are missing.

FreeBSD lacks features deployed in the market, when acting as a VPN
endpoint, as well as when acting as a NAT device in the VPN packet flow.
Either is a pity, unfortunately.

I am not complaining; I am just stating that we're behind. But FreeS/WAN
is in no better shape.

Helge

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 16 11:37:22 2003
From: Kurt Jaeger
To: freebsd-ipfw@freebsd.org, freebsd-isp@freebsd.org, freebsd-net@freebsd.org
Date: Sun, 16 Nov 2003 20:37:20 +0100
Message-ID: <20031116193720.GA61630@complx.LF.net>
References: <20031115182409.GA2001@blossom.cjclark.org> <200311161911.UAA25957@galaxy.hbg.de.ao-srv.com>
In-Reply-To: <200311161911.UAA25957@galaxy.hbg.de.ao-srv.com>
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)

Hi!

> FreeBSD lacks features deployed in the market, when acting as a VPN
> endpoint, as well as when acting as a NAT device in the VPN packet flow.
> Either is a pity, unfortunately.
>
> I am not complaining; I am just stating that we're behind. But FreeS/WAN
> is in no better shape.

Who would be willing/capable to add this to the code, if someone else
(maybe LF.net?) would pay for the expense?

--
MfG/Best regards, Kurt Jaeger                     17 years to go !
LF.net GmbH              fon +49 711 90074-23     pi@LF.net
Ruppmannstr. 27          fax +49 711 90074-33
D-70565 Stuttgart        mob +49 171 3101372

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 16 13:39:32 2003
From: Wiktor Niesiobedzki
To: freebsd-ipfw@freebsd.org
Date: Sun, 16 Nov 2003 22:39:26 +0100
Message-ID: <20031116213926.GE718@mail.evip.pl>
References: <20031113104717.GK231@mail.evip.pl>
In-Reply-To: <20031113104717.GK231@mail.evip.pl>
Subject: Re: Uid keyword matches only on loopback interface

On Thu, Nov 13, 2003 at 11:47:17AM +0100, Wiktor Niesiobedzki wrote:
> Hi,
>
> After setting up my firewall I saw that only a few packets match the uid keyword.
> From my trivial test it came out that only loopback traffic can be matched. Is
> there some bug lying in here?
>
> The simple rule:
> 00395 0 0 count log tcp from any to any uid root
>
> will match only:
> Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:80 127.0.0.1:50780 out via lo0
> Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 in via lo0
> Nov 13 11:41:25 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 out via lo0
>
> That kind of traffic. Any traffic going by another interface is not counted.

I may make my problem more precise. As far as I checked, in
check_uidgid() (line 1318 of ip_fw2.c) in_pcblookup_hash() returns NULL
for almost every packet during a connection. I ran quite a long time
with a count rule, which showed that a few thousand packets matched the
rule (during the weekend, constant transfer of about 10KB/s from the
watched user). Packets had matched the rule adventitiously.

Does anybody have any clues how I may debug the problem further?

Cheers,

Wiktor Niesiobedzki

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 16 13:51:10 2003
From: "Simon L. Nielsen"
To: Wiktor Niesiobedzki
cc: freebsd-ipfw@freebsd.org
Date: Sun, 16 Nov 2003 22:51:09 +0100
Message-ID: <20031116215107.GE402@arthur.nitro.dk>
References: <20031113104717.GK231@mail.evip.pl> <20031116213926.GE718@mail.evip.pl>
In-Reply-To: <20031116213926.GE718@mail.evip.pl>
Subject: Re: Uid keyword matches only on loopback interface

On 2003.11.16 22:39:26 +0100, Wiktor Niesiobedzki wrote:
> On Thu, Nov 13, 2003 at 11:47:17AM +0100, Wiktor Niesiobedzki wrote:
> > Hi,
> >
> > After setting up my firewall I saw that only a few packets match the uid keyword.
>
> Does anybody have any clues how I may debug the problem further?

Perhaps the same problem as kern/59314 ?

--
Simon L. Nielsen
FreeBSD Documentation Team

From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 16 14:35:49 2003
From: Wiktor Niesiobedzki
To: "Simon L. Nielsen"
cc: freebsd-ipfw@freebsd.org
Date: Sun, 16 Nov 2003 23:35:47 +0100
Message-ID: <20031116223547.GH718@mail.evip.pl>
References: <20031113104717.GK231@mail.evip.pl> <20031116213926.GE718@mail.evip.pl> <20031116215107.GE402@arthur.nitro.dk>
In-Reply-To: <20031116215107.GE402@arthur.nitro.dk>
Subject: Re: Uid keyword matches only on loopback interface

On Sun, Nov 16, 2003 at 10:51:09PM +0100, Simon L. Nielsen wrote:
> On 2003.11.16 22:39:26 +0100, Wiktor Niesiobedzki wrote:
> > On Thu, Nov 13, 2003 at 11:47:17AM +0100, Wiktor Niesiobedzki wrote:
> > > Hi,
> > >
> > > After setting up my firewall I saw that only a few packets match the uid keyword.
> >
> > Does anybody have any clues how I may debug the problem further?
>
> Perhaps the same problem as kern/59314 ?

Exactly, thank you.

Wiktor Niesiobędzki

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 17 09:59:49 2003
From: "Vahric MUHTARYAN"
Date: Mon, 17 Nov 2003 19:58:56 +0200
Message-ID: <030101c3ad34$79ad48d0$110d3ad4@VAHOXP>
Subject: Which Firewall --> ipfw or iptable or ipsec

Hi Everybody,

I'm a Linux admin. Now I'm working to move my server to FreeBSD. I'm
using iptables on the Linux box. On FreeBSD, which firewall do you
advise?!

I can't find any documents or how-tos about ipfw. Do you have any?!

Thanks
Vahric MUHTARYAN

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 17 11:03:16 2003
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 17 Nov 2003 11:03:14 -0800 (PST)
Message-Id: <200311171903.hAHJ3E9c006890@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/03/23] kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw   [patch] time based firewalling support fo

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 17 14:46:23 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 37F1A16A4CE for ; Mon, 17 Nov 2003 14:46:23 -0800 (PST) Received: from mx01.bos.ma.towardex.com (a65-124-16-8.svc.towardex.com [65.124.16.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 68E1E43FDD for ; Mon, 17 Nov 2003 14:46:22 -0800 (PST) (envelope-from haesu@mx01.bos.ma.towardex.com) Received: by mx01.bos.ma.towardex.com (TowardEX ESMTP 3.0p11_DAKN, from userid 1001) id 4588A2F959; Mon, 17 Nov 2003 17:46:23 -0500 (EST) Date: Mon, 17 Nov 2003 17:46:23 -0500 From: Haesu To: Vahric MUHTARYAN , freebsd-ipfw@freebsd.org Message-ID: <20031117224623.GA78965@scylla.towardex.com> References: <030101c3ad34$79ad48d0$110d3ad4@VAHOXP> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <030101c3ad34$79ad48d0$110d3ad4@VAHOXP> User-Agent: Mutt/1.4.1i Subject: Re: Which Firewall --> ipfw or iptable or ipsec X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Nov 2003 22:46:23 -0000 IPFW. -hc -- Haesu C. TowardEX Technologies, Inc. Consulting, colocation, web hosting, network design and implementation http://www.towardex.com | haesu@towardex.com Cell: (978)394-2867 | Office: (978)263-3399 Ext. 170 Fax: (978)263-0033 | POC: HAESU-ARIN On Mon, Nov 17, 2003 at 07:58:56PM +0200, Vahric MUHTARYAN wrote: > Hi Everybody , > > I'm linux admin . Now I'm working to pass my server to FreeBSD > .. I'm using iptable on Linux box . on FreeBSD which firewall do you > advise ?! > > > I can't find any documents or How-to about ip-fw .. Do you have ?! 
> > Thanks > Vahric MUHTARYAN > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 18 05:29:39 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 55C8D16A4CE for ; Tue, 18 Nov 2003 05:29:39 -0800 (PST) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 464FC43FB1 for ; Tue, 18 Nov 2003 05:29:38 -0800 (PST) (envelope-from max@love2party.net) Received: from [212.227.126.161] (helo=mrelayng.kundenserver.de) by moutng4.kundenserver.de with esmtp (Exim 3.35 #1) id 1AM5vB-00084j-00; Tue, 18 Nov 2003 14:29:33 +0100 Received: from [217.83.7.177] (helo=max2400) by mrelayng.kundenserver.de with asmtp (Exim 3.35 #1) id 1AM5vA-0005LP-00; Tue, 18 Nov 2003 14:29:32 +0100 Date: Tue, 18 Nov 2003 14:29:29 +0100 From: Max Laier X-Mailer: The Bat! (v2.00) UNREG / CD5BF9353B3B7091 Organization: n/a X-Priority: 3 (Normal) Message-ID: <671461625.20031118142929@love2party.net> To: "Vahric MUHTARYAN" In-Reply-To: <030101c3ad34$79ad48d0$110d3ad4@VAHOXP> References: <030101c3ad34$79ad48d0$110d3ad4@VAHOXP> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 8bit cc: freebsd-ipfw@freebsd.org Subject: Re: Which Firewall --> ipfw or iptable or ipsec X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Max Laier List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2003 13:29:39 -0000 Monday, November 17, 2003, 6:58:56 PM, Vahric wrote: VM> I'm linux admin . Now I'm working to pass my server to FreeBSD VM> .. 
I'm using iptable on Linux box . on FreeBSD which firewall do you VM> advise ?! VM> I can't find any documents or How-to about ip-fw .. Do you have ?! Didn't want to answer in the first place, but after that other reply here come your options: 1) IPFW (don't like it personally) 2) IPFILTER (a bit dated but with quite a few FAQs around) 3) PF: security/pf (from ports. The OpenBSD FAQ is a good starting point to learn about it's capabilities: http://www.openbsd.org/faq/pf/index.html) For case 2) & 3) you'll need "option PFIL_HOOKS" in your kernel, which is - sadly enough - not (yet) in GENERIC. Case 1) can be activated by setting some values in rc.conf(5) with a GENERIC install. My suggestion is to read through sample configuration (somewhere in usr/share) and choose the program that you understand - which has a look & feel like iptables (which I didn't use for quite some time). If you don't want to install security/pf - it's like a new version of ipfilter in regards to the syntax, but has many additional features. -- Best regards, Max mailto:max@love2party.net From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 18 14:40:32 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1F48B16A4CE; Tue, 18 Nov 2003 14:40:32 -0800 (PST) Received: from rwcrmhc13.comcast.net (rwcrmhc13.comcast.net [204.127.198.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B04243FEA; Tue, 18 Nov 2003 14:40:28 -0800 (PST) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (12-234-156-182.client.attbi.com[12.234.156.182]) by comcast.net (rwcrmhc13) with ESMTP id <2003111822402701500ovt06e>; Tue, 18 Nov 2003 22:40:27 +0000 Received: from blossom.cjclark.org (localhost. 
[127.0.0.1]) by blossom.cjclark.org (8.12.9p2/8.12.8) with ESMTP id hAIMeksb010901; Tue, 18 Nov 2003 14:40:46 -0800 (PST) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.9p2/8.12.9/Submit) id hAIMeiC5010900; Tue, 18 Nov 2003 14:40:44 -0800 (PST) (envelope-from cristjc@comcast.net) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Tue, 18 Nov 2003 14:40:44 -0800 From: "Crist J. Clark" To: Helge Oldach Message-ID: <20031118224044.GA10828@blossom.cjclark.org> References: <20031115182409.GA2001@blossom.cjclark.org> <200311161911.UAA25957@galaxy.hbg.de.ao-srv.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200311161911.UAA25957@galaxy.hbg.de.ao-srv.com> User-Agent: Mutt/1.4.1i X-URL: http://people.freebsd.org/~cjc/ cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: cjclark@alum.mit.edu List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2003 22:40:32 -0000 On Sun, Nov 16, 2003 at 08:11:36PM +0100, Helge Oldach wrote: > Crist J. Clark: > >On Sat, Nov 15, 2003 at 07:54:40AM +0100, Oldach, Helge wrote: > >> From: Crist J. Clark [mailto:cristjc@comcast.net] > >> > Two different ESP end points behind many-to-one NAT connected to > >> > a single ESP end point on the other side of the NAT? I'd be very > >> > curious to get the documentation on how they are cheating to get > >> > that to work. > >> You have posted a reference already. W2k SP4 supports UDP > >> encapsulation of IPSec. And yes, it works fine, and reliably. > >> Further, all of Cisco's and Checkpoints VPN gear support > >> IPSec-over-UDP as well. 
This alone is >70% market share. > >Oh, yeah, I know of UDP or TCP encapsulation tricks that work. I have > >dealt with several of these implementations too. I thought that you > >were implying that there were working NAT implementations that could > >deal with ESP in these circumstances. > > Apologies... I am actually jumping between loosely related topics > somewhat. > > In fact both Cisco and Checkpoint also support many-to-one NAT for ESP > and AH protocols. One can indeed have multiple internal VPN devices > hidden behind a single public address, and talking to the same outside > VPN gateway - without requiring that the VPN devices themselves to > tricks to work around NAT (such as UDP encapsulation). You can't use AH with NAT. (period) The whole point of AH is to detect someone tampering with the packet. NAT tampers with the packet. If you can do NAT, AH is broken. As for ESP, Cisco uses a trick. Their implementation, 'spi-matching,' ...is available only for endpoints that choose SPIs according to the predictive algorithm implemented in Cisco IOS Release 12.2(15)T. I am not aware of this algorithm being published anywhere. If it is freely distributed, we could add that support if there was a call for it. As for Checkpoint, I couldn't find any documentation of this ability and from my experience using NG FP2, this doesn't work. It did not NAT ESP at all, not even for one client behind NAT. If this is a new feature in AI or if there is a hidden knob to activate it, I would appreciate a pointer. > To add, there are all sorts of other drafts that amend IPSec > functionality (such as XAUTH and Mode Config which are also pretty > widely deployed in VPN remote access scenarios) that are missing. That's IKE which is really a whole separate beast. The open source IKE daemons are definately not chock full of bleeding edge or vendor-specific features. And the racoon documentation... 
But all of these IKE extensions are only useful if the vendors using them publish what they are actually doing with them. Reverse engineering this stuff can be really painful since you can't see the data on the wire. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 18 17:05:19 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4432116A4CE for ; Tue, 18 Nov 2003 17:05:19 -0800 (PST) Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id E380043F75 for ; Tue, 18 Nov 2003 17:05:17 -0800 (PST) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (12-234-156-182.client.attbi.com[12.234.156.182]) by comcast.net (rwcrmhc11) with ESMTP id <2003111901051701300es428e>; Wed, 19 Nov 2003 01:05:17 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.9p2/8.12.8) with ESMTP id hAJ15asb011376; Tue, 18 Nov 2003 17:05:36 -0800 (PST) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.9p2/8.12.9/Submit) id hAJ15ZXQ011375; Tue, 18 Nov 2003 17:05:35 -0800 (PST) (envelope-from cristjc@comcast.net) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Tue, 18 Nov 2003 17:05:35 -0800 From: "Crist J. 
Clark" To: Max Laier Message-ID: <20031119010535.GC10828@blossom.cjclark.org> References: <030101c3ad34$79ad48d0$110d3ad4@VAHOXP> <671461625.20031118142929@love2party.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <671461625.20031118142929@love2party.net> User-Agent: Mutt/1.4.1i X-URL: http://people.freebsd.org/~cjc/ cc: freebsd-ipfw@freebsd.org cc: Vahric MUHTARYAN Subject: Re: Which Firewall --> ipfw or iptable or ipsec X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Crist J. Clark" List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Nov 2003 01:05:19 -0000 On Tue, Nov 18, 2003 at 02:29:29PM +0100, Max Laier wrote: [snip] > 2) IPFILTER (a bit dated but with quite a few FAQs around) > 3) PF: security/pf (from ports. The OpenBSD FAQ is a good starting > point to learn about it's capabilities: > http://www.openbsd.org/faq/pf/index.html) > > For case 2) & 3) you'll need "option PFIL_HOOKS" in your kernel, which > is - sadly enough - not (yet) in GENERIC. You do not need PFIL_HOOKS for the 4_RELENG branch (FreeBSD 4.x). Starting with 5.2 you will not need it in the 5.x branch either. -- Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 18 18:06:37 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D9D6816A4CF for ; Tue, 18 Nov 2003 18:06:37 -0800 (PST) Received: from degaspe.orco.ca (h66-38-219-41.gtconnect.net [66.38.219.41]) by mx1.FreeBSD.org (Postfix) with ESMTP id B50BA43F93 for ; Tue, 18 Nov 2003 18:06:36 -0800 (PST) (envelope-from math@degaspe.orco.ca) Received: from localhost (math@localhost) by degaspe.orco.ca (8.11.1/8.11.1) with ESMTP id hAJ26XR05856 for ; Tue, 18 Nov 2003 21:06:34 -0500 (EST) (envelope-from math@degaspe.orco.ca) Date: Tue, 18 Nov 2003 21:06:33 -0500 (EST) From: Mathieu Vaillancourt To: freebsd-ipfw@FreeBSD.ORG Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: problem with fwd rule X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Nov 2003 02:06:38 -0000 i tried to setup a source routing firewall to split traffic between two ISP connection, based on to comment i have found at: http://docs.freebsd.org/mail/archive/2002/freebsd-ipfw/20020901.freebsd-ipfw.html more specificly, using 'fwd' on incoming packets from the internal networks, with a rule like: fwd ISP2_GATEWAY ip from INTERNAL_IP_X to any in via INTERNAL_IF and after that hoping to catch the packet again on the external interface to divert it to natd. what happens is that the packet goes through the fwd rule, and never come back to the firewall, so ISP2_GATEWAY receive a packet with an internal(private) return address. in the above discussion the author seemed to say that the fowarding of incoming packet was just included recently (in 2002). 
is anyone knows if i have to setup a sysctl for that or some compile options? i use releng 4.8 compiled with ipfw2 should i upgrade something or change to ipfw1? any ideas would be apreciated math From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 19 02:50:45 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB51E16A4CF for ; Wed, 19 Nov 2003 02:50:45 -0800 (PST) Received: from mobil-4.internett.de (mobil-4.internett.de [195.30.143.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id AF56243FDD for ; Wed, 19 Nov 2003 02:50:44 -0800 (PST) (envelope-from michael@mobil-4.internett.de) Received: from mobil-4.internett.de (localhost.internett.de [127.0.0.1]) hAJAncZZ014607; Wed, 19 Nov 2003 11:49:38 +0100 (CET) (envelope-from michael@mobil-4.internett.de) Received: (from michael@localhost) by mobil-4.internett.de (8.12.9p2/8.12.9/Submit) id hAJAnaDM014606; Wed, 19 Nov 2003 11:49:36 +0100 (CET) (envelope-from michael) Date: Wed, 19 Nov 2003 11:49:36 +0100 From: michael To: Vahric MUHTARYAN , freebsd-ipfw@freebsd.org Message-ID: <20031119104936.GB14007@mobil-4.internett.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i Subject: Re: Which Firewall --> ipfw or iptable or ipsec X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Nov 2003 10:50:46 -0000 Hello, i don't know about the other Answers, but here ist mine. I use ipfw fully and only, it's a little bit newer the ipfilter and very good and easy to understand. Ok, if you have using iptables before, then you get a little bit confused, may if you have understand the knowledge-bases, then you will find it easy. 
If you have problems with ipfw you can contact me; then I would help you to create a simple and good firewall start script.

I have 3 or 4 firewall scripts for several circumstances:

a) DSL subscriber with userland ppp and opening ports to connect from outside
b) very simple but fully functional 1-rule firewall for clients
c) firewall for an internet bastion and NAT on the external interface, including IP accounting based on ipa
d) firewall with traffic shaping/queueing and weight-based QoS

Contact me if you are interested.

Best regards
Michael

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 19 07:01:47 2003
From: Robert Johannes
To: freebsd-ipfw@freebsd.org
Date: Wed, 19 Nov 2003 09:01:47 -0600 (CST)
In-Reply-To: <20031119104936.GB14007@mobil-4.internett.de>
Subject: Re: ipfw script

Hello Michael,

I would like to set up an ipfw box. The kernel is configured, and right now I have some simple rules active. Specifically, I have a private LAN on 192.168.0.0; the firewall/gateway is 192.168.0.253. I would like to be able to let in ports 80, 25 and 22 from the outside. Port 80 I need to NAT so it gets forwarded to an internal box. All outgoing traffic I want to let through.

Could someone send me a script that would accomplish this, straightforwardly and simply, without leaving any conspicuous gaping holes?

Thanks,
Robert

On Wed, 19 Nov 2003, michael wrote:

> Hello,
>
> I don't know about the other answers, but here is mine.
>
> I use ipfw fully and only; it's a little bit newer than ipfilter and
> very good and easy to understand.
>
> OK, if you have used iptables before, then you get a little
> bit confused; maybe if you have understood the knowledge bases,
> then you will find it easy.
>
> If you have problems with ipfw you can contact me;
> then I would help you to create a simple and good
> firewall start script.
>
> I have 3 or 4 firewall scripts for several circumstances:
>
> a) DSL subscriber with userland ppp and opening
>    ports to connect from outside
> b) very simple but fully functional 1-rule firewall
>    for clients
> c) firewall for an internet bastion and NAT on the external interface,
>    including IP accounting based on ipa
> d) firewall with traffic shaping/queueing and weight-based QoS
>
> Contact me if you are interested.
>
> Best regards
>
> Michael

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 19 07:58:04 2003
From: Russell Sutherland
To: freebsd-ipfw@freebsd.org
Date: Wed, 19 Nov 2003 10:58:02 -0500
Message-ID: <20031119155802.GH21513@madhaus.cns.utoronto.ca>
Organization: University of Toronto
Subject: ipfw fwd question

I am currently using the ipfw fwd rule action to perform source-based policy routing. Specifically, I'm fwd'ing traffic that has come in on intf1 and is going out intf2. (The reason the traffic is normally heading out this interface is that it's the interface for the default route.) As the packet is going out, I forward it, which causes it to be sent to another machine on the same LAN as is attached to intf1.

So the packet:

- comes in on intf1
- traverses the routing table
- matches the default route (whose next hop is out intf2)
- goes out on intf2
- gets fwd'ed to IP1 (whose next hop is back out intf1)

This all works fine... except the fwd rule seems to only count the first forwarded packet. I'm testing the routing/fwding using ping from a remote machine. tcpdump indicates that each packet is being sent from the test machine to intf1 (rather than getting a redirect from my router/firewall).

Any ideas as to why the count is not being incremented correctly?

--
Russell P. Sutherland           Email: russ @ madhaus.cns.utoronto.ca
4 Bancroft Ave., Rm. 102        Voice: +1.416.978.0470
University of Toronto           Fax:   +1.416.978.6620
Toronto, ON M5S 1C1             WWW:   http://madhaus.cns.utoronto.ca/~russ
CANADA

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 19 17:40:15 2003
From: michael
To: Robert Johannes, freebsd-ipfw@freebsd.org
Date: Thu, 20 Nov 2003 02:37:19 +0100
Message-ID: <20031120013630.GA93021@brenner.msresearch.org>
Subject: Re: ipfw script
> Hello Michael,
> I would like to set up an ipfw box. The kernel is configured, and right
> now I've some simple rules active. Specifically, I have
> a private LAN on 192.168.0.0; the firewall/gateway is 192.168.0.253.
> I would like to be able to let in ports 80, 25 and 22 from the outside.
> Port 80 I need to NAT so it gets forwarded to an internal box. All

Hi,

I have seen your posting. You would like to contact me directly? You should send the e-mail to me!

Well, yes, I can get you this script! Maybe this costs time.... I am a little busy.... maybe no problem.

First, can you send your posting to me again? I couldn't fully read your message (see above).

All that you need is a kernel with ipfw and divert. Then you can use the fwd option from ipfw; this rewrites the packets, e.g. DNAT. I think you wish...

    ipfw add 1000 pass tcp from any to me 25 in recv $EXT_IF keep-state
    ipfw add 2000 fwd $INT_HTTP_SRV,$INT_HTTP_PORT tcp from any to me 80 in recv $EXT_IF keep-state

....and so on....

I hope this helps you for the first time.

Other ipfw list readers have also wished for support on ipfw/nat/dnat, so I would create an ipfw knowledge base to make the work a little bit better. I hope you and the others can spend a little bit of time waiting for the support from me, so I can create a web page. On this page I would place sample scripts with more speaking comments and explain the rules in detail.

If you could wait the time (I think until this weekend), you should read the fine manuals (rtfm) from BSD and stay tuned :-). Else you should contact me directly and give me a view of your problem, so I can write a complete, easy to understand firewall script with tuning of many sysctl parameters. The next step is then to create rules with QoS and pipes with bandwidth limitation for DMZ and intranet.

Let me know your problem and I help.... (I like the Beatles... Help... :-))))

So on, now I must sleep a little bit; in 5 hours it is time to go working.

Bye....

regards
michael

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 20 01:19:57 2003
From: michael
To: Russell Sutherland, freebsd-ipfw@freebsd.org
Date: Thu, 20 Nov 2003 10:18:59 +0100
Message-ID: <20031120091859.GC63284@mobil-4.internett.de>
Subject: ipfw fwd question

Hello Russell,

I hope you and the other questioners can wait a little bit. I would create a web page with answers to all the questions that I can understand and solve. I create a page with sample scripts for many problems, also the problems of understanding the DNAT (fwd) from ipfw; these pages then also include piping with ipfw for bandwidth limitation and QoS-like queueing with traffic weights.
I would be very happy if one or two persons can collect the questions for me, so I can concentrate on writing the answers and the sample scripts.

At this time I can not forward any script of mine, since these scripts contain confidential data and have no comments! So I first must rewrite and comment these scripts to explain how ipfw works. On the other hand I must think a little about what is recommended, useful and required, e.g. to use the fwd option from ipfw you must compile your own kernel...... I think you understand what I mean.

I post this message also on the ipfw mailing list so that others can see my work and can contact me.

So on, I am a little bit busy.... and must work :-)

If I am not receiving messages from interested people, I would post a message on this mailing list and on the stable list, so that you only must take a look at this list... if you or the others are too busy.

Oops, I have forgotten to say: first I must remake my own firewall, which crashed this night at 3:50.... Only to see what FreeBSD makes possible, this crashed firewall was:

    PI 200MHz-MMX
    128MB RAM
    2G root disk
    512MB swap disk ;-)) not really used but better is it

Running:

    sendmail
    bind (named)
    squid
    thttp
    ppp subscriber
    ISDN answerbox
    ISDN routing (DSL backup)

I know no other OS that makes this possible (except *BSD). With Linux I had much trouble installing the OS; the processor was too outdated.....;-)))

Also...... FreeBSD makes you happy!

best regards
Michael

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 20 06:05:12 2003
From: Alexander Motin
To: freebsd-ipfw@freebsd.org
Date: Thu, 20 Nov 2003 16:05:06 +0200
Message-ID: <3FBCCA12.1000906@alkar.net>
Subject: dummynet & IP fragmentation bug

Hello.

I have one strange problem with dummynet & IP fragmentation.

I have a FreeBSD 4.8-RELEASE router with a few interfaces:

    em0: flags=8843 mtu 1500
            options=3
            inet 195.248.191.172 netmask 0xffffffc0 broadcast 195.248.191.191
            ether 00:30:48:20:8e:7e
            media: Ethernet autoselect (1000baseTX )
            status: active
    ng4: flags=88d1 mtu 1492
            inet 195.248.191.172 --> 212.86.231.58 netmask 0xffffffff

Interface ng4 has MTU 1492 because it is a PPPoE link. When I do not use dummynet on the router and somebody sends a big (>1492 bytes) packet to 212.86.231.58 with the DontFragment flag set, the router generates an ICMP reply message (Fragmentation Needed). This is correct.
But when I use dummynet on that interface:

    10170 pipe 10009 ip from any to any out xmit ng4
    10175 allow ip from any to any via ng4

    10009: 128.000 Kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 udp   195.248.191.65/53    212.86.231.58/1118   50965 28380582  0    0 143

the router stops sending those ICMP messages. The pipe is not overflowed at that time; it is empty.

--
Alexander Motin

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 21 03:26:49 2003
From: Alexander Motin
To: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Date: Fri, 21 Nov 2003 12:52:50 +0200
Message-ID: <3FBDEE82.3020504@alkar.net>
In-Reply-To: <3FBCCA12.1000906@alkar.net.lucky.freebsd.ipfw>
Subject: Re: dummynet & IP fragmentation bug

I successfully reproduced this on a few different 4.8 routers. Does anybody know what this is? How to fix or work around this problem?

Alexander Motin wrote:
> I have one strange problem with dummynet & IP fragmentation.
>
> I have a FreeBSD 4.8-RELEASE router with a few interfaces:
> em0: flags=8843 mtu 1500
>         options=3
>         inet 195.248.191.172 netmask 0xffffffc0 broadcast 195.248.191.191
>         ether 00:30:48:20:8e:7e
>         media: Ethernet autoselect (1000baseTX )
>         status: active
> ng4: flags=88d1 mtu 1492
>         inet 195.248.191.172 --> 212.86.231.58 netmask 0xffffffff
>
> Interface ng4 has MTU 1492 because it is a PPPoE link.
> When I do not use dummynet on the router and somebody sends a big
> (>1492 bytes) packet to 212.86.231.58 with the DontFragment flag set, the router
> generates an ICMP reply message (Fragmentation Needed). This is correct.
>
> But when I use dummynet on that interface:
> 10170 pipe 10009 ip from any to any out xmit ng4
> 10175 allow ip from any to any via ng4
>
> 10009: 128.000 Kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes
> Pkt/Byte Drp
>   0 udp   195.248.191.65/53    212.86.231.58/1118    50965 28380582  0
>     0 143
>
> the router stops sending those ICMP messages. The pipe is not overflowed at that
> time; it is empty.
--
Alexander Motin

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 21 05:44:56 2003
From: Steve Lyle
To: freebsd-ipfw-owner@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 21 Nov 2003 14:44:55 +0100 (CET)
Message-ID: <20031121134455.83205.qmail@web14526.mail.yahoo.com>
Subject: troubles sending messages into freebsd-ipfw

Every attempt I make to send messages to:

    freebsd-ipfw@freebsd.org or
    freebsd-ipfw-owner@freebsd.org

from my work email (slyle@plasticmoldings.com) is returned undeliverable by my servers.

I have not witnessed any trouble receiving memos from freebsd-ipfw.

Does your system use my MX record to verify my mail domain's IP address before accepting a given inbound message from a sending server's IP?

Thanks,
-Steve Lyle

=====
Thanks,
-Steve Lyle
513.557.5207

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 21 05:58:18 2003
From: "Simon Gray"
To: "Steve Lyle"
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 21 Nov 2003 13:56:33 -0000
Message-ID: <01cd01c3b037$45a384e0$1100a8c0@dtg17>
References: <20031121134455.83205.qmail@web14526.mail.yahoo.com>
Subject: Re: troubles sending messages into freebsd-ipfw

> Every attempt I make to send messages to:
> freebsd-ipfw@freebsd.org or
> freebsd-ipfw-owner@freebsd.org
> from my work email (slyle@plasticmoldings.com) is
> returned undeliverable by my servers.
>
> I have not witnessed any trouble receiving memos from
> freebsd-ipfw
>
> Does your system use my MX record to verify my mail
> domain's IP address before accepting a given inbound
> message from a sending server's IP?

Do you have the same problem when sending from a different email address but using the same SMTP server?
(Or try sending from a different SMTP server, but using your work email address.)

Simon

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 21 13:22:06 2003
From: "Crist J. Clark"
To: Mathieu Vaillancourt
Cc: freebsd-ipfw@FreeBSD.ORG
Date: Fri, 21 Nov 2003 13:22:22 -0800
Message-ID: <20031121212222.GA22946@blossom.cjclark.org>
Subject: Re: problem with fwd rule

On Tue, Nov 18, 2003 at 09:06:33PM -0500, Mathieu Vaillancourt wrote:
[snip]
> more specifically, using 'fwd' on incoming packets from the internal
> networks, with a rule like:
>
> fwd ISP2_GATEWAY ip from INTERNAL_IP_X to any in via INTERNAL_IF
>
> and after that hoping to catch the packet again on the external
> interface to divert it to natd.
>
> what happens is that the packet goes through the fwd rule, and never
> comes back to the firewall, so ISP2_GATEWAY receives a packet with an
> internal (private) return address.
>
> in the above discussion the author seemed to say that the forwarding
> of incoming packets was just included recently (in 2002).
> does anyone know if i have to set up a sysctl for that or some compile
> options?

'fwd'ed packets do not go through ipfw(8) processing on the way out. Look in ip_output.c:

    /*
     * Check with the firewall...
     * but not if we are already being fwd'd from a firewall.
     */
    if (fw_enable && IPFW_LOADED && !args.next_hop) {

The args.next_hop variable is non-NULL for a 'fwd'ed packet. You can 'fwd' incoming packets now, but you can think of that as being pretty much the end of the story; 'fwd'ed packets head straight out of the system without further IP hacks. You'll have to rewrite your ruleset so that the 'fwd' happens after the packets go to natd(8).

--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 21 16:09:17 2003
From: Mathieu Vaillancourt
To: freebsd-ipfw@FreeBSD.ORG
Date: Fri, 21 Nov 2003 19:09:13 -0500 (EST)
Subject: Re: problem with fwd rule

I finally solved my problem; thanks to all who wrote me. I thought I could write back what I did, because I saw there were others trying to do policy routing based on the source of the traffic, to share two different ISPs.

First I compiled ipfw with the forwarding options, and I created aliases for most of my public IPs in rc.conf. The default route is set to ISP1 (the main ISP).

I created two different /etc/natd.conf files, one for the main ISP:

/etc/natd.conf.ISP1
----------------------------------------
port 8668
interface rl0
...
redirect_address internal_ip_a public_ip_a
redirect_address ....
----------------------------------------

one for the second ISP:

/etc/natd.conf.ISP2
----------------------------------------
in_port 8669
out_port 8670
interface rl1
...
redirect_address internal_ip_b public_ip_b
redirect_address ....
----------------------------------------

I created a custom rc.firewall file:

----------------------------------------
#start natd
/sbin/natd -f /etc/natd.conf.ISP1
/sbin/natd -f /etc/natd.conf.ISP2

#local loopback
...

#basic security
...

#allow internal traffic
pass all from internal_subnet to internal_subnet via internal_interface

#allow external services
pass all from any to public_ip_service via external_ispx_interface
...

#external redirections
divert 8670 all from me to any via isp2_interface
divert 8669 all from any to me via isp2_interface
divert 8668 all from any to any via isp1_interface

#internal redirections
divert 8670 all from internal_ip_x to any in recv internal_interface

#internal redirections to ISP1 (main isp)
pass all from not internal_ip_x to any in recv internal_interface

#internal redirections to ISP2
fwd isp2_gateway all from any to any in recv internal_interface

#for testing
pass all from any to any
----------------------------------------

The trick was to catch the packet in the divert before the fwd rule happens, and to use the in_port and out_port options of natd, so when natd receives a packet on the internal interface it believes that it is going out instead of in.

There are probably other solutions, and better ones; if you have suggestions to improve this, I'll be happy to hear them.

Thanks,
math

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 21 22:36:45 2003
From: "Stephen J. Bevan"
To: cjclark@alum.mit.edu
Cc: freebsd-isp@freebsd.org, freebsd-ipfw@freebsd.org, Helge Oldach, vgoupil@alis.com, freebsd-net@freebsd.org
Date: Fri, 21 Nov 2003 22:35:54 -0800
Message-ID: <16319.970.22297.204715@anakin.>
In-Reply-To: <20031114201246.GA62521@blossom.cjclark.org>
References: <20031114163654.GB61960@blossom.cjclark.org> <200311141722.SAA19138@galaxy.hbg.de.ao-srv.com> <20031114201246.GA62521@blossom.cjclark.org>
Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)

Crist J. Clark writes:
> Two different ESP end points behind many-to-one NAT connected to a
> single ESP end point on the other side of the NAT? I'd be very curious
> to get the documentation on how they are cheating to get that to work.

A cheat is to use the sequence number in the ESP header to match up the SPI on the inbound packet with the SPI on the outbound packet. This only works if the NAT box doesn't have multiple ESP connections all starting at the same time (otherwise there would obviously be no way to tell which outbound SPI a packet with ESP sequence number 1 should match). A workaround for that is to have the NAT box delay the IKE negotiation for one connection if another one has not completed and resulted in traffic being sent. It all has a bit of a bad smell to it, but then NAT isn't exactly sweet-smelling either.
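The fwd/natd ordering problem discussed earlier in this archive (Mathieu Vaillancourt's leaked private source address, Crist J. Clark's explanation of the args.next_hop check in ip_output.c, and the divert-before-fwd ordering of the final rc.firewall) can be reproduced with a small model of the packet path. The Python below is an added example written for this archive page; it is not code posted by anyone in the thread nor part of FreeBSD. It encodes only the three facts the thread establishes (a divert rule hands the packet to natd, which rewrites it and reinjects it at the next rule; a fwd rule records a next hop and ends rule processing; a packet carrying a next hop skips ipfw on output) and uses constructed interface names, RFC 5737 documentation addresses and the natd port numbers from the posted natd.conf files. The FIXED ruleset is my own reordering, not a copy of the posted rc.firewall: it translates the source first and has the fwd rule match the already-translated address.

```python
"""Toy model of the ipfw/natd packet path from this thread. It encodes only
three facts the thread establishes: 'divert' hands the packet to natd, which
rewrites it and reinjects it at the next rule; 'fwd' records a next hop and
ends rule processing; a packet carrying a next hop (args.next_hop in
ip_output.c) skips ipfw on the way out. All names/addresses are constructed."""
from dataclasses import dataclass, replace
from typing import Optional

INTERNAL_IF, ISP1_IF, ISP2_IF = "fxp0", "rl0", "rl1"   # constructed interfaces
INTERNAL_NET = "192.168.0."       # private LAN, as in the thread
HOST_X = "192.168.0.10"           # constructed: the host that must use ISP2
PUBLIC_ISP1 = "203.0.113.1"       # constructed natd alias address on ISP1
PUBLIC_ISP2 = "198.51.100.1"      # constructed natd alias address on ISP2
ISP1_GATEWAY = "203.0.113.254"    # constructed default route
ISP2_GATEWAY = "198.51.100.254"   # constructed policy-route target
ROUTES = {ISP1_GATEWAY: ISP1_IF, ISP2_GATEWAY: ISP2_IF}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str                      # received on (in) or sent on (out)
    next_hop: Optional[str] = None  # set by 'fwd', like args.next_hop


def clause(direction=None, iface=None, src=None, negate_src=False):
    """'in recv IF' / 'out xmit IF' / 'via IF' plus 'from SRC' or 'from not SRC'."""
    def _m(pkt, d):
        if direction is not None and d != direction:
            return False
        if iface is not None and pkt.iface != iface:
            return False
        if src is not None and (pkt.src == src) == negate_src:
            return False
        return True
    return _m


def make_natd(alias, mode):
    """mode 'auto' is a plain 'port N' natd that trusts the packet direction;
    mode 'out' is 'out_port N': every packet is treated as outgoing, so a
    packet diverted on the inside interface still gets its source translated."""
    def natd(pkt, direction):
        outgoing = mode == "out" or (mode == "auto" and direction == "out")
        if outgoing and pkt.src.startswith(INTERNAL_NET):
            return replace(pkt, src=alias)   # source NAT to the alias address
        return pkt
    return natd


def run_rules(pkt, rules, direction, natds, trace):
    """One pass over (action, arg, matcher) rules; None means nothing accepted it."""
    for action, arg, matcher in rules:
        if not matcher(pkt, direction):
            continue
        if action == "pass":
            trace.append(f"{direction}: pass")
            return pkt
        if action == "fwd":
            trace.append(f"{direction}: fwd {arg}")
            return replace(pkt, next_hop=arg)
        pkt = natds[arg](pkt, direction)   # divert: natd rewrites and reinjects
        trace.append(f"{direction}: divert {arg} -> src {pkt.src}")
    return None


def route(pkt, rules, natds):
    """Inbound ipfw -> routing -> outbound ipfw. Returns (packet, gateway, trace)."""
    trace = []
    pkt = run_rules(pkt, rules, "in", natds, trace)
    if pkt is None:
        return None
    gateway = pkt.next_hop or ISP1_GATEWAY          # default route points at ISP1
    pkt = replace(pkt, iface=ROUTES[gateway])
    if pkt.next_hop is not None:                    # the ip_output.c check
        trace.append("out: ipfw skipped (args.next_hop set)")
        return pkt, gateway, trace
    pkt = run_rules(pkt, rules, "out", natds, trace)
    return None if pkt is None else (pkt, gateway, trace)


def natd_set():
    return {"8668": make_natd(PUBLIC_ISP1, "auto"),   # natd.conf.ISP1: port 8668
            "8670": make_natd(PUBLIC_ISP2, "out")}    # natd.conf.ISP2: out_port 8670


# First attempt from the thread: fwd on the way in, hoping to NAT on the way out.
BROKEN = [
    ("fwd", ISP2_GATEWAY, clause("in", INTERNAL_IF, src=HOST_X)),
    ("divert", "8668", clause(iface=ISP1_IF)),
    ("divert", "8670", clause("out", ISP2_IF)),
    ("pass", None, clause()),
]

# NAT before fwd, as the reply requires; the fwd rule matches the translated source.
FIXED = [
    ("divert", "8670", clause("in", INTERNAL_IF, src=HOST_X)),
    ("fwd", ISP2_GATEWAY, clause("in", INTERNAL_IF, src=PUBLIC_ISP2)),
    ("divert", "8668", clause(iface=ISP1_IF)),
    ("pass", None, clause()),
]

if __name__ == "__main__":
    probe = Packet(HOST_X, "192.0.2.7", INTERNAL_IF)   # constructed destination
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        pkt, gw, trace = route(probe, rules, natd_set())
        print(f"{name}: src={pkt.src} out {pkt.iface} -> {gw}; " + "; ".join(trace))
```

Running it prints one line per ruleset. With BROKEN the probe leaves rl1 toward the ISP2 gateway still carrying its 192.168.0.x source, and the trace shows "out: ipfw skipped (args.next_hop set)": the outbound pass, and with it the divert to natd, never runs, which is exactly the leak reported at the start of the thread. With FIXED the same packet leaves with the ISP2 alias address because the divert happened while the packet was still inbound; that divert only translates the source because the second natd instance is driven through its out_port, so it treats a packet received on the inside interface as outgoing. Hosts other than HOST_X take the default route and are translated by the ISP1 natd on the outbound pass as usual.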