From owner-freebsd-ipfw@FreeBSD.ORG Sun May 9 12:20:05 2010
From: "Terrence Koeman"
To: freebsd-ipfw@FreeBSD.org
Date: Sun, 9 May 2010 12:20:04 GMT
Message-Id: <201005091220.o49CK4FG072575@freefall.freebsd.org>
Subject: Re: kern/145305: [ipfw] ipfw problems, panics, data corruption, ipv6 socket weirdness

The following reply was made to PR kern/145305; it has been noted by GNATS.

From: "Terrence Koeman"
To: "bug-followup@FreeBSD.org", "root@mediamonks.net"
Subject: Re: kern/145305: [ipfw] ipfw problems, panics, data corruption, ipv6 socket weirdness
Date: Sun, 09 May 2010 10:01:12 +0200

Still present on 8-STABLE as of 30 April.

FreeBSD xxx 8.0-STABLE FreeBSD 8.0-STABLE #45: Fri Apr 30 05:32:09 CEST 2010 terrence@xxx.mediamonks.net:/usr/obj/usr/src/sys/ADINAVA-SMP amd64

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk
MediaMonks B.V. (www.mediamonks.com)

Please quote all replies in correspondence.
From owner-freebsd-ipfw@FreeBSD.ORG Mon May 10 11:06:59 2010
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 10 May 2010 11:06:59 GMT
Message-Id: <201005101106.o4AB6x1N082110@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/145733  ipfw       [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw       [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw       [ipfw] ipfw nat does not follow its documentation
o kern/144869  ipfw       [ipfw] [panic] Instant kernel panic when adding NAT ru
o kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/144187  ipfw       [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw       [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw       [ipfw] ipfw table contains the same address
o kern/139581  ipfw       [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw       [ipfw] install_state: entry already present, done
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

70 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon May 10 13:47:12 2010
From: Robert Huff
To: ipfw@freebsd.org
Cc: roberthuff@rcn.com
Date: Mon, 10 May 2010 09:46:52 -0400
Message-ID: <19432.3660.572167.437210@jerusalem.litteratus.org>
Subject: nat blocks CUPS, ssh

With this:

    ipfw add 5000 nat 15 ip from any to any via em0
    ipfw nat 15 config log same_ports if em0

added to the firewall, the local CUPS instance won't print. Also, ssh (PuTTY) can't connect from the same /8. Without it, both work.

The ipfw rules - without line 5000 - are appended.

What do I need to add to resolve this?

Respectfully,
Robert Huff

00100 19769284 8649860985 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00350 187476 71173934 allow udp from any 67-68 to any dst-port 67-68
06000 0 0 deny log tcp from any to any dst-port 137 in via em0
06050 32 3000 deny log udp from any to any dst-port 137 in via em0
06100 0 0 deny log tcp from any to any dst-port 138 in via em0
06150 4039 967213 deny log udp from any to any dst-port 138 in via em0
06200 0 0 deny log tcp from any to any dst-port 139 in via em0
06250 0 0 deny log udp from any to any dst-port 139 in via em0
07000 0 0 deny log tcp from any to any dst-port 111 in via em0
07050 0 0 deny log udp from any to any dst-port 111 in via em0
07100 0 0 deny log tcp from any to any dst-port 530 in via em0
07150 0 0 deny log udp from any to any dst-port 530 in via em0
07200 0 0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
07225 0 0 deny log logamount 100 udp from any to any dst-port 161 in recv em0
07250 0 0 deny log logamount 100 tcp from any to any dst-port 162 in recv em0
07275 0 0 deny log logamount 100 udp from any to any dst-port 162 in recv em0
07300 0 0 deny log tcp from any to any dst-port 194
07310 0 0 deny log udp from any to any dst-port 194
07320 0 0 deny log tcp from any to any dst-port 529
07330 0 0 deny log udp from any to any dst-port 529
07340 0 0 deny log tcp from any to any dst-port 994
07350 0 0 deny log udp from any to any dst-port 994
07360 335 13400 deny log tcp from any to any dst-port 6667
07370 3 603 deny log udp from any to any dst-port 6667
10000 23928192 7554903291 allow tcp from any to any established
10100 578246 43710271 allow ip from any to any out via em0
10200 16635 798480 allow tcp from 10.0.0.0/8 to any dst-port 80
10300 0 0 allow tcp from any 80 to any dst-port 1024-65535 via em0
10400 0 0 allow tcp from any 443 to any dst-port 1024-65535 via em0
10500 0 0 deny log tcp from any 1024-65535 to any dst-port 80 via em0
10600 113 5844 deny log tcp from any 1024-65535 to any dst-port 443 via em0
65000 753790 117719801 allow ip from any to any
65535 12 1157 deny ip from any to any
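One check worth running on a posted ruleset before inserting a `nat` rule at 5000, as an added example that is not part of this thread: parse the `ipfw -a list` output and see which interface-specific rules end up numbered after the nat rule. It assumes net.inet.ip.fw.one_pass=1 (the FreeBSD default), under which a packet leaving the nat instance is accepted rather than re-entering the ruleset at the next rule, so `via em0` rules placed after the nat are never consulted for em0 traffic; the sample listing is a constructed subset of the rules above.

```python
import re
from typing import List, NamedTuple, Tuple

class Rule(NamedTuple):
    num: int      # rule number
    pkts: int     # packet counter from `ipfw -a list`
    nbytes: int   # byte counter
    action: str   # allow / deny / nat / ...
    body: str     # rest of the rule, e.g. "log udp from any to any dst-port 137 in via em0"

# <number> <packets> <bytes> <action> <rest of rule>
LINE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")

def parse_listing(text: str) -> List[Rule]:
    """Parse `ipfw -a list` output into Rule records, sorted by rule number."""
    rules = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ipfw line: {line!r}")
        num, pkts, nbytes, action, body = m.groups()
        rules.append(Rule(int(num), int(pkts), int(nbytes), action, body))
    return sorted(rules, key=lambda r: r.num)

def audit_nat_position(rules: List[Rule], nat_num: int, iface: str) -> Tuple[List[Rule], List[Rule]]:
    """Split the ruleset around a `nat ... via <iface>` rule numbered nat_num.

    Returns (before, dead): rules still evaluated ahead of the nat, and the
    interface-specific rules after it that <iface> traffic can never reach,
    because with net.inet.ip.fw.one_pass=1 (the default, assumed here) a packet
    leaving the nat instance is accepted instead of re-entering the ruleset.
    Rules with no interface clause still see traffic on other interfaces.
    """
    iface_re = re.compile(rf"\b(via|recv|xmit)\s+{re.escape(iface)}\b")
    before = [r for r in rules if r.num < nat_num]
    dead = [r for r in rules if r.num > nat_num and iface_re.search(r.body)]
    return before, dead

# Constructed sample: a subset of the `ipfw -a list` output posted in the thread.
SAMPLE = """\
00100 19769284 8649860985 allow ip from any to any via lo0
06050 32 3000 deny log udp from any to any dst-port 137 in via em0
10000 23928192 7554903291 allow tcp from any to any established
10100 578246 43710271 allow ip from any to any out via em0
10600 113 5844 deny log tcp from any 1024-65535 to any dst-port 443 via em0
65535 12 1157 deny ip from any to any
"""

if __name__ == "__main__":
    before, dead = audit_nat_position(parse_listing(SAMPLE), 5000, "em0")
    print("evaluated before nat:", [r.num for r in before])
    print("em0 rules never reached after nat:", [r.num for r in dead])
```

The same audit can be run on the full listing above by pasting it into SAMPLE; every `via em0` deny between 6000 and 10600 lands in the `dead` set for a nat rule at 5000.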