From: Spil Oss
Reply-To: spil.oss@gmail.com
To: Ian Smith
Cc: freebsd-ipfw@freebsd.org, Michael Sierchio
Date: Mon, 15 Apr 2013 21:04:32 +0200
Subject: Re: Problems with ipfw/natd and axe(4)
In-Reply-To: <20130415160625.K56386@sola.nimnet.asn.au>
References: <20130415015850.Y56386@sola.nimnet.asn.au> <20130415160625.K56386@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

Hi all,

Network dumps as promised

On 172.17.2.1: tcpdump -p -i bridge0 -s 0 -w ssh-fail.pcap host not 172.17.2.167
From 172.17.2.1 I ran telnet 172.17.2.111/157 22

In Wireshark I trimmed the capture a bit further with expression 'not stp and not http'

Initial setup (ue0 ext, re0 int, rule 10 to allow ssh) -> ue0-ssh-success.pcap
Removed rule 10 -> ue0-ssh-fail.pcap
Switched re0 and ue0, default ruleset (without 10) -> re0-ssh-success.pcap

According to YungHyeong the sample ASIX NIC he has works normally when checksumming is disabled.

Kind regards,
Spil.

On Mon, Apr 15, 2013 at 8:25 AM, Ian Smith wrote:
> On Sun, 14 Apr 2013 10:34:06 -0700, Michael Sierchio wrote:
> > On Sun, Apr 14, 2013 at 10:26 AM, Ian Smith wrote:
> > >
> > > 'allow ip' aka 'allow all' doesn't usually take a port number, which
> > > applies only to tcp and udp.
> >
> > It does in ipfw - in which case it means ( udp | tcp )
>
> You're quite right, and my assumption that it would also permit icmp
> was quite wrong, after a quick test.
>
> Which appears to leave the bypassed divert not working with rx/txcsum
> the only viable suspect. The ruleset is otherwise 'out of the box'.
>
> Does anyone know whether this is an issue with libalias(3) generally -
> in which case using nat instead of divert shouldn't help - or just with
> natd in particular?
>
> cheers, Ian
>
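The thread's working suspect is address rewriting through divert/natd combined with rx/txcsum offload. As an added illustration (not code from this message, natd or libalias), the Python sketch below shows why an incremental checksum adjustment after a source-address rewrite (RFC 1624) only produces a valid TCP segment when the checksum field was already complete. The inside address 10.0.0.5, the ports, and modelling an offloaded segment as a zeroed checksum field are constructed assumptions.

```python
import socket
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, length: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)

def build_syn(src, dst, sport, dport, fill_checksum=True) -> bytes:
    """Constructed TCP SYN. fill_checksum=False leaves the field zero, a
    simplified stand-in for a segment whose checksum the NIC should add."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 0xFFFF, 0, 0)
    if fill_checksum:
        full = ~csum16(pseudo_header(src, dst, len(seg)) + seg) & 0xFFFF
        seg = seg[:16] + struct.pack("!H", full) + seg[18:]
    return seg

def checksum_field(seg: bytes) -> int:
    return struct.unpack("!H", seg[16:18])[0]

def is_valid(src, dst, seg) -> bool:
    """A receiver accepts the segment only if everything sums to 0xFFFF."""
    return csum16(pseudo_header(src, dst, len(seg)) + seg) == 0xFFFF

def nat_rewrite_src(seg: bytes, old_src: str, new_src: str) -> bytes:
    """Adjust the checksum for a new source address without re-reading the
    payload: HC' = ~(~HC + ~m + m') per changed 16-bit word (RFC 1624)."""
    total = ~checksum_field(seg) & 0xFFFF
    old_words = struct.unpack("!2H", socket.inet_aton(old_src))
    new_words = struct.unpack("!2H", socket.inet_aton(new_src))
    for m, m_new in zip(old_words, new_words):
        total += (~m & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return seg[:16] + struct.pack("!H", ~total & 0xFFFF) + seg[18:]

if __name__ == "__main__":
    inside, outside, peer = "10.0.0.5", "172.17.2.111", "172.17.2.1"  # constructed roles
    for filled in (True, False):
        out = nat_rewrite_src(build_syn(inside, peer, 40000, 22, filled), inside, outside)
        print(f"checksum filled before NAT={filled}: valid after NAT={is_valid(outside, peer, out)}")
```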