Date:      Mon, 16 Feb 2009 15:28:21 +0100 (CET)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-ipfw@FreeBSD.ORG, ozkan@mersin.edu.tr
Subject:   Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
Message-ID:  <200902161428.n1GESLvL015103@lurza.secnetix.de>
In-Reply-To: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com>

Hello,

Unfortunately I can't help you with your actual problem,
but I have a few remarks that might be helpful.

Özkan KIRIK wrote:
 > I am using FreeBSD 7.1 RELEASE as a gateway (about 2000 clients, 90 VLANs via
 > if_vlan).
 > My server is an HP DL380 G4. I am using the on-board gigabit NIC as the WAN
 > interface, which uses the bge driver.
 > 
 > My rule set is below:
 > 
 > wan_intf="bge1"
 > ipfw nat 100 config ip X.X.X.1 reset same_ports
 > ipfw nat 101 config ip X.X.X.2 reset same_ports
 > ipfw nat 102 config ip X.X.X.3 reset same_ports
 > ...
 > ...
 > ipfw add 5 allow all from any to any layer2
 > ipfw add 50 checkstate

Note:  It is spelled "check-state".  Please verify that you
have it correctly in your ipfw script.

 > ...
 > ... Other port forwarding and static nat rules without keep-state
 > ...
 > ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
 > ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via
 > $wan_intf
 > ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
 > ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via
 > $wan_intf
 > ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
 > ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via
 > $wan_intf
 > ...
 > ...
 > ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
 > ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
 > ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
 > ...
 > ...
 > 
 > About 2 minutes after applying this rule set, the system writes "bge1
 > watchdog timeout --- resetting" and then hangs; the keyboard doesn't
 > respond. No logs can be observed.
 > 
 > When I remove all skipto and checkstate rules, the system works properly without
 > problems. I suspect the stateful inspection code.

If you don't have an explicit check-state rule, then there's
an implicit check-state rule at the first keep-state.
If you don't want any check-state at all, you must remove
all stateful rules (i.e. all "keep-state" rules).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry Court Munich, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registry Court
Munich, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

$ dd if=/dev/urandom of=test.pl count=1
$ file test.pl
test.pl: perl script text executable
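As an added example (not part of Oliver's message or of the original thread), a small POSIX shell lint over a constructed copy of the quoted rule set that checks both points raised above: the misspelled "checkstate" action, and keep-state rules that precede any explicit check-state and therefore act as an implicit one. The 192.0.2.x addresses and bge1 are placeholders for the X.X.X.n values in the post.

```shell
#!/bin/sh
# Constructed ipfw script, modelled on the rule set quoted in the thread
# (192.0.2.x and bge1 are placeholders, not real addresses).
SAMPLE_RULES='wan_intf="bge1"
ipfw nat 100 config ip 192.0.2.1 reset same_ports
ipfw add 5 allow all from any to any layer2
ipfw add 50 checkstate
ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from 192.0.2.1 to any setup keep-state via $wan_intf
ipfw add 51000 nat 100 all from any to 192.0.2.1 via $wan_intf'

# Same script with the action spelled the way ipfw(8) expects it.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | sed 's/ checkstate$/ check-state/')

# lint_ipfw_rules: read an ipfw script on stdin, print one finding per line.
# Exit status 0 = no findings, 1 = findings.
#  - "checkstate" is not an ipfw action, so ipfw reports a syntax error for that
#    line and the script ends up with keep-state rules but no explicit check-state.
#  - a keep-state rule seen before any explicit check-state is reported, because
#    ipfw then treats the first such rule as an implicit check-state.
lint_ipfw_rules() {
    awk '
        $1 == "ipfw" && $2 == "add" {
            for (i = 3; i <= NF; i++) {
                if ($i == "checkstate") {
                    printf "line %d: misspelled action \"checkstate\"; ipfw expects \"check-state\"\n", NR
                    bad++
                } else if ($i == "check-state") {
                    cs = 1
                } else if ($i == "keep-state" && !cs) {
                    printf "line %d: keep-state rule before any check-state; it acts as an implicit check-state\n", NR
                    bad++
                }
            }
        }
        END { exit (bad > 0) }
    '
}

# Demo: the constructed sample has two findings, the fixed copy has none.
if ! printf '%s\n' "$SAMPLE_RULES" | lint_ipfw_rules; then
    echo "sample rule set needs attention"
fi
printf '%s\n' "$FIXED_RULES" | lint_ipfw_rules && echo "fixed rule set is clean"
```

Run it against a real script with `lint_ipfw_rules < /etc/ipfw.rules` before loading the rules; a non-zero exit means at least one finding was printed.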