From owner-freebsd-ipfw@FreeBSD.ORG Sun Feb 8 04:49:30 2004
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 30DC416A4CE for ; Sun, 8 Feb 2004 04:49:30 -0800 (PST)
Received: from mail006.syd.optusnet.com.au (mail006.syd.optusnet.com.au [211.29.132.63]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3620843D1D for ; Sun, 8 Feb 2004 04:49:29 -0800 (PST) (envelope-from tfrank@optushome.com.au)
Received: from marvin.home.local (c211-28-241-189.eburwd5.vic.optusnet.com.au [211.28.241.189])i18CnNg03780; Sun, 8 Feb 2004 23:49:23 +1100
Received: by marvin.home.local (Postfix, from userid 1001) id DE158373; Sun, 8 Feb 2004 23:49:22 +1100 (EST)
Date: Sun, 8 Feb 2004 23:49:22 +1100
From: Tony Frank
To: Vasenin Alexander aka BlackSir
Message-ID: <20040208124922.GA97343@marvin.home.local>
References: <3.0.5.32.20040206125411.01e841f0@10.0.0.15>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
cc: "Jack L. Stone"
cc: freebsd-ipfw@freebsd.org
cc: Don Bowman
cc: Luigi Rizzo
Subject: Re: Syntax to block 38 IPs
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sun, 08 Feb 2004 12:49:30 -0000

Hi,

On Fri, Feb 06, 2004 at 10:59:03PM +0300, Vasenin Alexander aka BlackSir wrote:
> To upgrade to IPFW2 you need to recompile the kernel with IPFW2 option,
> recompile 'libalias' library and 'ipfw' control program. man ipfw would
> help. I'm not sure, but I suppose IPFW2 don't marked STABLE for 4.x

Word of advice, also recompile anything that statically uses the libalias
library. natd specifically is one I missed which broke my system after
reboot.

ipfw2 tool was built, new alias library was built but natd compiles in
libalias as a static, hence although my firewall rules loaded, everything
through natd broke (including DNS lookups which 'broke' the rest of the
startup).

I resolved this by adding 'IPFW2=YES' to /etc/make.conf

Regards,

Tony

From owner-freebsd-ipfw@FreeBSD.ORG Sun Feb 8 04:56:29 2004
From: "Vasenin Alexander aka BlackSir"
To: "Tony Frank"
Date: Sun, 8 Feb 2004 15:54:38 +0300
In-Reply-To: <20040208124922.GA97343@marvin.home.local>
cc: "Jack L. Stone"
cc: Luigi Rizzo
cc: Don Bowman
cc: freebsd-ipfw@freebsd.org
Subject: RE: Syntax to block 38 IPs

Hmmm.... strange... I've been using IPFW2 on at least three 4.9 boxes (all
using natd). I've never recompiled natd and everything works fine...
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Tony Frank
> Sent: Sunday, February 08, 2004 3:49 PM
> To: Vasenin Alexander aka BlackSir
> Cc: Jack L. Stone; freebsd-ipfw@freebsd.org; Don Bowman; Luigi Rizzo
> Subject: Re: Syntax to block 38 IPs
>
> Word of advice, also recompile anything that staticly uses the
> libalias library.
> natd specifically is one I missed which broke my system after reboot.
>
> ipfw2 tool was built, new alias library was built but natd
> compiles in libalias
> as a static, hence although my firewall rules loaded, everything
> through natd
> broke (including DNS lookups which 'broke' the rest of the startup)
>
> I resolved this by adding 'IPFW2=YES' to /etc/make.conf
>
> Regards,
>
> Tony

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 9 00:23:15 2004
Date: Mon, 9 Feb 2004 00:23:15 -0800 (PST)
From: David Malone
Message-Id: <200402090823.i198NFBr074025@freefall.freebsd.org>
To: dwmalone@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/62385: [PATCH] ipfw2: ip_output() returns ENOBUFS instead of EACCES

Synopsis: [PATCH] ipfw2: ip_output() returns ENOBUFS instead of EACCES

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: dwmalone
Responsible-Changed-When: Mon Feb 9 00:20:53 PST 2004
Responsible-Changed-Why:
Assign to maintainer list. The patch makes packets denied at layer
cause EACCES rather than ENOBUFS, and looks sensible to me. I can
commit it if no one objects.

David.

http://www.freebsd.org/cgi/query-pr.cgi?pr=62385

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 9 00:25:51 2004
Date: Mon, 9 Feb 2004 00:25:46 -0800
From: Luigi Rizzo
To: David Malone
Message-ID: <20040209002546.A26400@xorpc.icir.org>
References: <200402090823.i198NFBr074025@freefall.freebsd.org>
In-Reply-To: <200402090823.i198NFBr074025@freefall.freebsd.org>; from dwmalone@freebsd.org on Mon, Feb 09, 2004 at 12:23:15AM -0800
cc: freebsd-bugs@freebsd.org
cc: ipfw@freebsd.org
Subject: Re: kern/62385: [PATCH] ipfw2: ip_output() returns ENOBUFS instead of EACCES

On Mon, Feb 09, 2004 at 12:23:15AM -0800, David Malone wrote:
> Synopsis: [PATCH] ipfw2: ip_output() returns ENOBUFS instead of EACCES
>
> Responsible-Changed-From-To: freebsd-bugs->ipfw
> Responsible-Changed-By: dwmalone
> Responsible-Changed-When: Mon Feb 9 00:20:53 PST 2004
> Responsible-Changed-Why:
> Assing to maintainer list. The patch makes packets denied at layer
> cause EACCESS rather than ENOBUFS, and looks sensible to me. I can
> commit it if no one objects.

fine with me

cheers
luigi

> David.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=62385

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 9 11:01:55 2004
Received: (from peter@localhost) by
 freefall.freebsd.org (8.12.10/8.12.10/Submit) id i19J1sBK083460 for ipfw@freebsd.org; Mon, 9 Feb 2004 11:01:54 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 9 Feb 2004 11:01:54 -0800 (PST)
Message-Id: <200402091901.i19J1sBK083460@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557 ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274 ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341 ipfw  ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534 ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080 ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159 ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564 ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172 ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086 ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959  ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749  ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984 ipfw  [patch] time based firewalling support fo
o [2003/12/29] kern/60719 ipfw  ipfw: Headerless fragments generate cryp
o [2004/02/05] kern/62385 ipfw  [PATCH] ipfw2: ip_output() returns ENOBUF

11 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 10 07:58:55 2004
Message-ID: <021601c3efee$c8b759a0$62229fc0@ad.campbellmithun.com>
From: "Shawn Barnhart"
To: "freebsd-ipfw"
Date: Tue, 10 Feb 2004 09:58:54 -0600
Subject: Measure
 load of pipes?

I've been trying to rein in our internet connectivity (multilink
aggregation of 2 T1s) using a FreeBSD box bridged between our border
router and our firewall.

One thing that's not clear to me is if there's any way to measure the
load on a specific pipe. "ipfw pipe show" lists the number of drops
associated with the pipe.

I'm thinking there might be a script I could kludge that would parse out
the bytes on the pipe display and use that as mrtg input or something.
Any other way to do this?

From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 12 02:56:57 2004
From: "Aaron D. Gifford"
To: "FreeBSD List"@FreeBSD.ORG
Message-Id: <20040212105656.30C99620E@eq.net>
Date: Thu, 12 Feb 2004 03:56:56 -0700 (MST)
X-Mailman-Approved-At: Thu, 12 Feb 2004 05:30:52 -0800
Subject: 5.2 Bridging issue

PROBLEM SUMMARY:
----------------

I've got a bridge(4) issue on a BSD 5.2.1 box. The bridging box has three
ethernet interfaces, two bridged together in a single cluster, and one
connected to the internet. The box acts as a bridge for the two network
segments, and as a router to the Internet (it's the default gateway).
The problem is, only one of the bridged segments can communicate with the
BSD box directly (and thus the Internet), even though the two segments
can talk to each other just fine.

NETWORK SET-UP:
---------------

First, let me clue you in on my network set-up:

FreeBSD 5.2 Box with 3 ethernet interfaces, em0, rl0, and rl1:

            [FreeBSD Box]
             |    |    |
            rl0  rl1  em0
             |    |    |
             |    |    +---To-Internal-Network-Segment-#1...
             |    |
             |    +---To-Internal-Network-Segment-#2..
             |
             +---Internet...

Interfaces rl1 and em0 are bridged:

  net.link.ether.bridge.config=em0:1,rl1:1

Since they ARE bridged and so are "on the same subnet", only em0 has an
IP address:

  ifconfig em0 inet 10.10.10.1/16

I don't see how or why one would need or could assign an IP on the same
subnet to the other interface, rl1, unless it was handled like many alias
addresses, as a /32 host address.

Interface rl0 is the link to the Internet.

Bridging for the most part seems to be working. Hosts on segment #1 (via
em0) are visible to hosts on segment #2 (connected via rl1). They can
ping each other, get ARP address resolution, and pass IP traffic.

All hosts use 10.10.10.1 as their default gateway to the Internet. Hosts
on segment #1 can reach the Internet just fine.

PROBLEM DETAILS:
----------------

Hosts on segment #2 cannot seem to be able to communicate with the
bridging/routing FreeBSD box's own IP addresses, and since it is the
default gateway, in turn they cannot reach the Internet. No layer 2
traffic (ARP) reaches the FreeBSD box directly (the ARP table shows
"incomplete" for all segment #2 addresses), even though ARP packets DO
reach segment #1 just fine, passing transparently through the FreeBSD
box. The BSD box just can't see stuff addressed directly to it.

This is NOT a firewalling or NAT issue. This is exclusively a bridging
issue. Firewalling/NAT occurs elsewhere.

So since I'm a FreeBSD bridge(4) newbie, after scouring the man page,
reading the Handbook's information, searching various mailing list
archives, I can't find anything useful that tells me if bridge's
bdg_forward() knows how to handle traffic like this. Apparently it
doesn't.

So bridging is just fine if you want your BSD box hidden, transparent,
invisible. But if you want it visible so it can act as a default gateway
to all segments of a subnet that are bridged together, HOW DOES ONE DO
IT?

I can't ifconfig the rl1 interface with an IP on the same subnet unless
it's a /32, and that accomplishes nothing (the IP packets are addressed
to the IP address assigned to em0). Bridging SHOULD just bridge, so
traffic to the BSD box's em0 IP should come in on rl1 and be processed by
the host.

Somehow the bridging code knows the MAC addresses on the segment #2 side
of things (rl1), since it passes traffic between the two segments just
fine. But the kernel's ARP table is totally ignorant. It can't find
those hosts.

REQUEST FOR HELP:
-----------------

Thanks in advance for all help, pointers, etc.

If there's not a way to do this, then this sounds like an issue that
should be added to the BUGS section of the bridge(4) man page.

Aaron out.
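Going back to Shawn Barnhart's question about measuring the load on a specific dummynet pipe: the script below is an added example, not code from this thread or from the ipfw project. It parses the output of `ipfw pipe show`, sums the Tot_pkt/bytes and Drp columns per pipe, and prints the four lines MRTG expects from an external script (in counter, out counter, uptime, target name). The embedded sample output is constructed to match the ipfw2 dummynet layout as I know it (a pipe header starting with the five-digit pipe number, a `BKT Prot ...` column header, one row per active bucket); the pipe numbers 1 and 2, the `SAMPLE` text and the column positions are assumptions, so compare them with your own `ipfw pipe show` before pointing MRTG at it.

```python
"""Turn 'ipfw pipe show' counters into MRTG external-script input.

Added example, not from the mailing list thread.  Assumes the ipfw2
dummynet output layout (pipe header, mask line, 'BKT Prot ...' header,
one row per bucket with Tot_pkt, Tot_bytes, Pkt, Byte, Drp columns).
SAMPLE below is constructed for this example.
"""
import re
import subprocess
import sys

# Constructed sample: two pipes on a box shaping roughly 2 x T1.
SAMPLE = """\
00001:   3.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0             0.0.0.0/0     48213 61245900  3 4096   17
00002:   3.000 Mbit/s    0 ms   50 sl. 2 queues (64 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 12 ip        10.0.0.12/0             0.0.0.0/0      9001  8123456  0    0    0
 40 ip        10.0.0.40/0             0.0.0.0/0       777   654321  1 1500    2
"""

# A pipe header starts with the zero-padded pipe number and a colon.
PIPE_HDR = re.compile(r"^(\d{5}):\s")
# A bucket row: bucket, proto, source, dest, then five integer counters.
FLOW_ROW = re.compile(
    r"^\s*\d+\s+\S+\s+\S+\s+\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_pipe_show(text):
    """Return {pipe_number: {"pkts", "bytes", "drops"}}, summed over buckets."""
    stats = {}
    current = None
    for line in text.splitlines():
        m = PIPE_HDR.match(line)
        if m:
            current = int(m.group(1))
            stats[current] = {"pkts": 0, "bytes": 0, "drops": 0}
            continue
        m = FLOW_ROW.match(line)
        if m and current is not None:
            tot_pkt, tot_bytes, _q_pkt, _q_bytes, drops = map(int, m.groups())
            stats[current]["pkts"] += tot_pkt
            stats[current]["bytes"] += tot_bytes
            stats[current]["drops"] += drops
    return stats


def mrtg_lines(stats, pipe_in, pipe_out, uptime="", name=""):
    """Four lines for MRTG: in-counter, out-counter, uptime, target name.

    pipe_in/pipe_out are the two pipes used for the two directions;
    a pipe that does not exist (or has no active bucket) reports 0.
    """
    return [
        str(stats.get(pipe_in, {}).get("bytes", 0)),
        str(stats.get(pipe_out, {}).get("bytes", 0)),
        uptime,
        name,
    ]


def main(argv):
    if len(argv) >= 3:
        # On the shaping box: read live counters from ipfw(8).
        text = subprocess.run(["ipfw", "pipe", "show"], capture_output=True,
                              text=True, check=True).stdout
        pipe_in, pipe_out = int(argv[1]), int(argv[2])
    else:
        text, pipe_in, pipe_out = SAMPLE, 1, 2  # offline demo on the sample
    stats = parse_pipe_show(text)
    for num, s in sorted(stats.items()):
        sys.stderr.write("pipe %d: %d pkts %d bytes %d drops\n"
                         % (num, s["pkts"], s["bytes"], s["drops"]))
    print("\n".join(mrtg_lines(stats, pipe_in, pipe_out,
                               name="dummynet pipes %d/%d" % (pipe_in, pipe_out))))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 pipeload.py <in-pipe> <out-pipe>` from an MRTG `Target[...]` of type COUNTER. Two caveats: Tot_bytes only grows until the pipe is reconfigured or flushed, and in a pipe with a mask the per-bucket entries are freed once a flow goes idle, so the summed counter is not monotonic on masked pipes; the Drp column written to stderr is the saturation signal Shawn was after.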
From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 12 13:04:48 2004
Message-ID: <402BEA38.8080301@infowest.com>
Date: Thu, 12 Feb 2004 14:03:52 -0700
From: "Aaron D. Gifford"
To: undisclosed-recipients: ;
References: <20040212105656.30C99620E@eq.net>
X-Mailman-Approved-At: Fri, 13 Feb 2004 05:51:05 -0800
Subject: Re: 5.2 Bridging issue

I asked:

>> I've got a bridge(4) issue on a BSD 5.2.1 box. The bridging box has
>> three ethernet interfaces, two bridged together in a single cluster,
>> and one connected to the internet. The box acts as a bridge for the
>> two network segments, and as a router to the Internet (it's the
>> default gateway). The problem is, only one of the bridged segments
>> can communicate with the BSD box directly (and thus the Internet),
>> even though the two segments can talk to each other just fine.

Bjorn Eikeland replied:

>
> Try sysctl net.inet.ip.check_interface=0 - sounds like the same problem
> i had with my
> bridge a while back.
>
> good luck!
>
> Bjorn

Thanks! That was it! I didn't even think to check this, since I was
unaware that it was set to 1 by default in 5.2. Maybe I'll submit a patch
PR for the bridge(4) man page to mention this.

Aaron out.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 12 17:13:24 2004
Message-ID: <402C247B.4060009@infowest.com>
Date: Thu, 12 Feb 2004 18:12:27 -0700
From: "Aaron D. Gifford"
To: undisclosed-recipients: ;
References: <20040212105656.30C99620E@eq.net>
X-Mailman-Approved-At: Fri, 13 Feb 2004 05:51:05 -0800
Subject: Unsolved: 5.2 Bridging issue

I originally wrote:

>> I've got a bridge(4) issue on a BSD 5.2.1 box. The bridging box has
>> three ethernet interfaces, two bridged together in a single cluster,
>> and one connected to the internet.
>> The box acts as a bridge for the
>> two network segments, and as a router to the Internet (it's the
>> default gateway). The problem is, only one of the bridged segments
>> can communicate with the BSD box directly (and thus the Internet),
>> even though the two segments can talk to each other just fine.

And Bjorn Eikeland responded:

> Try sysctl net.inet.ip.check_interface=0 - sounds like the same problem
> i had with my
> bridge a while back.
>
> good luck!
>
> Bjorn

I then replied that Bjorn's explanation worked. Well, I feel like an
idiot now, but it turns out it didn't work after all. I had just plugged
my test machine into the wrong ethernet port, so of course things worked.

Quick recap of my set-up:

FreeBSD box with 3 interfaces, two bridged, the other connects to the
Internet. The interfaces are as follows:

  em0   10.10.10.1/24   Bridged with rl1
  rl0   10.20.20.2/24   Not bridged, connects to rest of net
  rl1   NO IP ADDRESS   Bridged with em0 so hosts on this segment are on
                        the same 10.10.10.0/24 subnet

All hosts on 10.10.10.0/24 use 10.10.10.1 as the default gateway. The
FreeBSD box in question acts as a router and bridge, routing stuff to an
upstream router (call it 10.20.20.1).

Some sysctl settings:
---------------------

  net.link.ether.bridge.enable: 1
  net.link.ether.bridge.config: em0:1,rl1:1
  net.link.ether.bridge_ipfw: 0
  net.inet.ip.check_interface: 0
  net.inet.ip.forwarding=1

Routing Table:
--------------

Internet:
Destination        Gateway            Flags    Refs      Use  Netif
default            10.20.20.1         UGS         0   193583    rl0
10/24              link#3             UC          0        0    em0
127.0.0.1          127.0.0.1          UH          0     2300    lo0
10.20.20.0/24      link#1             UC          0        0    rl0
10.20.20.1         01:23:45:67:89:ab  UHLW        1        0    rl0

ifconfig sample:
----------------

rl0: flags=8843 mtu 1500
        options=8
        inet 10.20.20.2 netmask 0xfffffff0 broadcast 10.20.20.255
        ether 0f:1e:2d:3c:4b:3a
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8943 mtu 1500
        options=8
        ether 00:11:aa:bb:22:cc
        media: Ethernet autoselect (100baseTX )
        status: active
em0: flags=8943 mtu 1500
        options=3
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
        ether ab:cd:ef:98:76:54
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

PROBLEM RECAP:
--------------

Traffic between em0 and rl1 is bridged just fine, EXCEPT for traffic
TO/FROM the FreeBSD host itself TO any hosts on rl1 (the interface
without the IP address).

So 10.10.10.100 on rl1 can talk with 10.10.10.50 on em0, ARP traffic as
well as IP traffic. But the BSD host will never get ARP or IP traffic
to/from 10.10.10.100 on rl1. The BSD host can talk just fine to
10.10.10.50 on em0.

Anyone else have any ideas? The system's running FreeBSD 5.2.1-RC2.

Thanks again in advance!

Aaron out.
From owner-freebsd-ipfw@FreeBSD.ORG Sat Feb 14 05:30:24 2004
To: freebsd-ipfw@freebsd.org
From: Clemens Fischer
Date: Sat, 14 Feb 2004 13:11:12 +0100
References: <3F833434.5090506@tenebras.com> <020201c39c6e$5f0fea40$080ba8c0@admin>
X-Injected-Via-Gmane: http://gmane.org/
Subject: Re: Strange leakage of private source addresses w/ipfw and natd

* 2003-10-27 freebsd@dwec.ru:

> Ok, maybe not THAT important but definitely a Bad Surprise. Here's
> the sample (and in current configuration only ICMP packets from time
> to time are being passed through unaltered):
>
> snort: [1:0:0] POSSIBLE address leakage - ICMP {ICMP} 192.168.5.2 ->
> 208.115.104.193
> [**] POSSIBLE address leakage - ICMP [**]

ICMP is connectionless, so anybody can ping/traceroute/whatever your
machine if you don't block those private IPs, and this is what people
usually do.

  clemens
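The snort alert quoted in this thread is the detection side of the leak; the script below is an added example (not code from the thread, from snort or from the ipfw project) that runs that detection over alert lines and turns the result into the egress block Clemens describes. It assumes snort's single-line "fast" alert format, `[**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst`, which is what the quoted alert looks like; the `ALERTS` text is constructed for the example, the external interface name `fxp0` is a placeholder, and `RFC1918` is the usual private-address list from RFC 1918.

```python
"""Find private source addresses leaking past NAT in snort fast alerts.

Added example, not from the mailing list thread.  Assumes snort's
single-line 'fast' alert format; ALERTS is constructed sample input.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample alerts: three ICMP leaks from two hosts, one TCP
# leak, and one alert whose source is already a public address.
ALERTS = """\
02/14-13:02:11.120034  [**] [1:0:0] POSSIBLE address leakage - ICMP [**] {ICMP} 192.168.5.2 -> 208.115.104.193
02/14-13:02:12.004410  [**] [1:0:0] POSSIBLE address leakage - ICMP [**] {ICMP} 192.168.5.2 -> 208.115.104.193
02/14-13:05:40.771002  [**] [1:0:0] POSSIBLE address leakage - ICMP [**] {ICMP} 192.168.5.7 -> 208.115.104.201
02/14-13:06:01.300000  [**] [1:0:0] POSSIBLE address leakage - TCP [**] {TCP} 10.0.0.5:1234 -> 208.115.104.200:80
02/14-13:07:00.000000  [**] [1:0:0] Translated probe [**] {ICMP} 208.115.104.50 -> 208.115.104.201
"""

# Tail of a fast alert: "{PROTO} src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_alert(line):
    """Return (proto, src_address, dst_address) or None for a non-matching line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return (m.group("proto"),
            ipaddress.ip_address(m.group("src")),
            ipaddress.ip_address(m.group("dst")))


def find_leaks(lines):
    """Alerts whose source is private but whose destination is not.

    Such a packet left the NAT box untranslated; after natd the source
    should have been the public address.
    """
    leaks = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        proto, src, dst = parsed
        if src.is_private and not dst.is_private:
            leaks.append((proto, str(src), str(dst)))
    return leaks


def summarize(leaks):
    """Count leaked packets per (protocol, private source)."""
    return Counter((proto, src) for proto, src, _dst in leaks)


def suggested_rules(leaks, ext_if):
    """ipfw deny rules for each RFC 1918 block seen leaking on ext_if."""
    nets = set()
    for _proto, src, _dst in leaks:
        addr = ipaddress.ip_address(src)
        for net in RFC1918:
            if addr in net:
                nets.add(str(net))
    return ["ipfw add deny ip from %s to any out via %s" % (net, ext_if)
            for net in sorted(nets)]


if __name__ == "__main__":
    leaks = find_leaks(ALERTS.splitlines())
    for (proto, src), n in sorted(summarize(leaks).items()):
        print("%-4s %-15s %d leaked packet(s)" % (proto, src, n))
    for rule in suggested_rules(leaks, "fxp0"):  # fxp0 is a placeholder
        print(rule)
```

The deny rules have to be numbered after the `divert natd` rule, otherwise they match every outbound packet before translation and nothing leaves the box; placed after it, they only catch what natd did not rewrite, which on the original poster's box was the occasional ICMP packet.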