From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 26 11:07:03 2010
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 26 Apr 2010 11:07:02 GMT
Message-Id: <201004261107.o3QB72OO004184@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/145733  ipfw   [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw   [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw   [ipfw] ipfw nat does not follow its documentation
o kern/144869  ipfw   [ipfw] [panic] Instant kernel panic when adding NAT ru
o kern/144269  ipfw   [ipfw] problem with ipfw tables
o kern/144187  ipfw   [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw   [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw   [ipfw] ipfw table contains the same address
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw   [ipfw] [patch] Addition actions with rules within spec
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

70 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 27 15:56:42 2010
From: Ryan Perry
To: freebsd-ipfw@freebsd.org
Date: Tue, 27 Apr 2010 10:32:15 -0500
Subject: static NAT + ipfw

I understand ipfw needs special options if NAT is to be used. Is this
also true if I'm only doing static NAT?

I have 5 IP addresses on an interface, 4 of which I just forward with
natd:

-redirect_address 192.168.0.10 X.X.X.X
-redirect_address 192.168.0.11 X.X.X.X
-redirect_address 192.168.0.12 X.X.X.X
-redirect_address 192.168.0.13 X.X.X.X

--
Ryan Perry

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 30 08:58:47 2010
From: Robert Huff
To: ipfw@freebsd.org
Cc: roberthuff@rcn.com
Date: Fri, 30 Apr 2010 04:58:11 -0400
Message-ID: <19418.39843.266203.180601@jerusalem.litteratus.org>
Subject: help wanted with NAT under ipfw

I have been trying to get NAT working under ipfw on:

    FreeBSD 9.0-CURRENT #0: Fri Apr 23 11:34:17 EDT 2010 amd64

and failing.
The ipfw part works fine. I'm using:

ipfw_load="YES"
ipfw_nat_load="YES"   # in-kernel ipfw nat
libalias_load="YES"   # for in-kernel ipfw nat

my ipfw rules are appended.
However, the moment I do this:

ipfw add 5000 nat 15 all from any to any
ipfw nat 15 config log same_ports if em0

the machine is cut off from the outside world. Removing that rule makes
things right again. (Obviously checking whether NAT is happening is
useless.)
I've read the man page; I've read the Handbook. Neither are helpful.
What am I doing wrong?

Respectfully,

Robert Huff

00100 7620493 3374930631 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00350 71122 27155575 allow udp from any 67-68 to any dst-port 67-68
06000 0 0 deny log tcp from any to any dst-port 137 in via em0
06050 32 3000 deny log udp from any to any dst-port 137 in via em0
06100 0 0 deny log tcp from any to any dst-port 138 in via em0
06150 1597 382354 deny log udp from any to any dst-port 138 in via em0
06200 0 0 deny log tcp from any to any dst-port 139 in via em0
06250 0 0 deny log udp from any to any dst-port 139 in via em0
07000 0 0 deny log tcp from any to any dst-port 111 in via em0
07050 0 0 deny log udp from any to any dst-port 111 in via em0
07100 0 0 deny log tcp from any to any dst-port 530 in via em0
07150 0 0 deny log udp from any to any dst-port 530 in via em0
07200 0 0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
07225 0 0 deny log logamount 100 udp from any to any dst-port 161 in recv em0
07250 0 0 deny log logamount 100 tcp from any to any dst-port 162 in recv em0
07275 0 0 deny log logamount 100 udp from any to any dst-port 162 in recv em0
07300 0 0 deny log tcp from any to any dst-port 194
07310 0 0 deny log udp from any to any dst-port 194
07320 0 0 deny log tcp from any to any dst-port 529
07330 0 0 deny log udp from any to any dst-port 529
07340 0 0 deny log tcp from any to any dst-port 994
07350 0 0 deny log udp from any to any dst-port 994
07360 129 5160 deny log tcp from any to any dst-port 6667
07370 3 603 deny log udp from any to any dst-port 6667
10000 2013254 824670340 allow tcp from any to any established
10100 234210 17681782 allow ip from any to any out via em0
10200 265 12720 allow tcp from 10.0.0.0/8 to any dst-port 80
10300 0 0 allow tcp from any 80 to any dst-port 1024-65535 via em0
10400 0 0 allow tcp from any 443 to any dst-port 1024-65535 via em0
10500 0 0 deny log tcp from any 1024-65535 to any dst-port 80 via em0
10600 0 0 deny log tcp from any 1024-65535 to any dst-port 443 via em0
65000 253161 38669952 allow ip from any to any
65535 12 1157 deny ip from any to any

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 30 11:31:18 2010
From: Lee Dilkie
To: Robert Huff
Cc: ipfw@freebsd.org
Date: Fri, 30 Apr 2010 07:17:29 -0400
Message-ID: <4BDABC49.2040600@dilkie.com>
In-Reply-To: <19418.39843.266203.180601@jerusalem.litteratus.org>
Subject: Re: help wanted with NAT under ipfw

On 4/30/2010 4:58 AM, Robert Huff wrote:
> I have been trying to get NAT working under ipfw on:
>
> FreeBSD 9.0-CURRENT #0: Fri Apr 23 11:34:17 EDT 2010 amd64
>
> and failing.
> The ipfw part works fine. I'm using:
>
> ipfw_load="YES"
> ipfw_nat_load="YES" # in-kernel ipfw nat
> libalias_load="YES" # for in-kernel ipfw nat
>
> my ipfw rules are appended.
> However, the moment I do this:
>
> ipfw add 5000 nat 15 all from any to any
> ipfw nat 15 config log same_ports if em0
>
> the machine is cut off from the outside world. Removing that
> rule makes things right again. (Obviously checking whether NAT is
> happening is useless.)
> I've read the man page; I've read the Handbook. Neither are
> helpful.
> What am I doing wrong?
>

Not an expert by any means, but I put the config line first and it
matches the same number as the nat rule.

i.e.

ipfw nat 5000 config ...
ipfw add nat 5000 ipv4 from any to any via fxp0 (I specify the interface)

not sure if that'll help.
-lee

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 30 14:12:47 2010
From: Robert Huff
To: Lee Dilkie
Cc: Robert Huff, ipfw@freebsd.org
Date: Fri, 30 Apr 2010 10:12:27 -0400
Message-ID: <19418.58699.57587.941119@jerusalem.litteratus.org>
In-Reply-To: <4BDABC49.2040600@dilkie.com>
Subject: Re: help wanted with NAT under ipfw

Lee Dilkie writes:
> Not an expert by any means, but I put the config line first and it
> matches the same number as the nat rule.
>
> i.e.
>
> ipfw nat 5000 config ...
> ipfw add nat 5000 ipv4 from any to any via fxp0 (I specify the interface)
>
> not sure if that'll help.

I'll try it. However, I adapted my material directly off the man
page ....

Robert Huff

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 30 14:18:29 2010
From: Robert Huff
To: Robert Huff
Cc: ipfw@freebsd.org, Lee Dilkie
Date: Fri, 30 Apr 2010 10:18:27 -0400
Message-ID: <19418.59059.967920.334659@jerusalem.litteratus.org>
In-Reply-To: <19418.58699.57587.941119@jerusalem.litteratus.org>
Subject: Re: help wanted with NAT under ipfw

Robert Huff writes:
> > Not an expert by any means, but I put the config line first and it
> > matches the same number as the nat rule.
> >
> > not sure if that'll help.
>
> I'll try it.

Sorry, doesn't work.

Robert Huff

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 30 16:23:17 2010
From: Dmitriy Demidov
To: freebsd-ipfw@freebsd.org
Cc: Robert Huff
Date: Fri, 30 Apr 2010 19:23:13 +0300
Message-Id: <201004301923.13306.dima_bsd@inbox.lv>
In-Reply-To: <19418.39843.266203.180601@jerusalem.litteratus.org>
Subject: Re: help wanted with NAT under ipfw

On Friday 30 April 2010, Robert Huff wrote:
> I have been trying to get NAT working under ipfw on:
>
> FreeBSD 9.0-CURRENT #0: Fri Apr 23 11:34:17 EDT 2010 amd64
>
> and failing.
> The ipfw part works fine.
> I'm using:
>
> ipfw_load="YES"
> ipfw_nat_load="YES" # in-kernel ipfw nat
> libalias_load="YES" # for in-kernel ipfw nat
>
> my ipfw rules are appended.
> However, the moment I do this:
>
> ipfw add 5000 nat 15 all from any to any
> ipfw nat 15 config log same_ports if em0
>
> the machine is cut off from the outside world. Removing that
> rule makes things right again. (Obviously checking whether NAT is
> happening is useless.)
> I've read the man page; I've read the Handbook. Neither are
> helpful.
> What am I doing wrong?
>
> Respectfully,
>
> Robert Huff

Hi,

This could happen because of an old annoying bug (or "feature"?) that
sits somewhere in the middle of libalias and the em driver:
http://www.freebsd.org/cgi/query-pr.cgi?pr=143939&cat=kern

Try to turn off RXCSUM,TXCSUM on the em interface:

ifconfig em0 -rxcsum -txcsum -tso

Good luck.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 30 19:18:07 2010
From: Robert Huff
To: Dmitriy Demidov
Cc: freebsd-ipfw@freebsd.org, Robert Huff
Date: Fri, 30 Apr 2010 14:49:13 -0400
Message-ID: <19419.9769.1823.944619@jerusalem.litteratus.org>
In-Reply-To: <201004301923.13306.dima_bsd@inbox.lv>
Subject: Re: help wanted with NAT under ipfw

Dmitriy Demidov writes:
> > I have been trying to get NAT working under ipfw on:
> > What am I doing wrong?
>
> This could happen because of an old annoying bug (or "feature"?) that
> sits somewhere in the middle of libalias and the em driver:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=143939&cat=kern
>
> Try to turn off RXCSUM,TXCSUM on the em interface:
>
> ifconfig em0 -rxcsum -txcsum -tso

YES! YES! YES! YES! YES! YES! YES!

[insert anime of burly bearded guy jumping up and down in elation]

[Goes off to try NAT.]

YES! YES! YES! YES! YES! YES! YES!

Thank you, and the person who diagnosed this. It has been hanging
for over a year.

Robert Huff
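The ipfw show listing Robert Huff posted, parsed and audited offline. This is an added example and not code from anyone in the thread; SAMPLE is a subset copied from his listing, and the three audit helpers (effective default policy, rules shadowed by an earlier catch-all, and which rules a new nat rule number would run after) are my own assumptions about what to check before inserting a nat rule.

```python
"""Parse ``ipfw show``-style output and audit rule order before adding nat."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ipfw show prints: <rule> <packets> <bytes> <action> <rest of the rule>
RULE_RE = re.compile(r"^(\d{1,5})\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")
# An unconditional catch-all body, optionally prefixed by log options.
CATCH_ALL_RE = re.compile(r"^(?:log(?: logamount \d+)? )?ip from any to any$")


@dataclass
class Rule:
    num: int
    packets: int
    bytes: int
    action: str  # allow, deny, nat, ...
    body: str    # everything after the action keyword


def parse_ipfw_show(text: str) -> List[Rule]:
    """Turn the counter-prefixed listing into Rule objects, sorted by number."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable ipfw line: {line!r}")
        rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4], m[5]))
    return sorted(rules, key=lambda r: r.num)


def effective_default(rules: List[Rule]) -> Optional[Tuple[str, int]]:
    """The first unconditional catch-all decides what unmatched traffic gets."""
    for r in rules:
        if CATCH_ALL_RE.match(r.body):
            return r.action, r.num
    return None  # nothing explicit; only the kernel's own 65535 rule applies


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules numbered after the first catch-all can never be reached."""
    hit = effective_default(rules)
    return [] if hit is None else [r for r in rules if r.num > hit[1]]


def rules_before(rules: List[Rule], new_num: int) -> List[int]:
    """Rule numbers that a rule inserted at new_num would run after."""
    return [r.num for r in rules if r.num < new_num]


# Constructed sample: a subset of the listing quoted in the thread.
SAMPLE = """\
00100 7620493 3374930631 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00350 71122 27155575 allow udp from any 67-68 to any dst-port 67-68
06050 32 3000 deny log udp from any to any dst-port 137 in via em0
07200 0 0 deny log logamount 100 tcp from any to any dst-port 161 in recv em0
10000 2013254 824670340 allow tcp from any to any established
10100 234210 17681782 allow ip from any to any out via em0
65000 253161 38669952 allow ip from any to any
65535 12 1157 deny ip from any to any
"""

if __name__ == "__main__":
    rs = parse_ipfw_show(SAMPLE)
    print("effective default:", effective_default(rs))
    print("unreachable rules:", [r.num for r in shadowed_rules(rs)])
    print("a nat rule at 5000 would run after:", rules_before(rs, 5000))
```

On the sample it reports that rule 65000 makes the ruleset default-allow, so the final 65535 deny is never reached, and that a nat rule at 5000 would run after only rules 100 to 350.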