From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 12 10:41:34 2010
Message-ID: <4C3AEA4E.50005@gmail.com>
Date: Mon, 12 Jul 2010 11:11:26 +0100
From: Michael
To: freebsd-ipfw@freebsd.org
Subject: please help with NATing my jails
List-Id: IPFW Technical Discussions

Hello.

Does anybody have a working configuration with ipfw NATed jails on a loopback interface? It simply doesn't work on my system. I cannot get any connections to the outside world from within a jail.

FreeBSD 8.0-p3 amd64 laptop connected to the internet via wlan0 (ath0) with the 192.168.1.111 address obtained with DHCP. Jail with IP 127.127.127.1 aliased on lo0.

Host system configuration:

/etc/rc.conf
ifconfig_wlan0="WPA DHCP"
ifconfig_lo0_alias0="inet 127.127.127.1 netmask 255.255.255.255"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_nat_enable="YES"
firewall_nat_interface="wlan0"

/etc/resolve.conf
nameserver 208.67.222.222
nameserver 208.67.220.220

/etc/ipfw.conf
ipfw -q -f flush
ipfw add 10 allow all from 127.0.0.1 to 127.0.0.1 via lo0
ipfw add 20 check-state
ipfw add 30 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
ipfw nat 100 config ip 192.168.1.111 log
ipfw add 40 allow all from any to any

Jailed system configuration:

/etc/rc.conf
network_interfaces=""

/etc/resolve.conf
nameserver 208.67.222.222
nameserver 208.67.220.220

Now I'm doing ssh into the jailed system (127.127.127.1). Then on the jail system I'm trying to do, for example:

host freebsd.org
;; connection timed out; no servers could be reached

After that on the host system I can get some more information:

ipfw -d show
00010    0     0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00020    0     0 check-state
00030    4   204 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
00040  204 26764 allow ip from any to any
65535    0     0 deny ip from any to any
## Dynamic rules (2):
00030    1    51 (5s) STATE udp 127.127.127.1 19333 <-> 208.67.220.220 53
00030    1    51 (4s) STATE udp 127.127.127.1 37497 <-> 208.67.222.222 53

ipfw nat show
nat 100: icmp=0, udp=4, tcp=0, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=4

So no packets got blocked, but still it doesn't work properly. I've been struggling with this for a couple of weeks now and I'm afraid I've just run out of ideas, so any help would be very appreciated. The same jail works fine with pf, so I believe it's a problem with my ipfw rules.

Michael

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 12 11:07:02 2010
Date: Mon, 12 Jul 2010 11:07:01 GMT
Message-Id: <201007121107.o6CB71ck094037@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/148429  ipfw   net.inet.ip.dummynet.io_fast broken or documentation i
o kern/148157  ipfw   [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o conf/148144  ipfw   [patch] add ipfw_nat support for rc.firewall simple ty
o conf/148137  ipfw   [ipfw] call order of natd and ipfw startup scripts
o kern/147720  ipfw   [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw   [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw   [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw   [ipfw] ipfw nat does not follow its documentation
o kern/144869  ipfw   [ipfw] [panic] Instant kernel panic when adding NAT ru
o kern/144269  ipfw   [ipfw] problem with ipfw tables
o kern/144187  ipfw   [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw   [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw   [ipfw] ipfw table contains the same address
f kern/142951  ipfw   [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw   [ipfw] [patch] Addition actions with rules within spec
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

76 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 12 12:47:37 2010
Message-ID: <4C3B0ED7.9010807@ipv6canada.com>
Date: Mon, 12 Jul 2010 08:47:19 -0400
From: Steve Bertrand
To: Michael
Cc: freebsd-ipfw@freebsd.org
References: <4C3AEA4E.50005@gmail.com>
In-Reply-To: <4C3AEA4E.50005@gmail.com>
Subject: Re: please help with NATing my jails

On 2010.07.12 06:11, Michael wrote:
> Hello.
>
> Does anybody have a working configuration with ipfw NATed jails on a
> loopback interface?
> It simply doesn't work on my system. I cannot get any connections to
> the outside world from within a jail.
>
> FreeBSD 8.0-p3 amd64 laptop connected to the internet via wlan0 (ath0) with
> the 192.168.1.111 address obtained with DHCP.
> Jail with IP 127.127.127.1 aliased on lo0.
>
> Host system configuration:
> /etc/rc.conf
> ifconfig_wlan0="WPA DHCP"
> ifconfig_lo0_alias0="inet 127.127.127.1 netmask 255.255.255.255"
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_nat_enable="YES"
> firewall_nat_interface="wlan0"
> /etc/resolve.conf
> nameserver 208.67.222.222
> nameserver 208.67.220.220
> /etc/ipfw.conf
> ipfw -q -f flush
> ipfw add 10 allow all from 127.0.0.1 to 127.0.0.1 via lo0
> ipfw add 20 check-state
> ipfw add 30 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state

...do you need a second nat rule for the inbound traffic, or does nat handle that by itself?

If you run tcpdump on the wlan interface, do you see the inbound traffic that relates to your request?

Steve

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 12 13:48:39 2010
Date: Mon, 12 Jul 2010 13:48:38 GMT
Message-Id: <201007121348.o6CDmckD036881@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-ifpw@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/148430: [ipfw] IPFW schedule delete broken.
Old Synopsis: IPFW schedule delete broken.
New Synopsis: [ipfw] IPFW schedule delete broken.

Responsible-Changed-From-To: freebsd-ifpw->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Jul 12 13:48:20 UTC 2010
Responsible-Changed-Why:
fix assignment

http://www.freebsd.org/cgi/query-pr.cgi?pr=148430

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 14 02:08:40 2010
Date: Wed, 14 Jul 2010 10:41:57 +0900 (JST)
Message-Id: <20100714.104157.59462157.candy@kgc.co.jp>
To: bug-followup@FreeBSD.org, vnovy@vnovy.ne, freebsd-ipfw@FreeBSD.org
From: candy-sendpr@kgc.co.jp
Cc: candy-sendpr@kgc.co.jp
Subject: Re: conf/148137: [ipfw] call order of natd and ipfw startup scripts

Fix: Just copy the 8.0-RELEASE version of the /etc/rc.d/ipfw script to your 8.1 box :-)

It seems to be a bug in /etc/rc.d/ipfw 1.21.2.2. It moved the `/etc/rc.d/natd quietstart' sequence from ipfw_start() to ipfw_poststart(). natd(8) must be started before the ipfw(8) rules are processed. It should be in ipfw_prestart() or ipfw_start().

> From 8.0-RELEASE the ipfw startup script doesn't call the natd startup script.
> Also there is no information about the call order of the ipfw and natd startup
> scripts. On my system ipfw is called before natd. If the ipdivert module is
> not loaded using loader.conf, natd loads it, but ipfw, running before it, fails
> to install divert rules.

KANDA Toshihiro

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 14 02:10:10 2010
Date: Wed, 14 Jul 2010 02:10:10 GMT
Message-Id: <201007140210.o6E2AAat000570@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: candy-sendpr@kgc.co.jp
Reply-To: candy-sendpr@kgc.co.jp
Subject: Re: conf/148137: [ipfw] call order of natd and ipfw startup scripts

The following reply was made to PR conf/148137; it has been noted by GNATS.

From: candy-sendpr@kgc.co.jp
To: bug-followup@FreeBSD.org, vnovy@vnovy.ne, freebsd-ipfw@FreeBSD.org
Cc: candy-sendpr@kgc.co.jp
Subject: Re: conf/148137: [ipfw] call order of natd and ipfw startup scripts
Date: Wed, 14 Jul 2010 10:41:57 +0900 (JST)

Fix: Just copy the 8.0-RELEASE version of the /etc/rc.d/ipfw script to your 8.1 box :-)

It seems to be a bug in /etc/rc.d/ipfw 1.21.2.2. It moved the `/etc/rc.d/natd quietstart' sequence from ipfw_start() to ipfw_poststart(). natd(8) must be started before the ipfw(8) rules are processed. It should be in ipfw_prestart() or ipfw_start().

> From 8.0-RELEASE the ipfw startup script doesn't call the natd startup script.
> Also there is no information about the call order of the ipfw and natd startup
> scripts. On my system ipfw is called before natd. If the ipdivert module is
> not loaded using loader.conf, natd loads it, but ipfw, running before it, fails
> to install divert rules.

KANDA Toshihiro

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 15 08:11:31 2010
Date: Thu, 15 Jul 2010 11:45:12 +0400
From: Mamontov Roman
Message-ID: <1931583025.20100715114512@gmail.com>
To: freebsd-ipfw@freebsd.org
Subject: Problem with ipfw nat and packet to local services

Hello, freebsd-ipfw.

I try to use ipfw nat with these rules:

00035 138 10242 nat 1 log ip from any to any via ext_if1
65000 6823 689594 allow ip from any to any
65535 170 13629 deny ip from any to any

ipfw nat 1 config ip xxx.xxx.xxx.xxx deny_in same_ports unreg_only
redirect_port udp 192.168.54.50:417 417 redirect_port tcp 192.168.54.50:417 417
redirect_port tcp 192.168.2.19:3233 3233 redirect_port udp 192.168.2.19:416 416
redirect_port tcp 192.168.2.19:416 416 redirect_port udp 192.168.2.18:415 415
redirect_port tcp 192.168.2.18:415 415 redirect_port udp 192.168.2.17:414 414
redirect_port tcp 192.168.2.17:414 414 redirect_port udp 192.168.2.16:413 413
redirect_port tcp 192.168.2.16:413 413 redirect_port tcp 192.168.2.15:3232 3232
redirect_port udp 192.168.2.15:412 412 redirect_port tcp 192.168.2.15:412 412

Packets from the local network and this box to the outside network go through correctly. But packets from the outside network to services (udp, icmp, tcp) on this box do not pass.

In /var/log/security:
Jul 15 11:34:12 kernel: ipfw: 35 Nat UDP yyy.yyy.yyy.yyy:36129 xxx.xxx.xxx.xxx:33564 in via ext_if1

In tcpdump output:
11:34:17.239509 IP yyy.yyy.yyy.yyy.36129 > xxx.xxx.xxx.xxx.33565: UDP, length 12

solution# kldstat
Id Refs Address    Size     Name
 1   20 0xc0400000 7ad380   kernel
 2    1 0xc0bae000 19654    geom_mirror.ko
 3    1 0xc0bc8000 3148     alias_ftp.ko
 4    1 0xc2d1b000 4000     ng_mppc.ko
 5    1 0xc2d1f000 2000     rc4.ko
 6    1 0xc303a000 5000     ng_ksocket.ko
 7    1 0xc303f000 3000     ng_tee.ko
 8    1 0xc3042000 7000     ng_ppp.ko

solution# uname -r
8.1-PRERELEASE

solution# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Is there some mistake in my firewall rules? Any ideas?
--
Best regards,
Mamontov Roman                          mailto:mr.xanto@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 15 09:12:43 2010
Date: Thu, 15 Jul 2010 19:12:40 +1000 (EST)
From: Ian Smith
To: Mamontov Roman
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <1931583025.20100715114512@gmail.com>
Message-ID: <20100715183743.S86988@sola.nimnet.asn.au>
References: <1931583025.20100715114512@gmail.com>
Subject: Re: Problem with ipfw nat and packet to local services

On Thu, 15 Jul 2010, Mamontov Roman wrote:
> Hello, freebsd-ipfw.
>
> I try to use ipfw nat with these rules:
>
> 00035 138 10242 nat 1 log ip from any to any via ext_if1
> 65000 6823 689594 allow ip from any to any
> 65535 170 13629 deny ip from any to any
>
> ipfw nat 1 config ip xxx.xxx.xxx.xxx deny_in same_ports unreg_only
> redirect_port udp 192.168.54.50:417 417 redirect_port tcp 192.168.54.50:417 417
> redirect_port tcp 192.168.2.19:3233 3233 redirect_port udp 192.168.2.19:416 416
> redirect_port tcp 192.168.2.19:416 416 redirect_port udp 192.168.2.18:415 415
> redirect_port tcp 192.168.2.18:415 415 redirect_port udp 192.168.2.17:414 414
> redirect_port tcp 192.168.2.17:414 414 redirect_port udp 192.168.2.16:413 413
> redirect_port tcp 192.168.2.16:413 413 redirect_port tcp 192.168.2.15:3232 3232
> redirect_port udp 192.168.2.15:412 412 redirect_port tcp 192.168.2.15:412 412
>
> Packets from the local network and this box to the outside network go through correctly.
> But packets from the outside network to services (udp, icmp, tcp) on this box do not pass.
>
> In /var/log/security:
> Jul 15 11:34:12 kernel: ipfw: 35 Nat UDP yyy.yyy.yyy.yyy:36129 xxx.xxx.xxx.xxx:33564 in
> via ext_if1
>
> In tcpdump output:
> 11:34:17.239509 IP yyy.yyy.yyy.yyy.36129 > xxx.xxx.xxx.xxx.33565: UDP, length 12

UDP port 33564 on this box (xxx.xxx.xxx.xxx) is not redirected to any other address:port, and you have specified deny_in (-deny_incoming in natd-speak) so, well, you got what you asked for ..

See the description under -deny_incoming and the explanation of what happens to incoming packets under -alias_address in natd(8) .. the nat description in ipfw(8) is still a bit thin, so natd(8) is still useful.

Without deny_in, new inbound packets should be passed to the local machine - so you will then need firewall rules to restrict which local ports are to be accessible for connections from the outside.

cheers, Ian

> solution# kldstat
> Id Refs Address    Size     Name
>  1   20 0xc0400000 7ad380   kernel
>  2    1 0xc0bae000 19654    geom_mirror.ko
>  3    1 0xc0bc8000 3148     alias_ftp.ko
>  4    1 0xc2d1b000 4000     ng_mppc.ko
>  5    1 0xc2d1f000 2000     rc4.ko
>  6    1 0xc303a000 5000     ng_ksocket.ko
>  7    1 0xc303f000 3000     ng_tee.ko
>  8    1 0xc3042000 7000     ng_ppp.ko
>
> solution# uname -r
> 8.1-PRERELEASE
>
> solution# sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding: 1
>
> Is there some mistake in my firewall rules? Any ideas?
>
> --
> Best regards,
> Mamontov Roman                          mailto:mr.xanto@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 16 19:30:22 2010
Date: Fri, 16 Jul 2010 19:30:22 GMT
Message-Id: <201007161930.o6GJUMxO068048@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/148689: [ipfw] antispoof wrongly triggers on link local IPv6 addresses

Old Synopsis: [ipfw2] antispoof wrongly triggers on link local IPv6 addresses
New Synopsis: [ipfw] antispoof wrongly triggers on link local IPv6 addresses

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Jul 16 19:29:51 UTC 2010
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=148689
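Ian's explanation of deny_in earlier in this thread (an unsolicited inbound packet for the alias address is discarded unless a redirect_port entry or an existing translation covers it) can be checked mechanically against the nat config and the /var/log/security line Mamontov Roman posted. The following Python is an added example, not code from the thread or from FreeBSD: it parses the posted `ipfw nat 1 config` line (first four redirect_port entries) and the TCP/UDP form of the ipfw nat log line, and the `established` flow set is a constructed stand-in for libalias's translation table.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Redirect:
    proto: str         # "tcp" or "udp"
    target: str        # internal host the packet is forwarded to
    target_port: int   # port on that internal host
    alias_port: int    # port on the alias (public) address being redirected


@dataclass
class NatConfig:
    alias_ip: str
    deny_in: bool
    redirects: list = field(default_factory=list)


_REDIRECT_RE = re.compile(r"redirect_port\s+(tcp|udp)\s+([^\s:]+):(\d+)\s+(\d+)")
# TCP/UDP form of the nat log line only; ICMP lines carry no ports and are not modelled.
_LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+Nat\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)


def parse_nat_config(text: str) -> NatConfig:
    """Parse 'ipfw nat 1 config ip <addr> [deny_in] ... redirect_port ...'."""
    m = re.search(r"\bconfig\s+ip\s+(\S+)", text)
    if not m:
        raise ValueError("nat config has no 'config ip <addr>' clause")
    redirects = [Redirect(proto, host, int(tport), int(aport))
                 for proto, host, tport, aport in _REDIRECT_RE.findall(text)]
    return NatConfig(m.group(1), "deny_in" in text.split(), redirects)


def parse_nat_log(line: str) -> dict:
    """Parse one 'ipfw: N Nat ...' log line into its fields (ports as ints)."""
    m = _LOG_RE.search(line)
    if not m:
        raise ValueError(f"not a TCP/UDP ipfw nat log line: {line!r}")
    pkt = m.groupdict()
    for key in ("rule", "sport", "dport"):
        pkt[key] = int(pkt[key])
    return pkt


def classify_inbound(cfg: NatConfig, pkt: dict, established=frozenset()) -> str:
    """Verdict for one logged packet. 'established' is a constructed set of
    (proto, remote_ip, remote_port, alias_port) tuples standing in for the
    translation entries earlier outbound traffic created; replies to those
    are translated back regardless of deny_in."""
    if pkt["dir"] != "in":
        return "outbound"
    if pkt["dst"] != cfg.alias_ip:
        return "not-for-alias"              # nat leaves it untouched
    proto = pkt["proto"].lower()
    if (proto, pkt["src"], pkt["sport"], pkt["dport"]) in established:
        return "established"
    for r in cfg.redirects:
        if r.proto == proto and r.alias_port == pkt["dport"]:
            return f"redirect:{r.target}:{r.target_port}"
    # No translation entry: an unsolicited packet for the alias address itself.
    # deny_in discards it; without deny_in it reaches the local stack, where
    # ordinary ipfw rules must decide which local ports are reachable.
    return "deny_in" if cfg.deny_in else "local"


# Config (first four redirect_port entries) and log line as posted in the thread;
# xxx/yyy are the poster's own redactions, treated here as opaque host tokens.
NAT_CONFIG = (
    "ipfw nat 1 config ip xxx.xxx.xxx.xxx deny_in same_ports unreg_only "
    "redirect_port udp 192.168.54.50:417 417 redirect_port tcp 192.168.54.50:417 417 "
    "redirect_port tcp 192.168.2.19:3233 3233 redirect_port udp 192.168.2.19:416 416"
)
POSTED_LOG = ("Jul 15 11:34:12 kernel: ipfw: 35 Nat UDP yyy.yyy.yyy.yyy:36129 "
              "xxx.xxx.xxx.xxx:33564 in via ext_if1")
# Constructed line: the same peer hitting a redirected port instead.
REDIRECTED_LOG = POSTED_LOG.replace(":33564 in", ":417 in")


def verdicts() -> dict:
    """The posted packet with and without deny_in, plus the redirected-port case."""
    cfg = parse_nat_config(NAT_CONFIG)
    opened = parse_nat_config(NAT_CONFIG.replace(" deny_in", ""))
    return {
        "posted": classify_inbound(cfg, parse_nat_log(POSTED_LOG)),
        "redirected": classify_inbound(cfg, parse_nat_log(REDIRECTED_LOG)),
        "posted_without_deny_in": classify_inbound(opened, parse_nat_log(POSTED_LOG)),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```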