From: Ian Smith <smithi@nimnet.asn.au>
To: Michael
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 8 Aug 2010 15:30:57 +1000 (EST)
Subject: Re: nat and dynamic external address
Message-ID: <20100808144342.U66749@sola.nimnet.asn.au>
In-Reply-To: <4C5A58FE.2050704@gmail.com>
List-Id: IPFW Technical Discussions

On Thu, 5 Aug 2010, Michael wrote:

> Am I right thinking that "if interface" and "reset" parameters should be
> enough to handle changing address (DHCP) on external interface?

In theory.

> My rules:
>
> ipfw -q nat 1 config reset if $if_ext log same_ports
> ipfw -q add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
> ipfw -q add nat 1 udp from $dns to me in recv $if_ext
>
> They work fine only when $if_ext gets its IP address during system boot-up.
> If the DHCP server is unavailable at the time of rule loading then ipfw says:
>
> ipfw: cannot get interface name
>
> (The same happens without the "SYNDHCP" option for ipfw in rc.conf.)
> It loads all rules anyway. Now after DHCP becomes available and $ext_if gets
> its IP address it turns out that NAT is still not working. I have to
> manually reload the same ruleset.
>
> Any ideas how to solve that problem?

Michael, you're only releasing snippets of information at a time. This came
from a discussion in freebsd-jail, and it was my advice to post to -ipfw
rather than -jail if it became more complicated:

http://lists.freebsd.org/pipermail/freebsd-jail/2010-August/001348.html

Only in your later message to -jail and your post to -questions quoted below
did you reveal that this involved a wlan interface, and your issue with your
access point / DHCP server being offline when you boot (which perhaps
suggests a "then don't do it that way" solution?)

======= from freebsd-questions digest =======

Date: Wed, 04 Aug 2010 20:25:42 +0100
From: Michael
Subject: ipfw and changing IP address (dhcp)
To: freebsd-questions@freebsd.org
Message-ID: <4C59BEB6.8050101@gmail.com>

Hello,

I'm using ipfw on my laptop running 8.1R amd64. The IP address of its
external interface (wlan0) is assigned by the DHCP server on my home
broadband access point. Everything works fine when the access point is up
and running, but if I boot my FreeBSD laptop when the access point (DHCP
server) is down then obviously my laptop gets no IP. ipfw complains that it
"cannot get interface name" and loads the firewall rules anyway. Now after
some time the access point becomes available and FreeBSD gets an IP address
automatically, but I still have to manually reload the same ipfw ruleset to
get internet access.

I am using "me" in all of my firewall rules, for example:

$cmd 20010 allow icmp from me to any out via $if_ext keep-state

Is there anything I have forgotten about? Or can ipfw simply not handle such
situations?

=======

I know only what I've read about setting up wlan interfaces (no wireless
here since FreeBSD 5.5 days) so I can't say whether or not you could
successfully configure it with an initial IP address before DHCP assigns
one, as you can with a normal ethernet interface, which might address the
issue of wlan0 having no address while loading your ipfw ruleset?

So whether this really points to a bug in ipfw nat (re not resetting NAT
rules when the interface address changes) or whether this is some issue with
wlan, or wlan config (possibly involving what we haven't yet seen, maybe
either dhclient and/or wpa_supplicant config) I won't dare to speculate.

I _can_ say that if you provide specific information (relevant rc.conf
settings, all wlan and dhclient config, ifconfig and netstat information at
the time the problem occurs) as well as purely verbal descriptions, you'll
have a better chance of someone spotting the problem, which while not
discounting the possibility of a bug, seems likely a config issue.

cheers, Ian
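One defensive workaround for the situation described in this thread, added here as an example and not part of anyone's post: have dhclient re-apply the ipfw nat instance whenever it (re)binds a lease on the external interface, so the nat config is rebuilt with an address present instead of at boot when there is none. It assumes nat instance 1 with the options from the quoted ruleset, wlan0 as $if_ext, and FreeBSD's dhclient-script(8) convention of sourcing /etc/dhclient-exit-hooks with $reason, $interface and $new_ip_address set.

```shell
#!/bin/sh
# Example /etc/dhclient-exit-hooks fragment (added example, not from the thread).
# dhclient-script(8) sources this file after each lease event with
# $reason, $interface and $new_ip_address set (assumed hook convention).

IF_EXT="wlan0"     # assumption: the DHCP-managed external interface
NAT_INSTANCE=1     # assumption: the ipfw nat instance used by the ruleset

# Given a dhclient reason, interface and new address, print the ipfw
# command to run, or print nothing when no action is needed.
ipfw_nat_cmd_for() {
    _reason=$1; _iface=$2; _addr=$3
    # Lease events on other interfaces must not touch the nat instance.
    [ "$_iface" = "$IF_EXT" ] || return 0
    case "$_reason" in
    BOUND|RENEW|REBIND|REBOOT)
        # Address (re)acquired: rebuild the nat instance so it is
        # configured while the interface actually has an address.
        # "reset" also flushes stale translation entries.
        [ -n "$_addr" ] || return 0
        printf 'ipfw -q nat %s config reset if %s log same_ports\n' \
            "$NAT_INSTANCE" "$IF_EXT"
        ;;
    *)
        # EXPIRE, FAIL, RELEASE, etc.: leave the nat config alone.
        ;;
    esac
}

# Hook entry point: run (and log) whatever ipfw_nat_cmd_for decided.
run_hook() {
    _cmd=$(ipfw_nat_cmd_for "${reason:-}" "${interface:-}" "${new_ip_address:-}")
    if [ -n "$_cmd" ]; then
        logger -t dhclient-exit-hooks "$_cmd"
        eval "$_cmd"
    fi
}

# Only act when sourced by dhclient-script (it sets $reason).
if [ -n "${reason:-}" ]; then
    run_hook
fi
```

The "nat 1" rules themselves stay in place; only the nat instance configuration is re-issued, so no full ruleset reload is needed.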