From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 2 Jan 2012 11:07:03 GMT
Message-Id: <201201021107.q02B73RX005138@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw   [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw   [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw   IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
f kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] suggestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

40 problems total.


From: budsz <budiyt@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Fri, 6 Jan 2012 18:34:32 +0700
Subject: Question for Dummynet

Hello,

I have used this ruleset for over 2 years; my ruleset looks something like this:

bwcldown="320Kbit/s"
bwclup="48Kbit/s"
ifint0="rl0"   # Interface direct to LAN switch

${fwcmd} add 52 pipe 2 ip from not "table(2)" to "table(6)" via ${ifint0}
${fwcmd} add 53 pipe 3 ip from "table(6)" to not "table(2)" via ${ifint0}
${fwcmd} pipe 2 config bw ${bwcldown} mask dst-ip 0xffffffff
${fwcmd} pipe 3 config bw ${bwclup} mask src-ip 0xffffffff

Where table(2) contains all of the internal addresses/LAN, and table(6)
contains the hosts of my LAN.

My problem is: traffic for both downloading and uploading enters rule 52
(320Kbit/s for download and upload). As far as I know, if I download from
the internet it should enter rule 52, and if I upload to the internet it
should enter rule 53. My idea is to limit each host on my LAN to
download=320Kbit/s and upload=48Kbit/s.

IMHO, this rule was working on FreeBSD 7.1 - 7.2 STABLE; 3 days ago I did
"make world" and the problem showed up. Now my system is running
FreeBSD 7.4-STABLE.

Thanks for your time.

-- 
budsz


From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Fri, 6 Jan 2012 21:19:15 GMT
Message-Id: <201201062119.q06LJF43015220@freefall.freebsd.org>
Subject: Re: kern/163873: [ipfw] ipfw fwd does not work with 'via interface' in rule body

Old Synopsis: ipfw fwd does not work with 'via interface' in rule body
New Synopsis: [ipfw] ipfw fwd does not work with 'via interface' in rule body

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Jan 6 21:18:47 UTC 2012
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=163873


From: Коньков Евгений <kes-kes@yandex.ru>
To: freebsd-ipfw@FreeBSD.org
Date: Fri, 6 Jan 2012 21:30:12 GMT
Message-Id: <201201062130.q06LUChS024021@freefall.freebsd.org>
Subject: Re: kern/163873: ipfw fwd does not work with 'via interface' in rule body

The following reply was made to PR kern/163873; it has been noted by GNATS.

From: Коньков Евгений
To: Greg Radzykewycz
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/163873: ipfw fwd does not work with 'via interface' in rule body
Date: Fri, 6 Jan 2012 23:25:27 +0200

Hello, Greg.

You wrote on 6 January 2012 at 23:07:40:

>>Number:         163873
>>Category:       kern
>>Synopsis:       ipfw fwd does not work with 'via interface' in rule body
>>Confidential:   no
>>Severity:       non-critical
>>Priority:       low
>>Responsible:    freebsd-bugs
>>State:          open
>>Quarter:
>>Keywords:
>>Date-Required:
>>Class:          sw-bug
>>Submitter-Id:   current-users
>>Arrival-Date:   Fri Jan 06 21:10:09 UTC 2012
>>Closed-Date:
>>Last-Modified:
>>Originator:     Greg Radzykewycz
>>Release:        8.2-RELEASE
>>Organization:
GR> Inland Networks
>>Environment:
GR> FreeBSD pandora.inlandnet.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0:
GR> Wed Dec 21 09:06:00 PST 2011
GR> root@pandora.inlandnet.com:/usr/src/sys/i386/compile/PANDORA i386
>>Description:
GR> This PR may be related to the following PRs.
GR> kern/129036
GR> kern/122963
GR>
GR> In upgrading a firewall from FreeBSD 4.11 to 8.2 there was a
GR> problem with the firewall not forwarding DNS queries to a DNS
GR> proxy server running on another box. The firewall rules were
GR> identical between 4.11 and 8.2. Sample rule follows.
GR>
GR> ${fwcmd} add fwd ${dnsproxy} udp from any to ${atldns1} domain in via ${iif1}

Try adding this rule before yours:

${fwcmd} add log fwd ${dnsproxy} udp from any to ${atldns1} domain

and check /var/log/security to see how the kernel sees that packet.

Also notice that when you receive a packet 'via rl0' and you try to fwd
it to an address that is reachable on rl3, the packet will have the state
'out xmit rl3' and not 'via rl0', as you may expect.

GR> While this worked on 4.11, it did not on 8.2.
GR>
GR> After a Google search turned up nothing pertinent, testing
GR> different variations of the firewall rule was done. The box was
GR> taken out of service and reconfigured for testing. Testing was done
GR> with TCP for simplicity.
GR>
GR> The following worked.
GR> ipfw add 350 fwd 192.168.0.10 tcp from any to 10.10.10.10 53
GR>
GR> With tcpdump running on 192.168.0.10, packets to 10.10.10.10 TCP
GR> port 53 were seen when the command "telnet 10.10.10.10 53" was run on
GR> the firewall box.
GR>
GR> The following did not work.
GR> ipfw add 350 fwd 192.168.0.10 tcp from any to 10.10.10.10 53 via em0
GR>
GR> Interface em0 was the only interface connected and configured at
GR> the time and also was the default route (192.168.0.1). Any
GR> external IP traffic would pass through em0 regardless. Doing the
GR> same test with tcpdump running on 192.168.0.10, packets to
GR> 10.10.10.10 TCP port 53 were not seen on 192.168.0.10 when the
GR> command "telnet 10.10.10.10 53" was run on the firewall box.
GR>
GR> The firewall box was reconfigured for production use. The
GR> firewall rules associated with proxying DNS requests were all
GR> changed to remove 'in via ${iif}' and the box was put back in
GR> service. Without the 'in via' in the rules, it functioned as
GR> expected, proxying the DNS queries.
>>How-To-Repeat:
GR> See description. The problem was consistent and repeatable.
>>Fix:
GR> Unknown.
>>Release-Note:
>>Audit-Trail:
>>Unformatted:
GR> _______________________________________________
GR> freebsd-bugs@freebsd.org mailing list
GR> http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
GR> To unsubscribe, send any mail to
GR> "freebsd-bugs-unsubscribe@freebsd.org"

-- 
Regards,
Коньков                          mailto:kes-kes@yandex.ru


From: budsz <budiyt@gmail.com>
To: freebsd-questions@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Date: Sat, 7 Jan 2012 14:42:55 +0700
Subject: IPFW transparent VS dummynet rules

Hi folks,

I already found the mistake in my ruleset sequence on my box, for example:

${fwcmd} add 30 fwd ${ipproxy},${portproxy} tcp from ${ipclproxy} to any dst-port ${porthttp} in via ${ifint0}

${fwcmd} add 52 pipe 2 ip from any to ${ipclient} via ${ifint0}
${fwcmd} add 53 pipe 3 ip from ${ipclient} to any via ${ifint0}
${fwcmd} pipe 2 config bw ${bwcldown} mask dst-ip 0xffffffff
${fwcmd} pipe 3 config bw ${bwclup} mask src-ip 0xffffffff

With this ruleset sequence, the limiter didn't work but the fwd rule
worked. If I switch it around like this:

${fwcmd} add 52 pipe 2 ip from any to ${ipclient} via ${ifint0}
${fwcmd} add 53 pipe 3 ip from ${ipclient} to any via ${ifint0}
${fwcmd} pipe 2 config bw ${bwcldown} mask dst-ip 0xffffffff
${fwcmd} pipe 3 config bw ${bwclup} mask src-ip 0xffffffff

${fwcmd} add 70 fwd ${ipproxy},${portproxy} tcp from ${ipclproxy} to any dst-port ${porthttp} in via ${ifint0}

the limiter works but fwd doesn't. Anyone have a clue how to fix this
dilemma?
Thank you

-- 
budsz


From: Ian Smith <smithi@nimnet.asn.au>
To: budsz
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Date: Sat, 7 Jan 2012 20:27:44 +1100 (EST)
Message-ID: <20120107201823.H3704@sola.nimnet.asn.au>
Subject: Re: IPFW transparent VS dummynet rules

On Sat, 7 Jan 2012, budsz wrote:
 > Hi folks,
 > 
 > I already found the mistake in my ruleset sequence on my box, for example:
 > 
 > ${fwcmd} add 30 fwd ${ipproxy},${portproxy} tcp from ${ipclproxy} to
 > any dst-port ${porthttp} in via ${ifint0}
 > 
 > ${fwcmd} add 52 pipe 2 ip from any to ${ipclient} via ${ifint0}
 > ${fwcmd} add 53 pipe 3 ip from ${ipclient} to any via ${ifint0}
 > ${fwcmd} pipe 2 config bw ${bwcldown} mask dst-ip 0xffffffff
 > ${fwcmd} pipe 3 config bw ${bwclup} mask src-ip 0xffffffff
 > 
 > With this ruleset sequence, the limiter didn't work but the fwd rule worked.
 > If I switch it around like this:
 > 
 > ${fwcmd} add 52 pipe 2 ip from any to ${ipclient} via ${ifint0}
 > ${fwcmd} add 53 pipe 3 ip from ${ipclient} to any via ${ifint0}
 > ${fwcmd} pipe 2 config bw ${bwcldown} mask dst-ip 0xffffffff
 > ${fwcmd} pipe 3 config bw ${bwclup} mask src-ip 0xffffffff
 > 
 > ${fwcmd} add 70 fwd ${ipproxy},${portproxy} tcp from ${ipclproxy} to
 > any dst-port ${porthttp} in via ${ifint0}
 > 
 > the limiter works but fwd doesn't. Anyone have a clue how to fix
 > this dilemma?

Quoting ipfw(8):

     fwd | forward ipaddr | tablearg[,port]
             Change the next-hop on matching packets to ipaddr, which can
             be an IP address or a host name.  The next hop can also be
             supplied by the last table looked up for the packet by using
             the tablearg keyword instead of an explicit address.  The
             search terminates if this rule matches.

Note particularly the last sentence.  You'll have to do your dummynet
piping first, if it is to apply also to forwarded packets.

(sysctl)
     net.inet.ip.fw.one_pass: 1
             When set, the packet exiting from the dummynet pipe or from
             ng_ipfw(4) node is not passed through the firewall again.
             Otherwise, after an action, the packet is reinjected into
             the firewall at the next rule.

It seems that you may have one_pass set to 1.  Set to 0, packets will
continue through the ruleset on exit from pipe/s, so to your fwd rule.
cheers, Ian


From: Greg Radzykewycz
To: freebsd-ipfw@FreeBSD.org
Date: Sat, 7 Jan 2012 20:20:11 GMT
Message-Id: <201201072020.q07KKB7G022832@freefall.freebsd.org>
Subject: Re: kern/163873: ipfw fwd does not work with 'via interface' in rule body

The following reply was made to PR kern/163873; it has been noted by GNATS.

From: Greg Radzykewycz
To: Коньков Евгений
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/163873: ipfw fwd does not work with 'via interface' in rule body
Date: Sat, 7 Jan 2012 11:35:27 -0800

Greetings Коньков,

Thank you for looking into this and your response. If you will note
though, even with traffic originated locally and only a single
functioning interface, forwarding fails to occur when the ipfw rule
contains "via interface".

According to the ipfw man page:

     fwd | forward ipaddr | tablearg[,port]
             Change the next-hop on matching packets to ipaddr ... If
             ipaddr is not a local address, then the port number (if
             specified) is ignored, and the packet will be forwarded to
             the remote address, using the route as found in the local
             routing table for that IP.

In the testing that was done where there was only one active interface,
em0, when "via em0" was added to the ipfw rule, forwarding failed.
Without "via em0" in the rule, forwarding worked. That was the only
difference.

Perhaps it is important to note that in both the production and test
environments the IP address that was being forwarded to was on a local
Ethernet network. In the test environment, the firewall's IP address
(192.168.0.34), the default route (192.168.0.1) and the forward IP
address (192.168.0.10) were on the same em0 interface and in the same
/24 network.

I hope this helps. And thanks again!

-- 
Warmest Regards
Greg Radzykewycz
Manager of Information Systems
Inland Cellular / Inland Networks

On Friday 06 January 2012 13:25:27 you wrote:
> Hello, Greg.
> 
> You wrote on 6 January 2012 at 23:07:40:
> >>Number:         163873
> >>Category:       kern
> >>Synopsis:       ipfw fwd does not work with 'via interface' in rule body
> >>Confidential:   no
> >>Severity:       non-critical
> >>Priority:       low
> >>Responsible:    freebsd-bugs
> >>State:          open
> >>Quarter:
> >>Keywords:
> >>Date-Required:
> >>Class:          sw-bug
> >>Submitter-Id:   current-users
> >>Arrival-Date:   Fri Jan 06 21:10:09 UTC 2012
> >>Closed-Date:
> >>Last-Modified:
> >>Originator:     Greg Radzykewycz
> >>Release:        8.2-RELEASE
> 
> >>Organization:
> GR> Inland Networks
> 
> >>Environment:
> GR> FreeBSD pandora.inlandnet.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0:
> GR> Wed Dec 21 09:06:00 PST 2011
> GR> root@pandora.inlandnet.com:/usr/src/sys/i386/compile/PANDORA i386
> 
> >>Description:
> GR> This PR may be related to the following PRs.
> GR> kern/129036
> GR> kern/122963
> 
> GR> In upgrading a firewall from FreeBSD 4.11 to 8.2 there was a
> GR> problem with the firewall not forwarding DNS queries to a DNS
> GR> proxy server running on another box. The firewall rules were
> GR> identical between 4.11 and 8.2. Sample rule follows.
> 
> GR> ${fwcmd} add fwd ${dnsproxy} udp from any to ${atldns1} domain in via
> GR> ${iif1}
>
> Try adding this rule before yours:
> ${fwcmd} add log fwd ${dnsproxy} udp from any to ${atldns1} domain
> 
> and check /var/log/security to see how the kernel sees that packet.
> 
> Also notice that when you receive a packet 'via rl0' and you try to fwd
> it to an address that is reachable on rl3, the packet will have the state
> 'out xmit rl3' and not 'via rl0', as you may expect.
> 
> GR> While this worked on 4.11, it did not on 8.2.
> 
> GR> After a Google search turned up nothing pertinent, testing
> GR> different variations of the firewall rule was done. The box was
> GR> taken out of service and reconfigured for testing. Testing was done
> GR> with TCP for simplicity.
> 
> GR> The following worked.
> GR> ipfw add 350 fwd 192.168.0.10 tcp from any to 10.10.10.10 53
> 
> GR> With tcpdump running on 192.168.0.10, packets to 10.10.10.10 TCP
> GR> port 53 were seen when the command "telnet 10.10.10.10 53" was run on
> GR> the firewall box.
> 
> GR> The following did not work.
> GR> ipfw add 350 fwd 192.168.0.10 tcp from any to 10.10.10.10 53 via em0
> 
> GR> Interface em0 was the only interface connected and configured at
> GR> the time and also was the default route (192.168.0.1). Any
> GR> external IP traffic would pass through em0 regardless. Doing the
> GR> same test with tcpdump running on 192.168.0.10, packets to
> GR> 10.10.10.10 TCP port 53 were not seen on 192.168.0.10 when the
> GR> command "telnet 10.10.10.10 53" was run on the firewall box.
> 
> GR> The firewall box was reconfigured for production use. The
> GR> firewall rules associated with proxying DNS requests were all
> GR> changed to remove 'in via ${iif}' and the box was put back in
> GR> service. Without the 'in via' in the rules, it functioned as
> GR> expected, proxying the DNS queries.
> 
> >>How-To-Repeat:
> GR> See description. The problem was consistent and repeatable.
> 
> >>Fix:
> GR> Unknown.
> 
> >>Release-Note:
> >>Audit-Trail:
> 
> >>Unformatted:
> GR> _______________________________________________
> GR> freebsd-bugs@freebsd.org mailing list
> GR> http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
> GR> To unsubscribe, send any mail to
> GR> "freebsd-bugs-unsubscribe@freebsd.org"
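Added example (not code from this thread, from FreeBSD, or from any of the posters): a small Python model of the ipfw(8) rule walk as Ian Smith's reply describes it, to make the two behaviours budsz reported reproducible on paper. It encodes exactly the two semantics quoted in the thread: a matching `fwd` terminates the search, and with `net.inet.ip.fw.one_pass=1` a packet leaving a dummynet pipe is not reinjected at the next rule. It replays budsz's "fwd first" and "pipes first" orderings against a constructed client HTTP packet arriving on the LAN interface, and a second helper shows which per-flow queue a pipe's `mask` selects (the per-host limiting budsz's first message sets up). The client and destination addresses, the proxy next hop `192.168.1.1,3128`, port 80 and interface `rl0` are assumptions standing in for budsz's shell variables; the matcher is a simplification (no dynamic rules, no IPv6, `via` treated as "receive or transmit interface" per ipfw(8)), and it does not attempt to model the kern/163873 behaviour Greg reports, whose cause the thread leaves open.

```python
"""Toy model of the ipfw(8) rule walk: a matching 'fwd' terminates the search,
and net.inet.ip.fw.one_pass decides whether a packet leaving a dummynet pipe is
reinjected at the next rule.  Added example; not FreeBSD code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "tcp", "udp", ... ("ip" here means unspecified)
    dport: int = 0
    direction: str = "in"      # "in" or "out"
    recv_if: str = ""          # interface the packet was received on
    xmit_if: str = ""          # interface it will be transmitted on


@dataclass
class Rule:
    number: int
    action: str                # "pipe", "fwd", "allow" or "deny"
    arg: str = ""              # pipe number, or next hop for fwd
    proto: str = "ip"          # "ip" matches any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None   # the 'in' / 'out' keyword
    via: Optional[str] = None         # the 'via ifN' keyword


def addr_match(pattern: str, addr: str, tables: Dict[int, Set[str]]) -> bool:
    """'any', 'not X', 'table(N)' or a literal address, as in ipfw rule bodies."""
    if pattern == "any":
        return True
    if pattern.startswith("not "):
        return not addr_match(pattern[4:], addr, tables)
    if pattern.startswith("table(") and pattern.endswith(")"):
        return addr in tables.get(int(pattern[6:-1]), set())
    return pattern == addr


def rule_matches(rule: Rule, pkt: Packet, tables: Dict[int, Set[str]]) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not addr_match(rule.src, pkt.src, tables) or not addr_match(rule.dst, pkt.dst, tables):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    # 'via ifN' matches if ifN is either the receive or the transmit interface
    if rule.via is not None and rule.via not in (pkt.recv_if, pkt.xmit_if):
        return False
    return True


def walk(rules: List[Rule], pkt: Packet, tables: Dict[int, Set[str]],
         one_pass: bool = True) -> List[Tuple[int, str, str]]:
    """Actions applied to pkt, in rule order.  pipe: shape, then stop the
    search when one_pass is set, else resume at the next rule.  fwd, allow
    and deny terminate the search (ipfw(8))."""
    applied: List[Tuple[int, str, str]] = []
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule_matches(rule, pkt, tables):
            continue
        applied.append((rule.number, rule.action, rule.arg))
        if rule.action == "pipe" and not one_pass:
            continue                      # reinjected at the next rule
        return applied
    applied.append((65535, "deny", ""))   # implicit default rule
    return applied


# Constructed scenario standing in for budsz's shell variables (assumptions).
LAN_IF, CLIENT, PROXY_HOP = "rl0", "192.168.1.20", "192.168.1.1,3128"


def ruleset(order: str) -> List[Rule]:
    """budsz's two orderings: fwd as rule 30 before the pipes, or as rule 70 after."""
    fwd_num = 30 if order == "fwd_first" else 70
    return [
        Rule(fwd_num, "fwd", PROXY_HOP, proto="tcp", src=CLIENT, dport=80,
             direction="in", via=LAN_IF),
        Rule(52, "pipe", "2", dst=CLIENT, via=LAN_IF),   # download pipe
        Rule(53, "pipe", "3", src=CLIENT, via=LAN_IF),   # upload pipe
    ]


def actions_for(order: str, one_pass: bool) -> List[Tuple[int, str, str]]:
    """A client HTTP request entering the firewall on the LAN interface."""
    pkt = Packet(src=CLIENT, dst="93.184.216.34", proto="tcp", dport=80,
                 direction="in", recv_if=LAN_IF)   # constructed packet
    return walk(ruleset(order), pkt, tables={}, one_pass=one_pass)


def dummynet_flow_key(pkt: Packet, src_mask: int = 0, dst_mask: int = 0) -> Tuple[str, str]:
    """Queue a pipe selects for pkt: 'mask dst-ip 0xffffffff' gives one queue
    (and one bandwidth share) per destination host; zero masks share one queue."""
    s = int(ipaddress.IPv4Address(pkt.src)) & src_mask
    d = int(ipaddress.IPv4Address(pkt.dst)) & dst_mask
    return (str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(d)))


if __name__ == "__main__":
    for order in ("fwd_first", "pipes_first"):
        for one_pass in (True, False):
            print(order, "one_pass=%d" % one_pass, actions_for(order, one_pass))
```

Running it shows the three outcomes from the thread: with fwd first, only rule 30 ever fires and the pipes are never reached; with the pipes first and one_pass=1, rule 53 shapes the packet and the search stops before rule 70; with the pipes first and one_pass=0, the packet is shaped by rule 53 and then forwarded by rule 70, which is the combination Ian's reply recommends.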