From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 16 11:07:20 2012
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 16 Apr 2012 11:07:19 GMT
Message-Id: <201204161107.q3GB7JH5022420@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/166406  ipfw   [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165190  ipfw   [ipfw] [lo] [patch] loopback interface is not marking
f kern/163873  ipfw   [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw   [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw   [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw   [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

43 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 21 06:20:08 2012
From: "Rudy (bulk)"
To: freebsd-ipfw@freebsd.org
Date: Fri, 20 Apr 2012 22:46:50 -0700
Message-ID: <4F9249CA.8030208@monkeybrains.net>
Subject: [ipfw_nat] How do I view active NAT sessions?

[1] How do I see active sessions?

The summary is great for graphing sessions over time:

  # ipfw nat 123 show
  nat 123: icmp=0, udp=173, tcp=876, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=1049

But I am interested in seeing a list of all the active sessions -- in ipnat,
you would run 'ipnat -l' to see a list of the current NAT table. Is there an
equivalent for ipfw?
[2] Why are my local (from router box) requests incrementing the nat counters
(shouldn't my local IP be skipped, as it is not unreg_only)?

  # ipfw nat 123 config ip 1.1.1.123 same_ports reset log unreg_only
  # ipfw add nat 123 all from any to any
  # fping -g 1.1.1.1 1.1.4.255
  # ipfw nat 123 show
  nat 123: icmp=302, udp=179, tcp=825, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=1447

What the heck is being shown by 'ipfw nat show'? ;)

[3] Man page recommendations for ipfw(8)

Shouldn't the external interface be recommended in the EXAMPLES section? I
didn't even try to set it up without a 'via'...

  - ipfw add nat 123 all from any to any
  + Assuming em0 is your external interface:
  + ipfw add nat 123 all from any to any via em0

For people stumbling from ipnat to ipfw, how will they know about
'redirect_address' unless they have used natd? There is no reference to
redirect_address in the man page -- which is internal, which external? All
the options from natd(8) need to be dumped into ipfw(8). Yes, there is the
curt reference to natd(8) many lines earlier than the EXAMPLES section, but a
reference to natd(8) next to the example or explicit documentation within the
man page for ipfw would make for better documentation.

Put together a 'working' nat example... illustrate that with
"net.inet.ip.fw.one_pass: 1" you need to specify IPs on the nat lines or ipfw
will stop at that nat rule.
  1.1.1.5,1.1.1.123 <-- em0 + em1 --> 10.0.0.1
      (external)                     (internal)

  # basic example that allows SSH access, a one-to-one mapping and a many-to-one mapping
  ipfw add 10 allow ip from any to me 22 in              // allow SSH here as nat will stop the packet later (one_pass:1)
  ipfw add 20 allow ip from me 22 to any out
  ipfw add 1000 allow ip from any to any via em1         // we trust the internal network
  ipfw add nat 101 all from 10.0.0.5 to any out via em0  // map Luigi's desktop
  ipfw add nat 101 all from any to 1.1.1.5 in via em0    // map Luigi's desktop
  ipfw add nat 123 all from any to any out via em0       // map for Archie, Alex, Ugen, and Poul-Henning
  ipfw add nat 123 all from any to any in via em0        // map for Archie, Alex, Ugen, and Poul-Henning
  ipfw add allow ip from any to any via em0              // this rule will never be reached while one_pass: 1

  # define your nat mappings
  ipfw nat 101 config redirect_addr 10.0.0.5 1.1.1.5
  ipfw nat 123 config ip 1.1.1.123 same_ports reset deny_in log unreg_only

Some questions and 2 cents based on usability,
Rudy

I just moved from ipnat to ipfw_nat as ipnat was making my box 'Fatal 12'.
The man page for ipfw could use some work on the NAT section, IMHO.
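An added example, not part of Rudy's message and not FreeBSD's own tooling, for the "graphing sessions over time" use mentioned in point [1]: it parses the one-line summary that `ipfw nat <instance> show` prints (the format quoted in the message) into per-protocol counters that can be appended to a log or fed to a time-series tool. The sample line, and the helper names nat_instance, nat_counter, nat_protocol_sum and nat_metrics, are constructed here; on a live router the sample would be replaced by the command's real output.

```shell
#!/bin/sh
# Parse the `ipfw nat <n> show` summary line into counters.
# SAMPLE is constructed from the counters quoted in the message above;
# on a real box use: SAMPLE=$(ipfw nat 123 show)
SAMPLE='nat 123: icmp=0, udp=173, tcp=876, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=1049'

# nat_instance LINE
#   Prints the nat instance number taken from the leading "nat 123:" token.
nat_instance() {
    printf '%s\n' "$1" | awk '{ sub(/:$/, "", $2); print $2 }'
}

# nat_counter LINE KEY
#   Prints the integer after "KEY=" (e.g. tcp, udp, tot). Trailing commas
#   are stripped; nothing is printed when the key is absent.
nat_counter() {
    printf '%s\n' "$1" | awk -v key="$2" '
        {
            for (i = 1; i <= NF; i++) {
                # only "name=value" tokens are candidates ("nat", "/" are skipped)
                if (split($i, kv, "=") == 2 && kv[1] == key) {
                    sub(/,$/, "", kv[2])
                    print kv[2]
                    exit
                }
            }
        }'
}

# nat_protocol_sum LINE
#   Sum of the per-protocol link counters (icmp udp tcp sctp pptp proto).
#   In the message's second sample tot=1447 while these sum to 1306, so the
#   sum and tot are recorded separately rather than assumed equal.
nat_protocol_sum() {
    total=0
    for key in icmp udp tcp sctp pptp proto; do
        n=$(nat_counter "$1" "$key")
        total=$(( total + ${n:-0} ))
    done
    printf '%s\n' "$total"
}

# nat_metrics LINE
#   One space-separated record: "instance tcp udp icmp protocol_sum tot",
#   suitable for appending to a log that a graphing tool reads.
nat_metrics() {
    printf '%s %s %s %s %s %s\n' \
        "$(nat_instance "$1")" \
        "$(nat_counter "$1" tcp)" \
        "$(nat_counter "$1" udp)" \
        "$(nat_counter "$1" icmp)" \
        "$(nat_protocol_sum "$1")" \
        "$(nat_counter "$1" tot)"
}

nat_metrics "$SAMPLE"
```

Run from cron with the real command substituted for SAMPLE and the output appended to a file, each record gives one data point per nat instance; keeping tot alongside the protocol sum makes the discrepancy seen in point [2] visible on the graph instead of hidden.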