From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 25 09:57:33 2006
Date: Mon, 25 Sep 2006 13:57:26 +0400
From: Roman Bogorodskiy
To: "Andrey V. Elsukov"
Cc: freebsd-ipfw@FreeBSD.org, Gleb Smirnoff, Oleg Bulyzhin, Luigi Rizzo
Subject: Re: kern/103454: [ipfw] [patch] add a facility to modify DF bit of the IP packet
Message-ID: <20060925095726.GC99061@novel.fannet.ru>
In-Reply-To: <4513641C.3010002@yandex.ru>
References: <200609211400.k8LE0uMN075069@freefall.freebsd.org> <4513641C.3010002@yandex.ru>
X-PGP: http://people.freebsd.org/~novel/novel.key.asc

Andrey V. Elsukov wrote:

> Roman Bogorodskiy wrote:
> > +.It Cm setdf Ar value
> > +Changes
> > +.Cm DF
> > +bit of the IP packet.
> > +Value may be 0 (May Fragment) or 1 (Don't Fragment).
>
> Maybe it would be more handy to make this feature a modifier
> (not an action).
> Rule format:
> [setdf|resetdf]
>
> Or, more extensibly, use it not only for DF modification:
> [{modip [DF|TOS|DSCP|TTL]}]

Yeah, that's a nice idea. However, I already have working DF bit stuff and
tos/dscp stuff as well (kern/102471) implemented in another way. And
since committers don't seem to show interest in these
patches/functionality, I'm not quite sure if I need to waste time on
re-implementing it because it would be pretty useless if these patches
would hang in GNATS forever.

> I think it is easy to pack any of these instructions into one
> ipfw_insn_xx structure.
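Review bot: the man page hunk lists 0 (May Fragment) and 1 (Don't Fragment) as the only values for setdf but does not say what happens with any other value, and it does not say whether setdf ends rule processing like the other actions or lets the packet continue to the next rule; spell both out in the same .It entry so the documented behaviour matches the kernel's handling of cmd->arg1.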
>
> > + case O_SET_IPDF:
> > + switch (cmd->arg1) {
> > + case 0:
> > + ip->ip_off &= ~IP_DF;
> > + break;
> > + case 1:
> > + ip->ip_off |= IP_DF;
> > + break;
> > + default:
> > + goto next_rule;
> > + /* NOTREACHED */
>
> We can check cmd->arg1 for correct values in the ipfw_chk
> function.

Hm, sorry... could you clarify it for me please?

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 25 10:52:17 2006
Message-ID: <4517B4B1.4000803@bsdunix.ch>
Date: Mon, 25 Sep 2006 12:51:29 +0200
From: Thomas Vogt
User-Agent:
Thunderbird 1.5.0.7 (Macintosh/20060909)
To: Roman Bogorodskiy
Cc: freebsd-ipfw@FreeBSD.org, "Andrey V. Elsukov", Oleg Bulyzhin, Gleb Smirnoff, Luigi Rizzo
Subject: Re: kern/103454: [ipfw] [patch] add a facility to modify DF bit of the IP packet
In-Reply-To: <20060925095726.GC99061@novel.fannet.ru>
References: <200609211400.k8LE0uMN075069@freefall.freebsd.org> <4513641C.3010002@yandex.ru> <20060925095726.GC99061@novel.fannet.ru>

Hello

Roman Bogorodskiy wrote:
> Andrey V. Elsukov wrote:
>
>> Roman Bogorodskiy wrote:
>>> +.It Cm setdf Ar value
>>> +Changes
>>> +.Cm DF
>>> +bit of the IP packet.
>>> +Value may be 0 (May Fragment) or 1 (Don't Fragment).
>> Maybe it would be more handy to make this feature a modifier
>> (not an action).
>> Rule format:
>> [setdf|resetdf]
>>
>> Or, more extensibly, use it not only for DF modification:
>> [{modip [DF|TOS|DSCP|TTL]}]
>
> Yeah, that's a nice idea. However, I already have working DF bit stuff and
> tos/dscp stuff as well (kern/102471) implemented in another way. And
> since committers don't seem to show interest in these
> patches/functionality, I'm not quite sure if I need to waste time on
> re-implementing it because it would be pretty useless if these patches
> would hang in GNATS forever.

I hope someone will commit it. The DSCP/TOS feature in ipfw is pretty useful
if you're doing VoIP or QoS in general. The days where ISPs don't do QoS
because they do everything with "over-provisioning" are over. Most do MPLS
QoS, but that's more for the backbone. I would like to see this patch in the
main tree. Of course the DF modification would be nice too.
Cheers,
Thomas

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 25 11:08:34 2006
Date: Mon, 25 Sep 2006 11:08:18 GMT
Message-Id: <200609251108.k8PB8IRd090570@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
f kern/51341   ipfw  [ipfw] [patch] ipfw rule 'deny icmp from any to any ic
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o conf/78762   ipfw  [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewal
o bin/80913    ipfw  [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw  ipfw pipe lost packets
o kern/95084   ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o bin/102422   ipfw  [patch] ipfw & kernel problems where firewall rules ar
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw  [ipfw] [patch] add a facility to modify DF bit of the

15 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw  [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw  [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw  [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw  [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw  [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/93422   ipfw  ipfw divert rule no longer works in 6.0 (regression)
o bin/95146    ipfw  [ipfw][patch]ipfw -p option handler is bogus
o kern/103328  ipfw  sugestions about ipfw table

19 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 29 01:50:03 2006
Date: Thu, 28 Sep 2006 18:50:00 -0700
From: "Hanns Hartman"
To: freebsd-ipfw@freebsd.org
Subject: ip address of the local user is not nat'd to its alias

Hi All,

I have read through a lot of the mailing list archives and have had no
success with the following problem. I have a box that is functioning as a
captive portal, aka think free wifi login at Starbucks or the like.

I have two interfaces, fxp0 and fxp1, that point to two different networks
that have statically assigned IP addresses, and a third, fxp2, which is the
internal network. (BTW, I am running FreeBSD 4.11 on this box.) I have two
instances of natd running on the box, one assigned to each of the two
external interfaces with options -snup enabled, and each instance has its
own port number.

So the problem is that when I try to send traffic via an ipfw divert rule
out one of the interfaces and I look at an ethereal trace on the box of the
webserver that is the destination I am trying to get to, the source IP
address is not nat'd to the IP address of the interface that points to that
network. So when the destination box tries to send a response it doesn't
know where to send the packets, since it's trying to send them to an IP on
the internal network. Do any of you have any idea why the source address of
the initial [SYN] would be the internal network and not the IP address of
the interface that is on that network? I enabled logging on natd and I think
it's working because whenever I try to connect to the website I see the natd
stats in the log file increase in number.

thanks in advance for the help
Hanns

KERNEL_CONFIG

...
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPDIVERT
options IPFW2

IPFW_rules

/sbin/ipfw add 500 set 2 divert natd2 ip from $clientip to any in
/sbin/ipfw add 600 set 2 allow ip from any to any in

natd starting

/sbin/natd -p natd -s -u -n fxp1 -P /var/run/natd_fxp1.pid
/sbin/natd -p natd2 -s -u -n fxp0 -P /var/run/natd2_fxp0.pid

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 29 08:01:59 2006
Date: Fri, 29 Sep 2006 08:01:58 GMT
From: Maxim Konovalov
Message-Id: <200609290801.k8T81wFH056333@freefall.freebsd.org>
To: candy-sendpr@kgc.co.jp, maxim@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: bin/95146: [ipfw][patch]ipfw -p option handler is bogus

Synopsis: [ipfw][patch]ipfw -p option handler is bogus

State-Changed-From-To: open->patched
State-Changed-By: maxim
State-Changed-When: Fri Sep 29 08:01:06 UTC 2006
State-Changed-Why:
A slightly modified patch
was committed to HEAD. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=95146

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 29 08:10:32 2006
Date: Fri, 29 Sep 2006 08:10:25 GMT
Message-Id: <200609290810.k8T8APsg056594@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: dfilter@FreeBSD.ORG (dfilter service)
Subject: Re: bin/95146: commit references a PR

The following reply was made to PR bin/95146; it has been noted by GNATS.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: bin/95146: commit references a PR
Date: Fri, 29 Sep 2006 08:00:55 +0000 (UTC)

 maxim       2006-09-29 08:00:40 UTC

   FreeBSD src repository

   Modified files:
     sbin/ipfw            ipfw2.c
   Log:
   o Check for a required "pathname" argument presence.

   PR:             bin/95146
   Submitted by:   candy-sendpr@kgc.co.jp
   MFC after:      3 weeks

   Revision  Changes    Path
   1.99      +2 -0      src/sbin/ipfw/ipfw2.c

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 30 13:13:30 2006
Message-ID: <451E6D79.2070208@boox.co.yu>
Date: Sat, 30 Sep 2006 15:13:29 +0200
From: Nenad Gavrilovic
To: freebsd-ipfw@FreeBSD.org
Subject: Re: ip address of the local user is not nat'd to its alias

Hanns Hartman wrote:
> Hi All,
> I have read through a lot of the mailing list archives and have had
> no success with the following problem. I have a box that is
> functioning as a captive portal, aka think free wifi login at
> Starbucks or the like.
> I have two interfaces, fxp0 and fxp1, that point to two different
> networks that have statically assigned IP addresses, and a third, fxp2,
> which is the internal network. (BTW, I am running FreeBSD 4.11 on this
> box.) I have two instances of natd running on the box, one assigned to
> each of the two external interfaces with options -snup enabled, and
> each instance has its own port number.
> So the problem is that when I try to send traffic via an ipfw
> divert rule out one of the interfaces and I look at an ethereal trace
> on the box of the webserver that is the destination I am trying to get
> to, the source IP address is not nat'd to the IP address of the
> interface that points to that network. So when the destination box
> tries to send a response it doesn't know where to send the packets,
> since it's trying to send them to an IP on the internal network. Do any
> of you have any idea why the source address of the initial [SYN] would
> be the internal network and not the IP address of the interface that is
> on that network? I enabled logging on natd and I think it's working
> because whenever I try to connect to the website I see the natd stats
> in the log file increase in number.
> thanks in advance for the help
> Hanns
>
> KERNEL_CONFIG
>
> ...
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_FORWARD
> options IPDIVERT
> options IPFW2
>
>
> IPFW_rules
>
> /sbin/ipfw add 500 set 2 divert natd2 ip from $clientip to any in
> /sbin/ipfw add 600 set 2 allow ip from any to any in
>
> natd starting
> /sbin/natd -p natd -s -u -n fxp1 -P /var/run/natd_fxp1.pid
> /sbin/natd -p natd2 -s -u -n fxp0 -P /var/run/natd2_fxp0.pid
>

You have to have two rules for natd as follows: (from )

natd_enable="YES"              # Enable NATD function
natd_interface="rl0"           # interface name of public Internet NIC
natd_flags="-dynamic -m"       # -m = preserve port numbers if possible

pif="rl0"       # public interface name of NIC
                # facing the public Internet

1. $cmd 500 divert natd ip from any to any out via $pif
2. $cmd 100 divert natd ip from any to any in via $pif

The 1st rule triggers when a packet goes OUT via $pif; natd stores
information about the packet and changes the source IP from the original
to $pif. The 2nd rule triggers when a packet comes IN via $pif; natd checks
the information from the packet and, if it has stored information that it
changed the source IP, it changes the source IP from $pif back to the
original.

You have to have one set of rules for natd and another set of rules for
natd2.
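As an added illustration (not code from the thread or from FreeBSD), here is a small Python model of the point made in the answer: natd aliases the source address only when the divert rule hands it the packet as going out, so the posted in-only rule lets the packet leave fxp0 with its internal source, while an in/out pair pinned to each interface translates it and maps the reply back. Addresses, interface names and rule numbers are constructed for the example.

```python
# Toy model of how the direction on an ipfw divert rule decides what natd does.
# Constructed for this example (addresses, interfaces, rule sets); not FreeBSD code.

IFACE_ADDR = {"fxp0": "198.51.100.10", "fxp1": "203.0.113.10", "fxp2": "192.168.1.1"}
PUBLIC = {IFACE_ADDR["fxp0"], IFACE_ADDR["fxp1"]}
CLIENT = "192.168.1.50"         # host on the internal net behind fxp2
WEBSERVER = "198.51.100.200"    # destination reached through fxp0

class Natd:
    """Minimal natd -n <iface>: an OUT divert aliases the source to the interface
    address and records the mapping; an IN divert only reverses a recorded mapping,
    so a packet that is really leaving the box but is handed over as IN is untouched."""

    def __init__(self, iface):
        self.iface, self.alias, self.table = iface, IFACE_ADDR[iface], {}

    def divert(self, pkt, direction):
        if direction == "out" and pkt["iface"] == self.iface:
            self.table[pkt["dst"]] = pkt["src"]   # remote -> original source
            pkt["src"] = self.alias
        elif direction == "in" and pkt["dst"] == self.alias and pkt["src"] in self.table:
            pkt["dst"] = self.table[pkt["src"]]
        return pkt

def matches(rule, pkt, direction):
    """ipfw match on the fields modelled here: in/out, via <iface>, source."""
    return (rule.get("dir") in (None, direction)
            and rule.get("via") in (None, pkt["iface"])
            and rule.get("src") in (None, pkt["src"]))

def run_rules(rules, pkt, direction, natds):
    """Rules in number order; after a divert the packet re-enters at the next
    rule; no match at all means accept (IPFIREWALL_DEFAULT_TO_ACCEPT)."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if not matches(rule, pkt, direction):
            continue
        if rule["action"] == "divert":
            pkt = natds[rule["natd"]].divert(pkt, direction)
        elif rule["action"] == "allow":
            return pkt
    return pkt

def demo(rules):
    """Client -> webserver through the box, then the reply. Returns the source
    seen on the wire leaving fxp0 and the reply's destination after NAT (None
    when the wire source is internal, i.e. the server cannot route a reply)."""
    natds = {"natd": Natd("fxp1"), "natd2": Natd("fxp0")}
    pkt = {"src": CLIENT, "dst": WEBSERVER, "iface": "fxp2"}
    pkt = run_rules(rules, pkt, "in", natds)     # enters on the internal NIC
    pkt["iface"] = "fxp0"                        # routed out towards the server
    wire = run_rules(rules, pkt, "out", natds)
    if wire["src"] not in PUBLIC:
        return wire["src"], None
    reply = {"src": wire["dst"], "dst": wire["src"], "iface": "fxp0"}
    return wire["src"], run_rules(rules, reply, "in", natds)["dst"]

# Rules from the question: one divert, matching only "in".
POSTED_RULES = [
    {"num": 500, "action": "divert", "natd": "natd2", "src": CLIENT, "dir": "in"},
    {"num": 600, "action": "allow"},
]

# Shape the answer recommends: in and out divert per natd, pinned with "via".
FIXED_RULES = [
    {"num": 100, "action": "divert", "natd": "natd", "dir": "in", "via": "fxp1"},
    {"num": 110, "action": "divert", "natd": "natd2", "dir": "in", "via": "fxp0"},
    {"num": 500, "action": "divert", "natd": "natd", "dir": "out", "via": "fxp1"},
    {"num": 510, "action": "divert", "natd": "natd2", "dir": "out", "via": "fxp0"},
    {"num": 600, "action": "allow"},
]
```

demo(POSTED_RULES) shows the packet leaving with the 192.168.1.50 source and no routable reply; demo(FIXED_RULES) shows it leaving as 198.51.100.10 with the reply mapped back to the client.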
From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 30 14:17:19 2006
Date: Sat, 30 Sep 2006 14:17:18 GMT
From: John Hay
Message-Id: <200609301417.k8UEHIrb036335@freefall.freebsd.org>
To: seh-10lzx4@mail.quadrizen.com, jhay@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: bin/102422: [patch] ipfw & kernel problems where firewall rules aren't interpreted correctly

Synopsis: [patch] ipfw & kernel problems where firewall rules aren't interpreted correctly

State-Changed-From-To: open->closed
State-Changed-By: jhay
State-Changed-When: Sat Sep 30 14:15:01 UTC 2006
State-Changed-Why:
Committed the fixes by Andrey for parts 1 and 3. Part 2 was already fixed.
Also merged it to RELENG_6.

http://www.freebsd.org/cgi/query-pr.cgi?pr=102422