From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 2 11:07:03 2010
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 2 Aug 2010 11:07:02 GMT
Message-Id: <201008021107.o72B72Z7035124@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/148928  ipfw       [ipfw] Problem with loading of ipfw NAT rules during s
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148429  ipfw       net.inet.ip.dummynet.io_fast broken or documentation i
o kern/148157  ipfw       [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o conf/148144  ipfw       [patch] add ipfw_nat support for rc.firewall simple ty
o conf/148137  ipfw       [ipfw] call order of natd and ipfw startup scripts
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw       [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw       [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw       [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw       [ipfw] ipfw nat does not follow its documentation
o kern/144869  ipfw       [ipfw] [panic] Instant kernel panic when adding NAT ru
o kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/144187  ipfw       [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw       [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw       [ipfw] ipfw table contains the same address
f kern/142951  ipfw       [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw       [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw       [ipfw] install_state: entry already present, done
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

80 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 4 13:38:32 2010
From: Oliver Fromme
To: bug-followup@FreeBSD.org, freebsd-ipfw@FreeBSD.org, marcelo_vt@hotmail.com (Marcelo Machado)
Date: Wed, 4 Aug 2010 15:38:13 +0200 (CEST)
Message-Id: <201008041338.o74DcDG0027088@lurza.secnetix.de>
Subject: Re: kern/97504: [ipfw] IPFW Rules bug

Hello Marcelo,

I just stumbled across this old PR which is still open.
Apparently the problem was caused by missing DNS access,
not a bug in IPFW itself. Note that DNS queries often
happen "behind the scenes". Even if you use IP numbers
only, many programs will try to perform reverse-lookup.

Do you agree that the PR can be closed?

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

C++: "an octopus made by nailing extra legs onto a dog" -- Steve Taylor, 1998

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 4 13:40:10 2010
From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.org
Date: Wed, 4 Aug 2010 13:40:09 GMT
Message-Id: <201008041340.o74De9hM077202@freefall.freebsd.org>
Subject: Re: kern/97504: [ipfw] IPFW Rules bug

The following reply was made to PR kern/97504; it has been noted by GNATS.

(Copy of the preceding message from Oliver Fromme to bug-followup@FreeBSD.org,
Wed, 4 Aug 2010 15:38:13 +0200 (CEST), as recorded by GNATS.)

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 4 15:08:21 2010
From: olli@FreeBSD.org
To: marcelo_vt@hotmail.com, olli@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Wed, 4 Aug 2010 15:08:21 GMT
Message-Id: <201008041508.o74F8LQk063953@freefall.freebsd.org>
Subject: Re: kern/97504: [ipfw] IPFW Rules bug

Synopsis: [ipfw] IPFW Rules bug

State-Changed-From-To: open->closed
State-Changed-By: olli
State-Changed-When: Wed Aug 4 15:07:12 UTC 2010
State-Changed-Why: 
According to the originator, this PR can be closed.

http://www.freebsd.org/cgi/query-pr.cgi?pr=97504

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 5 06:22:57 2010
From: Michael
To: freebsd-ipfw@freebsd.org
Date: Thu, 05 Aug 2010 07:23:58 +0100
Message-ID: <4C5A58FE.2050704@gmail.com>
Subject: nat and dynamic external address

Hello.

Am I right thinking that the "if interface" and "reset" parameters should be
enough to handle a changing address (DHCP) on the external interface?

My rules:

    ipfw -q nat 1 config reset if $if_ext log same_ports
    ipfw -q add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
    ipfw -q add nat 1 udp from $dns to me in recv $if_ext

They work fine only when $if_ext gets its IP address during system boot-up.
If the DHCP server is unavailable at the time of rules loading, then ipfw says:

    ipfw: cannot get interface name

(The same happens without the "SYNCDHCP" option for ipfw in rc.conf.)

It loads all rules anyway. Now, after DHCP becomes available and $if_ext gets
its IP address, it turns out that NAT is still not working. I have to manually
reload the same ruleset.

Any ideas how to solve that problem?
Michael

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 5 18:48:04 2010
From: Ricardo Gross
Date: Thu, 5 Aug 2010 18:36:03 +0000
Subject: dummynet + burst

Hello fellow freebsd.org,

I would like to know how to implement the system in my ipfw burst limit.
Currently I'm using dummynet for bandwidth control, and together with the
dummynet I would like to implement the burst, limited to shipping only after
a certain time.

Today the rules I use for bandwidth control are these:

    $fwcmd add 101 pipe 103 ip from any to 192.168.12.2 out layer2
    $fwcmd add 102 pipe 104 ip from 192.168.12.2 to any in layer2
    $fwcmd pipe 103 config bw 300Kbit/s queue 20KBytes
    $fwcmd pipe 104 config bw 150Kbit/s queue 10KBytes

Thanks for any help you can provide me, thanks!
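Both questions in this digest, Michael's nat instance that is configured before the DHCP lease has arrived and Ricardo's burst allowance on dummynet pipes, can be handled from one rc.firewall-style script. The script below is an added example written for this archive; it is not code from either poster or from FreeBSD. It reuses the variable names from Michael's post ($if_ext, $jail_ip, $dns, $jail_jid) and Ricardo's pipe numbers, and it assumes three things that are not stated on the page: that the dummynet `burst` keyword of ipfw(8) (introduced with the dummynet rewrite) is available on the reader's release; that re-issuing `ipfw nat 1 config` against an existing instance replaces it, so the hook does not have to reload the whole ruleset; and that FreeBSD's dhclient-script exports $reason, $interface, $new_ip_address and $old_ip_address when it sources /etc/dhclient-exit-hooks. The default interface name and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the list posts or from FreeBSD): an rc.firewall-style
# fragment that keeps an ipfw nat instance usable on a DHCP-addressed external
# interface, plus the dummynet pipes with a burst allowance.
# Interface names and addresses below are constructed placeholders.

IPFW="${IPFW:-/sbin/ipfw -q}"     # set IPFW=echo to dry-run the rule set
if_ext="${if_ext:-em0}"           # external (DHCP) interface, placeholder
jail_ip="${jail_ip:-10.0.0.2}"    # jailed host allowed to reach the resolver
dns="${dns:-192.0.2.53}"          # resolver address, placeholder
jail_jid="${jail_jid:-1}"         # jail id matched by the 'jail' option

# Michael's NAT rules: instance 1 follows the interface address ('if') and
# flushes its alias table when that address changes ('reset'), so sessions
# that were translated to the old address are dropped rather than leaked.
nat_rules() {
    $IPFW nat 1 config reset if "$if_ext" log same_ports
    $IPFW add 1000 nat 1 udp from "$jail_ip" to "$dns" out xmit "$if_ext" jail "$jail_jid"
    $IPFW add 1010 nat 1 udp from "$dns" to me in recv "$if_ext"
}

# Ricardo's dummynet pipes with the 'burst' keyword of ipfw(8) (assumed to be
# available on the reader's release): after a pipe has been idle, up to that
# many bytes pass unshaped, then traffic falls back to the configured 'bw'.
shaper_rules() {
    $IPFW add 101 pipe 103 ip from any to 192.168.12.2 out layer2
    $IPFW add 102 pipe 104 ip from 192.168.12.2 to any in layer2
    $IPFW pipe 103 config bw 300Kbit/s queue 20KBytes burst 61440   # 60 KBytes
    $IPFW pipe 104 config bw 150Kbit/s queue 10KBytes burst 30720   # 30 KBytes
}

# Hook body for /etc/dhclient-exit-hooks. dhclient-script sources that file
# with $reason, $interface, $new_ip_address and $old_ip_address set (assumed);
# pass them in as arguments. Returns 0 when nat 1 was reconfigured and 1 when
# the lease event did not change the external interface's address.
dhclient_nat_hook() {
    reason="$1"; interface="$2"; new_ip="$3"; old_ip="$4"
    [ "$interface" = "$if_ext" ] || return 1
    case "$reason" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 1 ;;
    esac
    [ "$new_ip" != "$old_ip" ] || return 1
    # Only the instance is rebuilt (assumption: re-running 'nat 1 config'
    # replaces the existing instance); the rules that refer to nat 1 stay.
    $IPFW nat 1 config reset if "$if_ext" log same_ports
    return 0
}

# "sh ipfw-nat.sh apply" loads everything; sourcing the file only defines
# the functions so the dhclient hook can call dhclient_nat_hook.
case "${1:-}" in
    apply) nat_rules && shaper_rules ;;
esac
```

To wire the hook up, have /etc/dhclient-exit-hooks source the script and call `dhclient_nat_hook "$reason" "$interface" "$new_ip_address" "$old_ip_address"`; the guard on $interface keeps a lease on any other interface from touching the firewall, and the address comparison keeps routine renewals from resetting the alias table and cutting live translations. If re-issuing the single config line turns out not to be enough on a given release, the hook can instead rerun the full ruleset load, which is the manual workaround from Michael's post.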