From: Oliver Fromme
To: freebsd-ipfw@FreeBSD.ORG, ozkan@mersin.edu.tr
Date: Mon, 16 Feb 2009 15:28:21 +0100 (CET)
Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
Message-Id: <200902161428.n1GESLvL015103@lurza.secnetix.de>
In-Reply-To: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com>
List-Id: IPFW Technical Discussions

Hello,

Unfortunately I can't help you with your actual problem, but I have a few
remarks that might be helpful.
Özkan KIRIK wrote:
> I am using FreeBSD 7.1 RELEASE as a gateway (about 2000 clients, 90 VLANs
> via if_vlan). My server is an HP DL380 G4. I am using the on-board gigabit
> NIC as the WAN interface, which uses the bge driver.
>
> My rule set is below:
>
> wan_intf="bge1"
> ipfw nat 100 config ip X.X.X.1 reset same_ports
> ipfw nat 101 config ip X.X.X.2 reset same_ports
> ipfw nat 102 config ip X.X.X.3 reset same_ports
> ...
> ...
> ipfw add 5 allow all from any to any layer2
> ipfw add 50 checkstate

Note: It is spelled "check-state". Please verify that you have it
correctly in your ipfw script.

> ...
> ... Other port forwarding and static NAT rules without keep-state
> ...
> ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
> ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
> ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
> ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
> ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
> ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
> ...
> ...
> ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
> ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
> ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
> ...
> ...
>
> About 2 minutes after applying this rule set, the system prints
> "bge1 watchdog timeout --- resetting" and then hangs; the keyboard doesn't
> respond. No logs can be observed.
>
> When I remove all skipto and checkstate rules, the system works properly
> without problems. I suspect the stateful inspection code.

If you don't have an explicit check-state rule, then there's an implicit
check-state rule at the first keep-state. If you don't want any
check-state at all, you must remove all stateful rules (i.e. all
"keep-state" rules).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606; management: secnetix
Verwaltungsgesellsch. mbH, commercial register: Munich registry court,
HRB 125758; managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

$ dd if=/dev/urandom of=test.pl count=1
$ file test.pl
test.pl: perl script text executable
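The two points in the reply above (the keyword is "check-state", and a rule set with keep-state but no earlier check-state gets an implicit check-state at its first stateful rule) can be checked mechanically before a script is loaded. The lint below is an added example written for this archive page, not code from the thread or from the ipfw project. The rule set it inspects is constructed in the shape of the original post, with 192.0.2.0/24 standing in for the redacted X.X.X.x addresses; the function names are the example's own. It treats "limit" as a stateful keyword alongside "keep-state", since both create dynamic rules.

```shell
#!/bin/sh
# Added example (not from the original thread): lint an ipfw rule script for
#   1. the non-keyword "checkstate" (ipfw(8) does not know it as an action and
#      rejects the line, so the intended check-state rule never gets loaded), and
#   2. whether an explicit check-state rule precedes the first stateful rule;
#      if not, ipfw performs an implicit check-state at that first keep-state
#      (or limit) rule.
# Rule numbers, addresses and interface names are constructed for the example.

# Constructed rule set modelled on the original post, including its typo.
BROKEN_RULES='wan_intf="bge1"
ipfw nat 100 config ip 192.0.2.1 reset same_ports
ipfw add 5 allow all from any to any layer2
ipfw add 50 checkstate
ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
ipfw add 50000 skipto 51000 all from 192.0.2.1 to any setup keep-state via $wan_intf
ipfw add 51000 nat 100 all from any to 192.0.2.1 via $wan_intf'

# The same rule set with the keyword spelled the way ipfw(8) expects it.
FIXED_RULES=$(printf '%s\n' "$BROKEN_RULES" | sed 's/checkstate$/check-state/')

# count_misspelled RULES: number of "ipfw add" lines carrying the token "checkstate".
count_misspelled() {
    printf '%s\n' "$1" | awk '
        $1 == "ipfw" && $2 == "add" {
            for (i = 4; i <= NF; i++) if ($i == "checkstate") { n++; break }
        }
        END { print n + 0 }'
}

# first_rule_with KEYWORD RULES: lowest rule number of an "ipfw add N ..." line
# that contains KEYWORD as a token (ties keep file order, as ipfw keeps
# insertion order for equal numbers); prints nothing when no rule matches.
first_rule_with() {
    printf '%s\n' "$2" | awk -v kw="$1" '
        $1 == "ipfw" && $2 == "add" && $3 ~ /^[0-9]+$/ {
            for (i = 4; i <= NF; i++)
                if ($i == kw && (best == "" || $3 + 0 < best + 0)) best = $3
        }
        END { if (best != "") print best }'
}

# checkstate_mode RULES: prints
#   none     - no keep-state/limit rule, so no dynamic state is checked at all
#   explicit - a check-state rule is numbered at or before the first stateful rule
#   implicit - stateful rules exist but ipfw will only check dynamic rules at
#              the first keep-state/limit rule it reaches
checkstate_mode() {
    ks=$(first_rule_with keep-state "$1")
    lim=$(first_rule_with limit "$1")
    cs=$(first_rule_with check-state "$1")
    first_stateful=$ks
    if [ -n "$lim" ] && { [ -z "$first_stateful" ] || [ "$lim" -lt "$first_stateful" ]; }; then
        first_stateful=$lim
    fi
    if [ -z "$first_stateful" ]; then
        echo none
    elif [ -n "$cs" ] && [ "$cs" -le "$first_stateful" ]; then
        echo explicit
    else
        echo implicit
    fi
}

# report RULES: human-readable summary of both checks.
report() {
    n=$(count_misspelled "$1")
    if [ "$n" -gt 0 ]; then
        echo "ERROR: $n rule(s) use 'checkstate'; the keyword is 'check-state' and ipfw rejects the line"
    fi
    echo "dynamic-state checking: $(checkstate_mode "$1")"
}

echo "--- as posted ---";  report "$BROKEN_RULES"
echo "--- corrected ---";  report "$FIXED_RULES"
```

On the constructed rule set the first report flags one misspelled line and classifies state checking as "implicit", because without a loadable check-state rule the only check happens at the 50000 keep-state rule; the corrected set reports "explicit" with check-state at rule 50. The lint only reads rule numbers and keywords, so it cannot tell you whether the rule set itself is what hangs the box; it does tell you whether the rules you think you loaded are the rules ipfw will accept, which is also why a loader script should check ipfw's exit status (or run under `sh -e`) rather than ignore a rejected line.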