Date: Tue, 31 Aug 2010 05:35:02 GMT From: Vladimir <Vladimir_tmail@mail.ru> To: freebsd-gnats-submit@FreeBSD.org Subject: i386/150141: Not working kernel nat freeBSD 8.1 Message-ID: <201008310535.o7V5Z2k9063182@www.freebsd.org> Resent-Message-ID: <201008310540.o7V5e2fk017519@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 150141
>Category: i386
>Synopsis: Not working kernel nat freeBSD 8.1
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Aug 31 05:40:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Vladimir
>Release: FreeBSD 8.1
>Organization:
>Environment:
FreeBSD Stancia.mydomain.local 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Wed Jul 28 22:17:06 NOVST 2010 wowan@Stancia.mydomain.local:/usr/obj/usr/src/sys/MYKERNEL i386
>Description:
There are rules:
9:38 [stat]#cat /etc/ipfw.rules
###################### start ipfw rules script ######################
# Delete all rules
#####################################################################
/sbin/ipfw -q -f flush
#Set default
cmd="/sbin/ipfw -q "
ks="keep-state"
pppOut="tun0"
LanIn="vr1"
####################################################################
# restriction allow all
####################################################################
#$cmd add 00005 allow all from any to any
####################################################################
# restriction on Loopback Interface
####################################################################
$cmd add 00010 allow all from any to any via lo0
####################################################################
#Allow the packet through if it has previous been added to the
#the "dynamic" rules table by allow keep-state statement.
####################################################################
$cmd add 00025 check-state
####################################################################
# Deny 127.0.0.0/8 to any and deny to 127.0.0.0/8
####################################################################
$cmd add 00020 deny all from any to 127.0.0.0/8
$cmd add 00021 deny all from 127.0.0.0/8 to any
####################################################################
#Deny all inbound traffic from non-routable reserved address space
####################################################################
#$cmd add 00030 deny all from any to 10.0.0.0/8 in via ${pppOut}
$cmd add 00031 deny all from any to 172.16.0.0/12 in via ${pppOut}
#$cmd add 00032 deny all from any to 192.168.0.0/16 in via ${pppOut}
$cmd add 00033 deny all from any to 0.0.0.0/8 in via ${pppOut}
$cmd add 00034 deny all from any to 169.254.0.0/16 in via ${pppOut}
$cmd add 00035 deny all from any to 240.0.0.0/4 in via ${pppOut}
$cmd add 00036 deny icmp from any to any frag
$cmd add 00037 deny log icmp from any to 255.255.255.255 in via ${pppOut}
$cmd add 00038 deny log icmp from any to 255.255.255.255 out via ${pppOut}
####################################################################
# Deny all inound traffic
####################################################################
#$cmd add 00040 deny all from 10.0.0.0/8 to any out via ${pppOut}
$cmd add 00041 deny all from 172.16.0.0/12 to any out via ${pppOut}
#$cmd add 00042 deny all from 192.168.0.0/16 to any out via ${pppOut}
$cmd add 00043 deny all from 0.0.0.0/8 to any out via ${pppOut}
$cmd add 00044 deny all from 169.254.0.0/16 to any out via ${pppOut}
$cmd add 00045 deny all from 240.0.0.0/4i to any out via ${pppOut}
####################################################################
#Allow Established connect
####################################################################
#$cmd add 00050 allow tcp from any to any established
###################################################################
#Allow Server Internet
###################################################################
#$cmd add 00060 allow all from me to any out xmit ${pppOut}
$cmd add 00060 allow all from me to any out via ${pppOut} setup ${ks}
####################################################################
#Allow DNS Server
####################################################################
$cmd add 00050 allow udp from any 53 to any via ${pppOut}
$cmd add 00051 allow udp from any to any 53 via ${pppOut}
####################################################################
#Allow NTP Server
####################################################################
$cmd add 00060 allow udp from any to any 123 via ${pppOut}
$cmd add 00061 allow udp from any 123 to any via ${pppOut}
####################################################################
#Allow SSH Server
####################################################################
$cmd add 00070 allow tcp from any to me 22 in via ${pppOut} setup limit src-addr 2
####################################################################
# Allow ICMP traffic
####################################################################
$cmd add 00080 allow icmp from any to any icmptypes 0,8,11
####################################################################
# Allow traffic LAN
####################################################################
$cmd add 00100 allow tcp from any to any via ${LanIn}
$cmd add 00101 allow udp from any to any via ${LanIn}
$cmd add 00102 allow icmp from any to any via ${LanIn}
####################################################################
# NAT Kernel
####################################################################
$cmd nat 1 config log if ${pppOut} reset same_ports deny_in
$cmd add 00110 nat 1 ip from any to any via ${pppOut}
9:37 [stat]#ipfw show
00010 230 29972 allow ip from any to any via lo0
00020 0 0 deny ip from any to 127.0.0.0/8
00021 0 0 deny ip from 127.0.0.0/8 to any
00025 0 0 check-state
00031 0 0 deny ip from any to 172.16.0.0/12 in via tun0
00033 0 0 deny ip from any to 0.0.0.0/8 in via tun0
00034 0 0 deny ip from any to 169.254.0.0/16 in via tun0
00035 0 0 deny ip from any to 240.0.0.0/4 in via tun0
00036 0 0 deny icmp from any to any frag
00037 0 0 deny log logamount 5 icmp from any to 255.255.255.255 in via tun0
00038 0 0 deny log logamount 5 icmp from any to 255.255.255.255 out via tun0
00041 0 0 deny ip from 172.16.0.0/12 to any out via tun0
00043 0 0 deny ip from 0.0.0.0/8 to any out via tun0
00044 0 0 deny ip from 169.254.0.0/16 to any out via tun0
00045 0 0 deny ip from 240.0.0.0/4 to any out via tun0
00050 129 27348 allow udp from any 53 to any via tun0
00051 135 9816 allow udp from any to any dst-port 53 via tun0
00060 2070 920422 allow ip from me to any out via tun0 setup keep-state
00060 0 0 allow udp from any to any dst-port 123 via tun0
00061 0 0 allow udp from any 123 to any via tun0
00070 0 0 allow tcp from any to me dst-port 22 in via tun0 setup limit src-addr 2
00080 4 132 allow icmp from any to any icmptypes 0,8,11
00100 2314 925004 allow tcp from any to any via vr1
00101 62 6873 allow udp from any to any via vr1
00102 0 0 allow icmp from any to any via vr1
00110 326 16496 nat 1 ip from any to any via tun0
65535 278 13816 deny ip from any to any
one_pass set :1
/etc/ppp/ppp.conf:
u3g:
nat enable yes
set device /dev/cuaU0.0
set speed 460800
set timeout 0
set phone "*99***1#"
set authname
set authkey
set dial "ABORT BUSY TIMEOUT 2 \
\"\" \
AT OK-AT-OK \
AT+CFUN=1 OK-AT-OK \
AT+CMEE=2 OK-AT-OK \
AT+CSQ OK \
AT+CGDCONT=1,\\\"IP\\\",\\\"internet\\\" OK \
AT+CGACT? OK-AT-OK \
AT+CGATT? OK \
AT+CGCLASS? OK \
AT+COPS? OK \
ATD*99***1# CONNECT"
set vj slotcomp off
set crtscts on
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR
/etc/rc.conf
hostname="*******"
ifconfig_vr1="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="u3g"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
named_enable="YES"
named_program="/usr/sbin/named"
named_flags=" -4 -u bind -c /etc/namedb/named.conf"
.......
not working kernel nat,with these rules, it works in FreeBSD 8.0
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201008310535.o7V5Z2k9063182>