From owner-freebsd-net Fri Nov 2 6:55:25 2001
Message-ID: <3BE2B3D3.EDE64681@servicefactory.se>
Date: Fri, 02 Nov 2001 15:55:15 +0100
From: Jonas Bülow
Organization: Service Factory
To: freebsd-net@freebsd.org
Subject: FreeBSD 4.4, Bug in IPFilter v3.4.20 (264), fastroute bug.

Hi,

I just found out what seems to be a bug in IPFilter 3.4.20 (and .21). Using a machine with two NICs ep0 and ep1 and the filter rule:

    @999 block in quick on ep1 to ep0:10.0.0.42 proto tcp from any to any port = 80

will cause a reboot on the first packet arrival on ep1 with destination port 80. I should mention that the rule above works in v3.4.17. Any hints or suggestions to solve this? Is there any more information I should mention about the problem?

Another interesting problem with fastroute is that the fastroute:ed packet will get an incorrect IP-checksum if it is used together with PAT rules like:

    map ep0 10.10.0.0/24 -> 10.0.0.1/32 proxy port ftp ftp/tcp
    map ep0 10.10.0.0/24 -> 10.0.0.1/32 portmap tcp/udp 1025:65500
    map ep0 10.10.0.0/24 -> 10.0.0.1/32

I thought fastroute:ed packets were sent directly to the outgoing interface as shown in http://coombs.anu.edu.au/ipfilter/ipfil-flow.html. It seems like the NAT engine in some way corrupts fastroute:ed packets anyway. Has anyone else experienced problems similar to this? I have searched the IPFilter mail archive briefly without finding any similar problems so I hope it's not an FAQ item. :-)

regards,
jonas
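
The checksum symptom reported above can be confirmed on a captured IPv4 header: a header whose source address was rewritten by NAT without a matching checksum update no longer sums to zero. The C code below is an added example, not code from the original post or from IPFilter; it validates a header (RFC 1071) and shows the address rewrite with and without the incremental checksum update of RFC 1624. The sample header, its destination 192.0.2.80 and the function names are constructed for illustration; 10.10.0.5 and 10.0.0.1 are taken from the address ranges in the map rules.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample: TCP/IPv4 header 10.10.0.5 -> 192.0.2.80, checksum 0x5c3d. */
static const uint8_t SAMPLE[20] = { 0x45, 0, 0, 40, 0x12, 0x34, 0x40, 0,
                                    64, 6, 0x5c, 0x3d, 10, 10, 0, 5, 192, 0, 2, 80 };

/* RFC 1071 one's-complement checksum over len header bytes (len is even). */
static uint16_t ip_sum(const uint8_t *h, size_t len)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        s += (uint32_t)(h[i] << 8 | h[i + 1]);
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Valid header: the sum over it, checksum field included, comes out 0. */
int ip_header_ok(const uint8_t *h)
{
    size_t ihl = (size_t)(h[0] & 0x0f) * 4;
    return ihl >= 20 && ip_sum(h, ihl) == 0;
}

/* NAT-style source rewrite. With fix != 0 the checksum (bytes 10-11) is
 * patched incrementally per RFC 1624: HC' = ~(~HC + ~m + m'). */
void nat_rewrite_src(uint8_t *h, const uint8_t src[4], int fix)
{
    uint32_t s = (uint16_t)~(h[10] << 8 | h[11]);
    for (int i = 0; i < 4; i += 2) {
        s += (uint16_t)~(h[12 + i] << 8 | h[13 + i]);  /* ~old address word */
        s += (uint32_t)(src[i] << 8 | src[i + 1]);     /* new address word  */
    }
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    if (fix) { h[10] = (uint8_t)(~s >> 8); h[11] = (uint8_t)~s; }
    memcpy(h + 12, src, 4);
}

int main(void)
{
    const uint8_t nat[4] = { 10, 0, 0, 1 };   /* address from the map rules */
    uint8_t bad[20], good[20];
    memcpy(bad, SAMPLE, 20);  nat_rewrite_src(bad, nat, 0);
    memcpy(good, SAMPLE, 20); nat_rewrite_src(good, nat, 1);
    return !(ip_header_ok(good) && !ip_header_ok(bad));
}
```

Running ip_header_ok over headers captured on the outgoing interface (ep0 in the post) separates packets that left with a stale checksum from correctly translated ones.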