From: Jose M Rodriguez
To: freebsd-net@FreeBSD.org
Subject: Re: kern/147191: [ppp] Problems with ppp -nat [pppoe], ipfw, dummynet
Date: Wed, 2 Jun 2010 00:50:03 GMT
Message-Id: <201006020050.o520o32E030803@freefall.freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

The following reply was made to PR kern/147191; it has been noted by GNATS.

From: Jose M Rodriguez
To: bug-followup@FreeBSD.org, josemi@freebsd.jazztel.es
Date: Wed, 02 Jun 2010 02:37:20 +0200

Seems that this must be reopened. After redoing the rules to work with one_pass=0, problems of all sorts are still alive.
- ppp nat seems to consume all translated traffic 'in to out', with or without one_pass set, but traffic 'out to in' hits ipfw rules following specs
- after changing to mpd5 + natd, problems are even more strange, and the firewall mostly works only if local net traffic is done LAST and not FIRST. But some NATed apps fail (jdownloader, bitcomet file downloader), while others work (firefox and its file downloader)

My vote is for some problem with libalias.

At the moment, I MUST put the shaper FIRST, catching the traffic coming from the local net.

I'm very busy now, but can go over this again after 2 weeks.

Attached rc.firewall, mostly working with mpd5 + natd, as reference.

Content-Disposition: attachment; filename="rc.firewall.router.1"

#!/bin/sh -
# Copyright (c) 1996 Poul-Henning Kamp
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: src/etc/rc.firewall,v 1.60.2.3 2010/04/14 15:03:58 ume Exp $
#
# $Log$
#
# Setup system for ipfw(4) firewall service on AHS router
#
# Configuration:
#   firewall_resetports:
#     List of TCP ports reset on incoming
#   firewall_myservices:
#     List of TCP ports on which this host offers services.
#   firewall_myudpports:
#     List of UDP ports on which this host offers services.
#   firewall_logdeny:
#     Boolean (YES/NO) specifying if the default denied packets should be
#     logged (in /var/log/security).
#   firewall_nologports:
#     List of TCP/UDP ports for which denied incoming packets are not logged.
#   firewall_oif:
#     Outside IPv4 network interface, default to tun0.
#   firewall_iifaces:
#     Inside network interface list.
#   firewall_net_${iface}
#     IPv4 network definition for each of the previous interfaces.
#   firewall_p2p_${iface}
#     List of address ports for opened TCP/UDP ports on ${iface}
#   firewall_p2p_uids
#     List of uids of p2p daemons running on me

# predefined
firewall_resetports="53,113,135-139,445"
firewall_p2p_uids="mlnet transmission"
for u in ${firewall_p2p_uids}; do
	eval ${u}_enable="NO"
done
mpd_enable="NO"

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

. /etc/rc.subr
. /etc/network.subr

afexists inet6
ipv6_available=$?

# macros
fwcmd="/sbin/ipfw"
ifaces=${firewall_iifaces}
if checkyesno mpd_enable ; then
	oif=${firewall_oif-ng0}
else
	oif=${firewall_oif-tun0}
fi
log=""

# Set quiet mode if requested
checkyesno firewall_quiet && fwcmd="${fwcmd} -q"

# Flush out the list before we begin.
${fwcmd} -f flush

# setup loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny all from 127.0.0.0/8 to any

# setup ipv6 mandatory
# afexists returns 0 when the address family is present, so test for 0 here
if [ $ipv6_available -eq 0 ]; then
	${fwcmd} add 400 deny all from any to ::1
	${fwcmd} add 500 deny all from ::1 to any
	# DAD
	${fwcmd} add pass ipv6-icmp from :: to ff02::/16
	# RS, RA, NS, NA, redirect...
	${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
	${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
	# ICMPv6 destination unreachable, NS, NA, toobig
	${fwcmd} add pass ipv6-icmp from any to any icmp6types 1,2,135,136
fi

# setup tables
${fwcmd} table all flush
astable=1
astn=1
asln=2
aspn=3
asipv4=4
ascle=5
asmcast=6

# rfc 1912 local net
${fwcmd} table ${astable} add 0.0.0.0/8 ${asln}		# this network
${fwcmd} table ${astable} add 127.0.0.0/8 ${asln}	# local net
${fwcmd} table ${astable} add 255.0.0.0/8 ${asln}	# local net
# rfc 1918 private nets
${fwcmd} table ${astable} add 10.0.0.0/8 ${aspn}	# private net
${fwcmd} table ${astable} add 172.16.0.0/12 ${aspn}	# private net
${fwcmd} table ${astable} add 192.168.0.0/16 ${aspn}	# private net
# Link-local/APIPA (RFCs 3330 and 3927)
${fwcmd} table ${astable} add 169.254.0.0/16 ${aspn}	# link-local/APIPA
# TEST-NET-[1-3] for Documentation (RFC 5737)
${fwcmd} table ${astable} add 192.0.0.0/24 ${astn}	# IETF net
${fwcmd} table ${astable} add 192.0.2.0/24 ${astn}	# test net
${fwcmd} table ${astable} add 198.51.100.0/24 ${astn}	# test net
${fwcmd} table ${astable} add 203.0.113.0/24 ${astn}	# test net
# Router Benchmark Testing (RFC 3330)
${fwcmd} table ${astable} add 198.18.0.0/15 ${astn}	# router benchmark
# IANA Reserved - Old Class E Space
${fwcmd} table ${astable} add 240.0.0.0/5 ${ascle}	# old CLASS E
${fwcmd} table ${astable} add 248.0.0.0/6 ${ascle}	# old CLASS E
${fwcmd} table ${astable} add 252.0.0.0/7 ${ascle}	# old CLASS E
${fwcmd} table ${astable} add 254.0.0.0/8 ${ascle}	# old CLASS E
# Multicast
${fwcmd} table ${astable} add 224.0.0.0/3 ${asmcast}
# other
#${fwcmd} table ${astable} add 1.0.0.0/8 ${asipv4}	# APNIC
${fwcmd} table ${astable} add 1.0.0.0/13 ${asipv4}
${fwcmd} table ${astable} add 1.8.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 1.10.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 1.20.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 1.32.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 1.37.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 1.187.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 5.0.0.0/8 ${asipv4}	# Un. hamachi
${fwcmd} table ${astable} add 23.0.0.0/8 ${asipv4}	# Un. bogon
#${fwcmd} table ${astable} add 31.0.0.0/8 ${asipv4}	# bogon/RIPE
${fwcmd} table ${astable} add 31.0.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 31.1.0.0/21 ${asipv4}
${fwcmd} table ${astable} add 31.1.24.0/24 ${asipv4}
${fwcmd} table ${astable} add 36.0.0.0/7 ${asipv4}	# bogon
${fwcmd} table ${astable} add 39.0.0.0/8 ${asipv4}	# bogon
${fwcmd} table ${astable} add 42.0.0.0/8 ${asipv4}	# bogon
${fwcmd} table ${astable} add 49.0.0.0/8 ${asipv4}	# bogon
${fwcmd} table ${astable} add 100.0.0.0/6 ${asipv4}	# bogon
${fwcmd} table ${astable} add 104.0.0.0/7 ${asipv4}	# bogon
${fwcmd} table ${astable} add 106.0.0.0/8 ${asipv4}	# bogon
${fwcmd} table ${astable} add 128.0.0.0/16 ${asipv4}	# ARIN, rfc 3300?
${fwcmd} table ${astable} add 128.66.0.0/16 ${asipv4}	# ARIN?
${fwcmd} table ${astable} add 177.0.0.0/8 ${asipv4}
${fwcmd} table ${astable} add 179.0.0.0/8 ${asipv4}
${fwcmd} table ${astable} add 181.0.0.0/8 ${asipv4}
${fwcmd} table ${astable} add 185.0.0.0/8 ${asipv4}
#${fwcmd} table ${astable} add 191.255.0.0/16 ${asipv4}	# LACNIC
#${fwcmd} table ${astable} add 192.0.0.0/19 ${asipv4}	# ARIN
${fwcmd} table ${astable} add 192.0.48.0/20 ${asipv4}	# ARIN
${fwcmd} table ${astable} add 192.0.64.0/18 ${asipv4}	# ARIN
${fwcmd} table ${astable} add 192.0.128.0/17 ${asipv4}	# ARIN
#${fwcmd} table ${astable} add 197.0.0.0/8 ${asipv4}	# AfriNIC
${fwcmd} table ${astable} add 204.152.64.0/23 ${asipv4}

# dummynet
if checkyesno dummynet_enable ; then
	outp=1
	ufq=2
	ufr=8000
	fq=3
	fr=8400
	nq=4
	nr=8800
	lq=5
	lr=9200
	ulq=6
	ulr=9400
	# tags, scheds, ...
	p2p=1
	sched=1
	# sysctl
	sysctl net.inet.ip.fw.one_pass=0 >/dev/null
	sysctl net.inet.ip.fw.verbose=0 >/dev/null
	sysctl net.inet.ip.dummynet.io_fast=1 >/dev/null
	# queues
	${fwcmd} pipe ${outp} config bw ${firewall_outbw-0} \
		burst ${firewall_out_burst-29840}
	${fwcmd} queue ${ufq} config pipe ${outp} \
		weight ${firewall_ufast_weight-100} queue 90
	${fwcmd} queue ${fq} config pipe ${outp} \
		weight ${firewall_fast_weight-75}
	${fwcmd} queue ${nq} config pipe ${outp} \
		weight ${firewall_weight-40}
	${fwcmd} queue ${lq} config pipe ${outp} \
		weight ${firewall_lo_weight-25}
	${fwcmd} queue ${ulq} config pipe ${outp} \
		weight ${firewall_ulow_weight-1}
	${fwcmd} sched ${sched} config type ${firewall_sched_type-QFQ}
fi

# RULES
#
# Danger Will Robinson.
# Seems that on FreeBSD 8.1 you can't pass traffic in to be forwarded, or
# queue/divert/outgoing rules can't see it. Strange.
#
#pass DHCP requests
for if in $(list_net_interfaces dhcp) ; do
	${fwcmd} add pass udp from any 67 to any 68 recv ${if}
	${fwcmd} add pass udp from any 68 to any 67 xmit ${if}
done

#local nets
for iif in ${ifaces}; do
	# pass dhcpv4 traffic from/to our server
	if checkyesno dhcpd_enable; then
		${fwcmd} add pass udp from any 68 to any 67 recv ${iif}
		${fwcmd} add pass udp from any 67 to any 68 xmit ${iif}
	fi
	# Local net anti-spoofing
	eval netif_net=\$firewall_net_${iif}
	if [ -n "${netif_net}" ]; then
		${fwcmd} add deny all from any to not ${netif_net} xmit ${iif}
		${fwcmd} add deny all from not ${netif_net} to any recv ${iif}
	fi
done

# Deny TCP fragments (use PATH mtu), allow rest
${fwcmd} add deny tcp from any to any frag

# anti spoofing
${fwcmd} add deny all from table\(${astable}\) to any recv ${oif}
${fwcmd} add deny all from any to table\(${astable}\) xmit ${oif}

# Well Known traffic not allowed: domain, smb, ...
${fwcmd} add reset tcp from any to any ${firewall_resetports} via ${oif}
${fwcmd} add reset tcp from any ${firewall_resetports} to any via ${oif}

# Outgoing queues
if checkyesno dummynet_enable ; then
	# Don't queue not outgoing traffic
	${fwcmd} add skipto 10000 all from any to any in
	${fwcmd} add skipto 30000 all from any to any not via ${oif}
	# ultra low / low
	for u in ${firewall_p2p_uids}; do
		if checkyesno ${u}_enable ; then
			${fwcmd} add skipto ${lr} tcp from any to any \
				uid ${u} established
			${fwcmd} add skipto ${ulr} tcp from any to any \
				uid ${u} setup
			${fwcmd} add skipto ${ulr} udp from any to any \
				uid ${u}
		fi
	done
	for iif in ${ifaces} ; do
		eval netif_p2p=\$firewall_p2p_${iif}
		# "set --" so an empty list clears $@ instead of dumping all variables
		set -- ${netif_p2p}
		while [ $# -ge 2 ]; do
			${fwcmd} add skipto ${lr} tcp from $1 $2 to any established
			${fwcmd} add skipto ${ulr} tcp from $1 $2 to any setup
			${fwcmd} add skipto ${ulr} udp from $1 $2 to any
			shift ; shift
		done
	done
	# ultra fast
	${fwcmd} add skipto ${ufr} tcp from any to any \
		iptos lowdelay
	${fwcmd} add skipto ${ufr} tcp from any to any \
		tcpdatalen 0 established
	${fwcmd} add skipto ${ufr} udp from me to any 53,123
	# fast
	${fwcmd} add skipto ${fr} tcp from any to any setup
	${fwcmd} add skipto ${fr} tcp from any to any 22,443,2222 \
		established
	# rest is normal
	${fwcmd} add skipto ${nr} all from any to any

	# queues
	# ultra fast
	${fwcmd} add ${ufr} queue ${ufq} all from any to any
	${fwcmd} add skipto 30000 all from any to any
	# fast
	${fwcmd} add ${fr} queue ${fq} all from any to any
	${fwcmd} add skipto 30000 all from any to any
	# normal
	${fwcmd} add ${nr} queue ${nq} all from any to any
	${fwcmd} add skipto 30000 all from any to any
	# low
	${fwcmd} add ${lr} queue ${lq} all from any to any
	${fwcmd} add skipto 30000 all from any to any
	# ultra low
	${fwcmd} add ${ulr} queue ${ulq} all from any to any
	${fwcmd} add skipto 30000 all from any to any
fi

# incoming traffic
${fwcmd} add 10000 skipto 30000 all from any to any not via ${oif}

# Open ports
for port in ${firewall_myservices} ; do
	${fwcmd} add pass tcp from any to me ${port} setup
done
for port in ${firewall_myudpports} ; do
	${fwcmd} add pass udp from any to me ${port}
done
for user in ${firewall_p2p_uids}; do
	if checkyesno ${user}_enable ; then
		${fwcmd} add pass tcp from any to me setup uid ${user}
		${fwcmd} add pass udp from any to me uid ${user}
	fi
done

# Noise from routers
${fwcmd} add deny udp from any to any 520 recv ${oif}

#setup natd
${fwcmd} add 30000 count all from any to any
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "${natd_interface}" ]; then
		${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
	fi
	;;
esac
case ${firewall_nat_enable} in
[Yy][Ee][Ss])
	if [ -n "${firewall_nat_interface}" ]; then
		firewall_nat_flags="${firewall_nat_interface} ${firewall_nat_flags}"
		if echo "${firewall_nat_interface}" | \
			grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
			firewall_nat_flags="ip ${firewall_nat_flags}"
		else
			firewall_nat_flags="if ${firewall_nat_flags}"
		fi
		${fwcmd} nat 123 config log ${firewall_nat_flags}
		${fwcmd} add nat 123 ip4 from any to any \
			via ${firewall_nat_interface}
	fi
	;;
esac

# Allow non-TCP fragments (TCP fragments were denied above)
${fwcmd} add pass all from any to any frag

# Allow packets for which a state has been built.
${fwcmd} add check-state

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# icmp traffic
# Allow "mandatory" ICMP in.
${fwcmd} add pass icmp from any to any icmptypes 3,4,11
# Some servers will ping the IP while trying to decide
${fwcmd} add pass icmp from any to any icmptypes 8

# pass outgoing traffic
${fwcmd} add pass tcp from any to any xmit ${oif} setup
${fwcmd} add pass udp from any to any xmit ${oif} keep-state
${fwcmd} add pass icmp from any to any xmit ${oif} keep-state

# incoming from outside
${fwcmd} add skipto 60000 all from any to any not recv ${oif}

# Open ports
for iif in ${ifaces} ; do
	eval netif_p2p=\$firewall_p2p_${iif}
	# "set --" so an empty list clears $@ instead of dumping all variables
	set -- ${netif_p2p}
	while [ $# -ge 2 ]; do
		${fwcmd} add pass tcp from any to $1 $2 setup
		${fwcmd} add pass udp from any to $1 $2
		shift ; shift
	done
done

# Drop packets to ports where we don't want logging
for i in ${firewall_nologports} ; do
	${fwcmd} add deny { tcp or udp } from any to any $i
done

# http connection teardowns
${fwcmd} add reset tcp from any 80,443 to any 1024-65535

# Deny and (if wanted) log the rest unconditionally.
if checkyesno firewall_logdeny ; then
	log="log logamount 500"
	sysctl net.inet.ip.fw.verbose=1 >/dev/null
fi
${fwcmd} add deny $log ip from any to any

# Now it's safe to do local nets in
${fwcmd} add 60000 count all from any to any
for iif in ${ifaces}; do
	# pass all traffic via the internal net
	eval netif_net=\$firewall_net_${iif}
	if [ -n "${netif_net}" ]; then
		${fwcmd} add pass all from any to any via ${iif}
	else
		${fwcmd} add pass all from any to any via ${iif} verrevpath
	fi
done
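Added example, not part of the PR or of the attached script: a small Python model of ipfw's rule walk (skipto, queue, nat, divert, count, pass, deny) over the skeleton of the script above, showing what net.inet.ip.fw.one_pass changes for the two paths the reply is about. Rule numbers 10000, 30000, 60000 and 8800 (the script's ${nr}) are taken from the script; the other numbers, the match lambdas and the two packets are constructed, and the one_pass handling follows ipfw(8): dummynet queues and the in-kernel nat accept the packet when one_pass is set and otherwise continue at the next rule, while divert to natd always continues at the next rule.

```python
# Added example (not from the PR): a tiny model of ipfw's rule walk showing why the
# attached script needs one_pass=0; 10000/30000/60000 and 8800 (${nr}) are the script's.
def walk(rules, pkt, one_pass):
    # rules: (number, match_fn, action, arg) sorted by number.
    # queue/nat accept at once when one_pass=1, else continue at the next rule;
    # divert (natd) reinjects at the next rule whatever one_pass says.
    visited, i = [], 0
    while i < len(rules):
        num, match, action, arg = rules[i]
        if not match(pkt):
            i += 1
            continue
        visited.append(num)
        if action == "pass":
            return "accept", visited
        if action == "deny":
            return "drop", visited
        if action == "skipto":  # jump to the first rule numbered >= arg
            i = next(j for j, r in enumerate(rules) if r[0] >= arg)
            continue
        if action in ("queue", "nat") and one_pass:
            return "accept-after-" + action, visited
        i += 1  # count, divert, and queue/nat with one_pass=0 fall through
    return "drop", visited  # ipfw's implicit final deny

OIF = "tun0"  # the script's default firewall_oif
RULES = [  # constructed skeleton of the attached rc.firewall (myservices = 22)
    (1000, lambda p: p["dir"] == "in", "skipto", 10000),
    (1100, lambda p: p["if"] != OIF, "skipto", 30000),
    (1200, lambda p: True, "skipto", 8800),                  # rest is normal
    (8800, lambda p: True, "queue", 4),
    (8801, lambda p: True, "skipto", 30000),
    (10000, lambda p: p["if"] != OIF, "skipto", 30000),
    (10100, lambda p: p["dir"] == "in" and p["dport"] == 22 and p["setup"], "pass", None),
    (30000, lambda p: True, "count", None),
    (30100, lambda p: True, "nat", 123),                     # translation assumed OK
    (30200, lambda p: p["established"], "pass", None),
    (30300, lambda p: p["dir"] == "out" and p["if"] == OIF and p["setup"], "pass", None),
    (30400, lambda p: p["dir"] == "in" and p["if"] != OIF, "skipto", 60000),
    (30500, lambda p: True, "deny", None),                   # deny the rest
    (60000, lambda p: True, "pass", None),                   # local nets, last
]

def verdicts(one_pass):
    # Constructed packets: a LAN-originated SYN leaving via tun0 and an
    # unsolicited SYN arriving from the Internet on tun0.
    out_syn = {"dir": "out", "if": OIF, "dport": 80, "setup": True, "established": False}
    in_syn = {"dir": "in", "if": OIF, "dport": 12345, "setup": True, "established": False}
    return walk(RULES, out_syn, one_pass)[0], walk(RULES, in_syn, one_pass)[0]
```

With one_pass=1 the outgoing SYN is accepted at the queue rule and never reaches rule 30000, so it leaves untranslated, and the unsolicited inbound SYN is accepted right after the nat rule without ever reaching the final deny. The script only sets one_pass=0 inside its dummynet_enable block, so with dummynet disabled the in-kernel nat path runs under the kernel default of one_pass=1.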