Date: Mon, 26 Dec 2005 13:41:50 +0200
From: Oleg Tarasov <subscriber@osk.com.ua>
To: freebsd-net@freebsd.org
Subject: Router on 6.0-stable fails to route tcp packets due to NAT?? malfunction
Message-ID: <1687545235.20051226134150@osk.com.ua>
[-- Attachment #1 --]
Hello, all
SYSTEM DESCRIPTION
I have built a production system based on FreeBSD 6.0-stable. The main
Internet connection is established using mpd 3.18, which is started by
the attached script "mpd". It is rcorder'ed similarly to ppp-user.
The mpd configuration is attached as mpd.conf and mpd.links. In short, ng0
is a PPPoE connection on the rl1 interface.
By the way, user ppp failed to work correctly with the PPPoE connection,
usually causing a "No buffer space available" error which made all
network connections stop working. A manual restart of ppp helped, but
that is quite unacceptable for a production system. I attach ppp.conf.
The firewall is configured to manually divert packets to natd. I attach
rc.firewall, which was simplified to a minimum of functions for test
purposes.
natd is configured using the following config file:
===============================================================
log no
use_sockets yes
same_ports yes
interface ng0
unregistered_only yes
log_ipfw_denied yes
log_denied yes
===============================================================
I attach the kernel configuration file used to compile it.
Here is the output of ifconfig:
===============================================================
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.82.253 netmask 0xffffff00 broadcast 192.168.82.255
ether 00:30:4f:1c:ed:19
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
ether 00:30:4f:1c:ed:17
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492
inet my.ip.add.ress --> prov.ip.add.ress netmask 0xffffffff
===============================================================
Here is the output of netstat -rn:
===============================================================
Destination Gateway Flags Refs Use Netif Expire
default prov.ip.add.ress UGS 0 512334 ng0
my.ip.add.ress lo0 UHS 0 2426 lo0
127.0.0.1 127.0.0.1 UH 0 21881 lo0
192.168.82 link#1 UC 0 0 rl0
192.168.82.253 00:30:4f:1c:ed:19 UHLW 1 1162 lo0
prov.ip.add.ress my.ip.add.ress UH 1 0 ng0
===============================================================
Windows client configuration:
===============================================================
inet 192.168.82.111 netmask 255.255.255.0 192.168.82.253
===============================================================
Windows client routing table
===============================================================
Network Destination  Netmask          Gateway         Interface       Metric
0.0.0.0              0.0.0.0          192.168.82.253  192.168.82.111  30
127.0.0.0            255.0.0.0        127.0.0.1       127.0.0.1       1
192.168.0.0          255.255.255.0    192.168.82.204  192.168.82.111  1
192.168.82.0         255.255.255.0    192.168.82.111  192.168.82.111  30
192.168.82.111       255.255.255.255  127.0.0.1       127.0.0.1       30
192.168.82.255       255.255.255.255  192.168.82.111  192.168.82.111  30
224.0.0.0            240.0.0.0        192.168.82.111  192.168.82.111  30
255.255.255.255      255.255.255.255  192.168.82.111  192.168.82.111  1
Default gateway: 192.168.82.253
===============================================================
The system runs SQUID, mail and ftp services, and direct packet
routing was usually not used, so the problem was only noticed after a month
of use of the system.
PROBLEM DESCRIPTION
I have a number of Windows XP clients in the network which are
configured to use this machine as a default gateway. Any icmp packets
to the Internet work quite normally. Web worked normally too, but only when
using the proxy, so packet routing is not used for that.
The problem was first encountered when trying to play an online game
which did not use the proxy. Later it was confirmed when trying to surf
the Web with the proxy turned off.
The problem is that almost all data is not transmitted normally over tcp
connections. For example, trying to open www.gnome.org fails completely,
but the packet flow seems to be normal. The strangest thing is that
this problem occurs only on some clients, while other ones work quite
fine!!! From malfunctioning machines some sites can be opened too!!!
Some sites can be opened partially - some parts like pictures can
fail to load.
You can say - "How can we be sure that your client machines are
configured normally?" - I have been a system administrator for some years and
have plenty of servers and clients configured by my own hands. Also I have
a production system based on 5.4p5 which is configured similarly to
this one but uses kernel ppp for the Internet connection - and that one
had no problems.
Everything in the LAN works perfectly. Everything going through the
proxy also works fine. Any connection made directly from the server has no
problems. This makes me think the problem is in routing or NAT.
For test purposes I reinstalled my own client machine (which also
has the problem described above) from scratch - no result. I changed
the network card and changed the IP address - no positive result.
From all of the above I conclude that the possible reason is a NAT
malfunction. Or I don't know what...
Here is the dump on both interfaces, ng0 and rl0, which are the Internet and
LAN interfaces. I try to open www.gnome.org and I see this:
tcpdump on ng0
===============================================================
09:55:13.757127 IP (tos 0x0, ttl 127, id 56112, offset 0, flags [DF], proto: TCP (6), length: 48) piramida.com.ua.1140 > window.gnome.org.http: S, cksum 0x2b0b (correct), 687058407:687058407(0) win 16384 <mss 1460,nop,nop,sackOK>
09:55:13.982233 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto: TCP (6), length: 48) window.gnome.org.http > piramida.com.ua.1140: S, cksum 0x6f48 (correct), 3785163588:3785163588(0) ack 687058408 win 5840 <mss 1460,nop,nop,sackOK>
09:55:13.982616 IP (tos 0x0, ttl 127, id 56115, offset 0, flags [DF], proto: TCP (6), length: 40) piramida.com.ua.1140 > window.gnome.org.http: ., cksum 0x6e6c (correct), ack 1 win 17520
09:55:13.982774 IP (tos 0x0, ttl 127, id 56116, offset 0, flags [DF], proto: TCP (6), length: 322) piramida.com.ua.1140 > window.gnome.org.http: P 1:283(282) ack 1 win 17520
09:55:14.219491 IP (tos 0x0, ttl 47, id 58466, offset 0, flags [DF], proto: TCP (6), length: 40) window.gnome.org.http > piramida.com.ua.1140: ., cksum 0x98a2 (correct), ack 283 win 6432
09:55:59.300589 IP (tos 0x0, ttl 127, id 62999, offset 0, flags [DF], proto: TCP (6), length: 40) piramida.com.ua.1140 > window.gnome.org.http: R, cksum 0xb1be (correct), 283:283(0) ack 1 win 0
09:55:59.417698 IP (tos 0x0, ttl 64, id 36993, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.82.111.1140 > window.gnome.org.http: ., cksum 0x58ec (correct), ack 3785163589 win 0
[the caret and exclamation markers in the original message are placed under the "ttl 64" and "192.168.82.111.1140" fields of the last packet above]
===============================================================
tcpdump on rl0
===============================================================
09:55:13.756938 IP (tos 0x0, ttl 128, id 56112, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.82.111.1140 > window.gnome.org.http: S, cksum 0xd233 (correct), 687058407:687058407(0) win 16384 <mss 1460,nop,nop,sackOK>
09:55:13.982399 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto: TCP (6), length: 48) window.gnome.org.http > 192.168.82.111.1140: S, cksum 0x1671 (correct), 3785163588:3785163588(0) ack 687058408 win 5840 <mss 1460,nop,nop,sackOK>
09:55:13.982538 IP (tos 0x0, ttl 128, id 56115, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.82.111.1140 > window.gnome.org.http: ., cksum 0x1595 (correct), ack 1 win 17520
09:55:13.982719 IP (tos 0x0, ttl 128, id 56116, offset 0, flags [DF], proto: TCP (6), length: 322) 192.168.82.111.1140 > window.gnome.org.http: P 1:283(282) ack 1 win 17520
09:55:14.219666 IP (tos 0x0, ttl 46, id 58466, offset 0, flags [DF], proto: TCP (6), length: 40) window.gnome.org.http > 192.168.82.111.1140: ., cksum 0x3fcb (correct), ack 283 win 6432
09:55:59.300444 IP (tos 0x0, ttl 128, id 62999, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.82.111.1140 > window.gnome.org.http: R, cksum 0x58e7 (correct), 283:283(0) ack 1 win 0
09:55:59.417786 IP (tos 0x0, ttl 64, id 36994, offset 0, flags [none], proto: TCP (6), length: 40) window.gnome.org.http > 192.168.82.111.1140: ., cksum 0x58ec (correct), ack 283 win 0
===============================================================
I am not sure what the hell is happening.
The same problem occurs when trying to connect to an ftp server - ftp
commands work fine, but when I try to download a file and a bulk
tcp transfer starts, the connection hangs.
I would appreciate any useful information on this topic and
information on how I can debug this more deeply.
--
Best regards,
Oleg Tarasov mailto:subscriber@osk.com.ua
[-- Attachment #2 --]
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 6.0-RELEASE #0: Tue Nov 29 15:32:53 EET 2005
root@gandalf.piramida.com.ua:/usr/obj/usr/src/sys/PIRAMIDA
WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
WARNING: MPSAFE network stack disabled, expect reduced performance.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(TM) CPU 1100MHz (1093.90-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x6b1 Stepping = 1
Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
real memory = 402587648 (383 MB)
avail memory = 384339968 (366 MB)
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
acpi0: <IntelR AWRDACPI> on motherboard
acpi0: Power Button (fixed)
pci_link0: <ACPI PCI Link LNKA> irq 9 on acpi0
pci_link1: <ACPI PCI Link LNKB> irq 11 on acpi0
pci_link2: <ACPI PCI Link LNKC> irq 11 on acpi0
pci_link3: <ACPI PCI Link LNKD> irq 5 on acpi0
pci_link4: <ACPI PCI Link LNKE> irq 0 on acpi0
pci_link5: <ACPI PCI Link LNKF> irq 0 on acpi0
pci_link6: <ACPI PCI Link LNK0> irq 0 on acpi0
pci_link7: <ACPI PCI Link LNK1> irq 11 on acpi0
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_throttle0: <ACPI CPU Throttling> on cpu0
acpi_button0: <Power Button> on acpi0
acpi_button1: <Sleep Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
agp0: <Intel 82815 (i815 GMCH) host to PCI bridge> mem 0xe8000000-0xebffffff at device 0.0 on pci0
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pci1: <display, VGA> at device 0.0 (no driver attached)
pcib2: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci2: <ACPI PCI bus> on pcib2
rl0: <RealTek 8139 10/100BaseTX> port 0xc000-0xc0ff mem 0xee000000-0xee0000ff irq 11 at device 2.0 on pci2
miibus0: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus0
rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl0: Ethernet address: 00:30:4f:1c:ed:19
rl0: [GIANT-LOCKED]
rl1: <RealTek 8139 10/100BaseTX> port 0xc400-0xc4ff mem 0xee001000-0xee0010ff irq 5 at device 3.0 on pci2
miibus1: <MII bus> on rl1
rlphy1: <RealTek internal media interface> on miibus1
rlphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
rl1: Ethernet address: 00:30:4f:1c:ed:17
rl1: [GIANT-LOCKED]
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel ICH2 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xf000-0xf00f at device 31.1 on pci0
ata0: <ATA channel 0> on atapci0
ata1: <ATA channel 1> on atapci0
uhci0: <Intel 82801BA/BAM (ICH2) USB controller USB-A> port 0xd000-0xd01f irq 5 at device 31.2 on pci0
uhci0: [GIANT-LOCKED]
usb0: <Intel 82801BA/BAM (ICH2) USB controller USB-A> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
uhci1: <Intel 82801BA/BAM (ICH2) USB controller USB-B> port 0xd800-0xd81f irq 11 at device 31.4 on pci0
uhci1: [GIANT-LOCKED]
usb1: <Intel 82801BA/BAM (ICH2) USB controller USB-B> on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
pci0: <multimedia, audio> at device 31.5 (no driver attached)
acpi_tz0: <Thermal Zone> on acpi0
fdc0: <floppy drive controller> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
ppc0: <Standard parallel printer port> port 0x378-0x37f irq 7 on acpi0
ppc0: Generic chipset (NIBBLE-only) in COMPATIBLE mode
ppbus0: <Parallel port bus> on ppc0
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model NetMouse/NetScroll Optical, device ID 0
pmtimer0 on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 1093902442 Hz quality 800
Timecounters tick every 1.000 msec
IPsec: Initialized Security Association Processing.
ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding enabled, default to accept, logging limited to 300 packets/entry by default
ad0: 38204MB <SAMSUNG SP0411N TW100-08> at ata0-master UDMA100
acd0: CDROM <ASUS CD-S520/A4/1.2> at ata1-master UDMA33
Trying to mount root from ufs:/dev/ad0s1a
rl1: link state changed to UP
[-- Attachment #3 --]
#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.429.2.3.2.1 2005/10/28 19:22:41 jhb Exp $
machine i386
cpu I486_CPU
cpu I586_CPU
cpu I686_CPU
ident PIRAMIDA
options SMP
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=300
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPDIVERT
options IPSTEALTH
options DUMMYNET
options HZ=1000
options VESA
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
# To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" # Default places to look for devices.
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
#options SCHED_ULE # ULE scheduler
options SCHED_4BSD # 4BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
#options INET6 # IPv6 communications protocols
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options MD_ROOT # MD is a potential root device
options NFSCLIENT # Network Filesystem Client
options NFSSERVER # Network Filesystem Server
options NFS_ROOT # NFS usable as /, requires NFSCLIENT
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
options ADAPTIVE_GIANT # Giant mutex is adaptive.
device apic # I/O APIC
# Bus support.
device eisa
device pci
# Floppy drives
device fdc
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device ataraid # ATA RAID drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# SCSI Controllers
device ahb # EISA AHA1742 family
device ahc # AHA2940 and onboard AIC7xxx devices
device ahd # AHA39320/29320 and onboard AIC79xx devices
device amd # AMD 53C974 (Tekram DC-390(T))
device isp # Qlogic family
#device ispfw # Firmware for QLogic HBAs- normally a module
device mpt # LSI-Logic MPT-Fusion
#device ncr # NCR/Symbios Logic
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
device trm # Tekram DC395U/UW/F DC315U adapters
device adv # Advansys SCSI adapters
device adw # Advansys wide SCSI adapters
device aha # Adaptec 154x SCSI adapters
device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
device bt # Buslogic/Mylex MultiMaster SCSI adapters
device ncv # NCR 53C500
device nsp # Workbit Ninja SCSI-3
device stg # TMC 18C30/18C50
# SCSI peripherals
device scbus # SCSI bus (required for SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct SCSI access)
device ses # SCSI Environmental Services (and SAF-TE)
# RAID controllers interfaced to the SCSI subsystem
device amr # AMI MegaRAID
device arcmsr # Areca SATA II RAID
device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
device ciss # Compaq Smart RAID 5*
device dpt # DPT Smartcache III, IV - See NOTES for options
device hptmv # Highpoint RocketRAID 182x
device iir # Intel Integrated RAID
device ips # IBM (Adaptec) ServeRAID
device mly # Mylex AcceleRAID/eXtremeRAID
device twa # 3ware 9000 series PATA/SATA RAID
# RAID controllers
device aac # Adaptec FSA RAID
device aacp # SCSI passthrough for aac (requires CAM)
device ida # Compaq Smart RAID
device mlx # Mylex DAC960 family
device pst # Promise Supertrak SX6000
device twe # 3ware ATA RAID
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
options SC_ALT_MOUSE_IMAGE
options SC_MOUSE_CHAR=0x3
#options SC_PIXEL_MODE
options SC_TWOBUTTON_MOUSE
# Enable this for the pcvt (VT220 compatible) console driver
#device vt
#options XSERVER # support for X server on a vt console
#options FAT_CURSOR # start with block cursor
device agp # support several AGP chipsets
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
device pmtimer
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
device cbb # cardbus (yenta) bridge
device pccard # PC Card (16-bit) bus
device cardbus # CardBus (32-bit) bus
# Serial (COM) ports
device sio # 8250, 16[45]50 based serial ports
# Parallel port
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device plip # TCP/IP over parallel
device ppi # Parallel port interface device
#device vpo # Requires scbus and da
# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device puc
# PCI Ethernet NICs.
device de # DEC/Intel DC21x4x (``Tulip'')
device em # Intel PRO/1000 adapter Gigabit Ethernet Card
device ixgb # Intel PRO/10GbE Ethernet Card
device txp # 3Com 3cR990 (``Typhoon'')
device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device bfe # Broadcom BCM440x 10/100 Ethernet
device bge # Broadcom BCM570xx Gigabit Ethernet
device dc # DEC/Intel 21143 and various workalikes
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device lge # Level 1 LXT1001 gigabit Ethernet
device nge # NatSemi DP83820 gigabit Ethernet
device nve # nVidia nForce MCP on-board Ethernet Networking
device pcn # AMD Am79C97x PCI 10/100(precedence over 'lnc')
device re # RealTek 8139C+/8169/8169S/8110S
device rl # RealTek 8129/8139
device sf # Adaptec AIC-6915 (``Starfire'')
device sis # Silicon Integrated Systems SiS 900/SiS 7016
device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
device ste # Sundance ST201 (D-Link DFE-550TX)
device ti # Alteon Networks Tigon I/II gigabit Ethernet
device tl # Texas Instruments ThunderLAN
device tx # SMC EtherPower II (83c170 ``EPIC'')
device vge # VIA VT612x gigabit Ethernet
device vr # VIA Rhine, Rhine II
device wb # Winbond W89C840F
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# ISA Ethernet NICs. pccard NICs included.
device cs # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
device ex # Intel EtherExpress Pro/10 and Pro/10+
device ep # Etherlink III based cards
device fe # Fujitsu MB8696x based cards
device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
device lnc # NE2100, NE32-VL Lance Ethernet cards
device sn # SMC's 9000 series of Ethernet chips
device xe # Xircom pccard Ethernet
# ISA devices that use the old ISA shims
#device le
# Wireless NIC cards
device wlan # 802.11 support
device an # Aironet 4500/4800 802.11 wireless NICs.
device awi # BayStack 660 and others
device ral # Ralink Technology RT2500 wireless NICs.
device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wl # Older non 802.11 Wavelan wireless NIC.
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
device sl # Kernel SLIP
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device bpf # Berkeley packet filter
# USB support
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device usb # USB Bus (required)
#device udbp # USB Double Bulk Pipe devices
device ugen # Generic
device uhid # "Human Interface Devices"
device ukbd # Keyboard
device ulpt # Printer
device umass # Disks/Mass storage - Requires scbus and da
device ums # Mouse
device ural # Ralink Technology RT2500USB wireless NICs
device urio # Diamond Rio 500 MP3 player
device uscanner # Scanners
# USB Ethernet, requires miibus
device aue # ADMtek USB Ethernet
device axe # ASIX Electronics USB Ethernet
device cdce # Generic USB over Ethernet
device cue # CATC USB Ethernet
device kue # Kawasaki LSI USB Ethernet
device rue # RealTek RTL8150 USB Ethernet
# FireWire support
device firewire # FireWire bus code
device sbp # SCSI over FireWire (Requires scbus and da)
device fwe # Ethernet over FireWire (non-standard!)
[-- Attachment #4 --]
#!/bin/sh
#
# $FreeBSD: ports/net/mpd/files/mpd.sh,v 1.2 2005/02/14 21:46:57 archie Exp $
#
# PROVIDE: mpd
# REQUIRE: netif isdnd
# KEYWORD: nojail
# Add the following line to /etc/rc.conf to enable mpd:
#
# mpd_enable="YES"
#
mpd_flags="-b"
#mpd_enable="NO"
. /etc/rc.subr
name=mpd
rcvar=`set_rcvar`
prefix=/usr/local
procname=${prefix}/sbin/mpd
pidfile=/var/run/mpd.pid
#required_files="${prefix}/etc/mpd/mpd.conf ${prefix}/etc/mpd/mpd.links"
command="${prefix}/sbin/mpd"
start_postcmd="mpd_postcmd"
mpd_postcmd ()
{
	# Poll until mpd has created ng0. Output goes to /dev/null (the
	# original redirected to a file literally named "nul" in the current
	# directory), and the loop sleeps between polls: "wait" returns at
	# once when the shell has no children, which made this a busy spin.
	echo "Waiting for ng0 to be created"
	until ifconfig ng0 > /dev/null 2>&1
	do
		sleep 1
	done
	echo "ng0 successfully created"
	ifconfig ng0 inet ?my.ip.add.ress? netmask 0xffffffff ?prov.ip.add.ress? mtu 1492
}
load_rc_config ${name}
run_rc_command "$1"
[-- Attachment #5 --]
default:
load ukrtel
ukrtel:
new -i ng0 Ukrtel_PPPoE Ukrtel_PPPoE_link
set iface addrs my.ip.add.ress prov.ip.add.ress
set iface disable on-demand
set iface idle 0
set iface route default
set ipcp yes vjcomp
set ipcp ranges 0.0.0.0/0 0.0.0.0/0
set bundle disable multilink
set bundle authname "??????????"
set bundle password "??????????"
set link no acfcomp protocomp
set link disable pap chap
set link accept chap
set link mtu 1492
set link keep-alive 10 60
open iface
[-- Attachment #6 --]
Ukrtel_PPPoE_link:
set link type pppoe
set pppoe iface rl1
set pppoe service "Ukrtelekom"
set pppoe disable incoming
set pppoe enable originate
[-- Attachment #7 --]
#################################################################
# PPP Sample Configuration File
# Originally written by Toshiharu OHNO
# Simplified 5/14/1999 by wself@cdrom.com
#
# See /usr/share/examples/ppp/ for some examples
#
# $FreeBSD: src/etc/ppp/ppp.conf,v 1.10 2004/11/19 17:12:56 obrien Exp $
#################################################################
default:
enable force-scripts
set device PPPoE:rl1
set speed sync
set mru 1492
set mtu 1492
enable lqr
set cd 5
set dial
set login
set redial 0 0
# set reconnect 0 0
set timeout 0
set ctsrts off
ukrtel:
set authname "??????????"
set authkey "?????????"
add default HISADDR # Add a (sticky) default route
[-- Attachment #8 --]
#!/bin/sh -
# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
fi
if [ -n "${1}" ]; then
firewall_type="${1}"
fi
############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
fwcmd="/sbin/ipfw -q"
;;
*)
fwcmd="/sbin/ipfw"
;;
esac
############
# Flush out the list before we begin.
#
${fwcmd} -f flush
case ${firewall_type} in
[Mm][Yy][Ss][Ii][Mm][Pp][Ll][Ee])
# ==============================================================
# This is my ruleset for ipfw(8). 20 March 2005
# ==============================================================
# Set these to your outside interface network and netmask and ip
oif="ng0"
oip="my.ip.add.ress"
# Set these to your inside interface network and netmask and ip
iif="rl0"
iip="192.168.82.253"
inet="192.168.82.0/24"
# Setup Loopback
${fwcmd} add 110 set 0 pass all from any to any via lo0
${fwcmd} add 120 set 0 deny all from any to 127.0.0.0/8
${fwcmd} add 130 set 0 deny ip from 127.0.0.0/8 to any
${fwcmd} add 200 set 1 deny log ip from any to any
${fwcmd} add 5000 set 0 skipto 10000 all from any to any in recv ${oif}
${fwcmd} add 5010 set 0 skipto 20000 all from any to any out xmit ${oif}
${fwcmd} add 5020 set 0 skipto 30000 all from any to any in recv ${iif}
${fwcmd} add 5030 set 0 skipto 40000 all from any to any out xmit ${iif}
${fwcmd} add 5080 set 0 allow all from any to any via rl1
${fwcmd} add 5100 set 0 deny log all from any to any
#########################################################
# Process packets in via ${oif} #########################
#########################################################
${fwcmd} add 10000 set 0 count all from any to any in recv ${oif}
# Spoofing
${fwcmd} add 10100 set 0 deny all from any to 192.168.0.0/16 in via ${oif}
${fwcmd} add 10110 set 0 deny all from 192.168.0.0/16 to any in via ${oif}
# Reset ident incoming connections
${fwcmd} add 10200 set 0 deny log tcp from any to me 113 in recv ${oif} setup
# Deny & log suspicious packets (like nmap scans)
${fwcmd} add 10210 set 0 deny log tcp from any to any in tcpflags syn,fin
# Here comes NAT ************************
${fwcmd} add 15000 set 0 divert natd all from any to me in via ${oif}
#****************************************
# Here come the dynamic rules
# NOTE: check-state here will also process rules created by
# keep-state from "in recv ${iif}" !
${fwcmd} add 16000 set 0 check-state
${fwcmd} add 16010 set 0 deny tcp from any to me established
# NOTE: limit src-addr dst-addr N is for DoS protection
# Allow access to our FTP (20,21), SSH (22), SMTP (25), DNS (53), POP3-ssl (995)
${fwcmd} set disable 11
${fwcmd} add 16100 set 11 pass tcp from any to me 20,21 in recv ${oif} setup limit src-addr 4
${fwcmd} add 16200 set 12 pass tcp from any to me 22 in recv ${oif} setup limit src-addr 4
${fwcmd} add 16300 set 13 pass tcp from any to me 25 in recv ${oif} setup keep-state
${fwcmd} add 16400 set 14 pass tcp from any to me 53 in recv ${oif} setup keep-state
${fwcmd} add 16500 set 15 pass tcp from any to me 995 in recv ${oif} setup limit src-addr 4
${fwcmd} add 16600 set 16 pass udp from any to me 53 in recv ${oif} keep-state
# Allow some icmp
# echo reply (0), destination unreachable (3), source quench (4), echo request
# (8), time-to-live exceeded (11), IP header bad (12)
#${fwcmd} add 17100 set 0 pass icmp from any to any icmptype 0,3,4,8,11,12
#${fwcmd} add 17101 set 0 deny icmp from any to any
${fwcmd} add 17100 set 0 pass icmp from any to any
# Allow IP fragments to pass through
${fwcmd} add 17200 set 0 pass all from any to any frag
# And enough
${fwcmd} add 19000 set 0 skipto 65000 all from any to any in recv ${oif}
#########################################################
# Process packets out via ${oif} ########################
#########################################################
${fwcmd} add 20000 set 0 count all from any to any out xmit ${oif}
# Spoofing
${fwcmd} add 20100 set 0 deny all from any to 192.168.0.0/16 out xmit ${oif}
# Here comes NAT********************
${fwcmd} add 25000 set 0 divert natd all from ${inet} to any out xmit ${oif}
# **********************************
# NOTE: check-state here does nothing.
# keep-state is only for ME. Local net will not use created rules.
${fwcmd} add 26000 set 0 check-state
${fwcmd} add 26100 set 0 allow tcp from me to any out xmit ${oif} keep-state
${fwcmd} add 26200 set 0 allow udp from me to any out xmit ${oif} keep-state
# Allow some icmp
# echo reply (0), destination unreachable (3), source quench (4), echo request
# (8), time-to-live exceeded (11), IP header bad (12)
#${fwcmd} add 26300 set 0 pass icmp from any to any icmptype 0,3,4,8,11,12
#${fwcmd} add 26301 set 0 deny icmp from any to any
${fwcmd} add 26300 set 0 pass icmp from any to any
# Allow IP fragments to pass through
${fwcmd} add 26400 set 0 pass all from any to any frag
# Enough
${fwcmd} add 29000 set 0 skipto 65000 all from any to any out xmit ${oif}
#########################################################
# Process packets in via ${iif} #########################
#########################################################
${fwcmd} add 30000 set 0 count all from any to any in recv ${iif}
${fwcmd} add 35000 set 0 check-state
${fwcmd} add 35100 set 0 deny tcp from any to me established in recv ${iif}
${fwcmd} add 35200 set 0 allow tcp from ${inet} to any in recv ${iif} setup keep-state
${fwcmd} add 35300 set 0 allow udp from ${inet} to any in recv ${iif} keep-state
# Allow some icmp
# echo reply (0), destination unreachable (3), source quench (4), echo request
# (8), time-to-live exceeded (11), IP header bad (12)
#${fwcmd} add 36000 set 0 pass icmp from any to any icmptype 0,3,4,8,11,12
#${fwcmd} add 36001 set 0 deny icmp from any to any
${fwcmd} add 36000 set 0 pass icmp from any to any
# Allow IP fragments to pass through
${fwcmd} add 36100 set 0 pass all from any to any frag
# Enough
${fwcmd} add 39000 set 0 skipto 65000 all from any to any in recv ${iif}
#########################################################
# Process packets out via ${iif} ########################
#########################################################
${fwcmd} add 40000 set 0 count all from any to any out xmit ${iif}
# NOTE: only packets from ME have no dynamically formed rules now
${fwcmd} add 45000 set 0 check-state
${fwcmd} add 45100 set 0 allow tcp from me to any keep-state
${fwcmd} add 45200 set 0 allow udp from me to any keep-state
# ${emule} is not defined anywhere in this script; it must be set in
# rc.conf, otherwise the rule below has no destination and ipfw rejects it.
${fwcmd} add 45250 set 0 allow all from any to ${emule}
${fwcmd} add 45300 set 0 allow all from 192.168.0.0/16 to ${inet} keep-state
# Client-bank. No sense. Make it clear.
#${fwcmd} add 47300 set 30 allow log tcp from any 20 to ${inet}
# And this one is on passive mode? Packets come from ports 30000+
#${fwcmd} add 47310 set 30 allow log tcp from 80.249.225.110 to ${inet}
# Allow some icmp
# echo reply (0), destination unreachable (3), source quench (4), echo request
# (8), time-to-live exceeded (11), IP header bad (12)
#${fwcmd} add 48000 set 0 pass icmp from any to any icmptype 0,3,4,8,11,12
#${fwcmd} add 48001 set 0 deny icmp from any to any
${fwcmd} add 48000 set 0 pass icmp from any to any
# Allow IP fragments to pass through
${fwcmd} add 48100 set 0 pass all from any to any frag
########################################################
# That's all, folks deny and log everything ############
########################################################
# Reject & log all other udp connections
${fwcmd} add 65000 set 5 deny log udp from any to any
# Reject & log everything else
${fwcmd} add 65100 set 5 deny log all from any to any
# Disable rule 200, open firewall for work
${fwcmd} set disable 1
#======================================================================
;;
*)
if [ -r "${firewall_type}" ]; then
${fwcmd} ${firewall_flags} ${firewall_type}
fi
;;
esac
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1687545235.20051226134150>
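The two captures in the message can be checked mechanically rather than by eye. The following Python script is an added editorial example and is not part of the original post or its attachments; it embeds the fourteen `tcpdump -v` lines from the post as its sample input and runs the checks a practitioner would want on an ipfw/natd router: no RFC 1918 address may appear on the outside interface, a packet whose TTL equals the router's own initial TTL was emitted by the router rather than forwarded (the router TTL of 64 is assumed, FreeBSD's default `net.inet.ip.ttl`), the longest silence in the flow shows where the transfer stalled, and a count of PSH segments per direction shows whether the server ever sent any payload. The regular expression assumes the `tcpdump -v` line layout shown above; `parse_capture`, `untranslated`, `locally_generated`, `longest_silence` and `push_segments_from` are names chosen here.

```python
"""Sanity checks over a pair of tcpdump -v captures taken on the outside (ng0)
and inside (rl0) interfaces of an ipfw/natd router.  Editorial example; the
sample captures are the lines posted in the message above."""
import ipaddress
import re
from datetime import datetime

# Field layout of the `tcpdump -v` lines used in the captures (assumption:
# timestamp, IP header summary in parentheses, "host.port > host.port: flags").
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?ttl (?P<ttl>\d+).*?\) "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SRPF.]+)[, ]"
)

# Capture on the outside interface ng0, copied from the post.
NG0_CAPTURE = """\
09:55:13.757127 IP (tos 0x0, ttl 127, id 56112, offset 0, flags [DF], proto: TCP (6), length: 48) piramida.com.ua.1140 > window.gnome.org.http: S, cksum 0x2b0b (correct), 687058407:687058407(0) win 16384 <mss 1460,nop,nop,sackOK>
09:55:13.982233 IP (tos 0x0, ttl 47, id 0, offset 0, flags [DF], proto: TCP (6), length: 48) window.gnome.org.http > piramida.com.ua.1140: S, cksum 0x6f48 (correct), 3785163588:3785163588(0) ack 687058408 win 5840 <mss 1460,nop,nop,sackOK>
09:55:13.982616 IP (tos 0x0, ttl 127, id 56115, offset 0, flags [DF], proto: TCP (6), length: 40) piramida.com.ua.1140 > window.gnome.org.http: ., cksum 0x6e6c (correct), ack 1 win 17520
09:55:13.982774 IP (tos 0x0, ttl 127, id 56116, offset 0, flags [DF], proto: TCP (6), length: 322) piramida.com.ua.1140 > window.gnome.org.http: P 1:283(282) ack 1 win 17520
09:55:14.219491 IP (tos 0x0, ttl 47, id 58466, offset 0, flags [DF], proto: TCP (6), length: 40) window.gnome.org.http > piramida.com.ua.1140: ., cksum 0x98a2 (correct), ack 283 win 6432
09:55:59.300589 IP (tos 0x0, ttl 127, id 62999, offset 0, flags [DF], proto: TCP (6), length: 40) piramida.com.ua.1140 > window.gnome.org.http: R, cksum 0xb1be (correct), 283:283(0) ack 1 win 0
09:55:59.417698 IP (tos 0x0, ttl 64, id 36993, offset 0, flags [none], proto: TCP (6), length: 40) 192.168.82.111.1140 > window.gnome.org.http: ., cksum 0x58ec (correct), ack 3785163589 win 0
"""

# Capture on the inside interface rl0, copied from the post.
RL0_CAPTURE = """\
09:55:13.756938 IP (tos 0x0, ttl 128, id 56112, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.82.111.1140 > window.gnome.org.http: S, cksum 0xd233 (correct), 687058407:687058407(0) win 16384 <mss 1460,nop,nop,sackOK>
09:55:13.982399 IP (tos 0x0, ttl 46, id 0, offset 0, flags [DF], proto: TCP (6), length: 48) window.gnome.org.http > 192.168.82.111.1140: S, cksum 0x1671 (correct), 3785163588:3785163588(0) ack 687058408 win 5840 <mss 1460,nop,nop,sackOK>
09:55:13.982538 IP (tos 0x0, ttl 128, id 56115, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.82.111.1140 > window.gnome.org.http: ., cksum 0x1595 (correct), ack 1 win 17520
09:55:13.982719 IP (tos 0x0, ttl 128, id 56116, offset 0, flags [DF], proto: TCP (6), length: 322) 192.168.82.111.1140 > window.gnome.org.http: P 1:283(282) ack 1 win 17520
09:55:14.219666 IP (tos 0x0, ttl 46, id 58466, offset 0, flags [DF], proto: TCP (6), length: 40) window.gnome.org.http > 192.168.82.111.1140: ., cksum 0x3fcb (correct), ack 283 win 6432
09:55:59.300444 IP (tos 0x0, ttl 128, id 62999, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.82.111.1140 > window.gnome.org.http: R, cksum 0x58e7 (correct), 283:283(0) ack 1 win 0
09:55:59.417786 IP (tos 0x0, ttl 64, id 36994, offset 0, flags [none], proto: TCP (6), length: 40) window.gnome.org.http > 192.168.82.111.1140: ., cksum 0x58ec (correct), ack 283 win 0
"""


def parse_capture(text):
    """Turn tcpdump -v lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        pkts.append({
            "t": ts.hour * 3600 + ts.minute * 60 + ts.second + ts.microsecond / 1e6,
            "ttl": int(m["ttl"]),
            "src": m["src"], "sport": m["sport"],
            "dst": m["dst"], "dport": m["dport"],
            "flags": m["flags"],
        })
    return pkts


def is_private(host):
    """True for RFC 1918 style addresses; resolved hostnames count as public."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def untranslated(pkts):
    """Packets still carrying a private address.  On the outside interface
    natd should have rewritten every one of these; any hit is a NAT miss."""
    return [p for p in pkts if is_private(p["src"]) or is_private(p["dst"])]


def locally_generated(pkts, router_ttl=64):
    """Packets whose TTL equals the router's own initial TTL (64 assumed, the
    FreeBSD default).  Forwarded packets arrive decremented (127/128, 46/47 in
    these captures), so an exact 64 was emitted by the router itself."""
    return [p for p in pkts if p["ttl"] == router_ttl]


def longest_silence(pkts):
    """Largest gap between consecutive packets, in seconds, and the index of
    the packet that ended it (here: the RST after a 45 s stall)."""
    best = (0.0, 0)
    for i in range(1, len(pkts)):
        gap = pkts[i]["t"] - pkts[i - 1]["t"]
        if gap > best[0]:
            best = (gap, i)
    return best


def push_segments_from(pkts, host):
    """Number of PSH segments sent by `host`; a server answering an HTTP
    request would show at least one."""
    return sum(1 for p in pkts if p["src"] == host and "P" in p["flags"])


if __name__ == "__main__":
    ng0 = parse_capture(NG0_CAPTURE)
    for p in untranslated(ng0):
        print("NAT miss on ng0: %s:%s > %s:%s ttl %d" %
              (p["src"], p["sport"], p["dst"], p["dport"], p["ttl"]))
    gap, idx = longest_silence(ng0)
    print("longest silence %.3f s, broken by flags %s" % (gap, ng0[idx]["flags"]))
    print("PSH from server:", push_segments_from(ng0, "window.gnome.org"))
```

Run against the captures in the post, the script reports the one packet on ng0 that left with the 192.168.82.111 source address and a TTL of 64, a 45 s silence ending in the client's RST, and zero PSH segments from the server, which is the same picture the author marked by hand.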
