Date: Tue, 17 Feb 2009 00:12:55 +0200
From: Özkan KIRIK <ozkan@mersin.edu.tr>
To: freebsd-ipfw@freebsd.org
Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE
Message-ID: <1d3a1860902161412w2225734do71939efd32346a23@mail.gmail.com>
In-Reply-To: <200902161428.n1GESLvL015103@lurza.secnetix.de>
References: <1d3a1860902160108j372b4446pd21760984d253627@mail.gmail.com> <200902161428.n1GESLvL015103@lurza.secnetix.de>
Thanks for your reply, it is only a typo. In the real rule set it is correctly written. I wanna use stateful inspection.

On Mon, Feb 16, 2009 at 4:28 PM, Oliver Fromme <olli@lurza.secnetix.de> wrote:
> Hello,
>
> Unfortunately I can't help you with your actual problem,
> but I have a few remarks that might be helpful.
>
> Özkan KIRIK wrote:
> > I am using FreeBSD 7.1 RELEASE as gateway (about 2000 clients, 90 vlans
> > via if_vlan).
> > My server is an HP DL380 G4. I am using the on-board gigabit nic as wan
> > interface, which uses the bge driver.
> >
> > My rule set is below:
> >
> > wan_intf="bge1"
> > ipfw nat 100 config ip X.X.X.1 reset same_ports
> > ipfw nat 101 config ip X.X.X.2 reset same_ports
> > ipfw nat 102 config ip X.X.X.3 reset same_ports
> > ...
> > ...
> > ipfw add 5 allow all from any to any layer2
> > ipfw add 50 checkstate
>
> Note: It is spelled "check-state". Please verify that you
> have it correctly in your ipfw script.
>
> > ...
> > ... Other port forwarding and static nat rules without keep-state
> > ...
> > ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via $wan_intf
> > ipfw add 50000 nat 101 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.2 to any setup keep-state via $wan_intf
> > ipfw add 50000 nat 102 all from 10.1.0.0/16 to any via $wan_intf
> > ipfw add 50000 skipto 51000 all from X.X.X.3 to any setup keep-state via $wan_intf
> > ...
> > ...
> > ipfw add 51000 nat 100 all from any to X.X.X.1 via $wan_intf
> > ipfw add 51000 nat 101 all from any to X.X.X.2 via $wan_intf
> > ipfw add 51000 nat 102 all from any to X.X.X.3 via $wan_intf
> > ...
> > ...
> >
> > About 2 minutes after applying this rule set, the system writes "bge1
> > watchdog timeout --- resetting" and then the system hangs; the keyboard doesn't
> > respond. No logs can be observed.
> >
> > When I remove all skipto and checkstate rules, the system works properly
> > without problems. I suspect the stateful inspection code.
>
> If you don't have an explicit check-state rule, then there's
> an implicit check-state rule at the first keep-state.
> If you don't want any check-state at all, you must remove
> all stateful rules (i.e. all "keep-state" rules).
>
> Best regards
>    Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
> Commercial register: Registration court Munich, HRA 74606, Management:
> secnetix Verwaltungsgesellsch. mbH, Commercial register: Registration court Munich,
> HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
>
> FreeBSD services, products and more: http://www.secnetix.de/bsd
>
> $ dd if=/dev/urandom of=test.pl count=1
> $ file test.pl
> test.pl: perl script text executable
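Added example, not from either poster: a small POSIX shell lint over a constructed ipfw rule script that flags the "checkstate" misspelling Oliver points out and reports where ipfw's implicit check-state lands (the first keep-state rule) when no explicit check-state rule exists. The X.X.X.n addresses and the bge1 interface are placeholders taken from the thread, not real values.

```shell
#!/bin/sh
# Lint an ipfw rule script for the two stateful-inspection points raised in
# the thread: a misspelled "checkstate" keyword, and keep-state rules that
# rely on ipfw's implicit check-state (applied at the first keep-state rule)
# because the script has no explicit check-state rule.
# SAMPLE_RULES is a constructed excerpt; X.X.X.1 and bge1 are placeholders.

SAMPLE_RULES='ipfw add 5 allow all from any to any layer2
ipfw add 50 checkstate
ipfw add 50000 nat 100 all from 10.1.0.0/16 to any via bge1
ipfw add 50000 skipto 51000 all from X.X.X.1 to any setup keep-state via bge1
ipfw add 51000 nat 100 all from any to X.X.X.1 via bge1'

# Print the rule number of every line that uses "checkstate" (not a keyword).
misspelled_checkstate() {
    printf '%s\n' "$1" | awk '/^ipfw add [0-9]+ checkstate([[:space:]]|$)/ { print $3 }'
}

# Count correctly spelled, explicit check-state rules.
explicit_checkstate_count() {
    printf '%s\n' "$1" | grep -c -E '^ipfw add [0-9]+ check-state([[:space:]]|$)' || true
}

# When no explicit check-state exists, print the number of the first keep-state
# rule: that is where ipfw checks the dynamic ruleset. Prints nothing otherwise.
implicit_checkstate_at() {
    if [ "$(explicit_checkstate_count "$1")" -eq 0 ]; then
        printf '%s\n' "$1" | awk '/^ipfw add [0-9]+ .*keep-state/ { print $3; exit }'
    fi
}

# Human-readable report for a whole rule script.
lint_ipfw() {
    for n in $(misspelled_checkstate "$1"); do
        echo "rule $n: 'checkstate' is not an ipfw keyword; use 'check-state'"
    done
    at=$(implicit_checkstate_at "$1")
    [ -n "$at" ] && echo "no explicit check-state: implicit check-state applies at rule $at"
    return 0
}

lint_ipfw "$SAMPLE_RULES"
```

Running it against the sample reports rule 50 as misspelled and the implicit check-state at rule 50000; correcting the keyword makes the second finding disappear.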