Date: Sat, 13 Apr 2013 15:34:39 +0200 From: Spil Oss <spil.oss@gmail.com> To: freebsd-ipfw@freebsd.org Subject: Problems with ipfw/natd and axe(4) Message-ID: <CAEJyAvOZ6fW0i3yT_D4fH1huje-qsJwA7GGeXqAO1PKzge-YNw@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hi All, I can't use ipfw with natd with my ASIX AX88772B USB NIC ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset) 00010 allow ip from any to me dst-port 22 recv ue0 00010 allow tcp from me 22 to any xmit ue0 00100 allow ip from any to any via lo0 00200 deny ip from any to 127.0.0.0/8 00300 deny ip from 127.0.0.0/8 to any 00400 deny ip from any to ::1 00500 deny ip from ::1 to any 00600 allow ipv6-icmp from :: to ff02::/16 00700 allow ipv6-icmp from fe80::/10 to fe80::/10 00800 allow ipv6-icmp from fe80::/10 to ff02::/16 00900 allow ipv6-icmp from any to any ip6 icmp6types 1 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136 01100 deny ip from 10.16.2.1 to any in via ue0 01200 deny ip from 172.17.2.111 to any in via re0 01300 deny ip from any to 10.0.0.0/8 via ue0 01500 deny ip from any to 192.168.0.0/16 via ue0 01600 deny ip from any to 0.0.0.0/8 via ue0 01700 deny ip from any to 169.254.0.0/16 via ue0 01800 deny ip from any to 192.0.2.0/24 via ue0 01900 deny ip from any to 224.0.0.0/4 via ue0 02000 deny ip from any to 240.0.0.0/4 via ue0 02100 divert 8668 ip4 from any to any via ue0 02200 deny ip from 10.0.0.0/8 to any via ue0 02400 deny ip from 192.168.0.0/16 to any via ue0 02500 deny ip from 0.0.0.0/8 to any via ue0 02600 deny ip from 169.254.0.0/16 to any via ue0 02700 deny ip from 192.0.2.0/24 to any via ue0 02800 deny ip from 224.0.0.0/4 to any via ue0 02900 deny ip from 240.0.0.0/4 to any via ue0 03000 allow tcp from any to any established 03100 allow ip from any to any frag 03200 allow tcp from any to me dst-port 22 setup 03300 allow tcp from any to me dst-port 25 setup 03400 allow tcp from any to me dst-port 465 setup 03500 allow tcp from any to me dst-port 587 setup 03600 allow tcp from any to me dst-port 80 setup 03700 allow tcp from any to me dst-port 443 setup 03800 deny log logamount 5 ip4 from any to any in via ue0 setup proto tcp 03900 allow tcp from any to any setup 04000 allow udp from me to any dst-port 53 keep-state 04100 allow udp from me to any dst-port 123 keep-state 04200 allow ip from any to any dst-port 22 recv ue0 65535 deny ip from any to any If I remove rule 10 it will NOT work with ue0, the same ruleset without rule 10 DOES work with re0 on the same machine (re0 as external and ue0 as internal NIC). If I connect from the gateway on 172.17.2.1 to the ssh server on this machine, I can see the ACK and SYN+ACK but there's no ACK from the client to the server to establish the tcp session. Only difference I could find was that the checksum was incorrect. Found an older PR kern/170081 about fxp having trouble with nat when rxcsum/txcsum was enabled, that is why I started fiddling with rxcsum/txcsum and found that the NIC is unusable/dead without rxcsum/txcsum enabled so this was not an option. # ifconfig ue0 ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE> ether 00:60:6e:42:5b:53 inet6 fe80::260:6eff:fe42:5b53%ue0 prefixlen 64 scopeid 0x7 inet 172.17.2.111 netmask 0xffffff00 broadcast 172.17.2.255 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> media: Ethernet autoselect (100baseTX <full-duplex>) status: active Any suggestions or pointers? Kind regards, Spil.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAEJyAvOZ6fW0i3yT_D4fH1huje-qsJwA7GGeXqAO1PKzge-YNw>