Date: Sat, 24 Jun 2000 07:03:44 -0700 (PDT)
From: ted@wiz.plymouth.edu
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/19488: Bug in 4.0-STABLE (acting as a Bridging firewall)
Message-ID: <20000624140344.A487537B862@hub.freebsd.org>
>Number:         19488
>Category:       kern
>Synopsis:       Bug in 4.0-STABLE (acting as a Bridging firewall)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 24 07:10:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Ted Wisniewski
>Release:        4.0-RELEASE cvsup'd to STABLE
>Organization:
Plymouth State College
>Environment:
FreeBSD firewall.plymouth.edu 4.0-STABLE FreeBSD 4.0-STABLE #0: Mon Mar 27 15:58:31 EST 2000 sysop@firewall.plymouth.edu:/usr/src/sys/compile/MYKERNEL i386
>Description:
FreeBSD 4.0-RELEASE upgrading to FreeBSD 4.0-STABLE (6-22)
Firewall using Dummynet (problem still occurs even with no rules)
Dell 550Mhz with 128MB RAM and 2 ethernet cards

    xl0: <3Com 3c905B-TX Fast Etherlink XL>
    xl1: <3Com 3c905B-TX Fast Etherlink XL>

Applicable kernel config options:

    options TCP_DROP_SYNFIN
    options TCP_RESTRICT_RST
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPSTEALTH
    options BRIDGE
    options DUMMYNET
    options NMBCLUSTERS=16384

Startup options:

    bridging_enable="YES"
    bridging_fw_enable="YES"
    portmap_enable="NO"
    firewall_enable="YES"
    firewall_script="/usr/local/etc/firewall/rc.firewall"
    drop_synfin_enable="YES"

Excerpt from /etc/rc.network (I added some options):

    case ${drop_synfin_enable} in
    [Yy][Ee][Ss])
            echo -n ' DROP_SYNFIN=YES'
            sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
            ;;
    esac

    case ${bridging_enable} in
    [Yy][Ee][Ss])
            echo -n ' BRIDGING=YES'
            sysctl -w net.link.ether.bridge=1 >/dev/null
            ;;
    esac

    case ${bridging_fw_enable} in
    [Yy][Ee][Ss])
            echo -n ' BRIDGING_FW=YES'
            sysctl -w net.link.ether.bridge_ipfw=1 >/dev/null
            ;;
    esac

Following the upgrade, loss of reliable RIP updates via the firewall from the WAN gateway to the LAN routing switch. WAN gateway RIP stats confirmed outgoing packets sent. Sniffer connected via switch mirror ports on either side of the firewall.

On the WAN side of the firewall, set to filter for the WAN router IP address, confirmed subnet broadcast packets (RIP packets) in transit. Sniffer on the LAN side of the firewall confirmed very few of those getting through. Physically patched around the firewall and normal operation returned. Reverted to the old kernel on the firewall, put it back in line, and normal operation was maintained. (Did not happen to notice whether the opposite was also true, that LAN RIP packets failed to get through to the WAN router.)
>How-To-Repeat:
Build kernel on 4.0-STABLE (as of 6-22)
>Fix:
Revert to kernel made on FreeBSD-4.0-RELEASE system.
>Release-Note:
>Audit-Trail:
>Unformatted:
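The reporter's diagnostic was to mirror both sides of the transparent bridge and compare how many of the WAN router's subnet-broadcast RIP updates reappear on the LAN side. The script below is an added example (not part of this PR, and not FreeBSD code) that automates that comparison over two capture summaries. It assumes simplified one-line UDP records (a constructed format loosely modelled on tcpdump -nn, not real tcpdump text), a WAN router at 192.0.2.1 and a subnet broadcast address of 192.0.2.255 (documentation addresses chosen here), and an assumed 10% loss threshold above which the bridge is flagged as dropping RIP.

```python
"""
Added example (not part of the PR): count RIP (UDP/520) subnet-broadcast packets
seen on the WAN-side and LAN-side mirror ports of a bridging firewall and report
how many the bridge failed to forward.
"""
import re

# One UDP packet per line: "<timestamp> IP <src>.<sport> > <dst>.<dport>: UDP, length <bytes>"
# Constructed format, loosely modelled on tcpdump -nn output; not real tcpdump text.
UDP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<length>\d+)"
)

RIP_PORT = 520  # RIPv1/RIPv2 use UDP/520 as both source and destination port


def parse_udp(lines):
    """Parse summary lines into dicts; lines that are not UDP records are skipped."""
    packets = []
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if m is None:
            continue
        packets.append({
            "ts": m["ts"],
            "src": m["src"],
            "sport": int(m["sport"]),
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "length": int(m["length"]),
        })
    return packets


def rip_broadcasts(packets, router_ip, broadcast_ip):
    """Keep only RIP updates sent by the WAN router to the subnet broadcast address."""
    return [
        p for p in packets
        if p["src"] == router_ip and p["dst"] == broadcast_ip
        and p["sport"] == RIP_PORT and p["dport"] == RIP_PORT
    ]


def bridge_rip_loss(wan_lines, lan_lines, router_ip, broadcast_ip, max_loss=0.10):
    """Compare RIP broadcast counts on both sides of the bridge.

    max_loss is the fraction of WAN-side RIP broadcasts that may be missing on the
    LAN side before the bridge is reported as dropping them (assumed threshold).
    """
    sent = len(rip_broadcasts(parse_udp(wan_lines), router_ip, broadcast_ip))
    forwarded = len(rip_broadcasts(parse_udp(lan_lines), router_ip, broadcast_ip))
    lost = max(sent - forwarded, 0)
    loss_ratio = (lost / sent) if sent else 0.0
    return {
        "sent": sent,
        "forwarded": forwarded,
        "lost": lost,
        "loss_ratio": loss_ratio,
        "bridge_dropping": sent > 0 and loss_ratio > max_loss,
    }


# Constructed sample captures: six RIP broadcasts at 30-second intervals on the
# WAN side, only one of which appears on the LAN side, plus unrelated traffic.
WAN_SAMPLE = [
    "10:00:00.000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24",
    "10:00:03.101 IP 192.0.2.1.53 > 192.0.2.77.40112: UDP, length 80",
    "10:00:30.000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24",
    "10:01:00.000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24",
    "10:01:30.000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24",
    "10:02:00.000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24",
    "10:02:30.000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24",
]
LAN_SAMPLE = [
    "10:00:03.102 IP 192.0.2.1.53 > 192.0.2.77.40112: UDP, length 80",
    "10:01:00.001 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24",
    "10:01:07.500 IP 192.0.2.77.40113 > 192.0.2.1.53: UDP, length 44",
]

if __name__ == "__main__":
    # On the constructed samples: 6 sent, 1 forwarded, 5 lost, bridge flagged.
    print(bridge_rip_loss(WAN_SAMPLE, LAN_SAMPLE, "192.0.2.1", "192.0.2.255"))
```

Unicast traffic that crosses the bridge normally (the DNS lines in the samples) is deliberately ignored, so the check isolates the symptom the report describes: subnet-broadcast RIP leaving the WAN router but not emerging on the LAN side. Running the same comparison with the old kernel in place should show zero loss, which is the control the reporter obtained by reverting.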