From: ted@wiz.plymouth.edu
To: freebsd-gnats-submit@FreeBSD.org
Date: Sat, 24 Jun 2000 07:03:44 -0700 (PDT)
Message-Id: <20000624140344.A487537B862@hub.freebsd.org>
Subject: kern/19488: Bug in 4.0-STABLE (acting as a Bridging firewall)

>Number:         19488
>Category:       kern
>Synopsis:       Bug in 4.0-STABLE (acting as a Bridging firewall)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 24 07:10:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Ted Wisniewski
>Release:        4.0-RELEASE cvsup'd to STABLE
>Organization:
Plymouth State College
>Environment:
FreeBSD firewall.plymouth.edu 4.0-STABLE FreeBSD 4.0-STABLE #0: Mon Mar 27 15:58:31 EST 2000 sysop@firewall.plymouth.edu:/usr/src/sys/compile/MYKERNEL i386
>Description:
FreeBSD 4.0-RELEASE upgrading to FreeBSD 4.0-STABLE (6-22)
Firewall using Dummynet (problem still occurs even with no rules)
Dell 550MHz with 128MB RAM and 2 ethernet cards
xl0: <3Com 3c905B-TX Fast Etherlink XL>
xl1: <3Com 3c905B-TX Fast Etherlink XL>

Applicable kernel config options:
options TCP_DROP_SYNFIN
options TCP_RESTRICT_RST
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPSTEALTH
options BRIDGE
options DUMMYNET
options NMBCLUSTERS=16384

Startup options:
bridging_enable="YES"
bridging_fw_enable="YES"
portmap_enable="NO"
firewall_enable="YES"
firewall_script="/usr/local/etc/firewall/rc.firewall"
drop_synfin_enable="YES"

Excerpt from /etc/rc.network (I added some options):

	case ${drop_synfin_enable} in
	[Yy][Ee][Ss])
		echo -n ' DROP_SYNFIN=YES'
		sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
		;;
	esac

	case ${bridging_enable} in
	[Yy][Ee][Ss])
		echo -n ' BRIDGING=YES'
		sysctl -w net.link.ether.bridge=1 >/dev/null
		;;
	esac

	case ${bridging_fw_enable} in
	[Yy][Ee][Ss])
		echo -n ' BRIDGING_FW=YES'
		sysctl -w net.link.ether.bridge_ipfw=1 >/dev/null
		;;
	esac

Following upgrade, loss of reliable RIP updates via firewall from WAN gateway to LAN routing switch. WAN gateway RIP stats confirmed outgoing packets sent. Sniffer connected via switch mirror ports on either side of firewall. On WAN side of firewall, set to filter for WAN router IP address, confirmed subnet broadcast packets (RIP packets) in transit. Sniffer on LAN side of firewall confirmed very few of those getting through. Physically patched around firewall and normal operation returned. Reverted to old kernel on firewall, put it back in line, and normal operation was maintained. (Did not happen to notice whether the opposite was also true, that LAN RIP packets failed to get through to WAN router.)
>How-To-Repeat:
Build kernel on 4.0-STABLE (as of 6-22)
>Fix:
Revert to kernel made on FreeBSD-4.0-RELEASE system.
>Release-Note:
>Audit-Trail:
>Unformatted:
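The two-sided sniffer comparison the reporter did by hand, scripted as an added example (not part of the PR or of FreeBSD): it counts RIP datagrams from the WAN router on each side of the bridge and flags the box when the LAN side sees too few. It assumes tcpdump-style capture lines and uses constructed samples with placeholder addresses.

```shell
#!/bin/sh
# Added example, not from the PR or FreeBSD: script the check the reporter did
# by hand, comparing RIP datagrams seen on the WAN and LAN mirror ports of the
# bridging firewall. Lines mimic "tcpdump -n -i <if> udp port 520" output; the
# captures below are constructed samples with placeholder (RFC 5737) addresses.

# Count RIP datagrams from one source address in a capture read on stdin.
# Dots in $1 are unescaped regex metacharacters; fine for a fixed router address.
count_rip() {           # $1 = IP of the RIP speaker (the WAN router)
    grep -c "IP $1\.520 > [0-9.]*\.520: RIP" || true   # grep -c exits 1 on 0 hits
}

# Percentage of WAN-side RIP datagrams that never appeared on the LAN side.
rip_loss_pct() {        # $1 = WAN count, $2 = LAN count
    [ "$1" -gt 0 ] || { echo 0; return 0; }
    echo $(( ($1 - $2) * 100 / $1 ))
}

# Exit 0 when loss is within tolerance, 1 when the bridge is eating updates.
bridge_passes_rip() {   # $1 = WAN capture, $2 = LAN capture, $3 = router IP, $4 = max loss %
    wan=$(count_rip "$3" < "$1")
    lan=$(count_rip "$3" < "$2")
    loss=$(rip_loss_pct "$wan" "$lan")
    echo "wan=$wan lan=$lan loss=${loss}%"
    [ "$loss" -le "$4" ]
}

# Constructed captures: five RIPv2 responses leave the WAN router (one per
# 30 s RIP interval) as subnet broadcasts; only one shows up on the LAN side.
WAN_CAP=$(mktemp); LAN_CAP=$(mktemp)
trap 'rm -f "$WAN_CAP" "$LAN_CAP"' EXIT
cat > "$WAN_CAP" <<'EOF'
12:00:01.000 IP 198.51.100.1.520 > 198.51.100.255.520: RIPv2, Response, length: 24
12:00:31.000 IP 198.51.100.1.520 > 198.51.100.255.520: RIPv2, Response, length: 24
12:01:01.000 IP 198.51.100.1.520 > 198.51.100.255.520: RIPv2, Response, length: 24
12:01:31.000 IP 198.51.100.1.520 > 198.51.100.255.520: RIPv2, Response, length: 24
12:02:01.000 IP 198.51.100.1.520 > 198.51.100.255.520: RIPv2, Response, length: 24
EOF
cat > "$LAN_CAP" <<'EOF'
12:00:01.000 IP 198.51.100.1.520 > 198.51.100.255.520: RIPv2, Response, length: 24
12:00:40.000 IP 198.51.100.7.80 > 198.51.100.9.51234: Flags [P.], length 60
EOF

# Usage: more than 20% loss means the bridge/ipfw path needs a look.
bridge_passes_rip "$WAN_CAP" "$LAN_CAP" 198.51.100.1 20 \
    || echo "RIP loss exceeds tolerance: check net.link.ether.bridge_ipfw and the rule set"
```

Point real captures at the script by replacing the two heredocs with files saved from tcpdump on each mirror port, and compare before and after a kernel change.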