From: Jason Mattax <jmattax@storytotell.org>
To: freebsd-ipfw@freebsd.org
Date: Fri, 11 Feb 2011 20:02:10 -0700
Subject: Strange problem
Message-ID: <4D55F832.7010604@storytotell.org>

I'm currently running 8.1-RELEASE-p2 and attempting to set up a firewall with natd and ipfw. I was trying a more complicated ipfw script and had some problems. I reduced my rule set to the smallest set I could manage to find the exact rule that causes problems. xl0 is my world-facing interface and re0 faces my internal network.
The working ruleset is

$ipfw list
00050 allow ip from any to any via lo0
00100 divert 8668 log ip from any to any in via xl0
10000 divert 8668 log ip from any to any out via xl0
10005 allow ip from any to any
65535 allow ip from any to any

With this I get a log containing

$tail ipfw.log
Feb 10 20:37:53 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP 192.168.0.10:22 192.168.0.15:60569 out via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP 192.168.0.10:22 192.168.0.15:60569 out via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 10000 Divert 8668 TCP 192.168.0.10:22 192.168.0.15:60569 out via xl0
Feb 10 20:37:54 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0

Both of the diverts are working and machines attached to the internal NIC can communicate through the computer. Now, because I would like to be able to drop some packets, I'm going to add a skip, since eventually that will get me where I want to be.
This just adds rule 00310, which skips over no rules all the time:

$ipfw list
00050 allow ip from any to any via lo0
00100 divert 8668 log ip from any to any in via xl0
00310 skipto 9999 log ip from any to any
10000 divert 8668 log ip from any to any out via xl0
10005 allow ip from any to any
65535 allow ip from any to any

Now the log contains

$tail ipfw.log
Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.10:22 192.168.0.15:60569 out via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.10:22 192.168.0.15:60569 out via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 100 Divert 8668 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0
Feb 10 20:36:45 stilgar kernel: ipfw: 310 SkipTo 9999 TCP 192.168.0.15:60569 192.168.0.10:22 in via xl0

Rules 100 and 310 are being hit, but rule 10000 is no longer triggering. This means that my outgoing packets aren't having their source address rewritten, so I don't get responses (and put unroutable traffic on the internet). Can anyone explain to me what I'm doing wrong here?

Jason Mattax

-- 
Jason Mattax
575-418-1791
jmattax@storytotell.org
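A small rule-evaluation simulator, added here as an example and not part of the original mail or of FreeBSD's ipfw, helps separate what the documented ipfw(8) semantics predict for the second ruleset from what the posted log shows. It models only the rule subset used above (allow, divert, skipto, log, "via"/"in via"/"out via"), walks rules in ascending number order, treats "skipto N" as continuing at the first rule numbered N or higher, and assumes net.inet.ip.fw.one_pass=0 so that a diverted packet re-enters the ruleset at the rule after the divert (an assumption consistent with the log, where the same inbound packet hits both 100 and 310). The two packets fed in are constructed to mirror the addresses in the log; the functions and names are the example's own.

```python
"""Toy evaluator for the ipfw rule subset in the post (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ruleset exactly as listed in the post (second listing, with the skipto).
RULESET = """
00050 allow ip from any to any via lo0
00100 divert 8668 log ip from any to any in via xl0
00310 skipto 9999 log ip from any to any
10000 divert 8668 log ip from any to any out via xl0
10005 allow ip from any to any
65535 allow ip from any to any
"""

@dataclass
class Packet:
    src: str        # "ip:port", constructed to match the posted log lines
    dst: str
    direction: str  # "in" or "out"
    iface: str      # interface the packet crosses

@dataclass
class Rule:
    num: int
    action: str               # allow | divert | skipto
    arg: Optional[int]        # divert port or skipto target
    log: bool
    direction: Optional[str]  # None matches both directions
    iface: Optional[str]      # None matches any interface

# Only the syntax used above: "<num> <action> [<arg>] [log] ip from any to any [in|out] [via <if>]"
RULE_RE = re.compile(
    r"^(\d+)\s+(allow|divert|skipto)(?:\s+(\d+))?(\s+log)?\s+ip\s+from\s+any\s+to\s+any"
    r"(?:\s+(in|out))?(?:\s+via\s+(\S+))?$"
)

def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        num, action, arg, log, direction, iface = m.groups()
        rules.append(Rule(int(num), action, int(arg) if arg else None,
                          bool(log), direction, iface))
    return sorted(rules, key=lambda r: r.num)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    return True

def first_index_at_or_after(rules: List[Rule], target: int) -> int:
    """skipto semantics: continue at the first rule numbered >= target."""
    for i, r in enumerate(rules):
        if r.num >= target:
            return i
    return len(rules)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[List[str], str]:
    """Return (log lines in the kernel's format, final disposition)."""
    log: List[str] = []
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        if r.log:
            verb = {"allow": "Accept", "divert": f"Divert {r.arg}",
                    "skipto": f"SkipTo {r.arg}"}[r.action]
            log.append(f"ipfw: {r.num} {verb} TCP {pkt.src} {pkt.dst} "
                       f"{pkt.direction} via {pkt.iface}")
        if r.action == "allow":
            return log, "accept"
        if r.action == "divert":
            i += 1  # one_pass=0 assumed: reinjected packet continues at next rule
            continue
        if r.action == "skipto":
            i = first_index_at_or_after(rules, r.arg)
            continue
    return log, "deny"  # fell off the end of the ruleset

def simulate_post_packets() -> dict:
    """Run the two packet directions seen in the posted log through the ruleset."""
    rules = parse_rules(RULESET)
    inbound = Packet("192.168.0.15:60569", "192.168.0.10:22", "in", "xl0")
    outbound = Packet("192.168.0.10:22", "192.168.0.15:60569", "out", "xl0")
    return {"in": evaluate(rules, inbound), "out": evaluate(rules, outbound)}

if __name__ == "__main__":
    for direction, (lines, disposition) in simulate_post_packets().items():
        print(f"--- {direction}bound packet -> {disposition}")
        print("\n".join(lines))
```

Under these semantics the outbound packet should log both "310 SkipTo 9999" and "10000 Divert 8668" before reaching the allow at 10005, whereas the posted log shows only the SkipTo line for outbound traffic. That gap is exactly what the question above is about; the simulator does not explain it, it only makes the expected behaviour explicit so the mismatch is easy to see.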