From: n j
To: freebsd-ipfw@freebsd.org
Date: Tue, 17 Feb 2009 18:28:35 +0100
Subject: Re: in-kernel nat and stateful inspection hangs system 7.1 RELEASE

Sorry, hit the wrong key combo and message went before I finished it :(

...
> Here is the rule that after a short while (probably the first packet
> to match the rule) freezes the machine:
>

ipfw -q flush
ipfw -q nat 123 config ip a.b.c.d log
ipfw -q disable one_pass
...
> ipfw add 00003 nat 123 log ip from x.x.x.0/24 to
> a.b.c.0/24,a.b.d.0/24,a.b.e.0/24 out # keep-state here causes freeze
> ...

further down the chain...

ipfw add 00900 check-state

If anyone else experienced similar cases, I invite them to share.

Regards,
--
nino