From: "cdavis" <cdavis@aspv.edu.mx>
To: freebsd-ipfw@freebsd.org
Date: Fri, 3 Nov 2006 18:17:54 -0500
Subject: FreeBSD 5.5 - stable IPFW FWD to {another ip} doesn't work even with 5.3 beta patch
List-Id: IPFW Technical Discussions

I have had the same thing happen to me. I cvsupped to 5.5 stable and now my redirects don't work. I'm in a pickle. I think it has something to do with the ipfw2 and natd not being in the same boat. For documentation's sake, here is my simplest case and not the production case. When logged in to my gateway box that used to do the redirects, I can see both inside and outside. My webserver on the inside works just fine. Other workstations on the inside get NATted just fine. That is, they can surf the web and ssh out and all.
my kernconf has

######ipfw stuff
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_FORWARD_EXTENDED
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options LIBMCHAIN   #mbuf management library
options LIBICONV    #Kernel side iconv library
#############

#rc.conf
defaultrouter="201.116.xxx.xxx"
hostname="chipotle.xxx.xxx"
network_interfaces="fxp0 em0 em1"
ifconfig_fxp0="inet 192.168.0.4 netmask 255.255.255.0"
ifconfig_em1="inet 201.116.226.229 netmask 255.255.255.240"
ifconfig_em0="inet 192.168.1.1 netmask 255.255.255.0"
routed_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
sshd_enable="YES"
natd_interface="em1"
inside_interface="em0"
other_inside_interface="fxp0"
firewall_enable="YES"
firewall_logging="YES"
gateway_enable="YES"
firewall_type="OPEN"
natd_enable="yes"
natd_flags="-f /etc/natd.conf"
#################

#rc.firewall
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any em1
#################################

I have also tried the stateful firewalls from http://www.freebsdwiki.net/index.php/Firewall%2C_Configuring and the standard "OPEN" from /usr/src/etc/rc.firewall. All of which work fine as far as NATting local traffic, but none of which let the redirects out.

#########################
#natd.conf
interface em1
unregistered_only yes
deny_incoming no
use_sockets yes
same_ports yes
dynamic yes
redirect_port tcp 192.168.0.2:80 8080
redirect_port tcp 192.168.0.3:80 5040
##############################

As I said, this box was working like a champ, and after the cvsup, buildworld, buildkernel, install kernel, installworld, mergemaster it stopped redirecting my ports 8080 and 5040. From what I can tell on the net, ipfw2 and natd don't use libalias the same way. I know there was some talk of making all of them modules. I have tried building with NO_MODULES=yes and with modules. This is a PAE machine with 2 gigs of memory, so I took PAE out. Thanks for the consideration.
Not to bore all of you, but here is my dmesg. As you can see, I've rebuilt this kernel a few times trying to figure out what the problem is.

Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 5.5-STABLE #19: Fri Nov 3 13:59:27 CST 2006
    cdavis@chipotle.xxx.xxx:/usr/obj/usr/src/sys/CHIPOTLE
ACPI APIC Table:
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(TM) CPU 3.20GHz (3192.22-MHz 686-class CPU)
  Origin = "GenuineIntel" Id = 0xf41 Stepping = 1
  Features=0xbfebfbff
  Hyperthreading: 2 logical CPUs
real memory = 2147221504 (2047 MB)
avail memory = 2099965952 (2002 MB)
ioapic0: Changing APIC ID to 2
ioapic1: Changing APIC ID to 3
ioapic1: WARNING: intbase 32 != expected base 24
ioapic2: Changing APIC ID to 4
ioapic2: WARNING: intbase 64 != expected base 56
ioapic3: Changing APIC ID to 5
ioapic3: WARNING: intbase 96 != expected base 88
ioapic0 irqs 0-23 on motherboard
ioapic1 irqs 32-55 on motherboard
ioapic2 irqs 64-87 on motherboard
ioapic3 irqs 96-119 on motherboard
netsmb_dev: loaded
acpi0: on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x808-0x80b on acpi0
cpu0: on acpi0
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
pcib1: at device 2.0 on pci0
pci1: on pcib1
pcib2: at device 0.0 on pci1
pci2: on pcib2
amr0: mem 0xdfec0000-0xdfefffff,0xda0f0000-0xda0fffff irq 46 at device 14.0 on pci2
amr0: Firmware 516A, BIOS H418, 256MB RAM
pcib3: at device 0.2 on pci1
pci3: on pcib3
pcib4: at device 3.0 on pci0
pci4: on pcib4
pcib5: at device 0.0 on pci4
pci5: on pcib5
fxp0: port 0xecc0-0xecff mem 0xdfbc0000-0xdfbdffff,0xdfbff000-0xdfbfffff irq 106 at device 4.0 on pci5
miibus0: on fxp0
inphy0: on miibus0
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: Ethernet address: 00:0e:0c:75:df:a8
pcib6: at device 0.2 on pci4
pci6: on pcib6
pcib7: at device 4.0 on pci0
pci7: on pcib7
pcib8: at device 5.0 on pci0
pci10: on pcib8
pcib9: at device 0.0 on pci10
pci11: on pcib9
em0: port 0xccc0-0xccff mem 0xdf7e0000-0xdf7fffff irq 64 at device 7.0 on pci11
em0: Ethernet address: 00:11:43:ef:c5:76
pcib10: at device 0.2 on pci10
pci12: on pcib10
em1: port 0xbcc0-0xbcff mem 0xdf5e0000-0xdf5fffff irq 65 at device 8.0 on pci12
em1: Ethernet address: 00:11:43:ef:c5:77
pcib11: at device 6.0 on pci0
pci13: on pcib11
pcib12: at device 30.0 on pci0
pci16: on pcib12
pci16: at device 13.0 (no driver attached)
isab0: at device 31.0 on pci0
isa0: on isab0
atapci0: port 0xfc00-0xfc0f,0x376,0x170-0x177,0x3f6,0x1f0-0x1f7 at device 31.1 on pci0
ata0: channel #0 on atapci0
ata1: channel #1 on atapci0
fdc0: port 0x3f7,0x3f0-0x3f5 irq 6 drq 2 on acpi0
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: port 0x64,0x60 irq 1 on acpi0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
psm0: irq 12 on atkbdc0
psm0: model IntelliMouse, device ID 3
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
npx0: on motherboard
npx0: INT 16 interface
orm0: at iomem 0xec000-0xeffff,0xce800-0xcf7ff,0xcb000-0xcbfff,0xc0000-0xcafff on isa0
pmtimer0 on isa0
ppc0: parallel port not found.
sc0: at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 3192224640 Hz quality 800
Timecounters tick every 10.000 msec
ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to accept, logging unlimited
acd0: CDROM at ata0-master PIO4
amrd0: on amr0
amrd0: 34680MB (71024640 sectors) RAID 1 (optimal)
amrd1: on amr0
amrd1: 209640MB (429342720 sectors) RAID 5 (optimal)
ses0 at amr0 bus 0 target 6 lun 0
ses0: Fixed Processor SCSI-2 device
ses0: SAF-TE Compliant Device
ses1 at amr0 bus 1 target 6 lun 0
ses1: Fixed Processor SCSI-2 device
ses1: SAF-TE Compliant Device
Mounting root from ufs:/dev/amrd0s3a
em0: Link is up 100 Mbps Full Duplex
em1: Link is up 100 Mbps Full Duplex
############################################################
Thanks again,
Chris Davis
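The post's redirect_port entries only work if an inbound packet to the external port reaches the divert rule before any allow or deny rule ends ipfw's rule search, which is the first thing to verify when a redirect dies after a rebuild. The following script is an added example, not code from the post or from FreeBSD: it parses the redirect_port lines of a natd.conf and the text of an `ipfw list`, then walks the rules in numeric order for an inbound TCP packet to each redirected port on the natd interface and reports which rule terminates the search. The natd.conf and rule list below are constructed samples (the rule list deliberately contains an ordering mistake), the external address is the em1 address from the post, and the matcher is a simplification that models protocol, destination address, destination port and interface only (no tables, state, negation or IPv6).

```python
"""Check whether natd port redirects can still reach the divert rule.
Added example; the inputs are constructed and the matcher is simplified."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed natd.conf, same shape as the one in the post.
NATD_CONF = """\
interface em1
unregistered_only yes
redirect_port tcp 192.168.0.2:80 8080
redirect_port tcp 192.168.0.3:80 5040
"""

# Constructed `ipfw list` output with a deliberate ordering problem:
# rule 200 drops port 5040 before the divert rule at 300 can translate it.
IPFW_LIST = """\
00100 allow ip from any to any via lo0
00200 deny tcp from any to any dst-port 5040 in via em1
00300 divert 8668 ip from any to any via em1
65535 allow ip from any to any
"""

# Actions that end the rule search, normalised; count and friends are skipped.
TERMINATING = {"divert": "divert", "allow": "allow", "accept": "allow",
               "pass": "allow", "deny": "deny", "drop": "deny"}


@dataclass
class Rule:
    number: int
    action: str                 # divert / allow / deny
    proto: str                  # ip, all, tcp, udp, ...
    dst: str                    # any, me, address or CIDR
    dst_ports: Optional[set]    # None means any port
    iface: Optional[str]        # None means any interface


def parse_ports(spec: str) -> set:
    """Expand '80', '80,443' or '1024-1026' into a set of ports."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one `ipfw list` line; None for non-terminating actions."""
    toks = line.split()
    number, action = int(toks[0]), toks[1]
    if action not in TERMINATING:
        return None
    i = 3 if action == "divert" else 2          # divert carries a socket port
    proto = toks[i]
    i += 3                                      # proto, "from", source address
    if toks[i] != "to":
        i += 1                                  # optional source ports
    dst = toks[i + 1]
    i += 2
    dst_ports = None
    if i < len(toks) and toks[i] == "dst-port":
        dst_ports, i = parse_ports(toks[i + 1]), i + 2
    elif i < len(toks) and toks[i][0].isdigit():
        dst_ports, i = parse_ports(toks[i]), i + 1   # old-style bare port list
    iface = None
    while i < len(toks):                        # in/out/via/keep-state ...
        if toks[i] in ("via", "recv", "xmit"):
            iface = toks[i + 1]
            i += 1
        i += 1
    return Rule(number, TERMINATING[action], proto, dst, dst_ports, iface)


def addr_matches(spec: str, ip: str, ext_ip: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return ip == ext_ip
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False                            # tables, "not", etc. not modelled


def parse_natd(conf: str):
    """Return (interface, [(proto, external_port), ...]) from a natd.conf."""
    iface, redirects = None, []
    for line in conf.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0] == "interface":
            iface = toks[1]
        elif toks[0] == "redirect_port":        # proto target_ip:port [alias_ip:]port
            redirects.append((toks[1], int(toks[3].rsplit(":", 1)[-1])))
    return iface, redirects


def first_terminating_rule(rules, proto, dst_ip, dst_port, iface, ext_ip):
    """Walk rules in order, as ipfw does, and return the first that matches."""
    for r in rules:
        if r.proto not in ("ip", "all", proto):
            continue
        if not addr_matches(r.dst, dst_ip, ext_ip):
            continue
        if r.dst_ports is not None and dst_port not in r.dst_ports:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        return r
    return None


def check_redirects(natd_conf: str, ipfw_list: str, ext_ip: str) -> dict:
    """Map each redirected external port to (action, rule number) of the rule
    that ends the search; 'divert' means natd sees the packet, anything else
    means the redirect is dead for that port."""
    iface, redirects = parse_natd(natd_conf)
    rules = [r for r in map(parse_rule, ipfw_list.splitlines()) if r]
    result = {}
    for proto, port in redirects:
        hit = first_terminating_rule(rules, proto, ext_ip, port, iface, ext_ip)
        result[port] = (hit.action, hit.number) if hit else ("default", None)
    return result


if __name__ == "__main__":
    # 201.116.226.229 is the em1 address from the post's rc.conf.
    for port, (action, num) in check_redirects(NATD_CONF, IPFW_LIST, "201.116.226.229").items():
        print(f"port {port}: {'OK' if action == 'divert' else 'BROKEN'} (rule {num}: {action})")
```

Run against a real box by replacing the two constants with the contents of /etc/natd.conf and the output of `ipfw list`; a port that reports anything other than `divert` is being accepted or dropped untranslated, so the fix is to move the divert rule above that rule.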