Date: Wed, 29 Jan 2003 01:25:56 -0800 (PST)
From: Doug Barton <DougB@FreeBSD.org>
To: freebsd-stable@FreeBSD.org
Subject: ipfw/natd problem with tonight's releng_4
Message-ID: <20030129010515.C1559@12-234-22-23.pyvrag.nggov.pbz>

I'm not ready to push the big red button yet, but I definitely had a problem with natd tonight on my -stable firewall box. I've had ipfw and natd running on this box for years... so I'm sure it's not my configuration. My last set of sources was from November 10. I did recently change from having ipfw in the kernel config to loading it in a module (since I'm currently experimenting with ipfilter too). However, the Nov. 10 sources worked fine with ipfw loaded as a module.
I had to twiddle /sys/modules/ipfw/Makefile first to add the divert stuff, etc:

more /sys/modules/ipfw/Makefile
# $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.11 1999/08/28 00:47:21 peter Exp $

.PATH:  ${.CURDIR}/../../netinet

KMOD=   ipfw
SRCS=   ip_fw.c
NOMAN=

CFLAGS+= -DIPFIREWALL
#
#If you want it verbose
CFLAGS+= -DIPFIREWALL_VERBOSE
CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=10000
#
#If you want it to pass all packets by default
CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT -DIPFIREWALL_FORWARD -DIPDIVERT
#

.include <bsd.kmod.mk>

I'm sure that this is ok, since when I kldload this module, I get the following:

/kernel: IP packet filtering initialized, divert enabled, rule-based forwarding enabled, default to accept, logging limited to 10000 packets/entry by default

All of my other rules work, and natd starts without errors. However, as soon as I load the natd rule in ipfw, no packets can leave the box. The good news is that ipnat works just fine, so at least I'm functional. But I thought that the ipfw folks would want to know about this.... hopefully one of the recent updates to ipfw will suggest itself as a candidate for this problem.

Doug

-- 
If it's moving, encrypt it. If it's not moving, encrypt it till it moves, then encrypt it some more.
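The two preconditions the mail relies on (the ipfw module built with -DIPDIVERT, confirmed by the "divert enabled" banner, and a divert rule to natd present in the ruleset) can be checked before blaming a regression. The script below is an added example, not part of Doug's mail or of FreeBSD; the banner text, the ruleset lines and the interface name fxp0 are constructed samples.

```shell
#!/bin/sh
# Added pre-flight check for an ipfw + natd setup (not from the original mail).
# natd can only work if (1) the ipfw module was built with -DIPDIVERT, which the
# kernel reports as "divert enabled" in its init banner, and (2) the loaded
# ruleset contains a divert rule sending traffic to natd's port.
# Both inputs are passed as text so the check runs offline on samples.

# Return 0 if the ipfw init banner (as seen in dmesg) reports divert support.
banner_has_divert() {
    printf '%s\n' "$1" | grep -q 'IP packet filtering initialized.*divert enabled'
}

# Return 0 if "ipfw list" output contains a divert rule to natd.
# natd's default divert port is 8668, listed as "natd" in /etc/services,
# so either spelling is accepted.
rules_have_divert() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+[[:space:]]+divert[[:space:]]+(natd|8668)[[:space:]]'
}

# Run both checks, report what is missing, return non-zero if anything is.
natd_preflight() {
    banner="$1"; rules="$2"; rc=0
    if ! banner_has_divert "$banner"; then
        echo "ipfw module lacks divert support: rebuild with CFLAGS+= -DIPDIVERT"
        rc=1
    fi
    if ! rules_have_divert "$rules"; then
        echo "no 'divert natd' rule loaded: natd will never see any packets"
        rc=1
    fi
    return $rc
}

# Constructed samples (interface fxp0 is an assumption) for a stand-alone run.
SAMPLE_BANNER='IP packet filtering initialized, divert enabled, rule-based forwarding enabled, default to accept, logging limited to 10000 packets/entry by default'
SAMPLE_RULES='00050 divert natd ip from any to any via fxp0
00100 allow ip from any to any via lo0
65535 allow ip from any to any'

natd_preflight "$SAMPLE_BANNER" "$SAMPLE_RULES" && echo "divert/natd preconditions look fine"
```

If both checks pass and outbound traffic still stops once the divert rule is loaded, the problem is in ipfw or natd itself rather than in the module build or the ruleset, which is the situation the mail describes.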