From: Spil Oss <spil.oss@gmail.com>
To: freebsd-ipfw@freebsd.org, freebsd-stable@freebsd.org
Date: Wed, 21 Jul 2010 11:40:29 +0200
Subject: Changes to ipfw in 8.1

Hi,

Testing FreeBSD 8.1 I noticed that I seem to have routing or NAT or firewall issues. (csupped RELENG_8_1, which was -RELEASE not -RC last night?)

- 8.1 booted fine
- connections from the system itself were fine
- connections from my jails to the internet were not working
- connections from my LAN/WLAN to the internet were not working

Reverting back to 8.0-p2 with the same configuration works fine. In UPDATING I see that rc.firewall and rc.firewall6 were unified.

Setup is
- xl0 connected to internet/public IP via dhcp
- bge0/wlan0(ath0) connected to LAN
- jails have IPs on bge0 in the same subnet as the LAN
- allow all from any to any via bge0|wlan0|lo0
- NAT using natd

My guess is that something's changed in ipfw that is affecting my network settings. Any clues where I went wrong?

Help appreciated.

Kind regards,

Spil.

rc.conf:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

natd.conf:
interface xl0
dynamic yes
same_ports yes
# http/https to http jail
redirect_port tcp 192.168.2.3:80 80
redirect_port tcp 192.168.2.3:443 443

Part of /etc/ipfw.rules:
#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
pif=xl0
pif6=gif0
ext6="2001:dead:beef:1::1"
ks="keep-state"

ipfw -q -f flush

# Allow internal traffic
$cmd 002 allow all from any to any via bge0    # exclude LAN traffic
$cmd 003 allow all from any to any via lo0     # exclude loopback traffic
$cmd 004 allow all from any to any via wlan0   # exclude WLAN traffic
$cmd 005 allow all from any to any via bridge0 # exclude bridge traffic
$cmd 006 allow all from any to any via tun0    # exclude tunnel traffic

# Allow all encapsulated IPv6 to/from tunnel PoP
$cmd 010 allow ip4 from to me via $pif
$cmd 010 allow ip4 from me to via $pif

# Black-hole some stuff using tables
$cmd 050 drop ip from "table(17)" to any in via $pif
$cmd 050 drop ip from any to "table(17)" out via $pif

# Separate IPv6 rules (no NAT!)
$cmd 060 skipto 1000 ip6 from any to any

$cmd 100 divert natd ip from any to any in via $pif # Mangle inbound packets from external
$cmd 101 check-state

# Authorized outbound packets
$cmd 130 $skip icmp from any to any out via $pif $ks
$cmd 150 $skip tcp from any to any out via $pif $ks
$cmd 151 $skip udp from any to any out via $pif $ks
$cmd 200 allow udp from 10.50.0.1 to me 68 in $ks

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 unreach host all from 192.168.0.0/16 to any in via $pif   #RFC 1918 private IP
$cmd 301 unreach host all from 172.16.0.0/12 to any in via $pif    #RFC 1918 private IP
$cmd 302 unreach host all from 10.0.0.0/8 to any in via $pif       #RFC 1918 private IP
$cmd 303 unreach host all from 127.0.0.0/8 to any in via $pif      #loopback
$cmd 304 unreach host all from 0.0.0.0/8 to any in via $pif        #loopback
$cmd 305 unreach host all from 169.254.0.0/16 to any in via $pif   #DHCP auto-config
$cmd 306 unreach host all from 192.0.2.0/24 to any in via $pif     #reserved for docs
$cmd 307 unreach host all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 unreach host all from 224.0.0.0/3 to any in via $pif      #Class D & E multicast

# Deny packets that did not match the dynamic rule table
#$cmd 330 deny all from any to any frag in via $pif          # All late fragments
#$cmd 332 deny tcp from any to any established in via $pif   # Deny ACK

# Authorized inbound packets
$cmd 400 allow icmp from any to any icmptypes 0,11   # echo reply and TTL-exceeded
$cmd 420 allow tcp from any to me ssh in via $pif setup $ks
$cmd 421 allow tcp from any to me smtp in via $pif
$cmd 422 allow tcp from any to me http in via $pif
$cmd 423 allow tcp from any to me https in via $pif
$cmd 424 allow tcp from any to me imaps in via $pif

#$cmd 449 unreach host ip from any to any in via $pif
$cmd 448 reject log all from any to any in via $pif
$cmd 449 reject log all from any to any out via $pif
$cmd 450 reject log ip from any to any

# This is skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
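An added example, not part of the post or of FreeBSD's own tooling: a small Python lint that expands the script's shell variables the way /bin/sh would and checks the ruleset for problems that `ipfw -q` hides, such as the rule at 010 whose source address is absent in the quoted script, skipto targets outside the loaded rules, and a natd divert present in only one direction. The excerpt is a constructed subset of the posted rules.

```python
import re

# Constructed subset of the rule script quoted in the post.
SCRIPT = """\
cmd="ipfw -q add"
skip="skipto 500"
pif=xl0
ks="keep-state"
$cmd 002 allow all from any to any via bge0   # exclude LAN traffic
$cmd 010 allow ip4 from to me via $pif        # source address absent as quoted
$cmd 060 skipto 1000 ip6 from any to any
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state
$cmd 150 $skip tcp from any to any out via $pif $ks
#$cmd 330 deny all from any to any frag in via $pif
$cmd 450 reject log ip from any to any
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
"""
ENV = {"cmd": "ipfw -q add", "skip": "skipto 500", "pif": "xl0", "ks": "keep-state"}

def parse_rules(script, env):
    """Return [(number, words)] for each 'ipfw ... add NNN ...' line after
    $var expansion; comments, blank lines and assignments are skipped."""
    rules = []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0]
        line = re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), ""), line).strip()
        m = re.match(r"ipfw\s+(?:-\S+\s+)*add\s+(\d+)\s+(.*)$", line)
        if m:
            rules.append((int(m.group(1)), m.group(2).split()))
    return rules

def lint(rules):
    """Return [(rule_number, message)]; 0 marks a ruleset-wide finding."""
    findings, numbers, diverts = [], {n for n, _ in rules}, set()
    for n, words in rules:
        if re.search(r"\bfrom\s+to\b", " ".join(words)):
            findings.append((n, "no source address: ipfw rejects the rule, -q hides the error"))
        if words[0] == "skipto":
            target = int(words[1])
            if target <= n:
                findings.append((n, "skipto target must be numerically higher than the rule"))
            elif target not in numbers:
                findings.append((n, f"skipto {target} undefined here; falls to next higher rule"))
        if words[0] == "divert":  # a divert with neither 'in' nor 'out' matches both ways
            diverts |= {d for d in ("in", "out") if d in words} or {"in", "out"}
    for d in ("in", "out"):
        if d not in diverts:
            findings.append((0, f"no 'divert natd ... {d}' rule: NAT is one-directional"))
    return findings

if __name__ == "__main__":
    for n, msg in lint(parse_rules(SCRIPT, ENV)):
        print(f"rule {n:03d}: {msg}")
```

Loading the script once without `-q` (for instance `sh -x /etc/ipfw.rules`) shows the same rejections directly on a live system.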