From owner-freebsd-stable Sat May 20 17:39:42 2000
Delivered-To: freebsd-stable@freebsd.org
Message-Id: <200005210038.e4L0cTx00858@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.0-STABLE
To: darrenr@reed.wattle.id.au, jlemon@freebsd.org
Cc: ipfilter@coombs.anu.edu.au, freebsd-stable@freebsd.org, ps@freebsd.org
Subject: Re: FTP proxy without translation no longer working? (fwd)
Date: Sat, 20 May 2000 17:37:57 -0700

I've managed to track down the problem to a FreeBSD commit.  Where in the
commit, I'm not sure yet.  Restoring the files in the commit to their
previous versions on a -stable system as of May 17 definitely fixes the
problem.
jlemon      2000/05/05 06:37:06 PDT

  Modified files:        (Branch: RELENG_4)
    sys/netinet          ip_input.c ip_output.c tcp_input.c tcp_output.c
                         tcp_subr.c udp_usrreq.c
    sys/sys              mbuf.h param.h
    sys/pci              if_ti.c
    sys/i386/i386        in_cksum.c
    sys/i386/include     in_cksum.h param.h
    sys/alpha/alpha      in_cksum.c
    sys/alpha/include    in_cksum.h
    sys/net              if.h if_var.h slcompress.h
  Log:
  MFC: delayed checksum work.  This also brings the mbuf size up to 256.

  Revision   Changes    Path
  1.130.2.1  +15 -4     src/sys/netinet/ip_input.c
  1.99.2.1   +110 -29   src/sys/netinet/ip_output.c
  1.107.2.2  +23 -11    src/sys/netinet/tcp_input.c
  1.39.2.1   +12 -9     src/sys/netinet/tcp_output.c
  1.73.2.1   +20 -22    src/sys/netinet/tcp_subr.c
  1.64.2.1   +26 -11    src/sys/netinet/udp_usrreq.c
  1.44.2.3   +22 -6     src/sys/sys/mbuf.h
  1.61.2.4   +2 -2      src/sys/sys/param.h
  1.25.2.1   +63 -38    src/sys/pci/if_ti.c
  1.17.2.1   +191 -2    src/sys/i386/i386/in_cksum.c
  1.7.2.1    +26 -1     src/sys/i386/include/in_cksum.h
  1.54.2.1   +2 -2      src/sys/i386/include/param.h
  1.2.2.1    +67 -1     src/sys/alpha/alpha/in_cksum.c
  1.3.2.1    +4 -1      src/sys/alpha/include/in_cksum.h
  1.58.2.1   +3 -3      src/sys/net/if.h
  1.18.2.1   +2 -1      src/sys/net/if_var.h
  1.14.2.1   +2 -2      src/sys/net/slcompress.h


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- Forwarded Message

Message-Id: <200005201619.e4KGJEL03648@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.0-STABLE
To: Gert-Jan Vons
cc: ipfilter@coombs.anu.edu.au, freebsd-stable@freebsd.org
Subject: Re: FTP proxy without translation no longer working?
In-reply-to: Your message of "Fri, 19 May 2000 09:37:28 +0200."
             <4.3.1.2.20000519092049.00b809e0@mail.vons.local>
Date: Sat, 20 May 2000 09:18:29 -0700
Resent-To: cy@passer.osg.gov.bc.ca
Resent-Date: Sat, 20 May 2000 09:29:01 -0700
Resent-From: Cy Schubert

Added freebsd-stable@freebsd.org to the cc list, as the solution may be
found there as well as on the IP Filter mailing list.

In message <4.3.1.2.20000519092049.00b809e0@mail.vons.local>, Gert-Jan Vons
writes:
> At 02:43 19/05/2000 +1000, Darren Reed wrote:
>
> >In some email I received from Jefferson Ogata, sie wrote:
> >[...]
> > > Well, I'm having a really insane problem, and it's not making me happy.
> > > ...
> > > All IP Filter filtering and NAT features appear to work on both types,
> > > with the exception of FTP proxying. I haven't tested rdr.
> >
> >Both sets of rules are equivalent, with:
> >
> >map foo0 1.2.3.4/32 -> 5.6.7.8/32 proxy port ftp ftp/tcp
> >
> >(there is a bug with 0/32 on the RHS in 3.3.14)
>
> Can you tell me more about that bug? (do you have a work-around or a fix?)
>
> I am seeing problems with NAT and I do have a 0/32 on the RHS.

Actually it's the 0/0 part of the rule.  For example:

map xl0 10.1.1.0/24 -> 0.0.0.0/32 proxy port ...              works
map xl0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ...                doesn't
map xl0 10.1.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000 works
map xl0 0.0.0.0/0 -> 0.0.0.0/32 portmap tcp/udp 40000:60000   doesn't

>
> I started with FreeBSD 4.0-Release, ipfilter 3.3.13, and ppp from 11-4-2000.
>
> I updated in steps to 3.3.14 and then 3.4.2 (for those who mailed me about
> the -Werror, thanks for your help!), then installed the latest ppp of
> 11-5-2000, and was preparing to install a 4.0-Stable kernel.
>
> I haven't a clear description of the problem. Once I saw a SYN go out but
> nothing coming back, another time I didn't even see a SYN going out. I once
> got the impression that an "ipnat -CF -f /etc/ipnat.rules" made things
> work, but that may have been a coincidence.
>
> I don't have much time at the moment to investigate further (maybe in a
> week or two), so if this corresponds to a known problem...

I think that something in FreeBSD has changed.  -stable as of April 22 had
no problems with the commented out rules under 3.3.x and 3.4.3:

# map xl0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map xl0 10.1.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map xl0 10.1.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map xl0 10.1.1.0/24 -> 0.0.0.0/32
map tun0 10.1.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map tun0 10.1.1.0/24 -> 0.0.0.0/32
map ppp0 10.1.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map ppp0 10.1.1.0/24 -> 0.0.0.0/32
map tun3 10.1.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map tun3 10.1.1.0/24 -> 0.0.0.0/32
# map tun3 0.0.0.0/0 -> 0.0.0.0/32 proxy port ekshell rcmd/tcp
# map tun3 0.0.0.0/0 -> 0.0.0.0/32 proxy port kshell rcmd/tcp
# map tun3 0.0.0.0/0 -> 0.0.0.0/32 proxy port shell rcmd/tcp

tun3 is a VPN (IPSec) session to my employer's site.

As of FreeBSD-stable from May 17 the 0/0 rules no longer work under either
IPF 3.3.15 or IPF 3.4.3.  I think that the FreeBSD IP stack was either
broken or the FreeBSD IP stack is evolving in some way that is incompatible
with IP Filter (nobody's fault).
The symptoms using FreeBSD-4.0-STABLE as of May 17 are:

- No route to host messages or hung sessions, depending on the protocol.
  Yet pings and traceroutes work.

- Adding the rule:

  map tun3 0.0.0.0/0 -> 0.0.0.0/32 portmap tcp/udp 40000:60000

  causes outbound telnet sessions to hang.  This is not a proxy problem but
  is related to NAT.

- NAT from systems on the LAN, through the gateway, e.g. the uncommented
  NAT rules, work.  In other words only NAT (proxy or otherwise) sessions
  from the gateway itself fail.

This seems to indicate that FreeBSD's routing code has changed since a
month ago, as IPF injects the NATed packets back into the IP stack for the
routing tables to route (e.g. not Darren's fault).

I can see two paths to the solution:

1. FreeBSD IP stack is regressed or fixed to allow IP Filter to inject
   packets into the stack (routing) as it did in April, or

2. Darren finds out what has changed, how it affects IP Filter and adjusts
   IP Filter.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- End of Forwarded Message
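Editor's note on the commit identified above.  The thread establishes two facts: the regression appeared with the RELENG_4 merge logged as "delayed checksum work", and only NAT sessions originating on the gateway itself fail, while NAT for hosts behind the gateway keeps working.  Cy's own reading is that routing changed; the thread does not settle the mechanism, and nothing below should be read as the actual FreeBSD or IP Filter code path.  What the example below shows is the general hazard a NAT implementation runs into with locally originated packets: the usual way to rewrite an address or port is to patch the existing IP and TCP checksums incrementally (RFC 1624), and that is only correct if the checksum field already holds the real checksum.  A sending host that defers the transport checksum to a later stage hands the filter a packet where that is not true, and an incremental patch of a not-yet-computed field produces garbage that the far end silently discards, which looks from the outside exactly like a SYN that goes out and gets no answer.  The code is an added, self-contained illustration written for this page, not from the thread, FreeBSD or IP Filter; the packet, the addresses (10.1.1.1, 192.0.2.21, 198.51.100.1) and the `tcp_csum_deferred` flag are constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#define IP_HLEN  20
#define TCP_HLEN 20

/* Sum big-endian 16-bit words as in_cksum() does (odd trailing byte zero padded). */
static uint32_t cksum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}

/* Fold the carries and complement: the value that goes on the wire. */
static uint16_t cksum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* RFC 1624 update HC' = ~(~HC + ~m + m'); only valid if HC is the real current checksum. */
static uint16_t cksum_adjust(uint16_t hc, uint16_t m, uint16_t mp)
{ return cksum_fold((uint16_t)~hc + (uint16_t)~m + (uint32_t)mp); }

/* IPv4 header checksum, the checksum field (bytes 10-11) counted as zero. */
uint16_t ip_hdr_cksum(const uint8_t *pkt)
{ return cksum_fold(cksum_add(cksum_add(0, pkt, 10), pkt + 12, 8)); }

/* TCP checksum over pseudo-header and segment, checksum field counted as zero. */
uint16_t tcp_cksum(const uint8_t *pkt, size_t pktlen)
{
    const uint8_t *tcp = pkt + IP_HLEN;
    size_t tcplen = pktlen - IP_HLEN;
    uint8_t pseudo[12] = {0};                    /* src, dst, 0, proto, length */
    memcpy(pseudo, pkt + 12, 8);
    pseudo[9] = 6;  put16(pseudo + 10, (uint16_t)tcplen);   /* IPPROTO_TCP */
    uint32_t sum = cksum_add(cksum_add(0, pseudo, 12), tcp, 16);
    return cksum_fold(cksum_add(sum, tcp + 18, tcplen - 18));
}

/* 1 if both checksums carried in the packet are the correct values. */
int checksums_ok(const uint8_t *pkt, size_t pktlen)
{
    return get16(pkt + 10) == ip_hdr_cksum(pkt) &&
           get16(pkt + IP_HLEN + 16) == tcp_cksum(pkt, pktlen);
}

/* Constructed sample: FTP control segment 10.1.1.1:40000 -> 192.0.2.21:21, as a
 * host behind an ipnat `map` rule would emit it.  pkt needs 56 bytes. */
size_t build_packet(uint8_t *pkt)
{
    static const uint8_t src[4] = {10, 1, 1, 1}, dst[4] = {192, 0, 2, 21};
    static const char payload[] = "USER anonymous\r\n";
    size_t len = IP_HLEN + TCP_HLEN + sizeof payload - 1;
    uint8_t *tcp = pkt + IP_HLEN;
    memset(pkt, 0, len);
    pkt[0] = 0x45;  pkt[8] = 64;  pkt[9] = 6;           /* IPv4, TTL, TCP */
    put16(pkt + 2, (uint16_t)len);  put16(pkt + 4, 0x1234);  put16(pkt + 6, 0x4000);
    memcpy(pkt + 12, src, 4);  memcpy(pkt + 16, dst, 4);
    put16(tcp, 40000);  put16(tcp + 2, 21);  tcp[7] = 1;  tcp[11] = 2;
    tcp[12] = 0x50;  tcp[13] = 0x18;  put16(tcp + 14, 0xffff);  /* PSH|ACK */
    memcpy(tcp + TCP_HLEN, payload, sizeof payload - 1);
    put16(pkt + 10, ip_hdr_cksum(pkt));
    put16(tcp + 16, tcp_cksum(pkt, len));
    return len;
}

/* Rewrite source address and port as an outbound `map` rule does, patching both
 * checksums incrementally.  tcp_csum_deferred (an assumed flag for "the sender
 * has not computed it yet", not IP Filter's interface) forces a full recompute. */
void nat_rewrite_src(uint8_t *pkt, size_t pktlen, const uint8_t new_ip[4],
                     uint16_t new_port, int tcp_csum_deferred)
{
    uint8_t *tcp = pkt + IP_HLEN;
    uint16_t ipck = get16(pkt + 10), tck = get16(tcp + 16);
    for (int i = 0; i < 4; i += 2) {            /* address = two 16-bit words */
        uint16_t oldw = get16(pkt + 12 + i), neww = get16(new_ip + i);
        ipck = cksum_adjust(ipck, oldw, neww);
        tck = cksum_adjust(tck, oldw, neww);    /* TCP pseudo-header covers src */
    }
    tck = cksum_adjust(tck, get16(tcp), new_port);
    memcpy(pkt + 12, new_ip, 4);
    put16(tcp, new_port);
    put16(pkt + 10, ipck);
    put16(tcp + 16, tcp_csum_deferred ? tcp_cksum(pkt, pktlen) : tck);
}

/* Build the sample, optionally blank its TCP checksum as a deferring sender leaves
 * it, NAT it to 198.51.100.1:50000 (TEST-NET-2, constructed), return if it verifies. */
int run_nat_demo(int csum_left_blank, int tcp_csum_deferred)
{
    static const uint8_t pub[4] = {198, 51, 100, 1};
    uint8_t pkt[64];
    size_t len = build_packet(pkt);
    if (csum_left_blank) put16(pkt + IP_HLEN + 16, 0);
    nat_rewrite_src(pkt, len, pub, 50000, tcp_csum_deferred);
    return checksums_ok(pkt, len);
}
```

`run_nat_demo(0, 0)` is the LAN-host case: the packet arrives with a valid checksum, the incremental patch gives the same value a full recompute would, and the result verifies.  `run_nat_demo(1, 0)` is the hazard: the checksum field is still blank and the same patch yields a value that no receiver will accept, so the segment is dropped on the far side without any error coming back.  `run_nat_demo(1, 1)` is the only safe handling of such a packet, a full recompute after the rewrite.  Whatever a real filter uses to learn that the checksum was deferred is a property of the stack it hooks into, not of this example.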