From: Graham Menhennitt
To: Ian Smith
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 3 Sep 2017 08:54:53 +1000
Subject: Re: IPFW NAT behaviour different on 10-Stable versus 11-Stable [SOLVED]
Message-ID: <026e695f-4fb7-7c86-fddb-e49ccdcbdcda@menhennitt.com.au>
References: <20170902202655.T23641@sola.nimnet.asn.au>
In-Reply-To: <20170902202655.T23641@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

On 02/09/2017 20:46, Ian Smith wrote:
> On Sat, 2 Sep 2017 11:44:51 +1000, Graham Menhennitt wrote:
>
> > I have a problem that seems to be a difference between ipfw/NAT
> > behaviour in 10-Stable versus 11-Stable. I have two servers: one running
> > 10-Stable and one running 11-Stable. I'm using the same rule set on both
> > (see below). It works correctly on 10-Stable but not on 11.
> >
> > The problem is seen in two places: an outgoing SMTP connection on port
> > 465, and an incoming connection to an IMAP server on port 993. In both
> > cases, there are lost packets and retransmissions. See below for a
> > tshark capture of one attempted SMTP session.
> >
> > Setting sysctl net.inet.ip.fw.one_pass to one or zero makes no
> > difference. Deleting the sshguard rule (table 22) makes no difference.
> > Deleting the nat rule makes everything work for this SMTP session (but
> > breaks the other machines on my network, obviously).
> >
> > I have no doubt that I have misconfigured the firewall, but I don't see
> > what. And why is 11 different to 10? Any help would be much appreciated.
> >
> > Thanks in advance,
> >
> > Graham
>
> Mysterious. Unless this is some other networking issue, three thoughts:
>
> 1) given that YYY is your public IP address, are the problematic SMTP
> sessions actually going through NAT at all, or are they initiated from
> YYY directly? If the latter, it's hard to see why removing the NAT rule
> should affect these sessions at all?
>
> 2) does it make any difference if you split the NAT rules into separate
> rules, as per the ipfw(8) 'NAT, REDIRECT AND LSNAT' section in EXAMPLES?
>
> 3) given the tokens used in your ruleset, it appears that you are using
> a preprocessor to substitute values rather than shell variables? If so
> (or even if not) can you confirm that the resulting in-place rulesets
> shown by 'ipfw list' are absolutely identical on both machines?
>
> Just some long shots ..
>
> cheers, Ian

Thanks for replying, Ian. Well, I solved it. Similarly to my previous problem, the solution was to disable the TXCSUM option on the interface. So, now the entry in /etc/rc.conf says:

    ifconfig_igb1="DHCP -vlanhwtso -tso4 -txcsum"

And it all works.

Thanks again,
Graham
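A check to go with the fix in the thread, added here as an example and not code from the list or from FreeBSD: it parses the options=<...> line that ifconfig(8) prints for an interface, reports which transmit-side offloads (TXCSUM, TSO4, VLAN_HWTSO, and also TSO6, which goes one flag beyond the three named in the mail) are currently enabled, and builds the matching rc.conf override. The ifconfig output below is constructed sample data in the shape an igb(4) port prints, not a capture from Graham's machine.

```shell
#!/bin/sh
# Added example: derive the "-flag" arguments needed to turn off the transmit
# offloads an interface currently has enabled, from ifconfig(8) output.

# Constructed sample output (not from the thread), in the shape FreeBSD's
# ifconfig prints for an igb(4) port with hardware offloads enabled.
SAMPLE_IFCONFIG='igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 00:11:22:33:44:55
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        status: active'

# Map a capability name as printed by ifconfig to the argument that disables it.
# Names not listed here (RXCSUM, VLAN_MTU, ...) are left alone.
disable_flag_for() {
    case "$1" in
        TXCSUM)     echo '-txcsum' ;;
        TSO4)       echo '-tso4' ;;
        TSO6)       echo '-tso6' ;;
        VLAN_HWTSO) echo '-vlanhwtso' ;;
        *)          return 1 ;;
    esac
}

# Print the capability names inside options=<...>, one per line.
enabled_options() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*options=[0-9a-fA-F]*<\(.*\)>.*/\1/p' \
        | tr ',' '\n'
}

# Space-separated "-flag" list for the transmit offloads that are enabled,
# in the order ifconfig printed them. Empty when nothing needs disabling.
offload_disable_args() {
    args=''
    for opt in $(enabled_options "$1"); do
        flag=$(disable_flag_for "$opt") || continue
        args="${args:+$args }$flag"
    done
    printf '%s' "$args"
}

# Render the rc.conf line for a DHCP-configured interface, e.g.
# ifconfig_igb1="DHCP -txcsum -tso4 -tso6 -vlanhwtso"
rc_conf_line() {
    printf 'ifconfig_%s="DHCP %s"\n' "$1" "$(offload_disable_args "$2")"
}

rc_conf_line igb1 "$SAMPLE_IFCONFIG"
```

On a live system feed it `ifconfig igb1` output instead of the sample; after applying the line and re-running ifconfig, the options list should no longer contain the disabled names.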