Date:      Tue, 12 Jul 2011 16:20:10 GMT
From:      Vadim Goncharov <vadim_nuclight@mail.ru>
To:        freebsd-ipfw@FreeBSD.org
Subject:   Re: kern/147720: [ipfw] ipfw dynamic rules and fwd
Message-ID:  <201107121620.p6CGKAeb035620@freefall.freebsd.org>

The following reply was made to PR kern/147720; it has been noted by GNATS.

From: Vadim Goncharov <vadim_nuclight@mail.ru>
To: "skeletor@lissyara.su" <skeletor@lissyara.su>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd
Date: Tue, 12 Jul 2011 22:45:47 +0700

 Hi skeletor@lissyara.su! 
 
 On Tue, 21 Jun 2011 07:10:07 GMT; skeletor@lissyara.su <skeletor@lissyara.su> wrote:
 
 >  I tested patch-1.diff and found several problems. When I use 2 channels 
 >  my VPN (I use mpd with connect type pptp) stops working. This problem 
 >  does not appear on all servers.
 >  
 >  Here are my test results:
 >  
 >  1) FreeBSD 8.1 amd64 (VPN server), 2 external real IPs - VPN doesn't work
 >  2) FreeBSD 8.2 i386, 1 external real IP (second - not real) - 
 >  connecting on the second (not real) IP doesn't work
 >  3) FreeBSD 8.1 i386 (VPN client), 2 external real IPs - all works fine
 >  4) FreeBSD 8.2 i386 (VPN client), 1 external real IP (second - not 
 >  real) - connecting from 2 external IPs works, but VPN doesn't work.
 
 This is not really a problem with the patch, as PPTP uses not only a TCP
 connection but also establishes a GRE tunnel, which is independent from that
 TCP connection from the dynamic rules' point of view. There must be something
 tracking the packet data payload (e.g. the libalias-based NAT engine supports
 this) which will link the two connections together.
 
 This message, still, does not provide any useful information even to conclude
 whether there is some regression with this patch. Personally I think this is an
 architectural problem with PPTP, and the patch was just used in inappropriate
 conditions, i.e. such a configuration should be avoided, and the patch itself is OK.
 
 -- 
 WBR, Vadim Goncharov. ICQ#166852181       mailto:vadim_nuclight@mail.ru
 [Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
