From owner-freebsd-stable@FreeBSD.ORG Wed Jul 21 19:52:33 2010
Date: Wed, 21 Jul 2010 21:52:31 +0200
From: Spil Oss
To: freebsd-ipfw@freebsd.org, freebsd-stable@freebsd.org, snasonov@bcc.ru
Subject: Re: Changes to ipfw in 8.1
Reply-To: spil.oss@gmail.com
List-Id: Production branch of FreeBSD source code

Hi Sergey,

I'm dumbstruck! Switching 'ip' to 'ip4' in both the divert rules fixed my problem. Personally I think that should go into the UPDATING file as well. I wouldn't have found it if you hadn't told me!

Many thanks,

Spil.

On Wed, Jul 21, 2010 at 9:08 PM, Spil Oss wrote:
> Hi Sergey,
>
> Has the change from ip to ip4 solved the problem for you? The
> documentation states that proto 'ip' is the same as 'all' "Matches any
> packet."
>
> Rule # 60
>     $cmd 060 skipto 1000 ip6 from any to any
> will have already skipped to the ipv6 rules block thus proto 'ip'
> should always match remaining packets.
>
> Meanwhile I found bug 148137 [ipfw] call order of natd and ipfw startup scripts
> http://www.freebsd.org/cgi/query-pr.cgi?pr=148137&cat=conf
> Don't know if that's directly related, but it may be worth a try to
> revert back to the RELENG_8_0 script.
>
> Will let you know my findings.
>
> Kind regards,
>
> Spil.
>
>
> On Wed, Jul 21, 2010 at 2:57 PM, Sergey G Nasonov wrote:
>> Hello Spil,
>>
>> I have got the same trouble after updating my 8.0 Stable. I think you need
>> to modify some firewall rules.
>>
>> Please change
>>
>> $cmd 100 divert natd ip from any to any in via $pif # Mangle inbound
>>
>> to
>>
>> $cmd 100 divert natd ip4 from any to any in via $pif # Mangle inbound
>>
>> and
>>
>> $cmd 500 divert natd ip from any to any out via $pif
>>
>> to
>>
>> $cmd 500 divert natd ip4 from any to any out via $pif
>>
>> accordingly.
>>
>> --
>>
>> Best Regards,
>>
>> Nasonov Sergey
>
>
> On Wed, Jul 21, 2010 at 11:40 AM, Spil Oss wrote:
>> Hi,
>>
>> Testing FreeBSD 8.1 I noticed that I seem to have routing or nat or
>> firewall issues. (csupped RELENG_8_1 which was -RELEASE not -RC last
>> night?)
>> - 8.1 booted fine
>> - connections from the system itself were fine
>> - connections from my jails to the internet were not working
>> - connections from my LAN/WLAN to the internet were not working
>> Reverting back to 8.0-p2 with the same configuration works fine.
>>
>> In UPDATING I see that rc.firewall and rc.firewall6 were unified.
>>
>> Setup is
>> - xl0 connected to internet/public IP via dhcp
>> - bge0/wlan0(ath0) connected to LAN
>> - jails have ip's on bge0 in the same subnet as the LAN
>> - allow all from any to any via bge0|wlan0|lo0
>> - NAT using natd
>>
>> My guess is that something's changed to ipfw that is affecting my
>> network settings. Any clues where I went wrong?
>>
>> Help appreciated/ Kind regards,
>>
>> Spil.
>>
>> rc.conf:
>> firewall_enable="YES"
>> firewall_script="/etc/ipfw.rules"
>>
>> natd.conf
>> interface xl0
>> dynamic yes
>> same_ports yes
>> # http/https to http jail
>> redirect_port tcp 192.168.2.3:80 80
>> redirect_port tcp 192.168.2.3:443 443
>>
>> Part of /etc/ipfw.rules
>> #!/bin/sh
>> cmd="ipfw -q add"
>> skip="skipto 500"
>> pif=xl0
>> pif6=gif0
>> ext6="2001:dead:beef:1::1"
>> ks="keep-state"
>>
>> ipfw -q -f flush
>>
>> # Allow internal traffic
>> $cmd 002 allow all from any to any via bge0 # exclude LAN traffic
>> $cmd 003 allow all from any to any via lo0  # exclude loopback traffic
>> $cmd 004 allow all from any to any via wlan0 # exclude WLAN traffic
>> $cmd 005 allow all from any to any via bridge0 # exclude WLAN traffic
>> $cmd 006 allow all from any to any via tun0 # exclude WLAN traffic
>>
>> # Allow all encapsulated IPv6 to/from tunnel PoP
>> $cmd 010 allow ip4 from to me via $pif
>> $cmd 010 allow ip4 from me to via $pif
>>
>> # Black-hole some stuff using tables
>> $cmd 050 drop ip from "table(17)" to any in via $pif
>> $cmd 050 drop ip from any to "table(17)" out via $pif
>>
>> # Separate IPv6 rules (no NAT!)
>> $cmd 060 skipto 1000 ip6 from any to any
>>
>> $cmd 100 divert natd ip from any to any in via $pif # Mangle inbound packets from external
>> $cmd 101 check-state
>>
>> # Authorized outbound packets
>> $cmd 130 $skip icmp from any to any out via $pif $ks
>> $cmd 150 $skip tcp from any to any out via $pif $ks
>> $cmd 151 $skip udp from any to any out via $pif $ks
>>
>> $cmd 200 allow udp from 10.50.0.1 to me 68 in $ks
>>
>> # Deny all inbound traffic from non-routable reserved address spaces
>> $cmd 300 unreach host all from 192.168.0.0/16  to any in via $pif #RFC 1918 private IP
>> $cmd 301 unreach host all from 172.16.0.0/12   to any in via $pif #RFC 1918 private IP
>> $cmd 302 unreach host all from 10.0.0.0/8      to any in via $pif #RFC 1918 private IP
>> $cmd 303 unreach host all from 127.0.0.0/8     to any in via $pif  #loopback
>> $cmd 304 unreach host all from 0.0.0.0/8       to any in via $pif  #loopback
>> $cmd 305 unreach host all from 169.254.0.0/16  to any in via $pif #DHCP auto-config
>> $cmd 306 unreach host all from 192.0.2.0/24    to any in via $pif #reserved for docs
>> $cmd 307 unreach host all from 204.152.64.0/23 to any in via $pif  #Sun cluster
>> $cmd 308 unreach host all from 224.0.0.0/3     to any in via $pif #Class D & E multicast
>>
>> # Deny packets that did not match the dynamic rule table
>> #$cmd 330 deny all from any to any frag in via $pif # All late fragments
>> #$cmd 332 deny tcp from any to any established in via $pif # Deny ACK
>>
>> # Authorized inbound packets
>> $cmd 400 allow icmp from any to any icmptypes 0,11 # echo reply and TTL-exceeded
>> $cmd 420 allow tcp from any to me ssh in via $pif setup $ks
>> $cmd 421 allow tcp from any to me smtp in via $pif
>> $cmd 422 allow tcp from any to me http in via $pif
>> $cmd 423 allow tcp from any to me https in via $pif
>> $cmd 424 allow tcp from any to me imaps in via $pif
>>
>> #$cmd 449 unreach host ip from any to any in via $pif
>> $cmd 448 reject log all from any to any in via $pif
>> $cmd 449 reject log all from any to any out via $pif
>> $cmd 450 reject log ip from any to any
>>
>> # This is skipto location for outbound stateful rules
>> $cmd 500 divert natd ip from any to any out via $pif
>> $cmd 510 allow ip from any to any
>
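The fix in this thread is to narrow the two `divert natd` rules from `ip` to `ip4`. As an added example (not code from the thread or from FreeBSD), here is a small POSIX sh/awk lint that flags divert rules in an ipfw rules script whose protocol is `ip` or `all` and rewrites them to `ip4`; the sample rules file it builds is constructed, modelled on the /etc/ipfw.rules fragment above.

```shell
#!/bin/sh
# Lint an ipfw rules script for 'divert' rules that match on 'ip' or 'all'
# and rewrite them to 'ip4'. Added example; not part of the original thread.

# Write a constructed rules file modelled on the /etc/ipfw.rules fragment above.
make_sample_rules() {
    cat > "$1" <<'EOF'
#!/bin/sh
cmd="ipfw -q add"
pif=xl0
$cmd 060 skipto 1000 ip6 from any to any
$cmd 100 divert natd ip from any to any in via $pif # Mangle inbound
$cmd 130 skipto 500 tcp from any to any out via $pif keep-state
$cmd 500 divert natd ip from any to any out via $pif
$cmd 510 allow ip from any to any
EOF
}

# Print every non-comment line where the word after 'divert <port>' is 'ip' or 'all'.
find_unsafe_diverts() {
    awk '
        /^[[:space:]]*#/ { next }
        {
            for (i = 1; i < NF - 1; i++)
                if ($i == "divert" && ($(i + 2) == "ip" || $(i + 2) == "all")) {
                    print FILENAME ":" NR ": " $0
                    break
                }
        }' "$1"
}

# Emit the script with those divert rules rewritten to 'ip4'; other rules are untouched.
fix_diverts() {
    sed -E 's/(divert[[:space:]]+[^[:space:]]+[[:space:]]+)(ip|all)([[:space:]]+from)/\1ip4\3/' "$1"
}

# Usage: ./lint-divert.sh /etc/ipfw.rules  (report, then print the rewritten script)
if [ -n "$1" ]; then
    find_unsafe_diverts "$1"
    fix_diverts "$1"
fi
```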