From: "mitrohin a.s." <swp@swp.pp.ru>
To: freebsd-net@freebsd.org
Date: Tue, 27 Dec 2005 11:23:22 +0600
Subject: Re: ipfw forward bug?
Message-ID: <20051227052322.GB28685@swp.pp.ru>
In-Reply-To: <20051226203817.GA27151@swp.pp.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Dec 27, 2005 at 02:38:18AM +0600, mitrohin a.s. wrote:
> hello.
>
> I have a strange problem with a forward rule.
>
>  isp1       +----------+
>  <-----[fxp0:x.x.x.1/24] router_1 [re0:10.200.1.1/24]--------+
>             | [xl2:10.4.2.1/24]---------------+              |
>             +----------+                      |              |
>             +--------+                        |              |
>             | host_1 [10.4.2.121/24]----------+              |
>             +--------+                                       |
>                                                              |
>  isp2       +----------+                                     |
>  <-----[xl2:172.16.42.2/24] router_2 [re0:10.200.1.2/24]-----+
>             +----------+
>
> router_1 propagates the default route via fxp0 (isp1) for the local network.
> router_2 has a link via xl2 to isp2 and a default route to 10.200.1.1.
> I want to lead external traffic from host_1 via isp2, but I have got
> trouble.
>
>
> router_2 ipfw rules:
>
> root@main# ipfw -c show
> 00100 321246 89176165 allow via lo0
> 00200     40     2000 deny { src-ip 127.0.0.0/8 or dst-ip 127.0.0.0/8 }
> 00400   7226   231262 allow dst-ip 224.0.0.0/4
> 00500 354153 88470867 allow src-ip 10.0.0.0/8 dst-ip 10.0.0.0/8
> 00600      0        0 check-state
>
> 00700     65     5460 skipto 50000 log proto icmp dst-ip 10.4.2.121 in keep-state
> 00800      0        0 skipto 50000 log proto icmp dst-ip 10.4.2.121 out keep-state
> 00900      0        0 skipto 50000 log proto icmp src-ip 10.4.2.121 in keep-state
> 01000      0        0 skipto 50000 log proto icmp src-ip 10.4.2.121 out keep-state
>
> 01800 133396 44504758 allow
>
> 50000     32     2688 fwd 172.16.42.1 log src-ip 10.4.2.121 in
> 50100  26445  5425866 allow
>
> ! rules 800, 900, 1000 are for test only.
>
>
> Now I make a ping from an external host.
>
> -bash-2.05b$ ping -c 1 olymp.uni-altai.ru
> PING olymp.uni-altai.ru (83.246.136.148): 56 data bytes
>
> --- olymp.uni-altai.ru ping statistics ---
> 1 packets transmitted, 0 packets received, 100% packet loss
>
> ! the isp2 cisco does NAT 83.246.136.145 to 10.4.2.121 and vice versa.
>
>
> router_2 security.log contains
>
> Dec 27 00:52:22 main kernel: ipfw: \
>   700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 in via xl2
> Dec 27 00:52:22 main kernel: ipfw: \
>   700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 out via re0
> Dec 27 00:52:22 main kernel: ipfw: \
>   700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
> Dec 27 00:52:22 main kernel: ipfw: \
>   50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FORWARD !!!
> Dec 27 00:52:22 main kernel: ipfw: \
>   700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ BUT GOES TO THE DEFAULT ROUTE !!! ... ?
> why "out via re0"? I expected "out via xl2".
>
> and the loop
>
> Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
> Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
> Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
> ...
> Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
> Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
> Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
> Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
> Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
> Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
> Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
> Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
>
> send-pr?

and more interesting things here...

router_2 ipfw rules:

table 1 - internal networks

root@main# ipfw table 1 list
10.0.0.0/8 0
83.246.130.168/32 0
83.246.136.144/28 0
172.16.0.0/12 0
192.168.0.0/16 0

table 2 - hosts routed via isp2; value 1 - allowed to make connections to the external world itself

root@main# ipfw table 2 list
10.1.3.23/32 1
10.1.3.68/32 1
10.1.3.69/32 1
10.1.3.87/32 0
10.1.3.100/32 1
10.1.3.199/32 1
10.1.3.200/32 1
10.4.2.121/32 0

these are transit hosts for router_2 and they traverse the "in" chain of rules.
root@main# ipfw -c show
allow via lo0
deny { src-ip 127.0.0.0/8 or dst-ip 127.0.0.0/8 }
allow dst-ip 224.0.0.0/4
allow src-ip table(1) dst-ip table(1)
check-state
skipto 50000 proto icmp dst-ip table(2) in keep-state
skipto 50000 src-ip table(2,1) in keep-state
skipto 50000 proto tcp dst-ip 10.1.3.87 dst-port 21,25,80,110,143 in keep-state
skipto 50000 proto tcp dst-ip 10.4.2.121 dst-port 80,443 in keep-state
deny dst-ip table(2) in
allow
fwd 172.16.42.1 src-ip table(2) in
allow
deny ip from any to any

this works for host 10.1.3.83 but does not work for host 10.4.2.121.
I don't see a difference between 10.1.3.87 and 10.4.2.121.
maybe the default route overlaps the route to 10.4.2.121 only.

root@main# uname -a
FreeBSD main.uni-altai.ru 6.0-RC1 FreeBSD 6.0-RC1 #0: Sun Oct 16 19:37:36 OMSST 2005     swp@main.uni-altai.ru:/usr/obj/usr/src/sys/ea_kernel  i386

sorry for my terrible English.

/swp
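As an added example that is not part of the original thread: a small Python script that parses ipfw log lines in the format shown above and flags flows where a packet was `fwd`-ed on an inbound pass but was then logged leaving through the same interface again within the same second, which is the loop signature visible in the log. The log lines are constructed after the thread's output; the regex only covers the ICMP line shape shown here.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the ipfw log lines quoted in the thread.
SAMPLE_LOG = """\
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 in via xl2
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
"""

# syslog timestamp, host, rule number, action text, proto[:type.code], src, dst, direction, interface
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: ipfw: (?P<rule>\d+) (?P<action>.+?) "
    r"(?P<proto>[A-Z]+(?::[\d.]+)?) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dir>in|out) via (?P<ifc>\S+)$"
)


def parse(line):
    """Return the fields of one ipfw log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def find_fwd_loops(lines, threshold=2):
    """Flows whose inbound 'Forward to' hit was followed by the packet leaving via the
    same interface it arrived on, at least `threshold` times in one second."""
    flows = defaultdict(list)
    for raw in lines:
        ev = parse(raw)
        if ev:
            flows[(ev["ts"], ev["proto"], ev["src"], ev["dst"])].append(ev)
    suspects = {}
    for (_, proto, src, dst), evs in flows.items():
        fwds = [e for e in evs if e["dir"] == "in" and e["action"].startswith("Forward to")]
        out_ifcs = {e["ifc"] for e in evs if e["dir"] == "out"}
        # the fwd was logged on 'in via X' but the packet still went 'out via X'
        bounced = [e for e in fwds if e["ifc"] in out_ifcs]
        if len(bounced) >= threshold:
            suspects[(proto, src, dst)] = {
                "forwards": len(bounced),
                "fwd_target": bounced[0]["action"].split()[-1],
                "left_via": bounced[0]["ifc"],
            }
    return suspects
```

Run it over `/var/log/security` on the router with `find_fwd_loops(open(path))` to list the flows that are bouncing instead of leaving through the interface behind the `fwd` target.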