Date: Wed, 2 Jun 2010 02:40:03 GMT From: Jose M Rodriguez <josemi@freebsd.jazztel.es> To: freebsd-net@FreeBSD.org Subject: Re: kern/147191: [ppp] Problems with ppp -nat [pppoe], ipfw, dummynet Message-ID: <201006020240.o522e3sU024508@freefall.freebsd.org>
The following reply was made to PR kern/147191; it has been noted by GNATS.
From: Jose M Rodriguez <josemi@freebsd.jazztel.es>
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/147191: [ppp] Problems with ppp -nat [pppoe], ipfw, dummynet
Date: Wed, 02 Jun 2010 04:31:49 +0200

This is a multi-part message in MIME format.
--------------090100060803090709040905
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

El 02/06/2010 2:37, Jose M Rodriguez escribió:
> Seems that this must be reopened.
> ...

Seems this one worked, but I don't remember it from the last time I used ipfw on FreeBSD-7.

--------------090100060803090709040905
Content-Type: text/plain; name="rc.firewall.router.4"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="rc.firewall.router.4"

#!/bin/sh -
# Copyright (c) 1996 Poul-Henning Kamp
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: src/etc/rc.firewall,v 1.60.2.3 2010/04/14 15:03:58 ume Exp $
#
# $Log$
#
# Setup system for ipfw(4) firewall service on AHS router
#
# Configuration (all read from rc.conf):
# firewall_resetports:
#	TCP ports answered with a RST instead of a silent drop. The reset
#	rule uses "via ${oif}", so it matches both directions: connections
#	*from* this router to those ports on the Internet are reset too.
# firewall_myservices:
#	List of TCP ports on which this host offers services.
# firewall_myudpports:
#	List of UDP ports on which this host offers services.
# firewall_logdeny:
#	Boolean (YES/NO) specifying if the default denied packets should be
#	logged (in /var/log/security).
# firewall_nologports:
#	List of TCP/UDP ports for which denied incoming packets are not logged.
# firewall_oif:
#	Outside IPv4 network interface; defaults to tun0, or to ng0 when
#	mpd_enable is YES.
# firewall_iifaces:
#	Inside network interface list.
# firewall_net_${iface}
#	IPv4 network definition for each of the previous interfaces; used
#	for ingress/egress anti-spoofing on that interface.
# firewall_p2p_${iface}
#	Whitespace separated "address port" pairs of TCP/UDP ports opened
#	from the outside towards hosts on ${iface}.
# firewall_p2p_uids
#	List of uids of p2p daemons running on me. For each uid U the
#	variable U_enable (YES/NO) decides whether its rules are added.
# dummynet_enable, firewall_outbw, firewall_out_burst,
# firewall_{ufast,fast,lo,ulow}_weight, firewall_weight, firewall_sched_type:
#	Outgoing traffic shaping, only used when dummynet_enable is YES.
# natd_enable/natd_interface, firewall_nat_enable/firewall_nat_interface/
# firewall_nat_flags:
#	Userland natd(8) or in-kernel nat, as in the stock rc.firewall.

# Defaults. rc.conf is sourced afterwards and may override every one of
# these.
# NOTE(review): 53 in firewall_resetports also resets outbound TCP DNS
# (truncated answers, DNSSEC, zone transfers) from this host and the LAN;
# drop it here if the router runs or forwards to a resolver.
firewall_resetports="53,113,135-139,445"
firewall_p2p_uids="mlnet transmission"
for daemon in ${firewall_p2p_uids}; do
	eval "${daemon}_enable=NO"
done
mpd_enable="NO"

# Suck in the configuration variables, unless the caller (rc) did already.
[ -n "${source_rc_confs_defined}" ] || {
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
}

. /etc/rc.subr
. /etc/network.subr

# afexists exits 0 when the kernel supports the address family, so
# ipv6_available is 0 on an IPv6 kernel and 1 otherwise.
afexists inet6
ipv6_available=$?
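# macros
fwcmd="/sbin/ipfw"
ifaces=${firewall_iifaces}
# outside interface: ng0 when mpd drives the link, tun0 for user-ppp,
# unless firewall_oif says otherwise
if checkyesno mpd_enable ; then
	oif=${firewall_oif-ng0}
else
	oif=${firewall_oif-tun0}
fi
# log options appended to the final deny rule (filled in later when
# firewall_logdeny is YES)
log=""

# Set quiet mode if requested
checkyesno firewall_quiet && fwcmd="${fwcmd} -q"

# Flush out the list before we begin.
${fwcmd} -f flush

# setup loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny all from 127.0.0.0/8 to any

# setup ipv6 mandatory
# afexists exits 0 when inet6 is present, so ipv6_available is 0 on an
# IPv6 kernel. The test used to be "-ne 0", which is inverted: it skipped
# these rules on every IPv6-capable host and only tried to install ::1
# rules on kernels that cannot parse them.
if [ $ipv6_available -eq 0 ]; then
	${fwcmd} add 400 deny all from any to ::1
	${fwcmd} add 500 deny all from ::1 to any
	# DAD
	${fwcmd} add pass ipv6-icmp from :: to ff02::/16
	# RS, RA, NS, NA, redirect... (link-local is fe80::/10; the earlier
	# "fe80::/1o" typo made ipfw reject both rules)
	${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
	${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
	# ICMPv6 destination unreachable (1), packet too big (2), NS (135),
	# NA (136). ipfw's keyword is the single word "icmp6types".
	${fwcmd} add pass ipv6-icmp from any to any icmp6types 1,2,135,136
fi
# NOTE(review): apart from the rules above, IPv6 gets no anti-spoofing
# or service rules in this file; it only meets the final "deny ip" rule.

# setup tables
${fwcmd} table all flush
astable=1
# Tag values stored with each prefix. The anti-spoofing rules only test
# membership with table(${astable}), so the tag merely documents why a
# prefix is listed.
astn=1		# test / documentation / benchmark nets
asln=2		# this-network, loopback, broadcast
aspn=3		# RFC 1918 private and link-local
asipv4=4	# IPv4 space believed unallocated (bogons) when written
ascle=5		# former class E
asmcast=6	# multicast

# rfc 1912 local net
${fwcmd} table ${astable} add 0.0.0.0/8 ${asln}		# this network
${fwcmd} table ${astable} add 127.0.0.0/8 ${asln}	# local net
${fwcmd} table ${astable} add 255.0.0.0/8 ${asln}	# local net

# rfc 1918 private nets
${fwcmd} table ${astable} add 10.0.0.0/8 ${aspn}		# private net
${fwcmd} table ${astable} add 172.16.0.0/12 ${aspn}	# private net
${fwcmd} table ${astable} add 192.168.0.0/16 ${aspn}	# private net

# Link-local/APIPA (RFCs 3330 and 3927)
${fwcmd} table ${astable} add 169.254.0.0/16 ${aspn}	# link-local/APIPA

# TEST-NET-[1-3] for Documentation (RFC 5737)
${fwcmd} table ${astable} add 192.0.0.0/24 ${astn}	# IETF net
${fwcmd} table ${astable} add 192.0.2.0/24 ${astn}	# test net
${fwcmd} table ${astable} add 198.51.100.0/24 ${astn}	# test net
${fwcmd} table ${astable} add 203.0.113.0/24 ${astn}	# test net

# Router Benchmark Testing (RFC 3330)
${fwcmd} table ${astable} add 198.18.0.0/15 ${astn}	# router benchmark

# IANA Reserved - Old Class E Space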
# Former class E (240/4), tagged separately. 224.0.0.0/3 below already
# spans 224.0.0.0-255.255.255.255; these more specific entries just carry
# the ascle tag.
for bogon in 240.0.0.0/5 248.0.0.0/6 252.0.0.0/7 254.0.0.0/8; do
	${fwcmd} table ${astable} add ${bogon} ${ascle}	# old CLASS E
done

# Multicast
${fwcmd} table ${astable} add 224.0.0.0/3 ${asmcast}

# Other: IPv4 space that was unallocated when this file was written
# (mid 2010): parts of 1/8 (APNIC), 5/8 ("hamachi"), 23/8, parts of 31/8
# (RIPE), 36/7, 39/8, 42/8, 49/8, 100/6, 104/7, 106/8, 128.0/16 and
# 128.66/16 (ARIN, rfc 3300?).
# NOTE(review): this is a static snapshot. IANA has since handed out its
# remaining /8s, so a hard-coded list like this ends up blocking
# legitimate hosts. Either refresh it from a maintained bogon feed at
# boot or drop it and keep only the RFC 1918/5737 entries above, which
# do not go stale.
#${fwcmd} table ${astable} add 1.0.0.0/8 ${asipv4} # APNIC
#${fwcmd} table ${astable} add 31.0.0.0/8 ${asipv4} # bogon/RIPE
for bogon in \
	1.0.0.0/13 1.8.0.0/16 1.10.0.0/16 1.20.0.0/16 \
	1.32.0.0/16 1.37.0.0/16 1.187.0.0/16 \
	5.0.0.0/8 23.0.0.0/8 \
	31.0.0.0/16 31.1.0.0/21 31.1.24.0/24 \
	36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 49.0.0.0/8 \
	100.0.0.0/6 104.0.0.0/7 106.0.0.0/8 \
	128.0.0.0/16 128.66.0.0/16
do
	${fwcmd} table ${astable} add ${bogon} ${asipv4}
done
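${fwcmd} table ${astable} add 177.0.0.0/8 ${asipv4}
${fwcmd} table ${astable} add 179.0.0.0/8 ${asipv4}
${fwcmd} table ${astable} add 181.0.0.0/8 ${asipv4}
${fwcmd} table ${astable} add 185.0.0.0/8 ${asipv4}
#${fwcmd} table ${astable} add 191.255.0.0/16 ${asipv4} # LACNIC
#${fwcmd} table ${astable} add 192.0.0.0/19 ${asipv4} # ARIN
${fwcmd} table ${astable} add 192.0.48.0/20 ${asipv4}	# ARIN
${fwcmd} table ${astable} add 192.0.64.0/18 ${asipv4}	# ARIN
${fwcmd} table ${astable} add 192.0.128.0/17 ${asipv4}	# ARIN
#${fwcmd} table ${astable} add 197.0.0.0/8 ${asipv4} # AfriNIC
${fwcmd} table ${astable} add 204.152.64.0/23 ${asipv4}
# NOTE(review): like the entries before them, these /8s were allocated by
# IANA after 2010; keep this list fed from a live source or remove it.

# Packets must keep traversing the ruleset after the in-kernel nat rule
# at 30000, because everything that actually filters inbound traffic
# (check-state, "established", the open ports, the final deny) comes
# after it. With the default one_pass=1 ipfw accepts a packet as soon
# as it leaves the nat instance, so none of those rules run. This used
# to be set only inside the dummynet block, leaving a plain
# firewall_nat_enable=YES configuration wide open.
sysctl net.inet.ip.fw.one_pass=0 >/dev/null

# dummynet
if checkyesno dummynet_enable ; then
	# outgoing pipe and its queues; ${u..}q are queue numbers, ${u..}r
	# the rule numbers of the "queue" rules they are attached to
	outp=1
	ufq=2
	ufr=8000
	fq=3
	fr=8400
	nq=4
	nr=8800
	lq=5
	lr=9200
	ulq=6
	ulr=9400
	# tags, scheds, ... (p2p is not referenced anywhere in this file)
	p2p=1
	sched=1
	# sysctl
	sysctl net.inet.ip.fw.verbose=0 >/dev/null
	sysctl net.inet.ip.dummynet.io_fast=1 >/dev/null
	# queues
	${fwcmd} pipe ${outp} config bw ${firewall_outbw-0} \
		burst ${firewall_out_burst-29840}
	${fwcmd} queue ${ufq} config pipe ${outp} \
		weight ${firewall_ufast_weight-100} queue 90
	${fwcmd} queue ${fq} config pipe ${outp} \
		weight ${firewall_fast_weight-75}
	${fwcmd} queue ${nq} config pipe ${outp} \
		weight ${firewall_weight-40}
	${fwcmd} queue ${lq} config pipe ${outp} \
		weight ${firewall_lo_weight-25}
	${fwcmd} queue ${ulq} config pipe ${outp} \
		weight ${firewall_ulow_weight-1}
	${fwcmd} sched ${sched} config type ${firewall_sched_type-QFQ}
fi

# RULES
#
# Danger Will Robinson.
# Seems that on FreeBSD 8.1 you can't pass traffic in to be forwarded, or
# queue/divert/outgoing rules can't see it. Strange.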
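# pass DHCP on interfaces configured as DHCP clients. This has to come
# before the anti-spoofing rules: client requests carry 0.0.0.0 as source,
# which both the table and the firewall_net_* checks would reject.
for dhcpif in $(list_net_interfaces dhcp) ; do
	${fwcmd} add pass udp from any 67 to any 68 recv ${dhcpif}
	${fwcmd} add pass udp from any 68 to any 67 xmit ${dhcpif}
done

# local nets
for iif in ${ifaces}; do
	# pass dhcpv4 traffic from/to our server
	if checkyesno dhcpd_enable; then
		${fwcmd} add pass udp from any 68 to any 67 recv ${iif}
		${fwcmd} add pass udp from any 67 to any 68 xmit ${iif}
	fi
	# Local net anti-spoofing: only firewall_net_${iif} addresses may
	# come in on ${iif}, and only they may be sent out of it.
	eval netif_net=\$firewall_net_${iif}
	if [ -n "${netif_net}" ]; then
		${fwcmd} add deny all from any to not ${netif_net} xmit ${iif}
		${fwcmd} add deny all from not ${netif_net} to any recv ${iif}
	fi
done

# Deny TCP fragments (use path MTU); non-TCP fragments are passed later
${fwcmd} add deny tcp from any to any frag

# anti spoofing on the outside interface: nothing from or to the
# reserved/private/bogon prefixes collected in the table
${fwcmd} add deny all from table\(${astable}\) to any recv ${oif}
${fwcmd} add deny all from any to table\(${astable}\) xmit ${oif}

# Well known traffic not allowed: domain, smb, ...
# "via" matches packets received *and* sent on ${oif}, so connections
# from this host or the LAN to those ports are reset as well.
${fwcmd} add reset tcp from any to any ${firewall_resetports} via ${oif}
${fwcmd} add reset tcp from any ${firewall_resetports} to any via ${oif}

# Outgoing queues: classify, jump to the matching "queue" rule, then
# resume at 30000 (nat and filtering).
if checkyesno dummynet_enable ; then
	# incoming traffic first, ultra low/low
	for iif in ${ifaces} ; do
		eval netif_p2p=\$firewall_p2p_${iif}
		# "set --": with an empty list this clears the positional
		# parameters, whereas a bare "set" dumps every shell variable
		# to stdout (the previous behaviour whenever firewall_p2p_${iif}
		# was unset).
		set -- ${netif_p2p}
		while [ $# -ge 2 ]; do
			${fwcmd} add skipto ${lr} tcp from $1 $2 to not me established
			${fwcmd} add skipto ${ulr} tcp from $1 $2 to not me setup
			${fwcmd} add skipto ${ulr} udp from $1 $2 to not me
			shift ; shift
		done
		${fwcmd} add skipto ${nr} all from any to not me recv ${iif}
	done
	# Don't queue not outgoing traffic
	${fwcmd} add skipto 10000 all from any to any in
	${fwcmd} add skipto 30000 all from any to any not via ${oif}
	# ultra low / low: locally running p2p daemons, matched by uid
	for u in ${firewall_p2p_uids}; do
		if checkyesno ${u}_enable ; then
			${fwcmd} add skipto ${lr} tcp from any to any \
				uid ${u} established
			${fwcmd} add skipto ${ulr} tcp from any to any \
				uid ${u} setup
			${fwcmd} add skipto ${ulr} udp from any to any \
				uid ${u}
		fi
	done
	# ultra fast: interactive, pure ACKs, our own DNS/NTP queries
	${fwcmd} add skipto ${ufr} tcp from any to any \
		iptos lowdelay
	${fwcmd} add skipto ${ufr} tcp from any to any \
		tcpdatalen 0 established
	${fwcmd} add skipto ${ufr} udp from me to any 53,123
	# fast: connection setup, ssh/https
	${fwcmd} add skipto ${fr} tcp from any to any setup
	${fwcmd} add skipto ${fr} tcp from any to any 22,443,2222 \
		established
	# rest is normal
	${fwcmd} add skipto ${nr} all from any to any
	# queues
	# ultra fast
	${fwcmd} add ${ufr} queue ${ufq} all from any to any
	${fwcmd} add skipto 30000 all from any to any
	# fast
	${fwcmd} add ${fr} queue ${fq} all from any to any
	${fwcmd} add skipto 30000 all from any to any
	# normal
	${fwcmd} add ${nr} queue ${nq} all from any to any
	${fwcmd} add skipto 30000 all from any to any
	# low
	${fwcmd} add ${lr} queue ${lq} all from any to any
	${fwcmd} add skipto 30000 all from any to any
	# ultra low
	${fwcmd} add ${ulr} queue ${ulq} all from any to any
	${fwcmd} add skipto 30000 all from any to any
fi

# incoming traffic, from iif not for me.
# There is no rule numbered 20000; skipto continues at the first rule
# numbered 20000 or higher, i.e. the 30000 block, as long as the open
# port rules that follow stay below 20000.
${fwcmd} add 10000 skipto 20000 all from any to any not via ${oif}

# Open ports (services on this host; matched before NAT, so "me" is the
# address the packet carries on the wire)
for port in ${firewall_myservices} ; do
	${fwcmd} add pass tcp from any to me ${port} setup
done
for port in ${firewall_myudpports} ; do
	${fwcmd} add pass udp from any to me ${port}
done
for user in ${firewall_p2p_uids}; do
	if checkyesno ${user}_enable ; then
		${fwcmd} add pass tcp from any to me setup uid ${user}
		${fwcmd} add pass udp from any to me uid ${user}
	fi
done

# Noise from routers (RIP)
${fwcmd} add deny udp from any to any 520 recv ${oif}

# setup natd / in-kernel nat. Everything after this point sees
# translated packets, which requires net.inet.ip.fw.one_pass=0.
${fwcmd} add 30000 count all from any to any
case ${natd_enable} in
[Yy][Ee][Ss])
	if [ -n "${natd_interface}" ]; then
		${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
	fi
	;;
esac
case ${firewall_nat_enable} in
[Yy][Ee][Ss])
	if [ -n "${firewall_nat_interface}" ]; then
		firewall_nat_flags="${firewall_nat_interface} ${firewall_nat_flags}"
		# a dotted quad selects "ip <addr>", anything else "if <iface>"
		if echo "${firewall_nat_interface}" | \
		    grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
			firewall_nat_flags="ip ${firewall_nat_flags}"
		else
			firewall_nat_flags="if ${firewall_nat_flags}"
		fi
		${fwcmd} nat 123 config log ${firewall_nat_flags}
		${fwcmd} add nat 123 ip4 from any to any \
			via ${firewall_nat_interface}
	fi
	;;
esac

# Allow non-TCP fragments (TCP fragments were dropped above)
${fwcmd} add pass all from any to any frag

# Allow packets for which a state has been built.
${fwcmd} add check-state

# Allow TCP through if setup succeeded.
# NOTE(review): "established" only tests the ACK/RST flags, so any inbound
# segment with ACK set reaches any port without a preceding SYN (ACK
# scans, injection). keep-state on the setup rules would be tighter, but
# with the nat rule ahead of check-state the dynamic rule would be keyed
# on the translated addresses; confirm the NAT/state interaction before
# changing this.
${fwcmd} add pass tcp from any to any established

# icmp traffic
# Allow "mandatory" ICMP in.
${fwcmd} add pass icmp from any to any icmptype 3,4,11
# Some servers will ping the IP while trying to decide
${fwcmd} add pass icmp from any to any icmptype 8

# pass outgoing traffic
${fwcmd} add pass tcp from any to any xmit ${oif} setup
${fwcmd} add pass udp from any to any xmit ${oif} keep-state
${fwcmd} add pass icmp from any to any xmit ${oif} keep-state

# incoming from outside: anything not received on ${oif} is local traffic
${fwcmd} add skipto 60000 all from any to any not recv ${oif}

# Open ports forwarded to LAN hosts ("address port" pairs)
for iif in ${ifaces} ; do
	eval netif_p2p=\$firewall_p2p_${iif}
	# "set --": see above, a bare "set" would print all variables when
	# the list is empty
	set -- ${netif_p2p}
	while [ $# -ge 2 ]; do
		${fwcmd} add pass tcp from any to $1 $2 setup
		${fwcmd} add pass udp from any to $1 $2
		shift ; shift
	done
done

# Drop packets to ports where we don't want logging
for i in ${firewall_nologports} ; do
	${fwcmd} add deny { tcp or udp } from any to any $i
done

# http connection teardowns
${fwcmd} add reset tcp from any 80,443 to any 1024-65535

# Deny and (if wanted) log the rest unconditionally.
if checkyesno firewall_logdeny ; then
	log="log logamount 500"
	sysctl net.inet.ip.fw.verbose=1 >/dev/null
fi
${fwcmd} add deny $log ip from any to any

# Now it's safe to do local nets in
${fwcmd} add 60000 count all from any to any
for iif in ${ifaces}; do
	# pass all traffic via the internal net; without a configured
	# network, fall back to a reverse-path check instead
	eval netif_net=\$firewall_net_${iif}
	if [ -n "${netif_net}" ]; then
		${fwcmd} add pass all from any to any via ${iif}
	else
		${fwcmd} add pass all from any to any via ${iif} verrevpath
	fi
done
--------------090100060803090709040905--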