Date: Sat, 13 Apr 2013 11:01:38 -0700 From: Michael Sierchio <kudzu@tenebras.com> To: spil.oss@gmail.com Cc: freebsd-ipfw@freebsd.org Subject: Re: Problems with ipfw/natd and axe(4) Message-ID: <CAHu1Y71kKcMRTHeknGYi0rWU-u8HzzELakef4YiUd3krJjDbtA@mail.gmail.com> In-Reply-To: <CAEJyAvOZ6fW0i3yT_D4fH1huje-qsJwA7GGeXqAO1PKzge-YNw@mail.gmail.com> References: <CAEJyAvOZ6fW0i3yT_D4fH1huje-qsJwA7GGeXqAO1PKzge-YNw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
There are some things about this ruleset that are confused. Multiple deny rules where one will do, et. > 01100 deny ip from 10.16.2.1 to any in via ue0 > 01200 deny ip from 172.17.2.111 to any in via re0 > 01300 deny ip from any to 10.0.0.0/8 via ue0 > 01500 deny ip from any to 192.168.0.0/16 via ue0 > 01600 deny ip from any to 0.0.0.0/8 via ue0 > 01700 deny ip from any to 169.254.0.0/16 via ue0 > 01800 deny ip from any to 192.0.2.0/24 via ue0 > 01900 deny ip from any to 224.0.0.0/4 via ue0 > 02000 deny ip from any to 240.0.0.0/4 via ue0 and you need to think about inbound and outbound traffic, and a few other things. You have keep-state rules way down the ruleset and a divert natd in the middle. This won't do. 1. State what the requirements and intent are. I'm reluctant to dive into the solution space for an ill-defined problem. You conclude that the problem is with the NIC, and I think it's with your ruleset. For example, which interfaces are external, what's the topology, do external interfaces have public or private addresses, etc? Is this a firewall or a standalone box? Note that if you do a tcpdump, the checksums will look wrong because they're offloaded onto the NIC. That's normal. 2. Until you understand the interaction of NAT + stateful rules, don't use them. 3. Start with a small ruleset and nat config (show us your natd config) that is permissive, then gradually add protection. natd by itself is stateful, and will probably provide all you need. - M On Sat, Apr 13, 2013 at 6:34 AM, Spil Oss <spil.oss@gmail.com> wrote: > Hi All, > > I can't use ipfw with natd with my ASIX AX88772B USB NIC > > ipfw ruleset (slightly modified /etc/rc.firewall simple ruleset) > 00010 allow ip from any to me dst-port 22 recv ue0 > 00010 allow tcp from me 22 to any xmit ue0 > 00100 allow ip from any to any via lo0 > 00200 deny ip from any to 127.0.0.0/8 > 00300 deny ip from 127.0.0.0/8 to any > 00400 deny ip from any to ::1 > 00500 deny ip from ::1 to any > 00600 allow ipv6-icmp from :: to ff02::/16 > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10 > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16 > 00900 allow ipv6-icmp from any to any ip6 icmp6types 1 > 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136 > 01100 deny ip from 10.16.2.1 to any in via ue0 > 01200 deny ip from 172.17.2.111 to any in via re0 > 01300 deny ip from any to 10.0.0.0/8 via ue0 > 01500 deny ip from any to 192.168.0.0/16 via ue0 > 01600 deny ip from any to 0.0.0.0/8 via ue0 > 01700 deny ip from any to 169.254.0.0/16 via ue0 > 01800 deny ip from any to 192.0.2.0/24 via ue0 > 01900 deny ip from any to 224.0.0.0/4 via ue0 > 02000 deny ip from any to 240.0.0.0/4 via ue0 > 02100 divert 8668 ip4 from any to any via ue0 > 02200 deny ip from 10.0.0.0/8 to any via ue0 > 02400 deny ip from 192.168.0.0/16 to any via ue0 > 02500 deny ip from 0.0.0.0/8 to any via ue0 > 02600 deny ip from 169.254.0.0/16 to any via ue0 > 02700 deny ip from 192.0.2.0/24 to any via ue0 > 02800 deny ip from 224.0.0.0/4 to any via ue0 > 02900 deny ip from 240.0.0.0/4 to any via ue0 > 03000 allow tcp from any to any established > 03100 allow ip from any to any frag > 03200 allow tcp from any to me dst-port 22 setup > 03300 allow tcp from any to me dst-port 25 setup > 03400 allow tcp from any to me dst-port 465 setup > 03500 allow tcp from any to me dst-port 587 setup > 03600 allow tcp from any to me dst-port 80 setup > 03700 allow tcp from any to me dst-port 443 setup > 03800 deny log logamount 5 ip4 from any to any in via ue0 setup proto tcp > 03900 allow tcp from any to any setup > 04000 allow udp from me to any dst-port 53 keep-state > 04100 allow udp from me to any dst-port 123 keep-state > 04200 allow ip from any to any dst-port 22 recv ue0 > 65535 deny ip from any to any > > If I remove rule 10 it will NOT work with ue0, the same ruleset without > rule 10 DOES work with re0 on the same machine (re0 as external and ue0 as > internal NIC). > > If I connect from the gateway on 172.17.2.1 to the ssh server on this > machine, I can see the ACK and SYN+ACK but there's no ACK from the client > to the server to establish the tcp session. Only difference I could find > was that the checksum was incorrect. > > Found an older PR kern/170081 about fxp having trouble with nat when > rxcsum/txcsum was enabled, that is why I started fiddling with > rxcsum/txcsum and found that the NIC is unusable/dead without rxcsum/txcsum > enabled so this was not an option. > > # ifconfig ue0 > ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 > options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE> > ether 00:60:6e:42:5b:53 > inet6 fe80::260:6eff:fe42:5b53%ue0 prefixlen 64 scopeid 0x7 > inet 172.17.2.111 netmask 0xffffff00 broadcast 172.17.2.255 > nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> > media: Ethernet autoselect (100baseTX <full-duplex>) > status: active > > Any suggestions or pointers? > > Kind regards, > > Spil. > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHu1Y71kKcMRTHeknGYi0rWU-u8HzzELakef4YiUd3krJjDbtA>