IPFW kernel nat problem FreeBSD 8.1 release

Hello
I upgraded my FreeBSD 8.0 box to 8.1 and now have a problem with IPFW kernel nat:
config of nat 1 is

Code:
  ipfw nat 1 config if fxp2 log deny_in same_ports reset

sysctl -a|grep one_pass
Code:
net.inet.ip.fw.one_pass: 1

rule body of natting:

Code:
  ...
  20700 nat 1 ip from any to any via fxp2
  29900 deny ip from any to any

In 8.0 release these rules work fine,

Code:
   20700 12221 1314739 nat 1 ip from any to any via fxp2
   29900     0       0 deny ip from any to any
but in 8.1 all packets matched by rule 20700 do not leave the firewall and continue on to rule 29900:

Code:
   20700   0 5847 nat 1 ip from any to any via fxp2
   29900   0 6023 deny ip from any to any

Any idea?

Thanks a lot
 
I tried replacing ip with ip4 in the rule body (kern/148827):

Code:
nat 1 ip4 from any to any via fxp2

All the same, it did not help.
 
Hello, apanas.
If your problem is not yet solved, I could try to help you.
Give us the interface names and which are LAN/WAN; at this point it is not clear.
 
Not solved. fxp2 is the WAN interface. On the LAN interface everything is allowed.
Before the nat rule I have:
allow all from any to any via em0
 
Try to place the rule
allow all from any to any via em0
after the nat rule, just above the
deny ip from any to any
 
romeor said:
Try to place the rule
allow all from any to any via em0
after the nat rule, just above the
deny ip from any to any

This problem is not in the order of the rules.
This rule is not after but before the nat rule, and it is correct.
The whole firewall configuration works correctly on FreeBSD 7.1.
 
Well, it's true. I could get your configuration working too. But try this way of nat definition:

Code:
NatIP=""                                    # your external interface IP address, e.g. NatIP="203.0.113.10"
nated_lans="192.168.2.0/24,192.168.3.0/24"  # the LANs to translate (undefined in the original; ipfw takes a comma-separated list)
ipfw nat 1 config ip ${NatIP} log
#ipfw add nat 1 ip from 192.168.2.0/24 to any
#ipfw add nat 1 ip from 192.168.3.0/24 to any
ipfw add nat 1 ip from ${nated_lans} to any
ipfw add nat 1 ip from any to ${NatIP}

This way I managed to get it working.
It seems to be some kind of bug, as I didn't manage to get it working with this kind of nat definition:

Code:
ipfw nat 1 config if em1 log deny_in
ipfw add nat 1 ip from ${nated_lans} to any via em1
These two definitions are generally the same, but the second way seems not to work.
 
Code:
ipfw nat 1 show conf
ipfw nat 1 config ip xxx.xxx.xxx.xxx log same_ports reset
Without deny_in, with an IP address instead of the interface name, and... not working:

Code:
20700  2  137 nat 1 ip from any to any via fxp2
29900  2  137 deny ip from any to any
 
Sorry, I can't help you anymore, as I've got it working. I think you should try to review your rules to find a bug.
 
romeor said:
Sorry, I can't help you anymore, as I've got it working. I think you should try to review your rules to find a bug.

If this set of rules works absolutely correctly on FreeBSD 7.2 and 8.0... what kind of bug can I find? :)

Thank you.
 
apanas said:
If this set of rules works absolutely correctly on FreeBSD 7.2 and 8.0... what kind of bug can I find? :)

Thank you.
It only means that after the update there were some logical changes, so reviewing your own rules is always a good idea after an update :)
 
It may be a problem related to the sysctl one_pass in 8.1: it does not work with nat (and other subsystems as well) as expected... I too got this kind of trouble after upgrading from 7 to 8.

There are a couple of bug reports in the mailing lists, so people in the ipfw@ team should be aware of this bug... I hope...
 
Hi.
Yes, I too recently found this "feature" in 8.1. So, the solution is:

Code:
01370  967282663  551608705853 nat tablearg ip from table(22) to any via em0 out
01380 1093220611 1011316253622 nat tablearg ip from any to table(23) via em0 in
01400 2059912550 1562662531102 allow ip from any to any via em0
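The fix in the post above (an explicit allow placed after the nat rule) together with the counter check from the first post, as an added example that is not part of the thread or of FreeBSD's own rc scripts. It assumes WAN fxp2 and LAN em0 as named in the thread; the IPFW variable, the rule numbers and the script name are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project): builds the rule
# set discussed above with an explicit allow placed *after* the kernel nat
# rule, so it no longer relies on net.inet.ip.fw.one_pass ending the search
# after nat, and checks "ipfw -a list" counters for the first post's symptom
# (the final deny rule counting the nat'd packets). Assumes WAN fxp2 and LAN
# em0 (names from the thread); set IPFW=echo for a dry run.

IPFW="${IPFW:-ipfw}"

# Print the ipfw commands in order, one per line, for the given WAN and LAN.
build_nat_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
nat 1 config if $wan log deny_in same_ports reset
add 20000 allow ip from any to any via $lan
add 20700 nat 1 ip from any to any via $wan
add 20800 allow ip from any to any via $wan
add 29900 deny ip from any to any
EOF
}

# Feed the rules to ipfw (or to whatever IPFW names, e.g. echo for a dry run).
apply_nat_rules() {
    build_nat_rules "$1" "$2" | while IFS= read -r line; do
        $IPFW -q $line   # word-splitting of $line into arguments is intended
    done
}

# Read "ipfw -a list" output on stdin and print the packet counter of rule $1
# (rule numbers may be zero-padded, e.g. 01400, so compare numerically).
rule_packets() {
    awk -v r="$1" '$1 + 0 == r + 0 { print $2 + 0; exit }'
}

# Succeed (exit 0) when the final deny rule ($2) is counting packets even
# though the nat rule ($1) matched them: the behaviour reported for 8.1.
nat_leaks() {
    listing=$(cat)
    nat_pkts=$(printf '%s\n' "$listing" | rule_packets "$1")
    deny_pkts=$(printf '%s\n' "$listing" | rule_packets "$2")
    [ "${nat_pkts:-0}" -gt 0 ] && [ "${deny_pkts:-0}" -gt 0 ]
}

# Usage: "ipfw -a list | sh nat_check.sh check" or "sh nat_check.sh apply".
case "${1:-}" in
    check) nat_leaks 20700 29900 && echo "nat'd packets reach the deny rule" ;;
    apply) apply_nat_rules fxp2 em0 ;;
esac
```

Run the check against a live listing before and after adding the allow rule: on the broken 8.1 setup the deny counter grows in step with the nat counter, afterwards it stays at zero.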
 
ipfw kernel nat sucks in FreeBSD :( If you make more than 19 port forwards, you will receive an error in the log about a full buffer memory, and to solve this you have to hack the ipfw source and recompile ipfw itself and the kernel once more. I find this problematic if you use some kind of AMD K6 650 MHz, 64 KB cache and 160 RAM for routing. I had to give up using it until this "feature" is fixed.
 