Jonas Bülow
2009-Apr-25 14:34 UTC
ipfilter seems to be broken on 7.2-PRERELEASE as of April 25:th 2009.
Hi,

Today I updated one of my servers tracking FreeBSD 7-stable. (7.2-PRERELEASE #3: Sat Apr 25 10:01:00 CEST 2009).

After reboot it was not reachable from the network. After some troubleshooting I found that ipfilter seems to be the problem. Returning traffic originating from my host (XXX) is blocked:

    Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.766972 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,62539 PR udp len 20 72 IN bad NAT
    Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.804447 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,57266 PR udp len 20 534 IN bad NAT

Comparing the ipfilter-log from before the upgrade, there were no "IN bad NAT" log entries before the upgrade.

My active ipfilter rules are:

    block in log on fxp0 all
    pass out quick on fxp0 proto tcp from XXX/32 to any flags S/SAFR keep state
    pass out quick on fxp0 proto udp from XXX/32 to any keep state
    pass out quick on fxp0 proto icmp from XXX/32 to any keep state

My NAT rules are:

    map fxp0 10.1.0.0/24 -> XXX/32 proxy port ftp ftp/tcp
    map fxp0 10.1.0.0/24 -> XXX/32 portmap tcp/udp 1025:65500
    map fxp0 10.1.0.0/24 -> XXX/32

Anyone seen this behaviour?

Regards,
Jonas
Jason Chambers
2009-May-11 20:08 UTC
ipfilter seems to be broken on 7.2-PRERELEASE as of April 25:th 2009.
Jonas Bülow wrote:
>
> After reboot it was not reachable from the network. After some
> troubleshooting I found that ipfilter seems to be the problem. Returning
> traffic originating from my host (XXX) is blocked:
>
(... snip ...)
>
> Anyone seen this behaviour?
>

Yes. This appears to have made it to the RELEASE as well.

I believe it is due to updates to the FXP driver that allow checksumming for tx/rx. My guess is checksumming is enabled by default and you (and I) happen to have the cards recognized by FXP that do not support it. (The BAD in the ipf log represents bad checksum)

If you do "ifconfig fxp0 -txcsum -rxcsum" your problem should go away. For /etc/rc.conf, just add -txcsum -rxcsum to the interface definition.

Regards,
--Jason
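
An added example, not part of either post: a small parser for ipmon lines in the format quoted above. It reports interfaces where most inbound blocks carry the "bad" flag, the pattern this thread attributes to checksum offload. The third sample line, the function names and the 0.5 threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Field layout taken from the two ipmon lines quoted in the thread.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<dir>IN|OUT)(?P<flags>.*)$"
)

# Lines 1-2 are copied from the thread; line 3 is constructed (an ordinary
# block by the "block in log on fxp0 all" rule, without the "bad" flag).
SAMPLE_LOG = """\
Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.766972 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,62539 PR udp len 20 72 IN bad NAT
Apr 25 15:15:23 jongel ipmon[624]: 15:15:23.804447 fxp0 @0:1 b 193.13.15.11,53 -> 10.1.0.254,57266 PR udp len 20 534 IN bad NAT
Apr 25 15:16:02 jongel ipmon[624]: 15:16:02.120001 fxp0 @0:1 b 192.0.2.7,40000 -> 10.1.0.254,33434 PR udp len 20 76 IN
"""

def parse_line(line):
    """Return the fields of one ipmon line as a dict, or None if it does not match."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = rec["flags"].split()  # e.g. ["bad", "NAT"]
    return rec

def summarize_bad(log_text):
    """Map (interface, direction) -> (blocks flagged 'bad', all blocks)."""
    total, bad = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "b":  # "b" marks a blocked packet
            continue
        key = (rec["ifname"], rec["dir"])
        total[key] += 1
        if "bad" in rec["flags"]:
            bad[key] += 1
    return {k: (bad[k], total[k]) for k in total}

def offload_suspects(log_text, threshold=0.5):
    """Interfaces where at least `threshold` of inbound blocks are flagged 'bad'."""
    stats = summarize_bad(log_text)
    return sorted({ifn for (ifn, d), (b, t) in stats.items()
                   if d == "IN" and b / t >= threshold})

if __name__ == "__main__":
    print(summarize_bad(SAMPLE_LOG))
    print(offload_suspects(SAMPLE_LOG))
```

Run against logs from before and after an upgrade, a jump in the flagged share on one interface points at the NIC or driver rather than at the rule set.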