Hi Sergey,
Has the change from ip to ip4 solved the problem for you? The
documentation states that proto 'ip' is the same as 'all'
"Matches any
packet."
Rule # 60
$cmd 060 skipto 1000 ip6 from any to any
will have already skipped to the ipv6 rules block thus proto 'ip'
should always match remaining packets.
Meanwhile I found bug 148137 [ipfw] call order of natd and ipfw startup scripts
http://www.freebsd.org/cgi/query-pr.cgi?pr=148137&cat=conf
Don't know if that's directly related, but it may be worth a try to
revert back to the RELENG_8_0 script.
Will let you now my findings.
Kind regards,
Spil.
On Wed, Jul 21, 2010 at 2:57 PM, Sergey G Nasonov <snasonov@bcc.ru>
wrote:> Hello Spill,
>
> I have get the same trouble after updating my 8.0 Stable. I thing you need
> modify some firewall rules.
>
> Please change
>
> $cmd 100 divert natd ip from any to any in via $pif # Mangle inbound
>
> to
>
> $cmd 100 divert natd ip4 from any to any in via $pif # Mangle inbound
>
> and
>
> $cmd 500 divert natd ip from any to any out via $pif
>
> to
>
> $cmd 500 divert natd ip4 from any to any out via $pif
>
> accordingly.
>
> --
>
> Best Regards,
>
> Nasonov Sergey
On Wed, Jul 21, 2010 at 11:40 AM, Spil Oss <spil.oss@gmail.com>
wrote:> Hi,
>
> Testing FreeBSD 8.1 I noticed that I seem to have routing or nat or
> firewall issues. (csupped RELENG_8_1 which was -RELEASE not -RC last
> night?)
> - 8.1 booted fine
> - connections from the system itself were fine
> - connections from my jails to the internet were not working
> - connections from my LAN/WLAN to the internet were not working
> Reverting back to 8.0-p2 with the same configuration works fine.
>
> In UPDATING I see that rc.firewall and rc.firewall6 were unified.
>
> Setup is
> - xl0 connected to internet/public IP via dhcp
> - bge0/wlan0(ath0) connected to LAN
> - jails have ip's on bge0 in the same subnet as the LAN
> - allow all from any to any via bge0|wlan0|lo0
> - NAT using natd
>
> My guess is that something's changed to ipfw that is affecting my
> network settings. Any clues where I went wrong?
>
> Help appreciated/ Kind regards,
>
> Spil.
>
> rc.conf:
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
>
> natd.conf
> interface xl0
> dynamic yes
> same_ports yes
> # http/https to http jail
> redirect_port tcp 192.168.2.3:80 80
> redirect_port tcp 192.168.2.3:443 443
>
> Part of /etc/ipfw.rules
> #!/bin/sh
> cmd="ipfw -q add"
> skip="skipto 500"
> pif=xl0
> pif6=gif0
> ext6="2001:dead:beef:1::1"
> ks="keep-state"
>
> ipfw -q -f flush
>
> # Allow internal traffic
> $cmd 002 allow all from any to any via bge0 # exclude LAN traffic
> $cmd 003 allow all from any to any via lo0 ?# exclude loopback traffic
> $cmd 004 allow all from any to any via wlan0 # exclude WLAN traffic
> $cmd 005 allow all from any to any via bridge0 # exclude WLAN traffic
> $cmd 006 allow all from any to any via tun0 # exclude WLAN traffic
>
> # Allow all encapulated IPv6 to/from tunnel PoP
> $cmd 010 allow ip4 from <tunnel-provider-ipv4> to me via $pif
> $cmd 010 allow ip4 from me to <tunnel-provider-ipv4> via $pif
>
> # Black-hole some stuff using tables
> $cmd 050 drop ip from "table(17)" to any in via $pif
> $cmd 050 drop ip from any to "table(17)" out via $pif
>
> # Separate IPv6 rules (no NAT!)
> $cmd 060 skipto 1000 ip6 from any to any
>
> $cmd 100 divert natd ip from any to any in via $pif # Mangle inbound
> packets from external
> $cmd 101 check-state
>
> # Authorized outbound packets
> $cmd 130 $skip icmp from any to any out via $pif $ks
> $cmd 150 $skip tcp from any to any out via $pif $ks
> $cmd 151 $skip udp from any to any out via $pif $ks
>
> $cmd 200 allow udp from 10.50.0.1 to me 68 in $ks
>
> # Deny all inbound traffic from non-routable reserved address spaces
> $cmd 300 unreach host all from 192.168.0.0/16 ?to any in via $pif
> #RFC 1918 private IP
> $cmd 301 unreach host all from 172.16.0.0/12 ? to any in via $pif
> #RFC 1918 private IP
> $cmd 302 unreach host all from 10.0.0.0/8 ? ? ?to any in via $pif
> #RFC 1918 private IP
> $cmd 303 unreach host all from 127.0.0.0/8 ? ? to any in via $pif
?#loopback
> $cmd 304 unreach host all from 0.0.0.0/8 ? ? ? to any in via $pif
?#loopback
> $cmd 305 unreach host all from 169.254.0.0/16 ?to any in via $pif
> #DHCP auto-config
> $cmd 306 unreach host all from 192.0.2.0/24 ? ?to any in via $pif
> #reserved for docs
> $cmd 307 unreach host all from 204.152.64.0/23 to any in via $pif ?#Sun
cluster
> $cmd 308 unreach host all from 224.0.0.0/3 ? ? to any in via $pif
> #Class D & E multicast
>
> # Deny packets that did not match the dynamic rule table
> #$cmd 330 deny all from any to any frag in via $pif # All late fragments
> #$cmd 332 deny tcp from any to any established in via $pif # Deny ACK
>
> # Authorized inbound packets
> $cmd 400 allow icmp from any to any icmptypes 0,11 # echo reply and
TTL-exceeded
> $cmd 420 allow tcp from any to me ssh in via $pif setup $ks
> $cmd 421 allow tcp from any to me smtp in via $pif
> $cmd 422 allow tcp from any to me http in via $pif
> $cmd 423 allow tcp from any to me https in via $pif
> $cmd 424 allow tcp from any to me imaps in via $pif
>
> #$cmd 449 unreach host ip from any to any in via $pif
> $cmd 448 reject log all from any to any in via $pif
> $cmd 449 reject log all from any to any out via $pif
> $cmd 450 reject log ip from any to any
>
> # This is skipto location for outbound stateful rules
> $cmd 500 divert natd ip from any to any out via $pif
> $cmd 510 allow ip from any to any
>