Re: IPFW2 verrevpath issue (IPv4 TCP, fresh kernel)

2003-11-26 Thread Sean Chittenden
> > Is my expectation wrong or is there a pertinent IPFW2 bug in a current
> > 5.2-BETA kernel?
>
> You're alone in this, though cjc hasn't been able to reproduce this.
         ^^^
         not
>
> Are you on a multi-homed system?  -sc

Ack!  If ever there was a missing word to change the meaning of an
email!  What I meant to say was you're *not* alone in this... I'm
having this problem on my firewall/nat box but not my laptop.  -sc

-- 
Sean Chittenden
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IPFW2 verrevpath issue (IPv4 TCP, fresh kernel)

2003-11-26 Thread Sam Leffler
On Wednesday 26 November 2003 01:40 pm, Sean Chittenden wrote:
> > > Is my expectation wrong or is there a pertinent IPFW2 bug in a current
> > > 5.2-BETA kernel?
> >
> > You're alone in this, though cjc hasn't been able to reproduce this.
>          ^^^
>          not
> >
> > Are you on a multi-homed system?  -sc
>
> Ack!  If ever there was a missing word to change the meaning of an
> email!  What I meant to say was you're *not* alone in this... I'm
> having this problem on my firewall/nat box but not my laptop.  -sc

We've got a fix coming.

Sam



IPFW2 verrevpath issue (IPv4 TCP, fresh kernel)

2003-11-25 Thread Matthias Andree
Hi,

I seem to have difficulties with verrevpath in IPFW2 (current kernel,
cvsupped a few hours ago) which APPEARS to not match - or am I too
whatever to configure ipfw2 properly?

Excerpt from ipfw show:

| 00100   38   3216 allow ip from any to any via lo0
| 00200    0      0 deny ip from any to 127.0.0.0/8
| 00300    0      0 deny ip from 127.0.0.0/8 to any
| 00400   39  12941 deny log ip from any to any not verrevpath in
| 00500    0      0 deny ip from 192.168.0.0/24 to any in via tun0
| ...

Now, when I try to connect from my machine to a remote one with
ssh [EMAIL PROTECTED] I'm getting loads of

| kernel: ipfw: 400 Deny TCP 1.2.3.4:22 217.225.230.222:49228 in via tun0
| kernel: ipfw: 400 Deny TCP 1.2.3.4:22 217.225.230.222:49228 in via tun0

in syslog and the counter of the 00400 rule increases, and I don't get a
connection.  Leaving out the 00400 rule makes my outbound TCP
connections work.  (Apparently the 00400 rule swallows the SYN|ACK
packets.)

217.225.230.222 is my IP and 1.2.3.4 is the remote IP. tun0 is a PPPoE
interface, with ppp(8). I have a default route via 217.5.*.* gateway on
tun0 (both the default route and the host route for this 217.5.*.*
gateway use device tun0).

route get 1.2.3.4 prints that 1.2.3.4 is routed via some 217.5.*.*
host which is on tun0, so this looks fine.

I'd expect that the in via tun0 matched the outbound route as returned
by route get.

To add to the confusion, NTP (that uses UDP) is fine, the machine will
synchronize to an outside server (my ISP's DCF receiver) via the same
gateway just fine.

Is my expectation wrong or is there a pertinent IPFW2 bug in a current
5.2-BETA kernel?

-- 
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95
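The behaviour Matthias expects from rule 00400 follows directly from how ipfw(8) documents `verrevpath`: for an incoming packet, look up the route to the packet's *source* address, and the packet matches if the interface it arrived on is the outgoing interface of that route. The following Python model is an added example, not ipfw code and not part of the original thread; it uses a constructed routing table shaped like the poster's description (default route via tun0, 192.168.0.0/24 on xl0, loopback on lo0) and the addresses quoted in the post. It shows that, per the documented semantics, the SYN|ACK from 1.2.3.4:22 arriving on tun0 should *not* match `not verrevpath in`, while a packet claiming a 192.168.0.0/24 source on tun0 should be dropped, which is the anti-spoofing purpose of the rule. The reported match on the real kernel is what the later replies treat as a bug.

```python
"""Model of ipfw's ``verrevpath`` check against a constructed routing table.

ipfw(8): for an incoming packet, a routing table lookup is done on the
packet's source address; the packet matches ``verrevpath`` if the interface
it entered on equals the outgoing interface of that route.  The rule
``deny log ip from any to any not verrevpath in`` therefore drops inbound
packets whose source could not legitimately have arrived on that interface.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Constructed routing table (assumption, modelled on the poster's setup):
# default route via tun0 (PPPoE), the LAN on xl0, loopback on lo0.
ROUTES: List[Tuple[IPv4Network, str]] = [
    (IPv4Network("0.0.0.0/0"), "tun0"),
    (IPv4Network("192.168.0.0/24"), "xl0"),
    (IPv4Network("127.0.0.0/8"), "lo0"),
]


def route_lookup(dst: IPv4Address, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match: return the outgoing interface for ``dst``."""
    best: Optional[Tuple[IPv4Network, str]] = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def verrevpath(src: str, ingress_iface: str, routes=ROUTES) -> bool:
    """True if the route back to ``src`` leaves via the packet's ingress interface."""
    return route_lookup(IPv4Address(src), routes) == ingress_iface


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    direction: str  # "in" or "out"


def rule_400_matches(pkt: Packet, routes=ROUTES) -> bool:
    """Evaluate 'deny log ip from any to any not verrevpath in' as documented."""
    return pkt.direction == "in" and not verrevpath(pkt.src, pkt.iface, routes)


def log_line(pkt: Packet, rule: int = 400) -> str:
    """Render the syslog line ipfw would emit for a logged deny (format as quoted in the post)."""
    return (f"ipfw: {rule} Deny {pkt.proto} {pkt.src}:{pkt.sport} "
            f"{pkt.dst}:{pkt.dport} {pkt.direction} via {pkt.iface}")


# The SYN|ACK from the remote sshd, exactly as logged in the post.
SYN_ACK = Packet("TCP", "1.2.3.4", 22, "217.225.230.222", 49228, "tun0", "in")
# Constructed spoofed packet: LAN source address arriving from the Internet side.
SPOOFED = Packet("TCP", "192.168.0.5", 40000, "217.225.230.222", 22, "tun0", "in")

if __name__ == "__main__":
    for pkt in (SYN_ACK, SPOOFED):
        verdict = "DENY (rule 400)" if rule_400_matches(pkt) else "pass rule 400"
        print(f"{log_line(pkt):70s} -> {verdict}")
```

Run stand-alone, the model passes the SYN|ACK (its source routes back out tun0, the interface it came in on) and denies the spoofed LAN-sourced packet, so the log line quoted in the post is exactly what a `verrevpath` match should *not* produce for legitimate return traffic; seeing it for every reply packet on a single default route is the signal that the check itself, not the ruleset, is at fault.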


Re: IPFW2 verrevpath issue (IPv4 TCP, fresh kernel)

2003-11-25 Thread Sean Chittenden
> Is my expectation wrong or is there a pertinent IPFW2 bug in a current
> 5.2-BETA kernel?

You're alone in this, though cjc hasn't been able to reproduce this.
Are you on a multi-homed system?  -sc

-- 
Sean Chittenden


Re: IPFW2 verrevpath issue (IPv4 TCP, fresh kernel)

2003-11-25 Thread Matthias Andree
On Tue, 25 Nov 2003, Sean Chittenden wrote:

> > Is my expectation wrong or is there a pertinent IPFW2 bug in a current
> > 5.2-BETA kernel?
>
> You're alone in this, though cjc hasn't been able to reproduce this.
> Are you on a multi-homed system?  -sc

Sort of. I do have three xl(4) NICs in my system. xl0 and xl1 are
bridged via ng_bridge(*), IP 192.168.0.1 on one card, no IP on the
other; xl2 is the transport for tun0 (which is PPPoE in my case) and
doesn't have an IP either, so multi-homed might read tun0 has an
address, xl0 has another and lo0 has a third one.

These xl* cards shouldn't matter for my problem, at the time I tested my
firewall setups, the networks were idle with no other hosts attached.


I noticed that very recently there was a bug fix that made the machine
pick the right outbound address again (which it didn't for some days or
weeks, haven't compiled kernels daily) - I wonder if it's related.
Unfortunately, I don't have a 5.1-RELEASE box here to test. Would 4.9
with IPFW2 option be sufficiently similar in IPFW2 matters that it's
worthwhile testing?



(*) I have a configuration where the bridge is to have the same IP from
both xl0 and xl1. Traditional bridge code gets confused over ARP and
coughs up the MACs it would need and locks itself out,
netgraph-bridge is fine however.