I have a problem that seems to be a difference between ipfw/NAT
behaviour in 10-Stable versus 11-Stable. I have two servers: one running
10-Stable and one running 11-Stable. I'm using the same rule set on both
(see below). It works correctly on 10-Stable but not on 11.
The problem is seen on two places: an outgoing SMTP connection on port
465, and an incoming to an IMAP server on port 993. In both cases, there
are lost packets and retransmissions. See below for a tshark capture of
one attempted SMTP session.
Setting sysctl net.inet.ip.fw.one_pass to one or zero makes no
difference. Deleting the sshguard rule (table 22) makes no difference.
Deleting the nat rule makes everything work for this SMTP session (but
breaks the other machines on my network obviously).
I have no doubt that I have misconfigured the firewall, but I don't see
what. And why is 11 different to 10? Any help would be much appreciated.
Thanks in advance,
Graham
Tshark:
(XXX is the SMTP server, YYY is my public IP address)
root# tshark -Y tcp.port==465 -i igb1
Capturing on 'igb1'
4 0.722919 YYY → XXX TLSv1.2 180 Client Key Exchange, Change
Cipher Spec, Encrypted Handshake Message
527 17.822843 YYY → XXX TCP 180 [TCP Retransmission] 63024 → 465
[PSH, ACK] Seq=1 Ack=1 Win=65535 Len=126
1335 51.814540 YYY → XXX TCP 180 [TCP Retransmission] 63024 → 465
[PSH, ACK] Seq=1 Ack=1 Win=65535 Len=126
1393 85.806537 YYY → XXX TCP 180 [TCP Retransmission] 63024 → 465
[PSH, ACK] Seq=1 Ack=1 Win=65535 Len=126
2142 107.799346 XXX → YYY TCP 60 465 → 63024 [FIN, ACK] Seq=1 Ack=1
Win=15544 Len=0
2143 107.799393 YYY → XXX TCP 54 63024 → 465 [ACK] Seq=127 Ack=2
Win=65535 Len=0
2144 107.800135 YYY → XXX TCP 54 63024 → 465 [FIN, ACK] Seq=127 Ack=2
Win=65535 Len=0
2145 107.822047 YYY → XXX TCP 74 53762 → 465 [SYN] Seq=0 Win=65535
Len=0 MSS=1460 WS=64 SACK_PERM=1 TSval=2591962 TSecr=0
2146 107.977234 XXX → YYY TCP 60 465 → 63024 [RST] Seq=2 Win=0 Len=0
2149 108.001214 XXX → YYY TCP 62 465 → 53762 [SYN, ACK] Seq=0 Ack=1
Win=14600 Len=0 MSS=1460 SACK_PERM=1
2150 108.001270 YYY → XXX TCP 54 53762 → 465 [ACK] Seq=1 Ack=1
Win=65535 Len=0
2151 108.009014 YYY → XXX TLSv1 323 Client Hello
2160 108.187708 XXX → YYY TCP 60 465 → 53762 [ACK] Seq=1 Ack=270
Win=15544 Len=0
2176 108.687644 XXX → YYY TLSv1.2 1514 Server Hello
2177 108.687884 XXX → YYY TCP 1514 465 → 53762 [PSH, ACK] Seq=1461
Ack=270 Win=15544 Len=1460 [TCP segment of a reassembled PDU]
2178 108.687949 YYY → XXX TCP 54 53762 → 465 [ACK] Seq=270 Ack=2921
Win=62874 Len=0
2179 108.688175 XXX → YYY TCP 1230 465 → 53762 [PSH, ACK] Seq=2921
Ack=270 Win=15544 Len=1176 [TCP segment of a reassembled PDU]
2180 108.704012 XXX → YYY TCP 1514 465 → 53762 [ACK] Seq=4097 Ack=270
Win=15544 Len=1460 [TCP segment of a reassembled PDU]
2181 108.704052 YYY → XXX TCP 54 53762 → 465 [ACK] Seq=270 Ack=5557
Win=64240 Len=0
2182 108.704625 XXX → YYY TLSv1.2 969 Certificate, Server Key
Exchange, Server Hello Done
2183 108.715222 YYY → XXX TLSv1.2 180 Client Key Exchange, Change
Cipher Spec, Encrypted Handshake Message
2211 109.133829 YYY → XXX TCP 180 [TCP Retransmission] 53762 → 465
[PSH, ACK] Seq=270 Ack=6472 Win=65535 Len=126
2238 109.443030 XXX → YYY TCP 969 [TCP Spurious Retransmission] 465 →
53762 [PSH, ACK] Seq=5557 Ack=270 Win=15544 Len=915[Reassembly error,
protocol TCP: New fragment overlaps old data (retransmission?)]
2239 109.443099 YYY → XXX TCP 54 [TCP Dup ACK 2183#1] 53762 → 465
[ACK] Seq=396 Ack=6472 Win=65535 Len=0
2244 109.772021 YYY → XXX TCP 180 [TCP Retransmission] 53762 → 465
[PSH, ACK] Seq=270 Ack=6472 Win=65535 Len=126
2301 110.827331 YYY → XXX TCP 180 [TCP Retransmission] 53762 → 465
[PSH, ACK] Seq=270 Ack=6472 Win=65535 Len=126
2402 112.770796 YYY → XXX TCP 180 [TCP Retransmission] 53762 → 465
[PSH, ACK] Seq=270 Ack=6472 Win=65535 Len=126
2612 116.391551 YYY → XXX TCP 180 [TCP Retransmission] 53762 → 465
[PSH, ACK] Seq=270 Ack=6472 Win=65535 Len=126
2711 119.018591 YYY → XXX TCP 180 [TCP Retransmission] 53762 → 465
[PSH, ACK] Seq=270 Ack=6472 Win=65535 Len=126
2737 123.957850 YYY → XXX TCP 180 [TCP Retransmission] 53762 → 465
[PSH, ACK] Seq=270 Ack=6472 Win=65535 Len=126
2789 133.632511 YYY → XXX TCP 180 [TCP Retransmission] 53762 → 465
[PSH, ACK] Seq=270 Ack=6472 Win=65535 Len=126
2859 152.776509 YYY → XXX TCP 180 [TCP Retransmission] 53762 → 465
[PSH, ACK] Seq=270 Ack=6472 Win=65535 Len=126
^C32 packets captured
root#
Rules:
# stop spoofing
add deny all from LAN_NET to any in via OUTSIDE_IF
add deny all from WIFI_NET to any in via OUTSIDE_IF
# allow anything on the LAN
add allow all from any to any via LAN_IF
# and from the VPN
add allow all from any to any via VPN_IF
# allow anything from the wireless network to the outside world (but not
to the LAN)
add allow ip from any to not LAN_NET via WIFI_IF
# create a table of addresses to block
#table 1 destroy
#table 1 create type addr
table 1 flush
# add