ipfw forward bug?



Hello.

I have a strange problem with a forward rule.

 isp1                 +----------+
<-----[fxp0:x.x.x.1/24] router_1 [re0:10.200.1.1/24]--------+
                      |     [xl2:10.4.2.1/24]---+           |
                      +----------+              |           |
 +--------+                                     |           |
 | host_1 [10.4.2.121/24]-----------------------+           |
 +--------+                                                 |
                                                            |
 isp2                    +----------+                       |
<-----[xl2:172.16.42.2/24] router_2 [re0:10.200.1.2/24]-----+
                         +----------+

router_1 propagates the default route via fxp0 (isp1) for the local network.
router_2 has a link via xl2 to isp2 and its default route is 10.200.1.1.
I want to send the external traffic of host_1 via isp2, but have run into
trouble.


router_2 ipfw rules:

root@main# ipfw -c show
00100 321246 89176165 allow via lo0
00200 40 2000 deny { src-ip 127.0.0.0/8 or dst-ip 127.0.0.0/8 }
00400 7226 231262 allow dst-ip 224.0.0.0/4
00500 354153 88470867 allow src-ip 10.0.0.0/8 dst-ip 10.0.0.0/8
00600 0 0 check-state

00700 65 5460 skipto 50000 log proto icmp dst-ip 10.4.2.121 in keep-state
00800 0 0 skipto 50000 log proto icmp dst-ip 10.4.2.121 out keep-state
00900 0 0 skipto 50000 log proto icmp src-ip 10.4.2.121 in keep-state
01000 0 0 skipto 50000 log proto icmp src-ip 10.4.2.121 out keep-state

01800 133396 44504758 allow

50000 32 2688 fwd 172.16.42.1 log src-ip 10.4.2.121 in
50100 26445 5425866 allow

! Rules 800, 900 and 1000 are for testing only.


Now ping from an external host.

-bash-2.05b$ ping -c 1 olymp.uni-altai.ru
PING olymp.uni-altai.ru (83.246.136.148): 56 data bytes

--- olymp.uni-altai.ru ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

! The isp2 Cisco NATs 83.246.136.145 to 10.4.2.121 and vice versa.


router_2 security.log contains:

Dec 27 00:52:22 main kernel: ipfw: \
700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 in via xl2
Dec 27 00:52:22 main kernel: ipfw: \
700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 out via re0
Dec 27 00:52:22 main kernel: ipfw: \
700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: \
50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FORWARD !!!
Dec 27 00:52:22 main kernel: ipfw: \
700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ BUT GO TO DEFAULTROUTE !!! ... ?
Why "out via re0"? I expected "out via xl2".

And it loops:

Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
...
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0

send-pr?

/swp
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
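Two things a practitioner would check before filing a PR against this log. First, on FreeBSD kernels of that era the `fwd` action only takes effect when the kernel is built with `options IPFIREWALL_FORWARD`; without it the rule is accepted and logged as "Forward to", but the packet still follows the normal routing table, which is exactly the pattern above (Forward logged "in via re0", packet leaves "out via re0" toward the default route, comes back, repeat). Second, the log itself can be mined for that pattern. The script below is an added example, not code from the post or from FreeBSD: it parses the ipfw log line format shown above (rule number, action, proto, src, dst, direction, interface), groups lines into flows, and flags any flow where an inbound packet hit "Forward to X" and the very next record for the same flow is the packet going "out via" the interface it arrived on. The sample log is constructed from the lines quoted in the post, with the `\` continuations rejoined.

```python
"""Spot ipfw 'fwd' decisions the kernel did not honour, from ipfw log lines.

Added example (not from the original post). It replays the security.log lines
quoted above and flags a flow whose inbound packet hit a "Forward to" rule but
then left the box "out via" the same interface it arrived on, i.e. the
forward-ignored routing loop the post shows.
"""
import re
from collections import defaultdict

# Sample input: constructed from the router_2 security.log excerpt quoted in
# the post, "ipfw: \" continuations rejoined, so the script runs offline.
SAMPLE_LOG = """\
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 in via xl2
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:8.0 80.71.162.250 10.4.2.121 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 out via re0
Dec 27 00:52:22 main kernel: ipfw: 700 SkipTo 50000 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
Dec 27 00:52:22 main kernel: ipfw: 50000 Forward to 172.16.42.1 ICMP:0.0 10.4.2.121 80.71.162.250 in via re0
"""

# ipfw log record: "<rule> <action> <proto> <src> <dst> in|out via <iface>".
# Multi-word actions (SkipTo N, Forward to X, ...) are listed before the
# generic single-word fallback (Accept, Deny, Count, ...).
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) "
    r"(?P<action>SkipTo \d+|Forward to \S+|Divert \d+|Pipe \d+|Queue \d+|"
    r"Tee \d+|Unreach \d+|\w+) "
    r"(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_log(text):
    """Return one dict per parseable ipfw log line, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_ignored_forwards(events):
    """Return the flows whose 'Forward to' decision was not honoured.

    A bounce is: packet hits "Forward to X" while inbound on interface I, and
    the next record for the same (proto, src, dst) flow is the packet leaving
    "out via I". The fwd next-hop was ignored and the packet followed the
    routing table back out the way it came. 'bounces' counts repetitions,
    which is the loop visible in the post.
    """
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[(ev["proto"], ev["src"], ev["dst"])].append(ev)

    findings = []
    for flow, evs in by_flow.items():
        bounces = 0
        nexthop = iface = None
        for cur, nxt in zip(evs, evs[1:]):
            if (cur["action"].startswith("Forward to") and cur["dir"] == "in"
                    and nxt["dir"] == "out" and nxt["iface"] == cur["iface"]):
                bounces += 1
                nexthop = cur["action"].split()[-1]
                iface = cur["iface"]
        if bounces:
            findings.append({"flow": flow, "fwd_nexthop": nexthop,
                             "iface": iface, "bounces": bounces})
    return findings


if __name__ == "__main__":
    for f in find_ignored_forwards(parse_ipfw_log(SAMPLE_LOG)):
        print("fwd to %s ignored: %s/%s->%s left out via %s %d time(s)" % (
            f["fwd_nexthop"], f["flow"][0], f["flow"][1], f["flow"][2],
            f["iface"], f["bounces"]))
```

On a live router, `ipfw -c show` and the log only tell you what ipfw decided, not what the IP stack did with it; if this script reports bounces, check whether the kernel was built with `options IPFIREWALL_FORWARD` before assuming the rule or the `in`/`out` matching is at fault.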