Problems with ipfw/natd and axe(4)

Spil Oss spil.oss at gmail.com
Mon Apr 15 19:04:33 UTC 2013


Hi all,

Network dumps as promised
On 172.17.2.1:
      tcpdump -p -i bridge0 -s 0 -w ssh-fail.pcap host not 172.17.2.167
From 172.17.2.1 I ran
      telnet 172.17.2.111/157 22
In Wireshark I trimmed the capture a bit further with expression
      'not stp and not http'

Initial setup (ue0 ext, re0 int, rule 10 to allow ssh)
     -> ue0-ssh-success.pcap
Removed rule 10
     -> ue0-ssh-fail.pcap
Switched re0 and ue0, default ruleset (without 10)
     -> re0-ssh-success.pcap

According to YungHyeong the sample ASIX NIC he has works normally when
checksumming is disabled.

Kind regards,

Spil.




On Mon, Apr 15, 2013 at 8:25 AM, Ian Smith <smithi at nimnet.asn.au> wrote:

> On Sun, 14 Apr 2013 10:34:06 -0700, Michael Sierchio wrote:
>  > On Sun, Apr 14, 2013 at 10:26 AM, Ian Smith <smithi at nimnet.asn.au> wrote:
>  >
>  > > 'allow ip' aka 'allow all' doesn't usually take a port number, which
>  > > applies only to tcp and udp.
>  >
>  > It does in ipfw - in which case it means ( udp | tcp )
>
> You're quite right, and my assumption that it would also permit icmp
> was quite wrong, after a quick test.
>
> Which appears to leave the bypassed divert not working with rx/txcsum
> the only viable suspect.  The ruleset is otherwise 'out of the box'.
>
> Does anyone know whether this is an issue with libalias(3) generally -
> in which case using nat instead of divert shouldn't help - or just with
> natd in particular?
>
> cheers, Ian
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ue0-ssh-success.pcap
Type: application/octet-stream
Size: 825 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20130415/d9555349/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ue0-ssh-fail.pcap
Type: application/octet-stream
Size: 994 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20130415/d9555349/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: re0-ssh-success.pcap
Type: application/octet-stream
Size: 825 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-ipfw/attachments/20130415/d9555349/attachment-0002.obj>

