kern/147191: [ppp] Problems with ppp -nat [pppoe], ipfw, dummynet
Jose M Rodriguez
josemi at freebsd.jazztel.es
Wed Jun 2 00:50:04 UTC 2010
The following reply was made to PR kern/147191; it has been noted by GNATS.
From: Jose M Rodriguez <josemi at freebsd.jazztel.es>
To: bug-followup at FreeBSD.org, josemi at freebsd.jazztel.es
Cc:
Subject: Re: kern/147191: [ppp] Problems with ppp -nat [pppoe], ipfw, dummynet
Date: Wed, 02 Jun 2010 02:37:20 +0200
Seems that this must be reopened.
After redoing the rules to work with one_pass=0, problems of all sorts are still alive.
- ppp nat seems to consume all translated traffic 'in to out', with or without one_pass set,
but traffic 'out to in' hits ipfw rules following the specs.
- after changing to mpd5 + natd, problems are even more strange, and the firewall mostly works
only if local net traffic is done LAST and not FIRST. But some NATed
apps fail (jdownloader, bitcomet file downloader), while others work
(firefox and its file downloader).
My vote is for some problem with libalias.
At the moment, I MUST put the shaper FIRST, catching the traffic coming
from the local net.
I'm very busy now, but can go over this again after 2 weeks.
Attached is rc.firewall, mostly working with mpd5 + natd, as reference.

[Attachment: rc.firewall.router.1]
#!/bin/sh -
# Copyright (c) 1996 Poul-Henning Kamp
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: src/etc/rc.firewall,v 1.60.2.3 2010/04/14 15:03:58 ume Exp $
#
# $Log$
#
# Setup system for ipfw(4) firewall service on AHS router
#
# Configuration:
#   firewall_resetports:
#       List of TCP ports reset on incoming
#   firewall_myservices:
#       List of TCP ports on which this host offers services.
#   firewall_myudpports:
#       List of UDP ports on which this host offers services.
#   firewall_logdeny:
#       Boolean (YES/NO) specifying if the default denied packets should be
#       logged (in /var/log/security).
#   firewall_nologports:
#       List of TCP/UDP ports for which denied incoming packets are not logged.
#   firewall_oif:
#       Outside IPv4 network interface, default to tun0.
#   firewall_iifaces:
#       Inside network interface list.
#   firewall_net_${iface}
#       IPv4 network definition for each of the previous interfaces.
#   firewall_p2p_${iface}
#       List of "address port" pairs for opened TCP/UDP ports on ${iface}
#   firewall_p2p_uids
#       List of uids of p2p daemons running on me

# predefined
firewall_resetports="53,113,135-139,445"
firewall_p2p_uids="mlnet transmission"
for u in ${firewall_p2p_uids}; do
    eval ${u}_enable="NO"
done
mpd_enable="NO"

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi

. /etc/rc.subr
. /etc/network.subr

# afexists (network.subr) returns 0 when the address family is in the kernel
afexists inet6
ipv6_available=$?

# macros
fwcmd="/sbin/ipfw"
ifaces=${firewall_iifaces}
if checkyesno mpd_enable ; then
    oif=${firewall_oif-ng0}
else
    oif=${firewall_oif-tun0}
fi
log=""

# Set quiet mode if requested
checkyesno firewall_quiet && fwcmd="${fwcmd} -q"

# Flush out the list before we begin.
${fwcmd} -f flush

# setup loopback
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny all from 127.0.0.0/8 to any

# setup ipv6 mandatory (only when the kernel has inet6)
if [ $ipv6_available -eq 0 ]; then
    ${fwcmd} add 400 deny all from any to ::1
    ${fwcmd} add 500 deny all from ::1 to any
    # DAD
    ${fwcmd} add pass ipv6-icmp from :: to ff02::/16
    # RS, RA, NS, NA, redirect...
    ${fwcmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
    ${fwcmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
    # ICMPv6 destination unreachable, toobig, NS, NA
    ${fwcmd} add pass ipv6-icmp from any to any icmp6types 1,2,135,136
fi

# setup tables
${fwcmd} table all flush
# one table (${astable}) of addresses never expected on the outside
# interface; the value tags the reason each prefix is listed
astable=1
astn=1
asln=2
aspn=3
asipv4=4
ascle=5
asmcast=6
# rfc 1912 local net
${fwcmd} table ${astable} add 0.0.0.0/8 ${asln}         # this network
${fwcmd} table ${astable} add 127.0.0.0/8 ${asln}       # local net
${fwcmd} table ${astable} add 255.0.0.0/8 ${asln}       # local net
# rfc 1918 private nets
${fwcmd} table ${astable} add 10.0.0.0/8 ${aspn}        # private net
${fwcmd} table ${astable} add 172.16.0.0/12 ${aspn}     # private net
${fwcmd} table ${astable} add 192.168.0.0/16 ${aspn}    # private net
# Link-local/APIPA (RFCs 3330 and 3927)
${fwcmd} table ${astable} add 169.254.0.0/16 ${aspn}    # link-local/APIPA
# TEST-NET-[1-3] for Documentation (RFC 5737)
${fwcmd} table ${astable} add 192.0.0.0/24 ${astn}      # IETF net
${fwcmd} table ${astable} add 192.0.2.0/24 ${astn}      # test net
${fwcmd} table ${astable} add 198.51.100.0/24 ${astn}   # test net
${fwcmd} table ${astable} add 203.0.113.0/24 ${astn}    # test net
# Router Benchmark Testing (RFC 3330)
${fwcmd} table ${astable} add 198.18.0.0/15 ${astn}     # router benchmark
# IANA Reserved - Old Class E Space
${fwcmd} table ${astable} add 240.0.0.0/5 ${ascle}      # old CLASS E
${fwcmd} table ${astable} add 248.0.0.0/6 ${ascle}      # old CLASS E
${fwcmd} table ${astable} add 252.0.0.0/7 ${ascle}      # old CLASS E
${fwcmd} table ${astable} add 254.0.0.0/8 ${ascle}      # old CLASS E
# Multicast
${fwcmd} table ${astable} add 224.0.0.0/3 ${asmcast}
# other
#${fwcmd} table ${astable} add 1.0.0.0/8 ${asipv4}      # APNIC
${fwcmd} table ${astable} add 1.0.0.0/13 ${asipv4}
${fwcmd} table ${astable} add 1.8.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 1.10.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 1.20.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 1.32.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 1.37.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 1.187.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 5.0.0.0/8 ${asipv4}       # Un. hamachi
${fwcmd} table ${astable} add 23.0.0.0/8 ${asipv4}      # Un. bogon
#${fwcmd} table ${astable} add 31.0.0.0/8 ${asipv4}     # bogon/RIPE
${fwcmd} table ${astable} add 31.0.0.0/16 ${asipv4}
${fwcmd} table ${astable} add 31.1.0.0/21 ${asipv4}
${fwcmd} table ${astable} add 31.1.24.0/24 ${asipv4}
${fwcmd} table ${astable} add 36.0.0.0/7 ${asipv4}      # bogon
${fwcmd} table ${astable} add 39.0.0.0/8 ${asipv4}      # bogon
${fwcmd} table ${astable} add 42.0.0.0/8 ${asipv4}      # bogon
${fwcmd} table ${astable} add 49.0.0.0/8 ${asipv4}      # bogon
${fwcmd} table ${astable} add 100.0.0.0/6 ${asipv4}     # bogon
${fwcmd} table ${astable} add 104.0.0.0/7 ${asipv4}     # bogon
${fwcmd} table ${astable} add 106.0.0.0/8 ${asipv4}     # bogon
${fwcmd} table ${astable} add 128.0.0.0/16 ${asipv4}    # ARIN, rfc 3300?
${fwcmd} table ${astable} add 128.66.0.0/16 ${asipv4}   # ARIN?
${fwcmd} table ${astable} add 177.0.0.0/8 ${asipv4}
${fwcmd} table ${astable} add 179.0.0.0/8 ${asipv4}
${fwcmd} table ${astable} add 181.0.0.0/8 ${asipv4}
${fwcmd} table ${astable} add 185.0.0.0/8 ${asipv4}
#${fwcmd} table ${astable} add 191.255.0.0/16 ${asipv4} # LACNIC
#${fwcmd} table ${astable} add 192.0.0.0/19 ${asipv4}   # ARIN
${fwcmd} table ${astable} add 192.0.48.0/20 ${asipv4}   # ARIN
${fwcmd} table ${astable} add 192.0.64.0/18 ${asipv4}   # ARIN
${fwcmd} table ${astable} add 192.0.128.0/17 ${asipv4}  # ARIN
#${fwcmd} table ${astable} add 197.0.0.0/8 ${asipv4}    # AfriNIC
${fwcmd} table ${astable} add 204.152.64.0/23 ${asipv4}

# dummynet
if checkyesno dummynet_enable ; then
    # pipe number (outp), queue numbers (*q) and the fixed rule numbers (*r)
    # of the "queue" rules that the classifier below jumps to with skipto
    outp=1
    ufq=2
    ufr=8000
    fq=3
    fr=8400
    nq=4
    nr=8800
    lq=5
    lr=9200
    ulq=6
    ulr=9400
    # tags, scheds, ...
    p2p=1
    sched=1
    # sysctl: one_pass=0 so a packet continues down the list after a queue rule
    sysctl net.inet.ip.fw.one_pass=0 >/dev/null
    sysctl net.inet.ip.fw.verbose=0 >/dev/null
    sysctl net.inet.ip.dummynet.io_fast=1 >/dev/null
    # queues
    ${fwcmd} pipe ${outp} config bw ${firewall_outbw-0} \
        burst ${firewall_out_burst-29840}
    ${fwcmd} queue ${ufq} config pipe ${outp} \
        weight ${firewall_ufast_weight-100} queue 90
    ${fwcmd} queue ${fq} config pipe ${outp} \
        weight ${firewall_fast_weight-75}
    ${fwcmd} queue ${nq} config pipe ${outp} \
        weight ${firewall_weight-40}
    ${fwcmd} queue ${lq} config pipe ${outp} \
        weight ${firewall_lo_weight-25}
    ${fwcmd} queue ${ulq} config pipe ${outp} \
        weight ${firewall_ulow_weight-1}
    ${fwcmd} sched ${sched} config type ${firewall_sched_type-QFQ}
fi

# RULES
#
# Danger Will Robinson.
# Seems that on FreeBSD 8.1 you can't pass traffic in to be forwarded, or
# queue/divert/outgoing rules can't see it. Strange.
#

# pass DHCP requests
for dhcpif in $(list_net_interfaces dhcp) ; do
    ${fwcmd} add pass udp from any 67 to any 68 recv ${dhcpif}
    ${fwcmd} add pass udp from any 68 to any 67 xmit ${dhcpif}
done

# local nets
for iif in ${ifaces}; do
    # pass dhcpv4 traffic from/to our server
    if checkyesno dhcpd_enable; then
        ${fwcmd} add pass udp from any 68 to any 67 recv ${iif}
        ${fwcmd} add pass udp from any 67 to any 68 xmit ${iif}
    fi
    # Local net anti-spoofing
    eval netif_net=\$firewall_net_${iif}
    if [ -n "${netif_net}" ]; then
        ${fwcmd} add deny all from any to not ${netif_net} xmit ${iif}
        ${fwcmd} add deny all from not ${netif_net} to any recv ${iif}
    fi
done

# Deny TCP fragments (use PATH mtu), allow rest
${fwcmd} add deny tcp from any to any frag

# anti spoofing
${fwcmd} add deny all from table\(${astable}\) to any recv ${oif}
${fwcmd} add deny all from any to table\(${astable}\) xmit ${oif}

# Well Known traffic not allowed: domain, smb, ...
${fwcmd} add reset tcp from any to any ${firewall_resetports} via ${oif}
${fwcmd} add reset tcp from any ${firewall_resetports} to any via ${oif}

# Outgoing queues
if checkyesno dummynet_enable ; then
    # Don't queue traffic that is not outgoing
    ${fwcmd} add skipto 10000 all from any to any in
    ${fwcmd} add skipto 30000 all from any to any not via ${oif}
    # ultra low / low
    for u in ${firewall_p2p_uids}; do
        if checkyesno ${u}_enable ; then
            ${fwcmd} add skipto ${lr} tcp from any to any \
                uid ${u} established
            ${fwcmd} add skipto ${ulr} tcp from any to any \
                uid ${u} setup
            ${fwcmd} add skipto ${ulr} udp from any to any \
                uid ${u}
        fi
    done
    for iif in ${ifaces} ; do
        eval netif_p2p=\$firewall_p2p_${iif}
        # "set --" so an empty list clears $@ instead of dumping all variables
        set -- ${netif_p2p}
        while [ $# -ge 2 ]; do
            ${fwcmd} add skipto ${lr} tcp from $1 $2 to any established
            ${fwcmd} add skipto ${ulr} tcp from $1 $2 to any setup
            ${fwcmd} add skipto ${ulr} udp from $1 $2 to any
            shift ; shift
        done
    done
    # ultra fast
    ${fwcmd} add skipto ${ufr} tcp from any to any \
        iptos lowdelay
    ${fwcmd} add skipto ${ufr} tcp from any to any \
        tcpdatalen 0 established
    ${fwcmd} add skipto ${ufr} udp from me to any 53,123
    # fast
    ${fwcmd} add skipto ${fr} tcp from any to any setup
    ${fwcmd} add skipto ${fr} tcp from any to any 22,443,2222 \
        established
    # rest is normal
    ${fwcmd} add skipto ${nr} all from any to any
    # queues: with one_pass=0 the packet goes on after the queue rule,
    # so each queue rule is followed by a jump to the NAT/policy part
    # ultra fast
    ${fwcmd} add ${ufr} queue ${ufq} all from any to any
    ${fwcmd} add skipto 30000 all from any to any
    # fast
    ${fwcmd} add ${fr} queue ${fq} all from any to any
    ${fwcmd} add skipto 30000 all from any to any
    # normal
    ${fwcmd} add ${nr} queue ${nq} all from any to any
    ${fwcmd} add skipto 30000 all from any to any
    # low
    ${fwcmd} add ${lr} queue ${lq} all from any to any
    ${fwcmd} add skipto 30000 all from any to any
    # ultra low
    ${fwcmd} add ${ulr} queue ${ulq} all from any to any
    ${fwcmd} add skipto 30000 all from any to any
fi

# incoming traffic
${fwcmd} add 10000 skipto 30000 all from any to any not via ${oif}
# Open ports
for port in ${firewall_myservices} ; do
    ${fwcmd} add pass tcp from any to me ${port} setup
done
for port in ${firewall_myudpports} ; do
    ${fwcmd} add pass udp from any to me ${port}
done
for user in ${firewall_p2p_uids}; do
    if checkyesno ${user}_enable ; then
        ${fwcmd} add pass tcp from any to me setup uid ${user}
        ${fwcmd} add pass udp from any to me uid ${user}
    fi
done
# Noise from routers
${fwcmd} add deny udp from any to any 520 recv ${oif}

# setup natd
${fwcmd} add 30000 count all from any to any
case ${natd_enable} in
[Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
        ${fwcmd} add divert natd ip4 from any to any via ${natd_interface}
    fi
    ;;
esac
case ${firewall_nat_enable} in
[Yy][Ee][Ss])
    if [ -n "${firewall_nat_interface}" ]; then
        firewall_nat_flags="${firewall_nat_interface} ${firewall_nat_flags}"
        if echo "${firewall_nat_interface}" | \
            grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
            firewall_nat_flags="ip ${firewall_nat_flags}"
        else
            firewall_nat_flags="if ${firewall_nat_flags}"
        fi
        ${fwcmd} nat 123 config log ${firewall_nat_flags}
        ${fwcmd} add nat 123 ip4 from any to any \
            via ${firewall_nat_interface}
    fi
    ;;
esac

# Allow non-TCP fragments (TCP fragments were denied above)
${fwcmd} add pass all from any to any frag

# Allow packets for which a state has been built.
${fwcmd} add check-state

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

# icmp traffic
# Allow "mandatory" ICMP in.
${fwcmd} add pass icmp from any to any icmptypes 3,4,11
# Some servers will ping the IP while trying to decide
${fwcmd} add pass icmp from any to any icmptypes 8

# pass outgoing traffic
${fwcmd} add pass tcp from any to any xmit ${oif} setup
${fwcmd} add pass udp from any to any xmit ${oif} keep-state
${fwcmd} add pass icmp from any to any xmit ${oif} keep-state

# incoming from outside
${fwcmd} add skipto 60000 all from any to any not recv ${oif}
# Open ports
for iif in ${ifaces} ; do
    eval netif_p2p=\$firewall_p2p_${iif}
    set -- ${netif_p2p}
    while [ $# -ge 2 ]; do
        ${fwcmd} add pass tcp from any to $1 $2 setup
        ${fwcmd} add pass udp from any to $1 $2
        shift ; shift
    done
done

# Drop packets to ports where we don't want logging
for i in ${firewall_nologports} ; do
    ${fwcmd} add deny { tcp or udp } from any to any $i
done

# http connection teardowns
${fwcmd} add reset tcp from any 80,443 to any 1024-65535

# Deny and (if wanted) log the rest unconditionally.
if checkyesno firewall_logdeny ; then
    log="log logamount 500"
    sysctl net.inet.ip.fw.verbose=1 >/dev/null
fi
${fwcmd} add deny $log ip from any to any

# Now it's safe to do local nets in
${fwcmd} add 60000 count all from any to any
for iif in ${ifaces}; do
    # pass all traffic via the internal net
    eval netif_net=\$firewall_net_${iif}
    if [ -n "${netif_net}" ]; then
        ${fwcmd} add pass all from any to any via ${iif}
    else
        ${fwcmd} add pass all from any to any via ${iif} verrevpath
    fi
done
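The attached script depends on two things ipfw does silently: unnumbered rules are numbered as the last rule plus net.inet.ip.fw.autoinc_step (so a numbered rule such as `add 8000` is placed by number, not by issue order), and every `skipto` must reach a rule further down the list (the queue rules at 8000..9400, and the 10000/30000/60000 anchors). The checker below is an added example, not part of the PR or of FreeBSD's rc.firewall: it reads `add ...` lines, simulates the numbering, and flags a skipto that does not go forward, so a broken ruleset shows up offline rather than on the router. The sample rulesets, the STEP variable and the function names are constructed for this example; rules are fed on stdin exactly as they are handed to ipfw.

```shell
#!/bin/sh
# Offline checker for the skipto structure of an ipfw ruleset.
# Constructed example; not part of PR kern/147191 or of FreeBSD.
# Simulated ipfw behaviour: an explicit rule number is kept; an unnumbered
# rule gets (highest number so far + STEP), STEP mirroring
# net.inet.ip.fw.autoinc_step (default 100); rules are ordered by number.
# skipto only jumps forward: a target at or below the jumping rule is an
# error, a target with no rule of exactly that number is only noted (ipfw
# continues at the first rule numbered >= target).

STEP=${STEP:-100}

# number_rules: read "[ipfw] add [num] action ..." lines from stdin, print
# "num action ..." with the number ipfw would assign; warnings go to stderr.
number_rules() {
    awk -v step="$STEP" '
    {
        sub(/^[ \t]*(ipfw[ \t]+)?add[ \t]+/, "")
        if ($1 ~ /^[0-9]+$/) {
            n = $1 + 0
            if (n < last)
                printf "warning: rule %d issued after rule %d lands before it\n", n, last > "/dev/stderr"
            $1 = ""
            sub(/^[ \t]+/, "")
        } else {
            n = last + step
        }
        if (n > last) last = n
        print n, $0
    }'
}

# check_skipto: read numbered rules (output of number_rules) from stdin,
# print a summary and return 1 if any skipto does not go forward.
check_skipto() {
    awk '
    {
        num[NR] = $1 + 0; line[NR] = $0; exists[$1 + 0] = 1
        if ($2 == "skipto") target[NR] = $3 + 0
    }
    END {
        bad = 0
        for (i = 1; i <= NR; i++) {
            if (!(i in target)) continue
            t = target[i]
            if (t <= num[i]) {
                printf "error: skipto does not go forward: %s\n", line[i]; bad++
            } else if (!(t in exists)) {
                printf "note: no rule %d, skipto continues at the next higher rule: %s\n", t, line[i]
            }
        }
        printf "%d rules, %d bad skipto(s)\n", NR, bad
        exit (bad > 0 ? 1 : 0)
    }'
}

# Constructed rulesets: sample_ok mirrors the attached script's skeleton,
# sample_bad has a skipto whose target should read 30000 but reads 300.
sample_ok() {
    cat <<'EOF'
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add deny tcp from any to any frag
add skipto 10000 all from any to any in
add skipto 30000 all from any to any not via tun0
add skipto 8400 tcp from any to any setup
add skipto 8800 all from any to any
add 8400 queue 3 all from any to any
add skipto 30000 all from any to any
add 8800 queue 4 all from any to any
add skipto 30000 all from any to any
add 10000 skipto 30000 all from any to any not via tun0
add pass tcp from any to me 22 setup
add 30000 count all from any to any
add divert natd ip4 from any to any via tun0
add check-state
add pass tcp from any to any established
add skipto 60000 all from any to any not recv tun0
add deny ip from any to any
add 60000 count all from any to any
add pass all from any to any via em0
EOF
}

sample_bad() {
    cat <<'EOF'
add 100 pass all from any to any via lo0
add skipto 8400 tcp from any to any setup
add 8400 queue 3 all from any to any
add skipto 300 all from any to any
add 30000 count all from any to any
EOF
}

# Usage: sh check_ipfw_skipto.sh demo   (hypothetical file name)
if [ "${1-}" = "demo" ]; then
    echo "== sample_ok";  sample_ok  | number_rules | check_skipto
    echo "== sample_bad"; sample_bad | number_rules | check_skipto
fi
```

The numbering warning is the one to watch with this script: every p2p uid and every `firewall_p2p_${iface}` pair adds three unnumbered rules before `add ${ufr}`, and once those pass 8000 the queue rules are no longer where the classifier expects them.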