IPFW NAT behaviour different on 10-Stable versus 11-Stable [SOLVED]

Graham Menhennitt graham at menhennitt.com.au
Sat Sep 2 22:54:58 UTC 2017 

On 02/09/2017 20:46, Ian Smith wrote:
> On Sat, 2 Sep 2017 11:44:51 +1000, Graham Menhennitt wrote:
>
>   > I have a problem that seems to be a difference between ipfw/NAT
>   > behaviour in 10-Stable versus 11-Stable. I have two servers: one running
>   > 10-Stable and one running 11-Stable. I'm using the same rule set on both
>   > (see below). It works correctly on 10-Stable but not on 11.
>   >
>   > The problem is seen on two places: an outgoing SMTP connection on port
>   > 465, and an incoming to an IMAP server on port 993. In both cases, there
>   > are lost packets and retransmissions. See below for a tshark capture of
>   > one attempted SMTP session.
>   >
>   > Setting sysctl net.inet.ip.fw.one_pass to one or zero makes no
>   > difference. Deleting the sshguard rule (table 22) makes no difference.
>   > Deleting the nat rule makes everything work for this SMTP session (but
>   > breaks the other machines on my network obviously).
>   >
>   > I have no doubt that I have misconfigured the firewall, but I don't see
>   > what. And why is 11 different to 10? Any help would be much appreciated.
>   >
>   > Thanks in advance,
>   >
>   >      Graham
>
> Mysterious.  Unless this is some other networking issue, three thoughts:
>
> 1) given that YYY is your public IP address, are the problematic SMTP
> sessions actually going through NAT at all, or are they initiated from
> YYY directly?  If the latter, it's hard to see why removing the NAT rule
> should affect these session at all?
>
> 2) does it make any difference if you split the NAT rules into separate
> rules, as per the ipfw(8) 'NAT, REDIRECT AND LSNAT' section in EXAMPLES?
>
> 3) given the tokens used in your ruleset, it appears that you are using
> a preproceesor to substitute values rather than shell variables?  If so
> (or even if not) can you confirm that the resulting in-place rulesets
> shown by 'ipfw list' are absolutely identical on both machines?
>
> Just some long shots ..
>
> cheers, Ian

Thanks for replying, Ian.

Well I solved it. Similarly to my previous problem, the solution was to 
disable the TXCSUM option on the interface. So, now the entry in 
/etc/rc.conf says:

ifconfig_igb1="DHCP -vlanhwtso -tso4 -txcsum"

And it all works.

Thanks again,

     Graham

More information about the freebsd-ipfw mailing list