Re: fwd in ipfw module

2011-08-03 Thread timp
Do you know of a solution (for the GENERIC kernel) that can do port forwarding?
I found /usr/ports/net/rinetd

--
View this message in context: 
http://freebsd.1045724.n5.nabble.com/fwd-in-ipfw-module-tp4642321p4661905.html
Sent from the freebsd-ipfw mailing list archive at Nabble.com.
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


Re: fwd in ipfw module

2011-08-03 Thread Andrey V. Elsukov
On 03.08.2011 14:28, timp wrote:
> Do you know solution (for GENERIC kernel) that can port forwarding? I found
> /usr/ports/net/rinetd

You can use pf(4).

-- 
WBR, Andrey V. Elsukov
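As an added example (not from the thread, and not Andrey's own configuration), here is what "use pf(4)" looks like in practice: a pf.conf that does port forwarding with pf's rdr translation, so an ipfw built without fwd support is not needed. The interface names bge0/bge1, the internal host 192.168.1.10 and the 8080 -> 80 mapping are assumptions for the example:

```conf
# /etc/pf.conf -- added example, not the thread's configuration.
# Assumptions: bge0 faces the outside, bge1 the LAN, 192.168.1.10 is the
# internal host that should receive the connections, 8080 -> 80 is the mapping.
ext_if  = "bge0"
int_if  = "bge1"
web_srv = "192.168.1.10"

set skip on lo0

# Translation rules are evaluated before the filter rules below.
# Hide the LAN behind the external address (the box is the LAN's gateway).
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Port forwarding: TCP 8080 on our external address -> internal host, port 80.
# pf keeps state for the redirect, so the host's replies are translated back
# as long as they route through this box.
rdr on $ext_if proto tcp from any to ($ext_if) port 8080 -> $web_srv port 80

# The same shape redirects LAN clients to a daemon on this box (the job a
# userland forwarder such as rinetd would otherwise do); the daemon must be
# listening on 127.0.0.1:3128:
# rdr on $int_if proto tcp from $int_if:network to any port 80 -> 127.0.0.1 port 3128

# rdr only rewrites the destination; the packet still has to pass the filter,
# and the filter sees it with the translated address and port.
block in log on $ext_if
pass out keep state
pass in on $int_if keep state
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
```

Enable it with pf_enable="YES" and pf_rules="/etc/pf.conf" in rc.conf (gateway_enable="YES" is still required to forward to another host), check the file with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the translation with `pfctl -s nat` and a live connection with `pfctl -s state`. If ipfw stays loaded next to pf, its rules have to pass the traffic as well.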


Re: fwd in ipfw module

2011-08-03 Thread timp
Thanks! Thank you, we'll have a look.

2011/8/3 Andrey V. Elsukov [via FreeBSD] <
ml-node+4661936-176988-160...@n5.nabble.com>

> On 03.08.2011 14:28, timp wrote:
> > Do you know of a solution (for the GENERIC kernel) that can do port
> > forwarding? I found /usr/ports/net/rinetd
>
> You can use pf(4).
>
> --
> WBR, Andrey V. Elsukov


weird results with ipsec + ipfw_nat (nat before vpn)

2011-08-03 Thread Zeus V Panchenko
Hi,

I ran into a situation that is weird to me; would somebody agree to help me
beat it, please?

We need to see some HTTP/S resources behind the Cisco PIX IPsec peer.

I'm trying to get this schema working:


SCHEMA (`nat before vpn', as I believe):
--

+-> a.a.0.1/16 LAN
|
+-> a.a.a.2/24 FreeBSD b.b.b.1 <-> c.c.c.1/24 IPSEC PEER PIX
  |   |
  + x.x.x.x <---> y.y.y.y +


CONFIGURATION:
--
> uname -a
FreeBSD 8.2-STABLE #3: Tue Aug  2 15:39:33 EEST 2011 i386


> cat /etc/rc.conf
...
gateway_enable="YES"
cloned_interfaces="gif0"
ifconfig_bge0="inet x.x.x.x/25"
ifconfig_bge1="inet a.a.a.2/24"
ifconfig_gif0="inet b.b.b.1 c.c.c.1 tunnel x.x.x.x y.y.y.y"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
ipfw_enable="YES"
ipfw_nat_enable="YES"
...

in kernel i have:
options IPSEC
options IPSEC_DEBUG
device  crypto

options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=200
options IPDIVERT
options LIBALIAS



> cat /usr/local/etc/racoon/setkey.conf
flush;
spdflush;

spdadd b.b.b.1  c.c.c.0/24 any -P out ipsec \
   esp/tunnel/x.x.x.x-y.y.y.y/require;

spdadd  c.c.c.0/24 b.b.b.1 any -P  in ipsec \
   esp/tunnel/y.y.y.y-x.x.x.x/require;



> cat /etc/ipfw.conf
...

add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
add 000402 allow udp from y.y.y.y to x.x.x.x isakmp
add 000403 allow { esp or ipencap } from x.x.x.x to y.y.y.y
add 000404 allow { esp or ipencap } from y.y.y.y to x.x.x.x

add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
nat 100 config log if bge1 ip b.b.b.1 reverse



WHAT I DO:
--
1)
trying to ping IPSEC PEER from LAN

user@a.a.a.20> ping c.c.c.1

c.c.c.1's reply packets come in and are decrypted, but the replies don't reach
the ping initiator a.a.a.20

box a.a.a.20 reports ping statistics:
450 packets transmitted, 0 packets received, 100.0% packet loss


at FreeBSD box i see:
user@FreeBSD> tcpdump -n -i gif0 host c.c.c.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
...
13:27:18.122542 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2903, 
length 64
13:27:19.123275 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2904, 
length 64
13:27:20.124517 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2905, 
length 64
13:27:21.125568 IP c.c.c.1 > b.b.b.1: ICMP echo request, id 39050, seq 2906, 
length 64

on WAN i see this
user@FreeBSD> tcpdump -n -i bge0 esp
...
00:00:00.635862 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: 
ESP(spi=0xad597f86,seq=0x7), length 132
00:00:00.024467 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: 
ESP(spi=0x060bc3e3,seq=0x7), length 132
00:00:00.635567 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: 
ESP(spi=0xad597f86,seq=0x8), length 132
00:00:00.024689 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: 
ESP(spi=0x060bc3e3,seq=0x8), length 132
00:00:00.636724 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: 
ESP(spi=0xad597f86,seq=0x9), length 132
00:00:00.024286 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: 
ESP(spi=0x060bc3e3,seq=0x9), length 132

So IPsec and the outbound ipfw_nat work, but where do the reply packets
disappear to after arriving on the gif0 interface?
Why does no backward divert occur?

2)
  trying to ping the IPSEC PEER from the FreeBSD box
  user@b.b.b.1> ping c.c.c.1
  everything works, since no NAT occurs ...

  user@b.b.b.1> tcpdump -n -i gif0 host  c.c.c.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
13:45:56.759567 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 213, 
length 64
13:45:57.760745 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 214, 
length 64
13:45:58.762787 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 215, 
length 64
13:45:59.765493 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 216, 
length 64
13:46:00.764619 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 217, 
length 64
13:46:01.765676 IP  c.c.c.1 > b.b.b.1: ICMP echo reply, id 53484, seq 218, 
length 64

  user@b.b.b.1> tcpdump -n -ettt -s0 -i bge0 host y.y.y.y
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan11, link-type EN10MB (Ethernet), capture size 65535 bytes
00:00:00.635862 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: 
ESP(spi=0xad597f86,seq=0x7), length 132
00:00:00.024467 ethertype IPv4 (0x0800), length 166: y.y.y.y > x.x.x.x: 
ESP(spi=0x060bc3e3,seq=0x7), length 132
00:00:00.635567 ethertype IPv4 (0x0800), length 166: x.x.x.x > y.y.y.y: 
ESP(spi=0xad597f86,seq=0x8), length 132
00:00:00.024689 ethertype IPv4 (0x0800), 

Re: weird results with ipsec + ipfw_nat (nat before vpn)

2011-08-03 Thread Ian Smith
On Wed, 3 Aug 2011, Zeus V Panchenko wrote:

[..]

I can't comment on your ipsec setup at all, but:

 > > cat /etc/ipfw.conf
 > ...
 > 
 > add 000401 allow udp from x.x.x.x to y.y.y.y isakmp
 > add 000402 allow udp from y.y.y.y to x.x.x.x isakmp
 > add 000403 allow { esp or ipencap } from x.x.x.x to y.y.y.y
 > add 000404 allow { esp or ipencap } from y.y.y.y to x.x.x.x
 > 
 > add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
 > nat 100 config log if bge1 ip b.b.b.1 reverse

Although ipfw(8) doesn't explicitly say so - unlike natd(8) - I believe 
that you need to specify either 'if bge1' or 'ip b.b.b.1', but not both.

 > so, ipsec and ipfw_nat out works, but where are reply packets
 > disappearing to after coming to gif0 interface? why no backward
 > divert occurs?

Try 'ipfw nat show config' to see how ipfw thinks nat is configured, and 
maybe 'ipfw show' to check that all your other rules match ipfw.conf

cheers, Ian
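An added example, not the thread's file and not a diagnosis of the setup above: the thread's nat rule beside a form in which both directions of a flow pass through the same nat instance, with count rules placed so that `ipfw show` reveals where a flow stops. The addresses, interface names and rules 401-404 are the thread's; the rule numbers 501-506, dropping `reverse`, and the rule shapes are assumptions for the example:

```conf
# /etc/ipfw.conf fragment -- added example, not the thread's file.
# The thread's addresses and rules 401-404 are kept; rule numbers 501-506 and
# the rule shapes are assumptions for the example.

# Declare the instance before any rule refers to it.  The alias address is
# given once, as 'ip' (Ian's point: 'if' or 'ip', not both).  No 'reverse':
# ipfw's own direction decides, out = alias the source, in = de-alias the
# destination.
nat 100 config log ip b.b.b.1

add 401 allow udp from x.x.x.x to y.y.y.y isakmp
add 402 allow udp from y.y.y.y to x.x.x.x isakmp
add 403 allow { esp or ipencap } from x.x.x.x to y.y.y.y
add 404 allow { esp or ipencap } from y.y.y.y to x.x.x.x

# A counter in front of each nat rule.  After a ping from the LAN,
# 'ipfw show 501-504' tells which direction ipfw sees and which it never does.
add 501 count ip from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24 out
add 503 count ip from c.c.c.0/24 to b.b.b.1 in

# The thread's rule
#   add 00502 nat 100 all from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24
# matches LAN -> remote only.  libalias translates only the packets that are
# handed to it, so a reply addressed to b.b.b.1 (what the thread sees on
# gif0) has to pass a nat rule as well, or it is delivered locally untouched.
add 502 nat 100 ip from { a.a.1.0/24 or a.a.2.0/24 } to c.c.c.0/24 out
add 504 nat 100 ip from c.c.c.0/24 to b.b.b.1 in

# With the default net.inet.ip.fw.one_pass=1 a packet is accepted as soon as
# a nat rule has translated it, so the rules below only see untranslated
# traffic (the box's own packets, for instance).
add 505 allow ip from any to any via gif0
add 506 allow ip from any to any via bge1
```

Load it with `ipfw -q /etc/ipfw.conf` (the format the thread's file already uses), then compare `ipfw nat show config` and `ipfw show` against the file, as Ian suggests. Rule 501 is the check on this example's own assumption, that ipfw's out hook sees the cleartext LAN packet before IPsec encapsulates it: if ESP leaves bge0 while 501 stays at zero, the kernel is encrypting before the firewall runs (the enc(4) interface, where the kernel has it, is what exposes that stage to the firewall), and the source alias has to be applied at a hook ipfw does reach; the thread's `reverse` on the bge1 input side is one such placement. Either way, the two counters locate the break before any rule is changed.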