From sysop@orb.plymouth.edu  Fri Jun 23 20:24:09 2000
Return-Path: <sysop@orb.plymouth.edu>
Received: from orb.plymouth.edu (orb.plymouth.edu [158.136.1.16])
	by hub.freebsd.org (Postfix) with ESMTP id E2E2237B733
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 23 Jun 2000 20:24:03 -0700 (PDT)
	(envelope-from sysop@orb.plymouth.edu)
Received: (from sysop@localhost)
	by orb.plymouth.edu (8.9.3/8.9.3) id XAA00606;
	Fri, 23 Jun 2000 23:24:02 -0400 (EDT)
	(envelope-from sysop)
Message-Id: <200006240324.XAA00606@orb.plymouth.edu>
Date: Fri, 23 Jun 2000 23:24:02 -0400 (EDT)
From: ted@wiz.plymouth.edu
Sender: sysop@orb.plymouth.edu
Reply-To: ted@wiz.plymouth.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: Bug in 4.0-STABLE (acting as a Bridging firewall)
X-Send-Pr-Version: 3.2

>Number:         19482
>Category:       kern
>Synopsis:       Upgrade from 4.0-RELEASE to 4.0-STABLE causes RIP packets to be dropped
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 23 20:30:00 PDT 2000
>Closed-Date:    Fri Jan 18 08:14:39 PST 2002
>Last-Modified:  Fri Jan 18 08:15:47 PST 2002
>Originator:     Ted Wisniewski
>Release:        FreeBSD 4.0-RELEASE i386
>Organization:
Plymouth State College
>Environment:
 
 	FreeBSD 4.0-RELEASE upgrading to FreeBSD 4.0-STABLE (6-22)
 	Firewall using Dummynet (problem still occurs even with no rules)
 
 	Dell 550Mhz with 128MB RAM and 2 ethernet cards
 		xl0: <3Com 3c905B-TX Fast Etherlink XL> 
 		xl1: <3Com 3c905B-TX Fast Etherlink XL> 
 
 Applicable Kernel config options:
 
 	options         TCP_DROP_SYNFIN  
 	options         TCP_RESTRICT_RST
 	 
 	options         IPFIREWALL              
 	options         IPFIREWALL_VERBOSE      
 	options         IPFIREWALL_DEFAULT_TO_ACCEPT    
 	 
 	options         IPSTEALTH
 	options         BRIDGE
 	options         DUMMYNET
 		 
 	options         NMBCLUSTERS=16384     
 
 startup options:
 
 	bridging_enable="YES"
 	bridging_fw_enable="YES"
 	portmap_enable="NO"
 	firewall_enable="YES"    
 	firewall_script="/usr/local/etc/firewall/rc.firewall" 
 	drop_synfin_enable="YES"
 
 excerpt from /etc/rc.network (I added some options):
 
 	case ${drop_synfin_enable} in
 	[Yy][Ee][Ss])
 		echo -n ' DROP_SYNFIN=YES'
 		sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
 		;;
 	esac
 
 	case ${bridging_enable} in
 	[Yy][Ee][Ss])
 		echo -n ' BRIDGING=YES'
 		sysctl -w net.link.ether.bridge=1 >/dev/null
 		;;
 	esac
 
 	case ${bridging_fw_enable} in
 	[Yy][Ee][Ss])
 		echo -n ' BRIDGING_FW=YES'
 		sysctl -w net.link.ether.bridge_ipfw=1 >/dev/null
 		;;
 	esac
 
 
 
 Description: 
 
 Following the upgrade, loss of reliable RIP updates via the firewall from
 the WAN gateway to the LAN routing switch.
  
 WAN gateway RIP stats confirmed outgoing packets sent.
  
 Sniffer connected via switch mirror ports on either side of firewall.
 On WAN side of firewall, set to filter for WAN router IP address,
 confirmed subnet broadcast packets (RIP packets) in transit.
  
 Sniffer on LAN side of firewall confirmed very few of those getting
 through.
  
 Physically patched around firewall and normal operation returned.
  
 Reverted to old kernel on firewall, put it back in line, and normal
 operation was maintained.
  
 (Did not happen to notice whether the opposite was also true, that LAN
 RIP packets failed to get through to WAN router.)                 
 
>Description:
>How-To-Repeat:
 	
 	Build kernel on 4.0-STABLE (as of 6-22)
 
 
>Fix:
 
 	Revert to kernel made on FreeBSD-4.0-RELEASE system.
 
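 An added example, not part of this PR and not FreeBSD code: a Python script
 that automates the check the submitter did by hand with a sniffer on the
 mirror port on each side of the bridge. It parses `tcpdump -n` style lines
 from a WAN-side and a LAN-side capture, counts the RIP broadcasts (UDP/520
 to UDP/520, addressed to the subnet broadcast) sent by the WAN router that
 appear on each side, and reports how many never crossed the bridge. The
 capture lines, the router address 192.0.2.1 and the broadcast address
 192.0.2.255 are constructed sample data; the function and field names are my
 own assumptions, not anything from the PR.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

RIP_PORT = 520  # RIPv1/RIPv2 use UDP port 520 as both source and destination

# Constructed sample captures (not taken from the PR): what `tcpdump -n` on the
# WAN-side and LAN-side mirror ports might print while the bridge drops RIP.
# The WAN side shows five 30-second RIP broadcasts; the LAN side sees only one.
WAN_CAPTURE = """\
23:20:00.000100 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24
23:20:05.120000 IP 192.0.2.50.53412 > 192.0.2.2.53: UDP, length 41
23:20:30.000120 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24
23:20:31.400000 IP 192.0.2.50.41000 > 192.0.2.80.80: Flags [S], seq 1, win 65535, length 0
23:21:00.000110 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24
23:21:30.000130 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24
23:22:00.000105 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24
"""

LAN_CAPTURE = """\
23:20:00.000900 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24
23:20:05.120800 IP 192.0.2.50.53412 > 192.0.2.2.53: UDP, length 41
23:20:31.400700 IP 192.0.2.50.41000 > 192.0.2.80.80: Flags [S], seq 1, win 65535, length 0
"""

# Matches the UDP lines tcpdump -n prints; TCP and other lines are skipped.
UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+UDP, length (?P<length>\d+)"
)


@dataclass(frozen=True)
class UdpPacket:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_capture(text: str) -> List[UdpPacket]:
    """Return the UDP packets in a tcpdump -n text capture, ignoring other lines."""
    packets = []
    for line in text.splitlines():
        m = UDP_LINE.match(line)
        if m:
            packets.append(UdpPacket(m["ts"], m["src"], int(m["sport"]),
                                     m["dst"], int(m["dport"]), int(m["length"])))
    return packets


def is_rip_broadcast(pkt: UdpPacket, router: str, broadcast: str) -> bool:
    """True for a RIP update from `router` to the subnet broadcast address."""
    return (pkt.src == router and pkt.dst == broadcast
            and pkt.sport == RIP_PORT and pkt.dport == RIP_PORT)


def rip_loss(wan_text: str, lan_text: str, router: str, broadcast: str) -> Dict[str, float]:
    """Count RIP broadcasts on the WAN side (sent) and LAN side (seen) of the bridge."""
    sent = [p for p in parse_capture(wan_text) if is_rip_broadcast(p, router, broadcast)]
    seen = [p for p in parse_capture(lan_text) if is_rip_broadcast(p, router, broadcast)]
    lost = max(len(sent) - len(seen), 0)
    ratio = lost / len(sent) if sent else 0.0
    return {"sent": len(sent), "seen": len(seen), "lost": lost, "loss_ratio": ratio}


def bridge_drops_rip(report: Dict[str, float], threshold: float = 0.1) -> bool:
    """Flag the bridge when more than `threshold` of the WAN-side RIP
    broadcasts never appear on the LAN side (threshold is an assumption)."""
    return report["sent"] > 0 and report["loss_ratio"] > threshold


if __name__ == "__main__":
    result = rip_loss(WAN_CAPTURE, LAN_CAPTURE, "192.0.2.1", "192.0.2.255")
    print("RIP broadcasts on WAN side: %(sent)d, on LAN side: %(seen)d, "
          "lost: %(lost)d (%(loss_ratio).0%%)" % result)
    print("bridge dropping RIP:", bridge_drops_rip(result))
```

 With real captures, feed the script the output of `tcpdump -n` run on each
 mirror port for a few RIP update intervals (RIP advertises every 30 seconds,
 so a couple of minutes is enough to see the pattern). Counting rather than
 matching individual packets is deliberate: tcpdump does not print the IP
 identification field without extra verbosity, and a count over a fixed window
 is enough to tell a bridge that passes RIP from one that silently drops it.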
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: asmodai 
Responsible-Changed-When: Tue Jul 11 02:46:37 PDT 2000 
Responsible-Changed-Why:  
Fix botched PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19482 
State-Changed-From-To: open->feedback 
State-Changed-By: mike 
State-Changed-When: Sat Jul 21 21:25:39 PDT 2001 
State-Changed-Why:  

Does this problem still occur in newer versions of FreeBSD, 
such as 4.3-RELEASE? 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=19482 
State-Changed-From-To: feedback->closed 
State-Changed-By: sheldonh 
State-Changed-When: Fri Jan 18 08:14:39 PST 2002 
State-Changed-Why:  
Automatic feedback timeout.  If additional feedback that warrants 
the re-opening of this PR is available but not included in the 
audit trail, please include the feedback in a reply to this message 
(preserving the Subject line) and ask that the PR be re-opened. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19482 
>Unformatted:
