From MAILER-DAEMON@wetteronline.de  Sat Nov 13 16:51:48 2004
Return-Path: <MAILER-DAEMON@wetteronline.de>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E804B16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 13 Nov 2004 16:51:47 +0000 (GMT)
Received: from mailomat.net (f-1.mailomat.net [217.110.117.101])
	by mx1.FreeBSD.org (Postfix) with ESMTP id ED81443D1F
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 13 Nov 2004 16:51:46 +0000 (GMT)
	(envelope-from MAILER-DAEMON@wetteronline.de)
Received: from [194.39.192.125] (account bnc-mail@mailrelay.mailomat.net HELO bnc.net)
  by mailomat.net (CommuniGate Pro SMTP 4.2)
  with ESMTP-TLS id 2587554 for FreeBSD-gnats-submit@freebsd.org; Sat, 13 Nov 2004 17:51:40 +0100
Received: by bnc.net (CommuniGate Pro PIPE 4.2b2)
  with PIPE id 779346; Sat, 13 Nov 2004 17:51:39 +0100
Received: from [194.39.192.247] (account ap HELO [194.39.192.247])
  by bnc.net (CommuniGate Pro SMTP 4.2b2)
  with ESMTP-TLS id 779344 for FreeBSD-gnats-submit@freebsd.org; Sat, 13 Nov 2004 17:51:22 +0100
Message-Id: <3F15AC00-3594-11D9-8872-000A95A0BB90@wetteronline.de>
Date: Sat, 13 Nov 2004 17:46:41 +0100 (CET)
From: Mail Delivery Subsystem <MAILER-DAEMON@wetteronline.de>
To: <ap@gw-1.wetteronline.de>
Subject: (ipfw2) serious bug on forwarding of packets after NAT (Changed by <ap@bnc.net>)

>Number:         73910
>Category:       kern
>Synopsis:       [ipfw] serious bug on forwarding of packets after NAT
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 13 17:00:46 GMT 2004
>Closed-Date:    Wed Jun 22 04:58:24 UTC 2011
>Last-Modified:  Wed Jun 22 04:58:24 UTC 2011
>Originator:     Achim Patzner
>Release:        FreeBSD 5.3-RELEASE i386
>Organization:
>Environment:
 System: FreeBSD gw-2.wetteronline.de 5.3-RELEASE #2: Sat Nov 13 17:12:09 CET 2004 root@gw-2.wetteronline.de:/space/obj/space/src/sys/GW i386

 Installation out-of-the-box.
>Description:
 	ipfw2 fwd rules are not working on packets coming out of NAT; the rule
 is taken (counters are incremented) but the original next hop as
 specified in the routing table is chosen. The identical ruleset on
 4.10-STABLE is doing what is expected from it.
 
>How-To-Repeat:
 	Use a ruleset like this:
 
 ------
 $fwcmd add pass all from ${DMZ}			to ${all_local_nets} via ${if_DMZ}
 $fwcmd add pass all from ${all_local_nets}	to ${DMZ} via ${if_DMZ}
 
 $fwcmd add divert ${NAT_Provider_1} all from any to any in recv ${if_Provider_1}
 $fwcmd add divert ${NAT_Provider_2} all from any to any in recv ${if_Provider_2}
 
 $fwcmd add skipto 5000 all from any		to ${all_local_nets} out
 
 # Routing decisions
 #  LAN area 0 to Provider_1
 $fwcmd add divert ${NAT_Provider_1} all from ${LAN_0}	to any out
 
 $fwcmd add fwd ${Provider_1} all from ${Provider_1_NET}	to any out
 # NAT is using the outgoing interface towards Provider_1
 $fwcmd add fwd ${Provider_1} all from ${Provider_1_PTP}	to any out
 
 #  LAN area 1 to Provider_2
 $fwcmd add divert ${NAT_Provider_2} all from ${LAN_1}	to any out
 # the following rule is pointless, since natd has already rewritten the source address at this point:
 $fwcmd add fwd ${Provider_2} all from ${Provider_2_NET}	to any out
 $fwcmd add fwd ${Provider_2} all from ${Provider_2_PTP}	to any out
 
 $fwcmd add 5000 count all from any		to any
 
 ------
 
 All packets coming from internal address ranges are processed by nat
 and - depending on their origin - forwarded to one of many providers.
 The same happens to the routed address space these providers assigned
 to the customer (without the fertilization by natd) - and these packets
 are forwarded correctly.
 
 After two days of trying to resolve the problem the gateway was 
 downgraded to FreeBSD 4.10; now it is working as advertised.
 
 
>Fix:
 	Downgrade to 4.10, building a kernel with IPFW2
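 As an added illustration (not part of this PR and not FreeBSD's own code), the following Python script models how ipfw is expected to walk the outbound half of the ruleset above: natd rewrites the source address of a diverted packet to its public address and reinjects it at the rule after the divert, so the trace shows which rule actually supplies the next hop for a post-NAT packet, and which fwd rules never fire for a given traffic mix (the zero counters one would look for in "ipfw show"). The addresses, the ipfw-style rule numbers and the Packet/Rule/evaluate/unused_rules helpers are constructed assumptions; the behaviour modelled is the working 4.10 one the submitter describes, not the 5.3 fault. The inbound divert and DMZ pass rules are left out.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the PR's shell variables (RFC 5737 documentation
# ranges, not the submitter's real networks).
LAN_0 = ipaddress.ip_network("10.0.0.0/24")
LAN_1 = ipaddress.ip_network("10.0.1.0/24")
PROVIDER_1_NET = ipaddress.ip_network("192.0.2.0/24")     # routed space from provider 1
PROVIDER_2_NET = ipaddress.ip_network("198.51.100.0/24")  # routed space from provider 2
PROVIDER_1_PTP = "203.0.113.1"    # our end of the PtP link; natd's public address
PROVIDER_2_PTP = "203.0.113.65"
PROVIDER_1 = "203.0.113.2"        # next hop handed to "fwd"
PROVIDER_2 = "203.0.113.66"
ALL_LOCAL_NETS = [LAN_0, LAN_1, PROVIDER_1_NET, PROVIDER_2_NET]


@dataclass
class Packet:
    src: str
    dst: str
    direction: str = "out"


@dataclass
class Rule:
    number: int
    action: str                 # pass | divert | skipto | fwd | count
    arg: object = None          # divert: NAT address; skipto: target; fwd: next hop
    src: list = field(default_factory=list)   # empty list means "any"
    dst: list = field(default_factory=list)
    direction: str = None       # None means either direction


def net(s):
    return ipaddress.ip_network(s)


# The outbound half of the PR's ruleset, with hypothetical rule numbers assigned.
RULES = [
    Rule(300, "skipto", 5000, dst=ALL_LOCAL_NETS, direction="out"),
    Rule(400, "divert", PROVIDER_1_PTP, src=[LAN_0], direction="out"),
    Rule(500, "fwd", PROVIDER_1, src=[PROVIDER_1_NET], direction="out"),
    Rule(600, "fwd", PROVIDER_1, src=[net(PROVIDER_1_PTP)], direction="out"),
    Rule(700, "divert", PROVIDER_2_PTP, src=[LAN_1], direction="out"),
    Rule(800, "fwd", PROVIDER_2, src=[PROVIDER_2_NET], direction="out"),
    Rule(900, "fwd", PROVIDER_2, src=[net(PROVIDER_2_PTP)], direction="out"),
    Rule(5000, "count"),
]


def matches(rule, src, dst, direction):
    if rule.direction and rule.direction != direction:
        return False
    if rule.src and not any(src in n for n in rule.src):
        return False
    if rule.dst and not any(dst in n for n in rule.dst):
        return False
    return True


def evaluate(pkt, rules=RULES):
    """Walk the rules in order. Returns (next_hop, trace): next_hop is the fwd
    target, or None when the packet leaves by the routing table; trace lists
    the numbers of the rules whose counters would be incremented."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    trace, i = [], 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, src, dst, pkt.direction):
            i += 1
            continue
        trace.append(r.number)
        if r.action == "pass":
            return None, trace
        if r.action == "fwd":
            return r.arg, trace
        if r.action == "divert":
            # natd rewrites the outbound source to its public address and
            # reinjects the packet at the rule after the divert (one_pass=0).
            src = ipaddress.ip_address(r.arg)
        elif r.action == "skipto":
            i = next(k for k, x in enumerate(rules) if x.number >= r.arg)
            continue
        i += 1
    return None, trace


def unused_rules(packets, rules=RULES):
    """Rule numbers that no packet in the sample ever hit."""
    hit = set()
    for p in packets:
        hit.update(evaluate(p, rules)[1])
    return [r.number for r in rules if r.number not in hit]


if __name__ == "__main__":
    for p in [Packet("10.0.0.5", "93.184.216.34"), Packet("10.0.1.7", "93.184.216.34"),
              Packet("198.51.100.9", "93.184.216.34"), Packet("10.0.0.5", "10.0.1.7")]:
        print(p.src, "->", p.dst, evaluate(p))
```

 Running it shows the point of the comment in the ruleset: a LAN_1 packet leaves natd with source 203.0.113.65, so it is rule 900 (matching the PtP address), never rule 800 (matching Provider_2_NET), that selects the provider 2 next hop; rule 800 only fires for the routed, un-NATed provider 2 address space.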
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Nov 14 17:03:11 GMT 2004 
Responsible-Changed-Why:  
Try to salvage this mangled PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73910 
Responsible-Changed-From-To: freebsd-bugs->ipfw 
Responsible-Changed-By: arved 
Responsible-Changed-When: Fri Nov 19 11:21:24 GMT 2004 
Responsible-Changed-Why:  
over to ipfw mailinglist 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73910 

From: Gleb Smirnoff <glebius@freebsd.org>
To: ap@gw-1.wetteronline.de
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT
Date: Mon, 22 Nov 2004 13:43:46 +0300

  Can you show your kernel configuration, pls?
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE

From: Gleb Smirnoff <glebius@freebsd.org>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT
Date: Mon, 22 Nov 2004 13:49:05 +0300

 Note to audit-trail: email to submitter address bounces.
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE

From: Achim Patzner <ap@bnc.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:  
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT
Date: Mon, 22 Nov 2004 12:22:14 +0100

 (I guess someone should adjust his AV engine... My Mac is ROTFLing.)
 
 glebius@bestcom.ru>: host relay.bestcom.ru[217.72.144.5] said: 550 5.7.1 Error HD77: Virus Sobig found
 Reporting-MTA: dns; mx2.freebsd.org
 Arrival-Date: Mon, 22 Nov 2004 11:15:12 +0000 (GMT)
 
 Final-Recipient: rfc822; glebius@bestcom.ru
 Action: failed
 Status: 5.0.0
 Diagnostic-Code: X-Postfix; host relay.bestcom.ru[217.72.144.5] said: 550 5.7.1 Error HD77: Virus Sobig found
 
 From: Achim Patzner <ap@bnc.net>
 Date: 22 November 2004 12:15:00 CET
 To: Gleb Smirnoff <glebius@freebsd.org>
 Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT
 
 >   Can you show your kernel configuration, pls?
 
 GENERIC + all IPFW-options.
 
 Sorry, I can't get at the machine because it is deactivated but I used 
 a 5.3 GENERIC and added
 
 options         IPFIREWALL              #firewall
 options         IPFIREWALL_VERBOSE      #print information about dropped packets
 options         IPFIREWALL_FORWARD      #enable transparent proxy support
 options         IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
 options         IPDIVERT                #divert sockets
 options         IPSTEALTH               #support for stealth forwarding
 options         IPSEC                   #IP security
 options         IPSEC_ESP               #IP security (crypto; define w/IPSEC)
 options         DUMMYNET
 
 
 Achim
 

From: Gleb Smirnoff <glebius@cell.sick.ru>
To: Achim Patzner <ap@bnc.net>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/73910: [ipfw] serious bug on forwarding of packets after NAT
Date: Wed, 1 Dec 2004 16:32:00 +0300

   Achim,
 
   can you check whether patch from kern/71910 helps in your case?
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE
State-Changed-From-To: open->feedback 
State-Changed-By: ae 
State-Changed-When: Wed Jun 1 12:51:53 UTC 2011 
State-Changed-Why:  
Can you still reproduce this on a supported release?  

http://www.freebsd.org/cgi/query-pr.cgi?pr=73910 
State-Changed-From-To: feedback->closed 
State-Changed-By: ae 
State-Changed-When: Wed Jun 22 04:58:07 UTC 2011 
State-Changed-Why:  
Feedback timeout. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=73910 
>Unformatted:
