Re: IPv6 NAT

2016-04-30 Thread Jason Lewis
Folks have said that IPv6 does not support NAT, so I believe they will
not be putting it into IPFW.  I do know that pf has supported IPv6 NAT
or NAT6 since 2006 and it has been working great for me for more than
five years.

On 4/30/16, Georgios Amanakis via freebsd-ipfw  wrote:
> Does anyone know if someone works on implementing IPv6 NAT (like IPv4
> NAT, not prefix translation only) in IPFW? As far as I can tell
> FreeBSD's pf has this functionality. Linux implemented this since
> kernel 3.9, too.
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


Re: [RFC][patch] Two new actions: state-allow and state-deny

2015-02-04 Thread Jason Lewis
The possible issue is that once NAT changes the IP address and
possibly the port number, state tracking can no longer be applied.
AKA, the packet headers before the NAT are different from the packet
headers after.  This is why NAT needs to track the state instead of
ipfw.


RE: IPFW Problem

2007-11-04 Thread Jason Lewis
Greg,

My guess would be to look at rule 00800.  I suspect that the network that
you are having problems with is on BGE0.  NAT and keep-state do not play
well with each other.

Jason

On Sun, November 4, 2007 4:14 pm, [EMAIL PROTECTED] wrote:
 Hmm, I may well be missing something very obvious but rule 01000 seems
 to be doing exactly what it says it will.  Are you sure you meant deny
 rather than allow on rule 01000 ? It seems very unfriendly to allow
 outgoing TCP connections and then the minute they are established deny
 any return traffic !! Usually the established test is there to detect
 valid incoming traffic associated with your own outgoing safe
 connections.

 Cheers

 John

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of ext Gardner Bell
 Sent: Sunday, November 04, 2007 8:51 AM
 To: freebsd-ipfw@freebsd.org
 Subject: IPFW Problem

 I'm hoping some of you can help me out with the problem that I'm having
 as I'm not very good when it comes to networking.

 I've recently configured 6.3-PRERELEASE with IPFW/NATD to act as my
 LAN's firewall/router.  After I initially access certain http sites,
 particularly google groups and yahoo web mail, I'm noticing subsequent
 attempts take  2mins to resolve the next link that I am interested in
 reading.

 This appears to be caused by rule 01000 as the counter increases each
 time I access one of the above mentioned sites.

 Short of removing this rule, is there any other way that I can fix this
 issue?  Below is a listing of my present ruleset and a tcpdump of a
 Windows XP machine trying to access a link on google groups.

 regards,

 Gardner

 mx1# ipfw show
 00100   76  11134 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
 00200    0      0 deny log logamount 10 ip from 127.0.0.1 to any
 00300    0      0 deny log logamount 10 ip from any to 127.0.0.1
 00400    0      0 deny log logamount 10 ip from any to any not verrevpath in
 00500    0      0 deny log logamount 10 ip from any to any ipoptions ssrr,lsrr,rr,ts in
 00600    0      0 deny ip from any to any frag
 00700    0      0 allow icmp from any to any icmptypes 0,3,11,12
 00800 1081 452405 divert 8668 ip from any to any via bge0
 00900    0      0 check-state
 01000   36  17682 deny tcp from any to any established
 01100 2704 853904 allow ip from any to any via bge1 keep-state
 01200  262  57586 allow tcp from any to any dst-port 80 keep-state
 01300    0      0 allow tcp from any to any dst-port 443 keep-state
 01400  102   7752 allow udp from me to any dst-port 123 keep-state
 01500    0      0 allow tcp from me to any dst-port 53 setup keep-state
 01600  169  30563 allow udp from me to any dst-port 53 keep-state
 01700    0      0 allow tcp from any to any dst-port 1863 setup keep-state
 01800    0      0 allow log logamount 10 udp from any to 255.255.255.255 dst-port 68 in via bge0
 01900    0      0 allow tcp from x.x.x.x to x.x.x.x dst-port 22 keep-state
 02000    0      0 deny log logamount 10 ip from any to any
 65535 1396 deny ip from any to any

 131219 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
 length 54: (tos 0x0, ttl  63, id 55490, offset 0, flags  [DF], proto:
 TCP (6), length: 40, bad cksum 0 (->4d44)!) x.x.x.x.2471 >
 64.233.179.99.80: ., cksum 0x2bf0 (correct), ack 26946 win 64330
 046227 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
 length 62: (tos 0x0, ttl  63, id 55493, offset 0, flags  [DF], proto:
 TCP (6), length: 48, bad cksum 0 (->2a14)!) x.x.x.x.2474 >
 72.14.207.99.80: S, cksum 0xf365 (correct), 2296693740:2296693740(0)
 win 65535 <mss 1460,nop,nop,sackOK>
 007127 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
 length 62: (tos 0x0, ttl  56, id 48846, offset 0, flags  [none], proto:
 TCP (6), length: 48) 72.14.207.99.80 > x.x.x.x.2474: S, cksum 0x8043
 (correct), 2154814567:2154814567(0) ack 2296693741 win 5720
 <mss 1430,nop,nop,sackOK>
 000323 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
 length 54: (tos 0x0, ttl  63, id 55494, offset 0, flags  [DF], proto:
 TCP (6), length: 40, bad cksum 0 (->2a1b)!) x.x.x.x.2474 >
 72.14.207.99.80: ., cksum 0xc341 (correct), ack 1 win 65535
 000293 00:e0:81:2e:c1:aa > 00:13:5f:04:bd:05, ethertype IPv4 (0x0800),
 length 1155: (tos 0x0, ttl  63, id 55495, offset 0, flags [DF], proto:
 TCP (6), length: 1141, bad cksum 0 (->25cd)!) x.x.x.x.2474 >
 72.14.207.99.80: P 1:1102(1101) ack 1 win 65535
 015474 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
 length 60: (tos 0x0, ttl  56, id 48847, offset 0, flags  [none], proto:
 TCP (6), length: 40) 72.14.207.99.80 > x.x.x.x.2474: ., cksum 0xa0d9
 (correct), ack 1102 win 7707
 000879 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4 (0x0800),
 length 383: (tos 0x0, ttl  56, id 48848, offset 0, flags [none], proto:
 TCP (6), length: 369) 72.14.207.99.80 > x.x.x.x.2474: P 1:330(329)
 ack 1102 win 7707
 003365 00:13:5f:04:bd:05 > 00:e0:81:2e:c1:aa, ethertype IPv4
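Jason's point in both of his replies (natd rewrites the tuple that keep-state recorded, so a later check-state cannot match the translated packet) can be seen by modelling ipfw's rule walk over the posted ruleset. This is an added illustration, not code from the thread or from FreeBSD: the addresses, the reduced rule list and the second "handbook"-style ordering (divert inbound before check-state, record state before the outbound divert, reached via skipto, with a catch-all deny in front of it) are assumptions, and the second ordering goes beyond what the thread itself discusses.

```python
from collections import namedtuple
LAN, PUB, SRV = "192.168.1.10", "203.0.113.5", "72.14.207.99"  # constructed addresses
# established = ACK set, SYN clear (what ipfw's "established" matches); direction = "in"/"out"
Pkt = namedtuple("Pkt", "src sport dst dport established iface direction")
def natd(p):  # natd on bge0: private -> public when leaving, public -> private when arriving
    if p.direction == "out" and p.src == LAN: return p._replace(src=PUB)
    if p.direction == "in" and p.dst == PUB: return p._replace(dst=LAN)
    return p
def key(p):  # a dynamic rule matches both directions of the tuple it was created from
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def walk(rules, p, dyn):
    """One pass; a rule is (number, action, skipto target, keep-state, match)."""
    i = 0
    while i < len(rules):
        num, action, arg, keep, match = rules[i]
        if action == "check-state":
            if key(p) not in dyn: i += 1; continue
            action, arg = dyn[key(p)]                 # a hit runs the parent rule's action
        elif not match(p):
            i += 1; continue
        if keep: dyn[key(p)] = (action, arg)          # state keyed on the tuple seen *here*
        if action == "divert": p = natd(p); i += 1    # natd reinjects at the next rule
        elif action == "skipto": i = next(j for j, r in enumerate(rules) if r[0] >= arg)
        else: return num, action
    return 65535, "deny"

def forward(rules, p, dyn):  # router: a pass on the receiving interface, then on the other
    num, verdict = walk(rules, p, dyn)
    if verdict != "allow": return num, verdict
    out_if = "bge0" if p.iface == "bge1" else "bge1"
    return walk(rules, p._replace(iface=out_if, direction="out"), dyn)

via = lambda ifc: (lambda p: p.iface == ifc)
out0 = lambda p: p.iface == "bge0" and p.direction == "out"
gardner = [  # the posted order, reduced to the rules that decide this case
    (800, "divert", None, False, via("bge0")),
    (900, "check-state", None, False, None),
    (1000, "deny", None, False, lambda p: p.established),
    (1100, "allow", None, True, via("bge1")),
    (1200, "allow", None, True, lambda p: p.dport == 80),
]
handbook = [  # assumed alternative (not from the thread): every pass sees the pre-NAT tuple
    (10, "allow", None, False, via("bge1")),
    (101, "divert", None, False, lambda p: p.iface == "bge0" and p.direction == "in"),
    (102, "check-state", None, False, None),
    (120, "skipto", 500, True, lambda p: out0(p) and not p.established),  # setup keep-state
    (499, "deny", None, False, lambda p: True),   # nothing reaches 500 except via skipto
    (500, "divert", None, False, out0),
    (510, "allow", None, False, lambda p: True),
]
```

With the posted order a SYN leaves two dynamic rules behind (one LAN-keyed from 01100, one public-keyed from 01200) and an established packet whose only surviving state is the LAN one is dropped at 01000 on the bge0 pass; with the second order one LAN-keyed state serves both directions.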