[FUGSPBR] bug IPFIREWALL + natd FreeBSD 4.8-Stable
Felipe Neuwald
neuwald em rudah.com.br
Sex Maio 23 16:18:18 BRT 2003
Caros Amigos,
Acredito que seja um bug, pois não vejo outras explicações para isto estar
acontecendo.
Estou migrando todos os NATs de uma empresa para FreeBSD + IPFIREWALL + natd.
Antes era utilizado linux.
Estou falando de um ambiente em que eu tenho um número rasoável de clientes
atrás do NAT, e com um tráfego grande.
Instalei o FreeBSD 4.8-RELEASE, e foi atualizado via cvsup:
DOC;
PORTS;
STABLE.
copiei o kernel GENERIC para KERNEL1 e comentei as seguintes linhas:
#cpu I386_CPU
#cpu I486_CPU
#cpu I586_CPU
PS: MEU PROCESSADOR É I686.
modifiquei a linha IDENT para a seguinte:
ident KERNEL1
e alterei a linha maxusers para a seguinte:
maxusers 512
Para minimizar impacto na configuração do Firewall, apenas comentei a linha
que dá suporte ao protocolo IPv6:
#options INET6 #IPv6 communications protocols
E para completar apenas adicionei as seguintes linhas na configuração do meu
kernel:
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
Até aí tudo bem. Depois disso o kernel foi compilado, instalado e funcionou
tudo que é uma maravilha. Pronto. Já estou com o FreeBSD 4.8-STABLE.
-bash-2.05b$ uname -a
FreeBSD host.domain 4.8-STABLE FreeBSD 4.8-STABLE #0: Tue May 13 18:12:54 BRT
2003 root em host.domain:/usr/src/sys/compile/KERNEL1 i386
Ok, aí inicialmente coloquei o NAT pra funcionar.
Editei o meu rc.conf e adicionei as seguintes linhas:
firewall_enable="YES"
natd_enable="YES"
natd_interface="xl0"
natd_flags="-l -u -f /etc/natd.conf"
Sendo que o meu arquivo /etc/natd.conf é o seguinte:
-bash-2.05b$ cat /etc/natd.conf
interface xl0
dynamic yes
same_ports yes
use_sockets yes
Aí criei o arquivo /usr/local/etc/rc.d/rc.fw.sh, que ficou da seguinte forma:
#!/bin/sh
### APAGA AS REGRAS QUE JA EXISTIAM ANTERIORMENTE
ipfw -f flush
### CONFIGURACAO DE NAT
ipfw add divert natd all from any to any via xl0
### CONFIGURA PERMISSOES AO LOOPBACK
ipfw add 200 allow all from any to any via lo0
ipfw add 300 deny all from any to 127.0.0.0/8
ipfw add 400 deny all from 127.0.0.0/8 to any
Até aí tudo bem, eureka! Tudo funcionava perfeitamente, meus clientes tinham
um nat simples.
Então, agora só faltava eu fazer um ajuste fino no firewall para tudo
funcionar perfeitamente (ou não)...
Bom, então meu script de Firewall ficou da seguinte forma:
#!/bin/sh
### APAGA AS REGRAS QUE JA EXISTIAM ANTERIORMENTE
ipfw -f flush
### CONFIGURA VARIAVEIS DO SISTEMA
sysctl net.inet.ip.fw.one_pass=0
sysctl net.inet.ip.fw.dyn_max=102400
sysctl net.inet.ip.fw.dyn_buckets=102400
### CONFIGURACAO DE NAT
ipfw add divert natd all from any to any via xl0
### CONFIGURA PERMISSOES AO LOOPBACK
ipfw add 200 allow all from any to any via lo0
ipfw add 300 deny all from any to 127.0.0.0/8
ipfw add 400 deny all from 127.0.0.0/8 to any
### CRIA CONTAGEM DOS PACOTES
ipfw add 500 count all from any to any in via xl1
ipfw add 600 count all from any to any out via xl1
ipfw add 700 count all from any to any in via xl0
ipfw add 800 count all from any to any out via xl0
### CRIA TUNEL PARA A REDE 192.168.0.0/16 DE 1024KBIT/S
ipfw pipe 10 config bw 1024Kbit/s queue 160Kbytes
ipfw pipe 20 config bw 1024Kbit/s queue 160Kbytes
ipfw add 1500 pipe 10 all from 192.168.0.0/16 to any in via xl1
ipfw add 1510 pipe 20 all from any to 192.168.0.0/16 out via xl1
### CONFIGURACAO DINAMICA
ipfw add 2010 check-state
ipfw add 2020 allow udp from myip to mydns1 53 keep-state
ipfw add 2030 allow udp from mydns1 53 to myip keep-state
ipfw add 2040 allow udp from myip to mydns2 53 keep-state
ipfw add 2050 allow udp from mydns2 53 to myip keep-state
ipfw add 2060 allow tcp from mynetwork to myip 22,10000,443 keep-state
ipfw add 2065 allow tcp from mynetwork2 to myip 22,10000,443 keep-state
ipfw add 2070 allow icmp from lan to any icmptypes 8 keep-state
ipfw add 2080 allow icmp from mynetwork to myip icmptypes 8 keep-state
ipfw add 2090 allow icmp from mylanip to lan keep-state
ipfw add 2100 allow icmp from myip to any icmptypes 8 via xl0 keep-state
ipfw add 2110 allow all from myip to any out via xl0 keep-state
ipfw add 2120 deny log tcp from any to myip 22,10000,443
ipfw add 2130 deny log tcp from any to mylanip 22,10000,443
### ACESSO DOS CLIENTES
# Contrato 2757
ipfw add allow all from 192.168.208.3 to any keep-state
ipfw add allow all from 192.168.208.4 to any keep-state
ipfw add allow all from 192.168.208.5 to any keep-state
# Contrato 2763
ipfw add allow all from 192.168.212.2 to any keep-state
ipfw add allow all from 192.168.212.3 to any keep-state
# Contrato 2829
ipfw add allow all from 192.168.205.2 to any keep-state
ipfw add allow all from 192.168.205.3 to any keep-state
# Contrato 2945
ipfw add allow all from 192.168.215.2 to any keep-state
ipfw add allow all from 192.168.215.3 to any keep-state
ipfw add allow all from 192.168.215.4 to any keep-state
# Contrato 3213
ipfw add allow all from 192.168.216.1 to any keep-state
ipfw add allow all from 192.168.216.2 to any keep-state
ipfw add allow all from 192.168.216.3 to any keep-state
# Contrato 0023
ipfw add allow all from 192.168.220.1 to any keep-state
ipfw add allow all from 192.168.220.2 to any keep-state
ipfw add allow all from 192.168.220.3 to any keep-state
ipfw add allow all from 192.168.220.4 to any keep-state
ipfw add allow all from 192.168.220.5 to any keep-state
ipfw add allow all from 192.168.220.6 to any keep-state
ipfw add allow all from 192.168.220.7 to any keep-state
ipfw add allow all from 192.168.220.8 to any keep-state
ipfw add allow all from 192.168.220.9 to any keep-state
ipfw add allow all from 192.168.220.10 to any keep-state
ipfw add allow all from 192.168.220.15 to any keep-state
ipfw add allow all from 192.168.220.16 to any keep-state
# Contrato 0024
ipfw add allow all from 192.168.217.2 to any keep-state
ipfw add allow all from 192.168.217.3 to any keep-state
ipfw add allow all from 192.168.217.4 to any keep-state
ipfw add allow all from 192.168.217.5 to any keep-state
ipfw add allow all from 192.168.217.6 to any keep-state
# Contrato 1013
ipfw add allow all from 192.168.223.2 to any keep-state
ipfw add allow all from 192.168.223.3 to any keep-state
ipfw add allow all from 192.168.223.4 to any keep-state
ipfw add allow all from 192.168.223.6 to any keep-state
# Contrato 10134
ipfw add allow all from 192.168.224.2 to any keep-state
# Contrato 1002
ipfw add allow all from 192.168.225.2 to any keep-state
# Contrato 1001
ipfw add allow all from 192.168.227.2 to any keep-state
ipfw add allow all from 192.168.227.3 to any keep-state
# Contrato 3094
ipfw add allow all from 192.168.231.3 to any keep-state
# Contrato 1004
ipfw add allow all from 192.168.232.2 to any keep-state
# Contrato 1005
ipfw add allow all from 192.168.233.2 to any keep-state
# Contrato 3119
ipfw add allow all from 192.168.237.2 to any keep-state
# Contrato 1011
ipfw add allow all from 192.168.242.2 to any keep-state
# Contrato 1015
ipfw add allow all from 192.168.248.2 to any keep-state
# Contrato 1019
ipfw add allow all from 192.168.253.2 to any keep-state
# Contrato 1020
ipfw add allow all from 192.168.35.2 to any keep-state
# Contrato 3207
ipfw add allow all from 192.168.16.2 to any keep-state
# Contrato 3225
ipfw add allow all from 192.168.23.3 to any keep-state
# Contrato 3228
ipfw add allow all from 192.168.24.2 to any keep-state
# Contrato 3227
ipfw add allow all from 192.168.100.2 to any keep-state
ipfw add allow all from 192.168.100.3 to any keep-state
ipfw add allow all from 192.168.100.4 to any keep-state
ipfw add allow all from 192.168.100.5 to any keep-state
ipfw add allow all from 192.168.100.6 to any keep-state
ipfw add allow all from 192.168.100.7 to any keep-state
ipfw add allow all from 192.168.100.8 to any keep-state
ipfw add allow all from 192.168.100.9 to any keep-state
ipfw add allow all from 192.168.100.10 to any keep-state
ipfw add allow all from 192.168.100.11 to any keep-state
ipfw add allow all from 192.168.100.12 to any keep-state
ipfw add allow all from 192.168.100.13 to any keep-state
ipfw add allow all from 192.168.100.14 to any keep-state
ipfw add allow all from 192.168.100.15 to any keep-state
ipfw add allow all from 192.168.100.16 to any keep-state
ipfw add allow all from 192.168.100.17 to any keep-state
ipfw add allow all from 192.168.100.18 to any keep-state
ipfw add allow all from 192.168.100.19 to any keep-state
ipfw add allow all from 192.168.100.20 to any keep-state
ipfw add allow all from 192.168.100.21 to any keep-state
ipfw add allow all from 192.168.100.22 to any keep-state
ipfw add allow all from 192.168.100.23 to any keep-state
ipfw add allow all from 192.168.100.24 to any keep-state
ipfw add allow all from 192.168.99.2 to any keep-state
ipfw add allow all from 192.168.100.25 to any keep-state
ipfw add allow all from 192.168.100.26 to any keep-state
# Contrato 3242
ipfw add allow all from 192.168.25.2 to any keep-state
# Contrato 3247
ipfw add allow all from 192.168.26.2 to any keep-state
ipfw add allow all from 192.168.26.3 to any keep-state
ipfw add allow all from 192.168.26.4 to any keep-state
# Contrato 1024
ipfw add allow all from 192.168.27.2 to any keep-state
ipfw add allow all from 192.168.27.3 to any keep-state
ipfw add allow all from 192.168.27.4 to any keep-state
ipfw add allow all from 192.168.27.5 to any keep-state
ipfw add allow all from 192.168.27.6 to any keep-state
# Contrato 1025
ipfw add allow all from 192.168.28.2 to any keep-state
ipfw add allow all from 192.168.28.3 to any keep-state
# Contrato 2803
ipfw add allow all from 192.168.30.2 to any keep-state
# Contrato 3257
ipfw add allow all from 192.168.32.2 to any keep-state
ipfw add allow all from 192.168.32.3 to any keep-state
ipfw add allow all from 192.168.32.4 to any keep-state
# Contrato 1027
ipfw add allow all from 192.168.33.2 to any keep-state
# Contrato 3259
ipfw add allow all from 192.168.34.2 to any keep-state
# Contrato 3261
ipfw add allow all from 192.168.36.2 to any keep-state
# Contrato 1028
ipfw add allow all from 192.168.37.2 to any keep-state
# Contrato 1032
ipfw add allow all from 192.168.38.2 to any keep-state
ipfw add allow all from 192.168.38.3 to any keep-state
# Contrato 3268
ipfw add allow all from 192.168.39.1 to any keep-state
ipfw add allow all from 192.168.39.2 to any keep-state
ipfw add allow all from 192.168.39.3 to any keep-state
ipfw add allow all from 192.168.39.4 to any keep-state
ipfw add allow all from 192.168.39.5 to any keep-state
ipfw add allow all from 192.168.39.6 to any keep-state
ipfw add allow all from 192.168.39.7 to any keep-state
# Contrato 1030
ipfw add allow all from 192.168.40.2 to any keep-state
# Contrato 1031
ipfw add allow all from 192.168.208.2 to any keep-state
# Contrato 3280
ipfw add allow all from 192.168.41.2 to any keep-state
# Contrato 9934
ipfw add allow all from 192.168.50.2 to any keep-state
ipfw add allow all from 192.168.50.3 to any keep-state
ipfw add allow all from 192.168.50.4 to any keep-state
ipfw add allow all from 192.168.50.5 to any keep-state
ipfw add allow all from 192.168.50.6 to any keep-state
ipfw add allow all from 192.168.50.7 to any keep-state
ipfw add allow all from 192.168.50.8 to any keep-state
ipfw add allow all from 192.168.50.9 to any keep-state
ipfw add allow all from 192.168.50.10 to any keep-state
ipfw add allow all from 192.168.50.11 to any keep-state
ipfw add allow all from 192.168.1.101 to any keep-state
# Contrato 9955
ipfw add allow all from 192.168.51.2 to any keep-state
ipfw add allow all from 192.168.51.3 to any keep-state
# Contrato 33412
ipfw add allow all from 192.168.21.2 to any keep-state
ipfw add allow all from 192.168.21.3 to any keep-state
### DEFINE CONFIGURACAO DE FIREWALL CLOSED
ipfw add 65500 deny all from any to any
Ok. Eureka! Meus clientes estão funcionando e a máquina está 100%, com um
uptime de 8 dias e tenho cerca de 99% de processador idle. (É uma baita duma
máquina só pra nat... amd 1.8, 512mb ram...)
Ok, tenho instalado agora apache e mrtg, onde faço contagem dos pacotes e
posso verificar como anda minha banda... até aí mais uma vez digo que está
tudo bem.
Então, resolvi rodar um servidor DNS nesta máquina, onde meus clientes
utilizarão o próprio gateway como DNS. Este meu servidor DNS seria apenas um
forward do meu servidor DNS principal. Tudo ok, bind9 instalado, funcionando,
aí teste final... boot na máquina!
Aí a máquina não subiu!
Travava toda hora quando carregava o rc.fw.sh. Na maioria das vezes o processo
que dava 'panic: page fault' era o natd, mas algumas vezes dava com o sshd e
até o httpd. Tirei tudo da máquina, só deixei funcionando o firewall + nat.
Nada. não subia, dava o mesmo erro.
Troquei processador, placa mae, placa de video, placa de rede, memoria, cabo
flat... tudo menos o hd, pois teria que refazer a máquina.
Ok, crente que era um problema de hardware, fiz o mesmo processo acima em
outra máquina, um celeron 300mhz, para deixar funcionando temporariamente
enquanto eu consertava esta outra máquina. Ok, FreeBSD 4.8-Stable rodando no
celeron.
Dessa vez instalei só natd + ipfirewall, não instalei mrtg nem apache e outros.
Ok, quando coloquei o Firewall pra iniciar, dei um boot na máquina, com as
mesmas regras acima, e tive o mesmo erro, panic: page fault, com o natd.
Anotei o erro que apareceu na tela:
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x16c
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc027e9a6
stack pointer = 0x10:0xd243ac94
frame pointer = 0x10:0xd243aca4
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 66 (natd)
interrupt mask =
trap number = 12
panic: page fault
syncing disks... 10 1
done
Uptime: 55s
Automatic reboot in 15 seconds - press a key on the console to abort
Aí dei boot na máquina, e subiu!
e até agora não tive mais o mesmo erro...
HELP! Anybody seen my baby?
Mais informações sobre o sistema:
-bash-2.05b$ sysctl -a | grep net.inet.ip
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
net.inet.ip.forwarding: 1
net.inet.ip.redirect: 1
net.inet.ip.ttl: 64
net.inet.ip.rtexpire: 3600
net.inet.ip.rtminexpire: 10
net.inet.ip.rtmaxcache: 128
net.inet.ip.sourceroute: 0
net.inet.ip.intr_queue_maxlen: 50
net.inet.ip.intr_queue_drops: 0
net.inet.ip.accept_sourceroute: 0
net.inet.ip.fastforwarding: 0
net.inet.ip.keepfaith: 0
net.inet.ip.gifttl: 30
net.inet.ip.subnets_are_local: 0
net.inet.ip.dummynet.hash_size: 64
net.inet.ip.dummynet.curr_time: 24072732
net.inet.ip.dummynet.ready_heap: 0
net.inet.ip.dummynet.extract_heap: 0
net.inet.ip.dummynet.searches: 0
net.inet.ip.dummynet.search_steps: 0
net.inet.ip.dummynet.expire: 1
net.inet.ip.dummynet.max_chain_len: 16
net.inet.ip.dummynet.red_lookup_depth: 256
net.inet.ip.dummynet.red_avg_pkt_size: 512
net.inet.ip.dummynet.red_max_pkt_size: 1500
net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 0
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.static_count: 2
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 10
net.inet.ip.fw.dyn_short_lifetime: 5
net.inet.ip.fw.dyn_grace_time: 10
net.inet.ip.maxfragpackets: 272
net.inet.ip.maxfragsperpacket: 16
net.inet.ip.sendsourcequench: 0
net.inet.ip.check_interface: 0
Well... é isso...
Comentários? :|
Grande abraço,
---
Felipe Neuwald
neuwald em rudah.com.br
Rudah On-Line SysAdm
_______________________________________________________________
Sair da Lista: http://www2.fugspbr.org/mailman/listinfo/fugspbr
Historico: http://www4.fugspbr.org/lista/html/FUG-BR/
Mais detalhes sobre a lista de discussão freebsd