[FUGSPBR] bug IPFIREWALL + natd FreeBSD 4.8-Stable

Felipe Neuwald neuwald at rudah.com.br
Fri May 23 16:59:12 BRT 2003


Just one more note...
now when I connect to the machine via ssh it gives the same error... and the
process... natd!

Regards,

---
Felipe Neuwald
neuwald at rudah.com.br
Rudah On-Line SysAdm

On Fri, 23 May 2003 16:18:18 -0300, Felipe Neuwald wrote
> Dear Friends,
> 
> I believe this is a bug, since I see no other explanation for this
> to be happening.
> 
> I am migrating all of a company's NATs to FreeBSD +
> IPFIREWALL + natd. Linux was used before. I am talking about an
> environment where I have a reasonable number of clients behind the NAT,
> and heavy traffic.
> 
> I installed FreeBSD 4.8-RELEASE, and it was updated via cvsup:
> DOC;
> PORTS;
> STABLE.
> 
> I copied the GENERIC kernel to KERNEL1 and commented out the following lines:
> #cpu            I386_CPU
> #cpu            I486_CPU
> #cpu            I586_CPU
> PS: MY PROCESSOR IS I686.
> I changed the ident line to the following:
> ident           KERNEL1
> and changed the maxusers line to the following:
> maxusers        512
> 
> To minimize the impact on the firewall configuration, I only commented
> out the line that provides IPv6 protocol support:
> #options        INET6                   #IPv6 communications protocols
> 
> And to finish, I just added the following lines to my kernel
> configuration:
> options         IPFIREWALL
> options         IPDIVERT
> options         IPFIREWALL_VERBOSE
> options         IPFIREWALL_DEFAULT_TO_ACCEPT
> options         DUMMYNET
> 
> So far so good. After that the kernel was compiled, installed and
> everything worked wonderfully. Done. I am now on FreeBSD 4.8-STABLE.
> 
> -bash-2.05b$ uname -a
> 
> FreeBSD host.domain 4.8-STABLE FreeBSD 4.8-STABLE #0: Tue May 13 
> 18:12:54 BRT 2003     root em host.domain:/usr/src/sys/compile/KERNEL1  
> i386
> 
> Ok, then I initially set up NAT.
> I edited my rc.conf and added the following lines:
> firewall_enable="YES"
> natd_enable="YES"
> natd_interface="xl0"
> natd_flags="-l -u -f /etc/natd.conf"
> 
> My /etc/natd.conf file is the following:
> -bash-2.05b$ cat /etc/natd.conf
> interface xl0
> dynamic yes
> same_ports yes
> use_sockets yes
> 
> Then I created the file /usr/local/etc/rc.d/rc.fw.sh, which looked
> like this:
> 
> #!/bin/sh
> ### FLUSH THE RULES THAT EXISTED BEFORE
> ipfw -f flush
> ### NAT CONFIGURATION
> ipfw add divert natd all from any to any via xl0
> ### CONFIGURE LOOPBACK PERMISSIONS
> ipfw add 200 allow all from any to any via lo0
> ipfw add 300 deny all from any to 127.0.0.0/8
> ipfw add 400 deny all from 127.0.0.0/8 to any
> 
> So far so good, eureka! Everything worked perfectly, my
> clients had a simple NAT.
> 
> So now all that was left was to fine-tune the firewall so everything
> would work perfectly (or not)...
> 
> Well, my firewall script then looked like this:
> 
> #!/bin/sh
> ### FLUSH THE RULES THAT EXISTED BEFORE
> ipfw -f flush
> ### CONFIGURE SYSTEM VARIABLES
> sysctl net.inet.ip.fw.one_pass=0
> sysctl net.inet.ip.fw.dyn_max=102400
> sysctl net.inet.ip.fw.dyn_buckets=102400
> ### NAT CONFIGURATION
> ipfw add divert natd all from any to any via xl0
> ### CONFIGURE LOOPBACK PERMISSIONS
> ipfw add 200 allow all from any to any via lo0
> ipfw add 300 deny all from any to 127.0.0.0/8
> ipfw add 400 deny all from 127.0.0.0/8 to any
> ### CREATE PACKET COUNTERS
> ipfw add 500 count all from any to any in via xl1
> ipfw add 600 count all from any to any out via xl1
> ipfw add 700 count all from any to any in via xl0
> ipfw add 800 count all from any to any out via xl0
> ### CREATE A PIPE FOR NETWORK 192.168.0.0/16 AT 1024KBIT/S
> ipfw pipe 10 config bw 1024Kbit/s queue 160Kbytes
> ipfw pipe 20 config bw 1024Kbit/s queue 160Kbytes
> ipfw add 1500 pipe 10 all from 192.168.0.0/16 to any in via xl1
> ipfw add 1510 pipe 20 all from any to 192.168.0.0/16 out via xl1
> ### DYNAMIC CONFIGURATION
> ipfw add 2010 check-state
> ipfw add 2020 allow udp from myip to mydns1 53 keep-state
> ipfw add 2030 allow udp from mydns1 53 to myip keep-state
> ipfw add 2040 allow udp from myip to mydns2 53 keep-state
> ipfw add 2050 allow udp from mydns2 53 to myip keep-state
> ipfw add 2060 allow tcp from mynetwork to myip 22,10000,443 keep-state
> ipfw add 2065 allow tcp from mynetwork2 to myip 22,10000,443 keep-state
> ipfw add 2070 allow icmp from lan to any icmptypes 8 keep-state
> ipfw add 2080 allow icmp from mynetwork to myip icmptypes 8 keep-state
> ipfw add 2090 allow icmp from mylanip to lan keep-state
> ipfw add 2100 allow icmp from myip to any icmptypes 8 via xl0 keep-state
> ipfw add 2110 allow all from myip to any out via xl0 keep-state
> ipfw add 2120 deny log tcp from any to myip 22,10000,443
> ipfw add 2130 deny log tcp from any to mylanip 22,10000,443
> ### CLIENT ACCESS
> # Contract 2757
> ipfw add allow all from 192.168.208.3 to any keep-state
> ipfw add allow all from 192.168.208.4 to any keep-state
> ipfw add allow all from 192.168.208.5 to any keep-state
> # Contract 2763
> ipfw add allow all from 192.168.212.2 to any keep-state
> ipfw add allow all from 192.168.212.3 to any keep-state
> # Contract 2829
> ipfw add allow all from 192.168.205.2 to any keep-state
> ipfw add allow all from 192.168.205.3 to any keep-state
> # Contract 2945
> ipfw add allow all from 192.168.215.2 to any keep-state
> ipfw add allow all from 192.168.215.3 to any keep-state
> ipfw add allow all from 192.168.215.4 to any keep-state
> # Contract 3213
> ipfw add allow all from 192.168.216.1 to any keep-state
> ipfw add allow all from 192.168.216.2 to any keep-state
> ipfw add allow all from 192.168.216.3 to any keep-state
> # Contract 0023
> ipfw add allow all from 192.168.220.1 to any keep-state
> ipfw add allow all from 192.168.220.2 to any keep-state
> ipfw add allow all from 192.168.220.3 to any keep-state
> ipfw add allow all from 192.168.220.4 to any keep-state
> ipfw add allow all from 192.168.220.5 to any keep-state
> ipfw add allow all from 192.168.220.6 to any keep-state
> ipfw add allow all from 192.168.220.7 to any keep-state
> ipfw add allow all from 192.168.220.8 to any keep-state
> ipfw add allow all from 192.168.220.9 to any keep-state
> ipfw add allow all from 192.168.220.10 to any keep-state
> ipfw add allow all from 192.168.220.15 to any keep-state
> ipfw add allow all from 192.168.220.16 to any keep-state
> # Contract 0024
> ipfw add allow all from 192.168.217.2 to any keep-state
> ipfw add allow all from 192.168.217.3 to any keep-state
> ipfw add allow all from 192.168.217.4 to any keep-state
> ipfw add allow all from 192.168.217.5 to any keep-state
> ipfw add allow all from 192.168.217.6 to any keep-state
> # Contract 1013
> ipfw add allow all from 192.168.223.2 to any keep-state
> ipfw add allow all from 192.168.223.3 to any keep-state
> ipfw add allow all from 192.168.223.4 to any keep-state
> ipfw add allow all from 192.168.223.6 to any keep-state
> # Contract 10134
> ipfw add allow all from 192.168.224.2 to any keep-state
> # Contract 1002
> ipfw add allow all from 192.168.225.2 to any keep-state
> # Contract 1001
> ipfw add allow all from 192.168.227.2 to any keep-state
> ipfw add allow all from 192.168.227.3 to any keep-state
> # Contract 3094
> ipfw add allow all from 192.168.231.3 to any keep-state
> # Contract 1004
> ipfw add allow all from 192.168.232.2 to any keep-state
> # Contract 1005
> ipfw add allow all from 192.168.233.2 to any keep-state
> # Contract 3119
> ipfw add allow all from 192.168.237.2 to any keep-state
> # Contract 1011
> ipfw add allow all from 192.168.242.2 to any keep-state
> # Contract 1015
> ipfw add allow all from 192.168.248.2 to any keep-state
> # Contract 1019
> ipfw add allow all from 192.168.253.2 to any keep-state
> # Contract 1020
> ipfw add allow all from 192.168.35.2 to any keep-state
> # Contract 3207
> ipfw add allow all from 192.168.16.2 to any keep-state
> # Contract 3225
> ipfw add allow all from 192.168.23.3 to any keep-state
> # Contract 3228
> ipfw add allow all from 192.168.24.2 to any keep-state
> # Contract 3227
> ipfw add allow all from 192.168.100.2 to any keep-state
> ipfw add allow all from 192.168.100.3 to any keep-state
> ipfw add allow all from 192.168.100.4 to any keep-state
> ipfw add allow all from 192.168.100.5 to any keep-state
> ipfw add allow all from 192.168.100.6 to any keep-state
> ipfw add allow all from 192.168.100.7 to any keep-state
> ipfw add allow all from 192.168.100.8 to any keep-state
> ipfw add allow all from 192.168.100.9 to any keep-state
> ipfw add allow all from 192.168.100.10 to any keep-state
> ipfw add allow all from 192.168.100.11 to any keep-state
> ipfw add allow all from 192.168.100.12 to any keep-state
> ipfw add allow all from 192.168.100.13 to any keep-state
> ipfw add allow all from 192.168.100.14 to any keep-state
> ipfw add allow all from 192.168.100.15 to any keep-state
> ipfw add allow all from 192.168.100.16 to any keep-state
> ipfw add allow all from 192.168.100.17 to any keep-state
> ipfw add allow all from 192.168.100.18 to any keep-state
> ipfw add allow all from 192.168.100.19 to any keep-state
> ipfw add allow all from 192.168.100.20 to any keep-state
> ipfw add allow all from 192.168.100.21 to any keep-state
> ipfw add allow all from 192.168.100.22 to any keep-state
> ipfw add allow all from 192.168.100.23 to any keep-state
> ipfw add allow all from 192.168.100.24 to any keep-state
> ipfw add allow all from 192.168.99.2 to any keep-state
> ipfw add allow all from 192.168.100.25 to any keep-state
> ipfw add allow all from 192.168.100.26 to any keep-state
> # Contract 3242
> ipfw add allow all from 192.168.25.2 to any keep-state
> # Contract 3247
> ipfw add allow all from 192.168.26.2 to any keep-state
> ipfw add allow all from 192.168.26.3 to any keep-state
> ipfw add allow all from 192.168.26.4 to any keep-state
> # Contract 1024
> ipfw add allow all from 192.168.27.2 to any keep-state
> ipfw add allow all from 192.168.27.3 to any keep-state
> ipfw add allow all from 192.168.27.4 to any keep-state
> ipfw add allow all from 192.168.27.5 to any keep-state
> ipfw add allow all from 192.168.27.6 to any keep-state
> # Contract 1025
> ipfw add allow all from 192.168.28.2 to any keep-state
> ipfw add allow all from 192.168.28.3 to any keep-state
> # Contract 2803
> ipfw add allow all from 192.168.30.2 to any keep-state
> # Contract 3257
> ipfw add allow all from 192.168.32.2 to any keep-state
> ipfw add allow all from 192.168.32.3 to any keep-state
> ipfw add allow all from 192.168.32.4 to any keep-state
> # Contract 1027
> ipfw add allow all from 192.168.33.2 to any keep-state
> # Contract 3259
> ipfw add allow all from 192.168.34.2 to any keep-state
> # Contract 3261
> ipfw add allow all from 192.168.36.2 to any keep-state
> # Contract 1028
> ipfw add allow all from 192.168.37.2 to any keep-state
> # Contract 1032
> ipfw add allow all from 192.168.38.2 to any keep-state
> ipfw add allow all from 192.168.38.3 to any keep-state
> # Contract 3268
> ipfw add allow all from 192.168.39.1 to any keep-state
> ipfw add allow all from 192.168.39.2 to any keep-state
> ipfw add allow all from 192.168.39.3 to any keep-state
> ipfw add allow all from 192.168.39.4 to any keep-state
> ipfw add allow all from 192.168.39.5 to any keep-state
> ipfw add allow all from 192.168.39.6 to any keep-state
> ipfw add allow all from 192.168.39.7 to any keep-state
> # Contract 1030
> ipfw add allow all from 192.168.40.2 to any keep-state
> # Contract 1031
> ipfw add allow all from 192.168.208.2 to any keep-state
> # Contract 3280
> ipfw add allow all from 192.168.41.2 to any keep-state
> # Contract 9934
> ipfw add allow all from 192.168.50.2 to any keep-state
> ipfw add allow all from 192.168.50.3 to any keep-state
> ipfw add allow all from 192.168.50.4 to any keep-state
> ipfw add allow all from 192.168.50.5 to any keep-state
> ipfw add allow all from 192.168.50.6 to any keep-state
> ipfw add allow all from 192.168.50.7 to any keep-state
> ipfw add allow all from 192.168.50.8 to any keep-state
> ipfw add allow all from 192.168.50.9 to any keep-state
> ipfw add allow all from 192.168.50.10 to any keep-state
> ipfw add allow all from 192.168.50.11 to any keep-state
> ipfw add allow all from 192.168.1.101 to any keep-state
> # Contract 9955
> ipfw add allow all from 192.168.51.2 to any keep-state
> ipfw add allow all from 192.168.51.3 to any keep-state
> # Contract 33412
> ipfw add allow all from 192.168.21.2 to any keep-state
> ipfw add allow all from 192.168.21.3 to any keep-state
> ### SET THE FIREWALL CONFIGURATION TO CLOSED
> ipfw add 65500 deny all from any to any
> 
> Ok. Eureka! My clients are working and the machine is at 100%,
> with an uptime of 8 days and about 99% processor idle. (It's one
> heck of a machine just for NAT... AMD 1.8, 512MB RAM...) Ok,
> I now have apache and mrtg installed, with which I count the packets
> and can check how my bandwidth is doing... up to here, once again,
> I say everything is fine. Then I decided to run a DNS server on this
> machine, so that my clients would use the gateway itself as their DNS.
> This DNS server would only be a forwarder to my main DNS
> server. All ok, bind9 installed, working, then the final test...
> reboot the machine!
> 
> Then the machine wouldn't come up!
> It locked up every time it loaded rc.fw.sh. Most of the time
> the process that gave 'panic: page fault' was natd, but sometimes
> it was sshd and even httpd. I took everything off the machine, and
> left only the firewall + NAT running. Nothing. It wouldn't come up, it gave the same error.
> I swapped the processor, motherboard, video card, network card,
> memory, flat cable... everything except the HD, since I would have to rebuild the machine.
> 
> Ok, convinced it was a hardware problem, I did the same process
> above on another machine, a Celeron 300MHz, to have it running
> temporarily while I fixed the other machine. Ok, FreeBSD 4.8-Stable
> running on the Celeron.
> 
> This time I installed only natd + ipfirewall, without mrtg,
> apache or the rest. Ok, when I set the firewall to start, I
> rebooted the machine, with the same rules as above, and got the same error,
> panic: page fault, with natd.
> 
> I wrote down the error that appeared on the screen:
> 
> Fatal trap 12: page fault while in kernel mode 
> fault virtual address		= 0x16c 
> fault code			= supervisor read, page not present 
> instruction pointer		= 0x8:0xc027e9a6 
> stack pointer			= 0x10:0xd243ac94 
> frame pointer			= 0x10:0xd243aca4 
> code segment			= base 0x0, limit 0xfffff, type 0x1b 
> 				= DPL 0, pres 1, def32 1, gran 1 
> processor eflags		= interrupt enabled, resume, IOPL = 0 
> current process			= 66 (natd) 
> interrupt mask			= 
> trap number			= 12 
> panic: page fault 
>  
> syncing disks... 10 1 
> done 
> Uptime: 55s 
> Automatic reboot in 15 seconds - press a key on the console to abort
> 
> Then I rebooted the machine, and it came up!
> and so far I haven't had the same error again...
> 
> HELP! Anybody seen my baby?
> 
> More information about the system:
> 
> -bash-2.05b$ sysctl -a | grep net.inet.ip
> net.inet.ip.portrange.lowfirst: 1023
> net.inet.ip.portrange.lowlast: 600
> net.inet.ip.portrange.first: 1024
> net.inet.ip.portrange.last: 5000
> net.inet.ip.portrange.hifirst: 49152
> net.inet.ip.portrange.hilast: 65535
> net.inet.ip.forwarding: 1
> net.inet.ip.redirect: 1
> net.inet.ip.ttl: 64
> net.inet.ip.rtexpire: 3600
> net.inet.ip.rtminexpire: 10
> net.inet.ip.rtmaxcache: 128
> net.inet.ip.sourceroute: 0
> net.inet.ip.intr_queue_maxlen: 50
> net.inet.ip.intr_queue_drops: 0
> net.inet.ip.accept_sourceroute: 0
> net.inet.ip.fastforwarding: 0
> net.inet.ip.keepfaith: 0
> net.inet.ip.gifttl: 30
> net.inet.ip.subnets_are_local: 0
> net.inet.ip.dummynet.hash_size: 64
> net.inet.ip.dummynet.curr_time: 24072732
> net.inet.ip.dummynet.ready_heap: 0
> net.inet.ip.dummynet.extract_heap: 0
> net.inet.ip.dummynet.searches: 0
> net.inet.ip.dummynet.search_steps: 0
> net.inet.ip.dummynet.expire: 1
> net.inet.ip.dummynet.max_chain_len: 16
> net.inet.ip.dummynet.red_lookup_depth: 256
> net.inet.ip.dummynet.red_avg_pkt_size: 512
> net.inet.ip.dummynet.red_max_pkt_size: 1500
> net.inet.ip.fw.enable: 1
> net.inet.ip.fw.one_pass: 1
> net.inet.ip.fw.debug: 1
> net.inet.ip.fw.verbose: 1
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.dyn_max: 1000
> net.inet.ip.fw.static_count: 2
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_grace_time: 10
> net.inet.ip.maxfragpackets: 272
> net.inet.ip.maxfragsperpacket: 16
> net.inet.ip.sendsourcequench: 0
> net.inet.ip.check_interface: 0
> 
> Well... that's it...
> Comments? :|
> 
> Best regards,
> 
> ---
> Felipe Neuwald
> neuwald at rudah.com.br
> Rudah On-Line SysAdm
> _______________________________________________________________
> Leave the list: http://www2.fugspbr.org/mailman/listinfo/fugspbr
> Archive: http://www4.fugspbr.org/lista/html/FUG-BR/



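The sysctl dump at the end of the quoted post reports one_pass 1, dyn_max 1000, dyn_buckets 256 and static_count 2, none of which match what rc.fw.sh sets, so the ruleset was evidently not loaded when that dump was taken. As an added example, not code from the post, this Python checker parses both artefacts (the script's sysctl and ipfw add lines, and the sysctl -a output) and reports such mismatches; the two embedded excerpts are constructed from the post's values.

```python
import re

# Constructed excerpts, trimmed to a few lines; the values are the post's.
SCRIPT = """\
ipfw -f flush
sysctl net.inet.ip.fw.one_pass=0
sysctl net.inet.ip.fw.dyn_max=102400
sysctl net.inet.ip.fw.dyn_buckets=102400
ipfw add divert natd all from any to any via xl0
ipfw add 200 allow all from any to any via lo0
ipfw add 2010 check-state
ipfw add allow all from 192.168.208.3 to any keep-state
ipfw add 65500 deny all from any to any
"""
SYSCTL = """\
net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.static_count: 2
"""

def parse_sysctl(text):
    """Turn 'key: value' lines from sysctl -a into a dict."""
    pairs = (re.match(r"^(\S+):\s*(.*)$", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def parse_script(text):
    """Return ({sysctl key: value}, [(rule number or None, rule body)])."""
    wanted, rules = {}, []
    for ln in text.splitlines():
        m = re.match(r"^sysctl\s+(\S+)=(\S+)", ln)
        if m:
            wanted[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^ipfw\s+add\s+(?:(\d+)\s+)?(.+)$", ln)
        if m:
            rules.append((int(m.group(1)) if m.group(1) else None, m.group(2)))
    return wanted, rules

def check(script_text, sysctl_text):
    """List every way the live kernel disagrees with the script."""
    wanted, rules = parse_script(script_text)
    live = parse_sysctl(sysctl_text)
    findings = []
    for key, val in wanted.items():
        if live.get(key) != val:
            findings.append(f"{key}: script sets {val}, kernel reports {live.get(key)}")
    # static_count is the number of rules currently in the kernel; fewer
    # than the script adds means the ruleset never made it into the kernel.
    static = int(live.get("net.inet.ip.fw.static_count", "0"))
    if static < len(rules):
        findings.append(f"static_count {static} < {len(rules)} rules in script: ruleset not loaded")
    return findings
```

Run it against the real rc.fw.sh and a fresh `sysctl -a | grep net.inet.ip.fw` after boot to confirm whether the script's settings actually took effect before the panic is attributed to natd.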



More information about the freebsd mailing list