From: Nathan Aherne
Subject: Kernel NAT issues
Date: Tue, 13 Oct 2015 12:23:52 +1000
To: freebsd-ipfw@freebsd.org
Message-Id: <94B91F98-DE01-4A10-8AB5-4193FE11AF3F@reddog.com.au>

I sent through a question to this list a little while ago and have been trying to get IPFW NAT working since then. I have had some success but not the success I need: everything is working correctly except NAT rules for my particular use case.

I have read every Google result on the first 50 pages when searching for "IPFW NAT" or "IPFW kernel NAT". I would really appreciate it if someone could help me out.

My use case is as follows:

1. I need to use hairpin NAT - I am using Jails behind an http proxy and some jails need to be able to communicate with each other but only over the WAN IP. This is why I have not used PF.
2. Some jails need to be able to communicate with each other on the private interface (lo1).
3. IPFW is configured as default deny.
4. Each jail has a list of allowed ports for incoming and outgoing connections; these are set on the jail's private IP (10.0.0.0/16).
5. I am using a stateful firewall.

At the moment I am testing my IPFW ruleset using "host google.com". I can see the traffic leave the Jail, get natted, the response come back from 8.8.8.8 and the traffic is then denied. It seems like the state is not being checked or my rules are in the wrong place. I feel that I should be able to fix this but I am obviously misunderstanding how NAT works.

I was under the assumption that traffic flowed like this:

1. Traffic comes from Jail 10.0.0.1 on the lo1 interface; if the traffic is for a public IP, the traffic is natted, it goes out the WAN interface, comes back, is natted and switched to the lo1 interface, state is checked and it passes as returning traffic.
2. Traffic comes from Jail 10.0.0.1 on the lo1 interface; if the traffic is for a private IP, the traffic is not natted, it stays on the lo1 interface and goes directly to the 10.0.0.2 Jail.

I know I could answer my last question if "I read the code" and I have tried but am not getting it. Is my understanding of IPFW kernel NAT correct?

Regards,

Nathan
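As an added illustration of the rule ordering this question turns on (not Nathan's ruleset and not code from the FreeBSD project), here is an rc.firewall-style sketch for in-kernel NAT with jails that creates state on the untranslated outbound packet and un-NATs inbound replies before check-state runs; the interface names, jail subnet, WAN address and port list are assumed placeholders, and the hairpin case (jail to jail via the WAN IP) is not covered.

```shell
#!/bin/sh
# Added example in /etc/rc.firewall style, not the poster's ruleset.
# Assumed placeholders: em0 (WAN), lo1 (jails), 10.0.0.0/16, 203.0.113.10.
WAN_IF="em0"
JAIL_IF="lo1"
JAIL_NET="10.0.0.0/16"
WAN_IP="203.0.113.10"      # RFC 5737 documentation address, placeholder

# build_rules load -> install with /sbin/ipfw (root); anything else -> print only
build_rules() {
    if [ "${1:-dry}" = "load" ]; then
        fwcmd="/sbin/ipfw"
        # Keep matching rules after a nat action. With the default
        # one_pass=1 the packet is accepted right after translation and
        # the check-state / deny rules below are never consulted.
        sysctl net.inet.ip.fw.one_pass=0 >/dev/null
    else
        fwcmd="echo ipfw"
    fi
    ${fwcmd} -q flush
    ${fwcmd} -q nat 1 config if ${WAN_IF} same_ports reset
    # Jail-to-jail traffic on the private interface is never translated.
    ${fwcmd} -q add 100 allow ip from ${JAIL_NET} to ${JAIL_NET} via ${JAIL_IF}
    # Inbound: un-NAT replies arriving on the WAN *before* the state lookup,
    # so check-state sees the jail address the dynamic rule was keyed on.
    ${fwcmd} -q add 200 nat 1 ip from any to ${WAN_IP} in via ${WAN_IF}
    ${fwcmd} -q add 300 check-state
    # Outbound: create state on the untranslated packet, then jump to nat.
    ${fwcmd} -q add 400 skipto 1000 tcp from ${JAIL_NET} to any 53,80,443 \
        out via ${WAN_IF} setup keep-state
    ${fwcmd} -q add 401 skipto 1000 udp from ${JAIL_NET} to any 53 \
        out via ${WAN_IF} keep-state
    # Anything that did not create or match state stops here (default deny).
    ${fwcmd} -q add 999 deny log ip from any to any
    ${fwcmd} -q add 1000 nat 1 ip from ${JAIL_NET} to any out via ${WAN_IF}
    ${fwcmd} -q add 1001 allow ip from any to any out via ${WAN_IF}
    ${fwcmd} -q add 65000 deny log ip from any to any
}

# Default is a dry run that prints the rules; LOAD=1 installs them.
if [ "${LOAD:-0}" = "1" ]; then build_rules load; else build_rules dry; fi
```

With the default net.inet.ip.fw.one_pass=1, a packet leaves the ruleset right after the nat action, which is one way the "natted, then denied" symptom appears when the state check or the allow rule sits after nat.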