From owner-freebsd-ipfw@freebsd.org Sun Jan 12 08:42:55 2020
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 243284] ipfw(8) skip-action not a keyword
Date: Sun, 12 Jan 2020 08:42:55 +0000
X-Bugzilla-Product: Documentation
X-Bugzilla-Component: Manual Pages
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243284

Mark Linimon changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
        Assignee|bugs@FreeBSD.org |ipfw@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Sun Jan 12 21:00:37 2020
From: bugzilla-noreply@FreeBSD.org
To: ipfw@FreeBSD.org
Subject: Problem reports for ipfw@FreeBSD.org that need special attention
Date: Sun, 12 Jan 2020 21:00:37 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
New         |    215875 | [ipfw] ipfw lookup tables do not support mbuf_tag
New         |    232764 | [ipfw] share/examples/ipfw/change_rules.sh: Suppo

2 problems total for which you should take action.
From owner-freebsd-ipfw@freebsd.org Mon Jan 13 06:48:10 2020
From: Paul Procacci <pprocacci@gmail.com>
Date: Mon, 13 Jan 2020 01:47:55 -0500
Subject: Stateful NAT w/ record-state
To: freebsd-ipfw@freebsd.org
In an attempt to set up stateful NAT with a new (to me) feature
(record-state), I'm running into difficulties with return packets getting
denied when attempting to leave my primary interface.

My bad ascii diagram:

                     In Kernel Nat/Firewall
               /---------------------------------\
+--------+     +-------+     +-----+     +-------+     +-------+
| Client | --- | igb0  | --- | Nat | --- | igb1  | --- | Host  |
+--------+     +-------+     +-----+     +-------+     +-------+

Requests originate from "client", come in via "igb0", get passed to "nat",
leave "igb1" reaching host .... no problem.
The response leaving "host", comes in via "igb1", gets passed to "nat", and
gets clobbered by ipfw's deny rule (see below).

# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

I've separated my ruleset (below) into chunks to hopefully make it easier on
the eyes.
Note: this is only the pertinent parts of my ruleset.

Rules 91-99     : Dispatch table
Rules 3000-3499 : ip_output
Rules 50099-*   : ip_input

#####################################################
00001 reass
00092 skipto 50000 not layer2 in
00093 skipto 3000 not layer2 out recv *
00094 skipto 3500 not layer2 out // not recv *
00099 deny // first-stage dispatch problem

03000 nat 1 ip from any to any out via igb0
03001 check-state :outside
03499 deny log ip from any to any // ip_output -- forwarded

50099 allow tcp from any to me 8765 recv igb0 setup record-state :outside defer-immediate-action
50100 nat 1 ip from any to me in via igb0
50101 allow tcp from any to 192.168.70.2 8765 in via igb0 setup keep-state :outside
59999 deny log ip from any to any // ip_input -- DENY remaining
#####################################################

** I expect rule 50099 to record the state of "client -> igb0" in the
   state table (ip_input)
** I expect rule 3001 to validate the state entered in rule 50099; however,
   it is getting caught by rule 3499

Pertinent dynamic rules:

50101   3   156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
50099   6   613  (1s) STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside

It would seem to me I have everything where it needs to be to get this
working, but for some reason, it simply isn't.

Thanks for the help in advance.
__________________
:(){ :|:& };:

From owner-freebsd-ipfw@freebsd.org Tue Jan 14 02:09:40 2020
From: Paul Procacci <pprocacci@gmail.com>
Date: Mon, 13 Jan 2020 21:09:25 -0500
Subject: Re: Stateful NAT w/ record-state
To: freebsd-ipfw@freebsd.org
Welp, I ended up using an intermediary (nginx) to proxy the request.
I would have liked to avoid passing packets to userland though.

If anyone finds this, and knows anything about the record-state keyword and
knows how to use it "properly", I'd love to hear about it.

Take care

On Mon, Jan 13, 2020 at 1:47 AM Paul Procacci wrote:

> In an attempt to set up stateful NAT with a new (to me) feature
> (record-state), I'm running into difficulties with return packets getting
> denied when attempting to leave my primary interface.
>
> My bad ascii diagram:
>
>                      In Kernel Nat/Firewall
>                /---------------------------------\
> +--------+     +-------+     +-----+     +-------+     +-------+
> | Client | --- | igb0  | --- | Nat | --- | igb1  | --- | Host  |
> +--------+     +-------+     +-----+     +-------+     +-------+
>
> Requests originate from "client", come in via "igb0", get passed to "nat",
> leave "igb1" reaching host .... no problem.
> The response leaving "host", comes in via "igb1", gets passed to "nat", and
> gets clobbered by ipfw's deny rule (see below).
>
> # sysctl net.inet.ip.fw.one_pass
> net.inet.ip.fw.one_pass: 0
>
> I've separated my ruleset (below) into chunks to hopefully make it easier on
> the eyes.
> Note: this is only the pertinent parts of my ruleset.
>
> Rules 91-99     : Dispatch table
> Rules 3000-3499 : ip_output
> Rules 50099-*   : ip_input
>
> #####################################################
> 00001 reass
> 00092 skipto 50000 not layer2 in
> 00093 skipto 3000 not layer2 out recv *
> 00094 skipto 3500 not layer2 out // not recv *
> 00099 deny // first-stage dispatch problem
>
> 03000 nat 1 ip from any to any out via igb0
> 03001 check-state :outside
> 03499 deny log ip from any to any // ip_output -- forwarded
>
> 50099 allow tcp from any to me 8765 recv igb0 setup record-state :outside defer-immediate-action
> 50100 nat 1 ip from any to me in via igb0
> 50101 allow tcp from any to 192.168.70.2 8765 in via igb0 setup keep-state :outside
> 59999 deny log ip from any to any // ip_input -- DENY remaining
> #####################################################
>
> ** I expect rule 50099 to record the state of "client -> igb0" in the
>    state table (ip_input)
> ** I expect rule 3001 to validate the state entered in rule 50099; however,
>    it is getting caught by rule 3499
>
> Pertinent dynamic rules:
>
> 50101   3   156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
> 50099   6   613  (1s) STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside
>
> It would seem to me I have everything where it needs to be to get this
> working, but for some reason, it simply isn't.
>
> Thanks for the help in advance.
>
> __________________
> :(){ :|:& };:

-- 
__________________
:(){ :|:& };:

From owner-freebsd-ipfw@freebsd.org Fri Jan 17 15:53:40 2020
From: "Lutz Donnerhacke" <lutz@donnerhacke.de>
To: "'Paul Procacci'" <pprocacci@gmail.com>, freebsd-ipfw@freebsd.org
Subject: AW: Stateful NAT w/ record-state
Date: Fri, 17 Jan 2020 16:53:33 +0100
Message-ID: <008201d5cd4e$45e49890$d1adc9b0$@donnerhacke.de>
> >                      In Kernel Nat/Firewall
> >                /---------------------------------\
> > +--------+     +-------+     +-----+     +-------+     +-------+
> > | Client | --- | igb0  | --- | Nat | --- | igb1  | --- | Host  |
> > +--------+     +-------+     +-----+     +-------+     +-------+
> >
> > Requests originate from "client", come in via "igb0", get passed to "nat",
> > leave "igb1" reaching host .... no problem.
> >
> > 03000 nat 1 ip from any to any out via igb0

Jup.

> > The response leaving "host", comes in via "igb1", gets passed to "nat", and
> > gets clobbered by ipfw's deny rule (see below).
> >
> > 50100 nat 1 ip from any to me in via igb0

igb1 != igb0

I'd suggest applying nat to any traffic on igb1 in both directions.
So routing is much easier (you never see the public NAT IP).
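Added example, not from the thread and not ipfw code: a small Python model of the static part of ipfw(8) rule bodies (direction, via/recv/xmit, destination address, port, setup), used to trace the four legs of Paul's connection through the posted rules. It makes the point behind "igb1 != igb0" concrete: ipfw tests "via ifX" against the receive interface on input and the transmit interface on output, so the posted nat rules see only "request in on igb0" and "reply out on igb0", while a single "via igb1" nat rule, as the reply suggests, sees the request leaving igb1 and the reply arriving on igb1. It goes beyond the thread by evaluating both rule sets side by side. Assumptions: the Packet and Rule classes, the local-address set (only 192.168.1.31, taken from the posted state entry), the four constructed packets, and rule number 100 for the hypothetical "via igb1" rule are all mine; NAT translation and dynamic state (check-state, keep-state, record-state) are deliberately not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# "me" in ipfw means every address configured on the box. Only 192.168.1.31
# is known from the posted dynamic-rule entry (constructed assumption).
LOCAL_ADDRS = {"192.168.1.31"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str           # "in" (ip_input) or "out" (ip_output)
    recv_if: Optional[str]   # interface the packet arrived on; None if locally generated
    xmit_if: Optional[str]   # interface it leaves on; None while still in ip_input
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    proto: str = "ip"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None  # "in" / "out" keyword; None matches both
    via: Optional[str] = None        # via ifX: the interface currently being traversed
    recv: Optional[str] = None       # recv ifX: receive interface, checked both ways
    xmit: Optional[str] = None       # xmit ifX: transmit interface, outbound only
    setup: bool = False              # TCP SYN without ACK


def _iface_matches(pattern: str, iface: Optional[str]) -> bool:
    # "*" (any) still needs an interface: locally generated packets have no recv_if.
    return iface is not None and (pattern == "*" or pattern == iface)


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if pattern == "me":
        return addr in LOCAL_ADDRS
    return pattern == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the static body of `rule` matches `pkt`; dynamic state is ignored."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _addr_matches(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    # 'via' is checked against the receive interface on input and the transmit
    # interface on output, so a forwarded packet leaving igb1 does not match
    # 'via igb0' even though it was received on igb0.
    current_if = pkt.recv_if if pkt.direction == "in" else pkt.xmit_if
    if rule.via is not None and not _iface_matches(rule.via, current_if):
        return False
    if rule.recv is not None and not _iface_matches(rule.recv, pkt.recv_if):
        return False
    if rule.xmit is not None and (pkt.direction != "out" or
                                  not _iface_matches(rule.xmit, pkt.xmit_if)):
        return False
    if rule.setup and not (pkt.syn and not pkt.ack):
        return False
    return True


def matching_rules(pkt: Packet, rules: List[Rule]) -> List[int]:
    """Numbers of all rules whose static body matches, in ruleset order."""
    return [r.number for r in rules if rule_matches(r, pkt)]


# ip_input block of the posted ruleset, static bodies only.
IP_INPUT_RULES = [
    Rule(50099, "allow record-state", proto="tcp", dst="me", dport=8765, recv="igb0", setup=True),
    Rule(50100, "nat 1", dst="me", direction="in", via="igb0"),
    Rule(50101, "allow keep-state", proto="tcp", dst="192.168.70.2", dport=8765,
         direction="in", via="igb0", setup=True),
    Rule(59999, "deny log"),
]

# The two nat rules as posted, and one constructed 'via igb1' rule following
# the suggestion in the reply (rule number 100 is hypothetical).
POSTED_NAT_RULES = [
    Rule(3000, "nat 1", direction="out", via="igb0"),
    Rule(50100, "nat 1", dst="me", direction="in", via="igb0"),
]
IGB1_NAT_RULES = [Rule(100, "nat 1", via="igb1")]

# Four legs of one connection, constructed from the posted state table
# (client 79.79.179.215:54724, redirect target 192.168.70.2:8765).
CLIENT, ME, HOST = "79.79.179.215", "192.168.1.31", "192.168.70.2"
LEGS: Dict[str, Packet] = {
    "request ip_input":  Packet(CLIENT, ME, 8765, "in", "igb0", None, syn=True),
    "request ip_output": Packet(CLIENT, HOST, 8765, "out", "igb0", "igb1", syn=True),
    "reply ip_input":    Packet(HOST, CLIENT, 54724, "in", "igb1", None, syn=True, ack=True),
    "reply ip_output":   Packet(HOST, CLIENT, 54724, "out", "igb1", "igb0", syn=True, ack=True),
}


def nat_hits(rules: List[Rule]) -> Dict[str, List[int]]:
    """For each leg, which of the given nat rules would see the packet."""
    return {leg: matching_rules(pkt, rules) for leg, pkt in LEGS.items()}


if __name__ == "__main__":
    print("reply, ip_input static matches:", matching_rules(LEGS["reply ip_input"], IP_INPUT_RULES))
    print("posted nat rules:", nat_hits(POSTED_NAT_RULES))
    print("nat via igb1:    ", nat_hits(IGB1_NAT_RULES))
```

Run as a script it shows that the reply arriving on igb1 matches no static body in the ip_input block except the final deny, that the posted nat pair is hit on "request ip_input" (50100) and "reply ip_output" (3000) only, and that the single "via igb1" rule is hit on "request ip_output" and "reply ip_input", i.e. both directions of the flow on the inside interface. Whether the check-state at 3001 should have matched the 50099 state is a dynamic-state question this model does not answer.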