From: umage <theultramage@gmail.com>
Date: Thu, 23 Jun 2011 14:05:46 +0200
To: Ian Smith
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw nat inbound keep-state with net.inet.ip.fw.one_pass=0
Message-ID: <4E032C1A.9000707@gmail.com>
In-Reply-To: <20110623205741.K34951@sola.nimnet.asn.au>
References: <20110621223335.2C145106579B@hub.freebsd.org> <20110623205741.K34951@sola.nimnet.asn.au>

Some points:

1) I did use the handbook as reference, and my ruleset mimics the layout used there.
2) The handbook uses divert natd, which I used until I switched to the kernel nat approach.
3) I did not find any concrete examples of ipfw nat rule usage, so I'm using them the old natd way.

I did some more experiments, and noticed that, for example, an inbound connection can still communicate both ways after the initial state table rule expires (20 seconds for some reason). If they communicate while the state entry is alive, the timeout resets, but it seems like it doesn't matter at all. This leads me to believe that 'ipfw nat' keeps an internal state table, which cannot be viewed, but is checked when doing check-state. Or something... which I have no way of knowing.

Here's a pruned version of the ruleset I used. Rule 600 is the one that adds that remote <--> local state table entry that messes everything up. If I omit keep-state on it, then traffic from the local side will be the one creating the states when replying, with a 5-second timeout.
--------------------
$fw add 100 allow all from any to any via $lan_if
$fw nat 1 config if $wan_if redirect_port 192.168.0.55:12345 12345
$fw add 200 nat 1 ip4 from any to any in via $wan_if
$fw add 300 check-state
$fw add 400 skipto 800 ip4 from any to any out via $wan_if keep-state
$fw add 500 allow all from any to any out keep-state
$fw add 600 allow all from any to any dst-port 12345 in keep-state
$fw add 700 deny all from any to any in
$fw add 800 nat 1 ip4 from any to any out
$fw add 900 allow all from any to any
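The following is an added model of the ruleset above (it is not code from the mail or from ipfw itself) that walks a redirected inbound SYN and the LAN host's reply through the rules with one_pass=0, once with keep-state on rule 600 and once without. It assumes the addresses 203.0.113.1 (WAN), 192.168.0.55 (LAN host) and 198.51.100.7 (remote), and the documented ipfw semantics: nat rewrites the packet and evaluation continues at the next rule, keep-state records the flow as the packet looks at that rule, and check-state executes the action of the matching dynamic rule.

```python
# Constructed addresses (assumption, not from the mail).
WAN_IP, LAN_HOST, REMOTE = "203.0.113.1", "192.168.0.55", "198.51.100.7"

def flow(p):
    """Bidirectional key of a dynamic rule: both endpoints, order-insensitive."""
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

def nat(p):  # nat 1: redirect_port 192.168.0.55:12345 inbound, masquerade outbound
    if p["dir"] == "in" and (p["dst"], p["dport"]) == (WAN_IP, 12345):
        p["dst"], p["translated"] = LAN_HOST, True
    elif p["dir"] == "out" and p["src"].startswith("192.168.0."):
        p["src"], p["translated"] = WAN_IP, True

def run(pkt, dyn, keep_state_600):
    """Walk the mail's ruleset; return (terminating rule, action, packet as it leaves)."""
    p = dict(pkt, translated=False)
    rules = [  # (number, match, action, keep-state)
        (100, lambda p: p["iface"] == "lan", "allow", False),
        (200, lambda p: p["dir"] == "in" and p["iface"] == "wan", "nat", False),
        (300, lambda p: flow(p) in dyn, "check-state", False),
        (400, lambda p: p["dir"] == "out" and p["iface"] == "wan", "skipto 800", True),
        (500, lambda p: p["dir"] == "out", "allow", True),
        (600, lambda p: p["dir"] == "in" and p["dport"] == 12345, "allow", keep_state_600),
        (700, lambda p: p["dir"] == "in", "deny", False),
        (800, lambda p: True, "nat", False),
        (900, lambda p: True, "allow", False),
    ]
    index = {num: k for k, (num, _, _, _) in enumerate(rules)}
    i = 0
    while i < len(rules):
        num, match, action, keep = rules[i]
        if not match(p):
            i += 1; continue
        if action == "check-state":      # run the matching dynamic rule's own action
            num, action = dyn[flow(p)]
        if keep:                         # keep-state: record the flow as seen at this rule
            dyn[flow(p)] = (num, action)
        if action == "nat":
            nat(p); i += 1               # one_pass=0: carry on after translation
        elif action.startswith("skipto"):
            i = index[int(action.split()[1])]
        else:
            return num, action, p

def scenario(keep_state_600):
    """Inbound SYN to the redirected port, then the LAN host's reply leaving via WAN."""
    dyn = {}
    syn = dict(dir="in", iface="wan", src=REMOTE, sport=40000, dst=WAN_IP, dport=12345)
    reply = dict(dir="out", iface="wan", src=LAN_HOST, sport=12345, dst=REMOTE, dport=40000)
    return run(syn, dyn, keep_state_600), run(reply, dyn, keep_state_600)
```

With keep-state on rule 600 the reply is matched by check-state at 300 with rule 600's action and leaves before the nat at 800 ever sees it, still carrying 192.168.0.55 as source; without it the reply falls through to rule 400, creates the state itself and is translated at 800.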