From: Paul Procacci
Date: Mon, 13 Jan 2020 01:47:55 -0500
Subject: Stateful NAT w/ record-state
To: freebsd-ipfw@freebsd.org

In an attempt to set up stateful nat with a new (to me) feature (record-state), I'm running into difficulties with return packets getting denied when attempting to leave my primary interface.

My bad ascii diagram:

                In Kernel Nat/Firewall
             /---------------------------\
+--------+   +------+   +-----+   +------+   +------+
| Client |---| igb0 |---| Nat |---| igb1 |---| Host |
+--------+   +------+   +-----+   +------+   +------+

Requests originate from "client", come in via "igb0", get passed to "nat", leave "igb1" reaching host .... no problem.

The response leaving "host" comes in via "igb1", gets passed to "nat", and gets clobbered by ipfw's deny rule (see below).

# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

I've separated my ruleset (below) into chunks to hopefully make it easier on the eyes.
Note: these are only the pertinent parts of my ruleset.
Rules 91-99     : Dispatch table
Rules 3000-3499 : ip_output
Rules 50099-*   : ip_input

#####################################################
00001 reass
00092 skipto 50000 not layer2 in
00093 skipto 3000 not layer2 out recv *
00094 skipto 3500 not layer2 out // not recv *
00099 deny // first-stage dispatch problem

03000 nat 1 ip from any to any out via igb0
03001 check-state :outside
03499 deny log ip from any to any // ip_output -- forwarded

50099 allow tcp from any to me 8765 recv igb0 setup record-state :outside defer-immediate-action
50100 nat 1 ip from any to me in via igb0
50101 allow tcp from any to 192.168.70.2 8765 in via igb0 setup keep-state :outside
59999 deny log ip from any to any // ip_input -- DENY remaining
#####################################################

** I expect rule 50099 to record the state of "client -> igb0" in the state table (ip_input)
** I expect rule 3001 to validate the state entered in rule 50099, however it is getting caught by rule 3499

Pertinent dynamic rules:

50101     3     156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
50099     6     613 (1s)  STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside

It would seem to me I have everything where it needs to be to get this working, but for some reason, it simply isn't.

Thanks for the help in advance.

__________________
:(){ :|:& };:
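A toy model of the two-pass rule walk described in the post, added here as an example; it is not part of the original message and not ipfw code. It follows the semantics documented in ipfw(8) (keep-state implies a check-state in front of the rule, record-state does not, defer-immediate-action records the state and keeps walking, one_pass=0 keeps walking after nat) and it assumes two things the post does not state outright: a single bidirectional state table keyed by flow name plus unordered endpoint pair, and a "nat 1" instance that redirects 192.168.1.31:8765 to 192.168.70.2:8765. The client address is the one from the dynamic-rule listing above. The model reproduces the path the poster expects (every pass ends in allow, the SYN/ACK matching the 50099 entry at rule 3001 after nat); it does not model whatever makes the real kernel stop at 3499, so its value is in showing which endpoint pair each state entry is keyed on and which lookup consults it.

```python
# Added example, not code from the original post: a toy model of an ipfw rule walk with
# skipto, in-kernel nat, record-state/keep-state and check-state. The state-table keying
# and the "nat 1" redirect mapping are assumptions of the model, not taken from the post.
from dataclasses import dataclass, replace

ME = {"192.168.1.31"}                                        # addresses owned by the firewall
NAT_PUBLIC, NAT_PRIVATE = ("192.168.1.31", 8765), ("192.168.70.2", 8765)   # assumed nat 1 redirect
CLIENT = ("79.79.179.215", 54724)                            # from the post's dynamic-rule listing

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" (ip_input pass) or "out" (ip_output pass)
    iface: str              # interface the packet arrived on (in) or leaves via (out)
    recv: str = ""          # for forwarded "out" packets: the interface it was received on
    syn_only: bool = False  # the bare SYN that the "setup" keyword matches

def flow_key(p):
    """Unordered endpoint pair, so both directions of a flow map to the same state entry."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def nat_translate(p):
    """Model of 'nat 1': public -> private on the way in, private -> public on the way out."""
    if p.direction == "in" and (p.dst, p.dport) == NAT_PUBLIC:
        return replace(p, dst=NAT_PRIVATE[0], dport=NAT_PRIVATE[1])
    if p.direction == "out" and (p.src, p.sport) == NAT_PRIVATE:
        return replace(p, src=NAT_PUBLIC[0], sport=NAT_PUBLIC[1])
    return p

# The poster's ruleset reduced to what the model needs: (number, action, predicate, options).
RULES = [
    (92, "skipto", lambda p: p.direction == "in", {"target": 50000}),
    (93, "skipto", lambda p: p.direction == "out" and p.recv != "", {"target": 3000}),
    (94, "skipto", lambda p: p.direction == "out" and p.recv == "", {"target": 3500}),
    (99, "deny", lambda p: True, {}),
    (3000, "nat", lambda p: p.direction == "out" and p.iface == "igb0", {}),
    (3001, "check-state", lambda p: True, {"flow": "outside"}),
    (3499, "deny", lambda p: True, {}),
    (50099, "allow", lambda p: p.dst in ME and p.dport == 8765 and p.syn_only
     and (p.iface if p.direction == "in" else p.recv) == "igb0",
     {"record_state": "outside", "defer": True}),
    (50100, "nat", lambda p: p.direction == "in" and p.iface == "igb0" and p.dst in ME, {}),
    (50101, "allow", lambda p: p.direction == "in" and p.iface == "igb0" and p.syn_only
     and (p.dst, p.dport) == NAT_PRIVATE, {"keep_state": "outside"}),
    (59999, "deny", lambda p: True, {}),
    (65535, "deny", lambda p: True, {}),                     # ipfw's implicit default rule
]
ACTION_OF = {r[0]: r[1] for r in RULES}

def walk(p, state):
    """One pass over RULES for one packet; creates entries in `state` as a side effect."""
    trace, i, probed = [], 0, False   # the dynamic table is consulted at most once per pass
    while i < len(RULES):
        num, action, match, opts = RULES[i]
        i += 1
        # keep-state implies a check-state in front of the rule body; record-state does not
        if (action == "check-state" or "keep_state" in opts) and not probed:
            probed = True
            parent = state.get((opts.get("flow") or opts["keep_state"], flow_key(p)))
            if parent is not None:
                trace.append(f"{num}: dynamic rule {parent} matched, applying its action")
                return {"rule": parent, "action": ACTION_OF[parent], "packet": p, "trace": trace}
        if action == "check-state" or not match(p):
            continue
        flow = opts.get("record_state") or opts.get("keep_state")
        if flow:
            state[(flow, flow_key(p))] = num
            trace.append(f"{num}: recorded {sorted(flow_key(p))} :{flow}")
            if opts.get("defer"):           # defer-immediate-action: record, then keep walking
                continue
        if action == "skipto":
            i = next((j for j, r in enumerate(RULES) if r[0] >= opts["target"]), len(RULES))
            trace.append(f"{num}: skipto {opts['target']}")
        elif action == "nat":               # one_pass=0: keep walking with the rewritten packet
            p = nat_translate(p)
            trace.append(f"{num}: nat -> {p.src}:{p.sport} > {p.dst}:{p.dport}")
        else:
            trace.append(f"{num}: {action}")
            return {"rule": num, "action": action, "packet": p, "trace": trace}
    return {"rule": 65535, "action": "deny", "packet": p, "trace": trace}

def run_scenario():
    """The poster's flow: client SYN in and out, host SYN/ACK in and out, plus one
    unsolicited packet from the host side that has no state entry (constructed)."""
    state, r = {}, {}
    r["syn_in"] = walk(Packet(*CLIENT, *NAT_PUBLIC, "in", "igb0", syn_only=True), state)
    r["syn_out"] = walk(replace(r["syn_in"]["packet"], direction="out", iface="igb1", recv="igb0"), state)
    r["synack_in"] = walk(Packet(*NAT_PRIVATE, *CLIENT, "in", "igb1"), state)
    r["synack_out"] = walk(replace(r["synack_in"]["packet"], direction="out", iface="igb0", recv="igb1"), state)
    r["stray_in"] = walk(Packet(NAT_PRIVATE[0], 8765, CLIENT[0], 54725, "in", "igb1"), state)
    r["state"] = state
    return r

if __name__ == "__main__":
    for name, res in run_scenario().items():
        if name != "state":
            print(name, res["rule"], res["action"], *res["trace"], sep="\n  ")
```

Running it prints, per pass, the deciding rule and the trace of skipto, nat rewrite, state creation and dynamic-rule hits; the two entries left in the state table are keyed on the pre-nat pair (from 50099) and the post-nat pair (from 50101), which is why the SYN/ACK has to be translated at 3000 before the check-state at 3001 can find the 50099 entry.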