From: Mamontov Roman <mr.xanto@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Mon, 19 Jul 2010 14:31:04 +0400
Message-ID: <1207784719.20100719143104@gmail.com>
In-Reply-To: <20100719181208.A86988@sola.nimnet.asn.au>
References: <1931583025.20100715114512@gmail.com> <20100715183743.S86988@sola.nimnet.asn.au> <893037983.20100719092644@gmail.com> <20100719181208.A86988@sola.nimnet.asn.au>
Subject: Problem with ipfw nat and packet to local services
List-Id: IPFW Technical Discussions

Hello, Ian.

> Hi Mamontov,
>
> What's the value of sysctl net.inet.ip.fw.one_pass ? It needs to be 0
> so that packets will re-enter the firewall after NAT processing.
>
> Otherwise, it might help to
>
> a) run 'ipfw zero' before any tests .. I'm wondering about all those
> packets hitting rule 65535; were they from before adding rule 65000?
>
> b) add some count rules before and after nat, to show all packets
> that may be eligible for NAT translation, maybe something like:
>
> 00020 count log ip from any to any in recv ${ext_if}
> 00022 count log ip from any to any out xmit ${ext_if}
> 00024 count log ip from any to any out recv ${int_if} xmit ${ext_if}
> 00035 nat ...
> 00040 count log ip from any to any in recv ${ext_if}
> 00042 count log ip from any to any out xmit ${ext_if}
> 00044 count log ip from any to any out recv ${int_if} xmit ${ext_if}
>
> So you actually get to see the flow of packets before and after nat,
> both to/from the local box and packets mapped to/from inside addresses.
> Again, an 'ipfw zero' before tests will make packet counts clearer.
>
> Of course something like '# tcpdump -pn -i ext_if' will also show all
> packets via ext_if in some detail. Be more specific if just looking for
> some particular flows, like maybe appending 'udp port NNNNN' to that.
> That is, try to follow packets you'd expect to be coming in for services
> on the local box so if they are disappearing, you'll know where or why.
>
> 'netstat -finet -an' will show all those services that are listening.
>
> If that doesn't help, we'll need more information.
>
> cheers, Ian

# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

# ipfw show 20-49
00020    40    2016 count log ip from any to me dst-port 22 in recv ext_if1
00021     0       0 count log ip from me 22 to any out xmit ext_if1
00035 13192 9028716 nat 1 ip from any to any via ext_if1
00040     0       0 count log ip from any to me dst-port 22 in recv ext_if1
00041     0       0 count log ip from me 22 to any out xmit ext_if1

# ipfw nat show config
ipfw nat 1 config ip xxx.xxx.xxx.xxx

# tcpdump -pn -i ext_if1 'host yyy.yyy.yyy.yyy'
14:12:48.885011 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS[|tcp]>
14:12:51.888823 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS[|tcp]>
14:12:54.884966 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS[|tcp]>
14:12:57.884090 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460], length 0
14:13:00.885131 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460], length 0
14:13:03.887094 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460], length 0

Output of
# netstat -finet -an | grep yyy.yyy.yyy.yyy
is blank.

Without rule 35 (nat 1 ip from any to any via ext_if1) inbound packets to ssh (for example) pass correctly.

# ipfw delete 35
# tcpdump -pn -i ext_if 'host yyy.yyy.yyy.yyy'
14:21:45.467233 IP yyy.yyy.yyy.yyy.2790 > xxx.xxx.xxx.xxx.22: Flags [S], seq 376101413, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS[|tcp]>
14:21:45.467670 IP xxx.xxx.xxx.xxx.22 > xxx.xxx.xxx.xxx.2790: Flags [S.], seq 3270699616, ack 376101414, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS[|tcp]>
14:21:45.468960 IP yyy.yyy.yyy.yyy.2790 > xxx.xxx.xxx.xxx.22: Flags [.], ack 1, win 33304, options [nop,nop,TS val 40088404 ecr 1166915706], length 0
14:21:45.527438 IP xxx.xxx.xxx.xxx.22 > yyy.yyy.yyy.yyy.2790: Flags [P.], ack 1, win 8326, options [nop,nop,TS val 1166915766 ecr 40088404], length 40

# netstat -finet -an | grep yyy.yyy.yyy.yyy
tcp4       0      0 xxx.xxx.xxx.xxx.22     yyy.yyy.yyy.yyy.2790   FIN_WAIT_2

00020     8    1403 count log ip from any to me dst-port 22 in recv ext_if1
00021     6    2280 count log ip from me 22 to any out xmit ext_if1
00040     8    1403 count log ip from any to me dst-port 22 in recv ext_if1
00041     6    2280 count log ip from me 22 to any out xmit ext_if1

Any ideas?

-- 
Best regards,
Mamontov Roman
mailto:mr.xanto@gmail.com
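The bracketing diagnostic Ian describes (count rules placed before and after the nat rule, `ipfw zero`, then compare counters) turned into a small script, as an added example that is not part of this thread or of ipfw itself. It assumes the rule numbers and interface name from Mamontov's output (rules 20/40 and 21/41 around nat rule 35 on ext_if1), and it uses the counters he posted as constructed sample input so it runs offline; on a real firewall you would feed it `ipfw show 20-49` instead.

```sh
#!/bin/sh
# Added example (not from the original thread): bracket an ipfw nat rule with
# paired 'count' rules and compare their packet counters to see whether packets
# that entered the nat rule ever came out the other side.
# Rule numbers, interface name and the sample counters below are assumptions
# taken from the thread's layout, not from a live system.

# Print (not apply) the diagnostic ruleset.  Pipe into 'sh' on the firewall to
# install it; 'ipfw zero' at the end resets the counters so a test starts clean.
diag_rules() {
    ext_if=${1:-ext_if1}
    cat <<EOF
ipfw add 20 count log ip from any to me dst-port 22 in recv $ext_if
ipfw add 21 count log ip from me 22 to any out xmit $ext_if
ipfw add 35 nat 1 ip from any to any via $ext_if
ipfw add 40 count log ip from any to me dst-port 22 in recv $ext_if
ipfw add 41 count log ip from me 22 to any out xmit $ext_if
ipfw zero
EOF
}

# Compare the packet counter of the rule placed before nat ($1) with the
# matching rule placed after it ($2).  Reads 'ipfw show' output on stdin; the
# first field is the zero-padded rule number, the second the packet count.
# Usage: ipfw show 20-49 | nat_delta 20 40
nat_delta() {
    awk -v before="$1" -v after="$2" '
        $1 == sprintf("%05d", before) { b = $2; seen_b = 1 }
        $1 == sprintf("%05d", after)  { a = $2; seen_a = 1 }
        END {
            if (!seen_b || !seen_a) { print "rule pair not found"; exit 1 }
            printf "before=%d after=%d lost=%d\n", b, a, b - a
        }'
}

# Constructed sample: the counters reported in the thread with the nat rule in
# place (inbound SSH SYNs hit rule 20 forty times, rule 40 never).
SAMPLE_WITH_NAT='00020 40 2016 count log ip from any to me dst-port 22 in recv ext_if1
00021 0 0 count log ip from me 22 to any out xmit ext_if1
00035 13192 9028716 nat 1 ip from any to any via ext_if1
00040 0 0 count log ip from any to me dst-port 22 in recv ext_if1
00041 0 0 count log ip from me 22 to any out xmit ext_if1'

# Constructed sample: the counters reported after 'ipfw delete 35'.
SAMPLE_NO_NAT='00020 8 1403 count log ip from any to me dst-port 22 in recv ext_if1
00021 6 2280 count log ip from me 22 to any out xmit ext_if1
00040 8 1403 count log ip from any to me dst-port 22 in recv ext_if1
00041 6 2280 count log ip from me 22 to any out xmit ext_if1'

# Inbound-to-local-ssh pair (20 -> 40) over a sample ruleset.
inbound_delta() {
    printf '%s\n' "$1" | nat_delta 20 40
}

# Outbound-from-local-ssh pair (21 -> 41) over a sample ruleset.
outbound_delta() {
    printf '%s\n' "$1" | nat_delta 21 41
}

diag_rules ext_if1
echo "with nat:    $(inbound_delta "$SAMPLE_WITH_NAT")"
echo "without nat: $(inbound_delta "$SAMPLE_NO_NAT")"
```

A non-zero `lost` on the inbound pair while the nat rule's own counter keeps climbing is the signature Mamontov's output shows: the packets reach rule 35 and never reach rule 40. The same pairing works for the broader `from any to any` rules in Ian's suggestion; only the rule numbers passed to `nat_delta` change.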