From owner-freebsd-ipfw@FreeBSD.ORG  Mon Jul 19 10:31:13 2010
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 304AF1065675
	for <freebsd-ipfw@freebsd.org>; Mon, 19 Jul 2010 10:31:13 +0000 (UTC)
	(envelope-from mr.xanto@gmail.com)
Received: from mail-wy0-f182.google.com (mail-wy0-f182.google.com
	[74.125.82.182])
	by mx1.freebsd.org (Postfix) with ESMTP id B573F8FC14
	for <freebsd-ipfw@freebsd.org>; Mon, 19 Jul 2010 10:31:12 +0000 (UTC)
Received: by wyf22 with SMTP id 22so5118053wyf.13
	for <freebsd-ipfw@freebsd.org>; Mon, 19 Jul 2010 03:31:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:date:from:x-mailer:x-priority
	:message-id:to:subject:in-reply-to:references:mime-version
	:content-type:content-transfer-encoding;
	bh=z3+XTf4Mesxp/gXaVUkZTiKP+aRrLJq0A36oHPE5Qx8=;
	b=FDIAhNL0G/ETduO4lb1DS4GD31kqXZz8eQqPvg4xHbfrjiw4gPu3BOy8INLbNgoe9F
	SvHbv0HD2qBzlnMLClnohme0kAUlkkEmQzcEVYhgmX8FMsCt8rFPVtYK+/Fzdj3TMpeJ
	h2nWjej6t3g30ASuwdJ8X0DwB6nn2QAG51y8c=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=date:from:x-mailer:x-priority:message-id:to:subject:in-reply-to
	:references:mime-version:content-type:content-transfer-encoding;
	b=wZGZur7TVl78dz0I4T0s81WseLJhcK3eq9kWbn1NOW/+Bl5NPnI48PTCGuvW8zAL8p
	Weto1jSwo2mnIU8hr6IZYVmGd2l+HvUqVOV/hPCi29V/6PMbnXHbJ2rF2+G0CqEjFVWG
	rcQiiIikJYXImn62raW++2p4Xl2lq//YfMbzE=
Received: by 10.227.132.129 with SMTP id b1mr3868357wbt.5.1279535471636;
	Mon, 19 Jul 2010 03:31:11 -0700 (PDT)
Received: from RMAMONTOV ([91.202.20.14])
	by mx.google.com with ESMTPS id e31sm39846746wbe.17.2010.07.19.03.31.09
	(version=SSLv3 cipher=OTHER); Mon, 19 Jul 2010 03:31:10 -0700 (PDT)
Date: Mon, 19 Jul 2010 14:31:04 +0400
From: Mamontov Roman <mr.xanto@gmail.com>
X-Mailer: Voyager (v3.99.8) Professional
X-Priority: 3 (Normal)
Message-ID: <1207784719.20100719143104@gmail.com>
To: freebsd-ipfw@freebsd.org
In-Reply-To: <20100719181208.A86988@sola.nimnet.asn.au>
References: <1931583025.20100715114512@gmail.com>
	<20100715183743.S86988@sola.nimnet.asn.au>
	<893037983.20100719092644@gmail.com>
	<20100719181208.A86988@sola.nimnet.asn.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Problem with ipfw nat and packet to local services
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jul 2010 10:31:13 -0000

Hello, Ian.

> Hi Mamontov,

> What's the value of sysctl net.inet.ip.fw.one_pass ?  It needs to be 0 
> so that packets will re-enter the firewall after NAT processing.

> Otherwise, it might help to

> a) run 'ipfw zero' before any tests .. I'm wondering about all those 
> packets hitting rule 65535; were they from before adding rule 65000?

> b) add some count rules before and after nat, to show all packets 
> that may be eligible for NAT translation, maybe something like:

> 00020 count log ip from any to any in recv ${ext_if}
> 00022 count log ip from any to any out xmit ${ext_if}
> 00024 count log ip from any to any out recv ${int_if} xmit ${ext_if}

> 00035 nat ...

> 00040 count log ip from any to any in recv ${ext_if}
> 00042 count log ip from any to any out xmit ${ext_if}
> 00044 count log ip from any to any out recv ${int_if} xmit ${ext_if}

> So you actually get to see the flow of packets before and after nat, 
> both to/from the local box and packets mapped to/rom inside addresses.
> Again, an 'ipfw zero' before tests will make packet counts clearer.

> Of course something like '# tcpdump -pn -i ext_if' will also show all 
> packets via ext_if in some detail.  Be more specific if just looking for 
> some particular flows, like maybe appending 'udp port NNNNN' to that.

> That is, try to follow packets you'd expect to be coming in for services 
> on the local box so if they are disappearing, you'll know where or why.  
> 'netstat -finet -an' will show all those services that are listening.

> If that doesn't help, we'll need more information.

> cheers, Ian

# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

# ipfw show 20-49
00020    40    2016 count log ip from any to me dst-port 22 in recv ext_if1
00021     0       0 count log ip from me 22 to any out xmit ext_if1
00035 13192 9028716 nat 1 ip from any to any via ext_if1
00040     0       0 count log ip from any to me dst-port 22 in recv ext_if1
00041     0       0 count log ip from me 22 to any out xmit ext_if1

# ipfw nat show config
ipfw nat 1 config ip xxx.xxx.xxx.xxx

# tcpdump -pn -i ext_if1 'host yyy.yyy.yyy.yyy'
14:12:48.885011 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS[|tcp]>
14:12:51.888823 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS[|tcp]>
14:12:54.884966 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS[|tcp]>
14:12:57.884090 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460], length 0
14:13:00.885131 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460], length 0
14:13:03.887094 IP yyy.yyy.yyy.yyy.2777 > xxx.xxx.xxx.xxx.22: Flags [S], seq 2880611174, win 65535, options [mss 1460], length 0

Output
# netstat -finet -an | grep yyy.yyy.yyy.yyy
is blank.

Without rule 35 nat 1 ip from any to any via ext_if1 inbound packet to ssh (for example)
pass correctly.

# ipfw delete 35
tcpdump -pn -i ext_if 'host yyy.yyy.yyy.yyy'
14:21:45.467233 IP yyy.yyy.yyy.yyy.2790 > xxx.xxx.xxx.xxx.22: Flags [S], seq 376101413, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS[|tcp]>
14:21:45.467670 IP xxx.xxx.xxx.xxx.22 > xxx.xxx.xxx.xxx.2790: Flags [S.], seq 3270699616, ack 376101414, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS[|tcp]>
14:21:45.468960 IP yyy.yyy.yyy.yyy.2790 > xxx.xxx.xxx.xxx.22: Flags [.], ack 1, win 33304, options [nop,nop,TS val 40088404 ecr 1166915706], length 0
14:21:45.527438 IP xxx.xxx.xxx.xxx.22 > yyy.yyy.yyy.yyy.2790: Flags [P.], ack 1, win 8326, options [nop,nop,TS val 1166915766 ecr 40088404], length 40

# netstat -finet -an | grep yyy.yyy.yyy.yyy
tcp4       0      0 xxx.xxx.xxx.xxx.22        yyy.yyy.yyy.yyy.2790    FIN_WAIT_2

00020  8 1403 count log ip from any to me dst-port 22 in recv ext_if1
00021  6 2280 count log ip from me 22 to any out xmit ext_if1
00040  8 1403 count log ip from any to me dst-port 22 in recv ext_if1
00041  6 2280 count log ip from me 22 to any out xmit ext_if1

Any ideas?

-- 
Best regards,
 Mamontov Roman                          mailto:mr.xanto@gmail.com