Date:      Thu, 16 Jan 2003 17:49:33 +0100
From:      jeremie le-hen <le-hen_j@epita.fr>
To:        freebsd-net@freebsd.org
Subject:   ipnat RDR rules
Message-ID:  <20030116164933.GA20509@carpediem.epita.fr>

Hi,

I'm wondering how ipnat RDR rules operate. I tried to get an answer
using Google, but found nothing really accurate.

I have set an RDR rule like this:
rdr tun0 0.0.0.0/0 port 2245 -> 192.168.0.45 port ssh

This works perfectly, but when I try to prevent these packets from going through my
FreeBSD box (the one which shares my connection and filters incoming packets)
with ipfilter, I encounter a strange behaviour (I cannot explain it, in fact).

With the following rule,
block in quick on tun0 from any to 192.168.0.2/32

absolutely no incoming TCP SYN packet can reach my computer on the internal
network. Indeed, even if ipnat -l shows an RDR mapping, the packet seems
to be immediately dropped after translation (RDR rules imply a destination
address translation, in order to go through the kernel IPv4 stack, so it must
be done just after being received.)

On the other hand, when I use this rule,
block out quick on ep0 from ! 192.168.0.0/24 to 192.168.0.2/32

which should drop any packet that doesn't come from the gateway itself, just
before going out from my internal interface. With this rule, I assumed that
1) packet arrives on my external interface
2) its IP destination address is modified in order to be correctly routed
3) ipfilter then looks for any rule on tun0 interface to apply before sending
   the packet to the kernel
4) packet is routed to the correct interface
5) ipfilter looks for any rule on ep0 interface to apply; it should normally
   stop on the rule above, since the packet source address is not from
   my internal network and its destination address has been replaced by
   192.168.0.2

From my point of view, the packet should be dropped here. But in fact, the
packet is not blocked at all.

Can anyone explain the precedence between ipfilter and ipnat,
particularly in the case of an RDR rule? It seems that the following diagram is
not exactly the same as the one applied for RDR rules:

ext_if -> dnat -> ipf -> kernel -> ipf -> snat -> int_if

Thanks.
Regards,

-- 
Jeremie aka T{ata,t}Z
le-hen_j@epita.fr
