From: jeremie le-hen <le-hen_j@epita.fr>
To: freebsd-net@freebsd.org
Subject: ipnat RDR rules
Date: Thu, 16 Jan 2003 17:49:33 +0100
Message-ID: <20030116164933.GA20509@carpediem.epita.fr>

Hi,

I'm wondering how ipnat RDR rules operate. I tried to get an answer using Google, but found nothing really accurate.

I have set an RDR rule like this:

    rdr tun0 0.0.0.0/0 port 2245 -> 192.168.0.45 port ssh

This works perfectly, but when I try to prevent these packets from going through my FreeBSD box (the one which shares my connection and filters incoming packets) with ipfilter, I encounter a strange behaviour (I cannot explain it, in fact).

With the following rule,

    block in quick on tun0 from any to 192.168.0.2/32

absolutely no incoming TCP SYN packet can reach my computer on the internal network. Indeed, even if ipnat -l shows an RDR mapping, the packet seems to be dropped immediately after translation (RDR rules imply a destination address translation in order to go through the kernel IPv4 stack, so it must be done just after being received).

On the other hand, when I use this rule,

    block out quick on ep0 from ! 192.168.0.0/24 to 192.168.0.2/32

which should drop any packet that doesn't come from the gateway itself, just before going out from my internal interface. With this rule, I assumed that:

1) the packet arrives on my external interface
2) its IP destination address is modified in order to be correctly routed
3) ipfilter then looks for any rule on the tun0 interface to apply before sending the packet to the kernel
4) the packet is routed to the correct interface
5) ipfilter looks for any rule on the ep0 interface to apply; it should normally stop on the rule above, since the packet's source address is not from my internal network and its destination address has been replaced by 192.168.0.2

From my point of view, the packet should be dropped here. But in fact, the packet is not blocked at all.

Can anyone explain the precedence between ipfilter and ipnat, particularly in the case of an RDR rule? It seems that the following diagram is not exactly the one applied for RDR rules:

    ext_if -> dnat -> ipf -> kernel -> ipf -> snat -> int_if

Thanks.

Regards,
-- 
Jeremie aka T{ata,t}Z
le-hen_j@epita.fr
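The following is an added illustration, not part of the post above and not IPFilter code: a small Python model of the packet walk the post quotes (external interface, rdr translation, inbound filter, kernel routing, outbound filter, internal interface), fed the post's own three rules. It makes one assumption the post does not state: that the rdr target and the two block rules describe a single internal host, so all three use 192.168.0.2 (the post's rdr line names 192.168.0.45). The addresses of the constructed SYN packet are documentation ranges, and "port ssh" is resolved to 22. Because the model applies rdr before the inbound filter, the tun0 block rule sees the already translated destination and drops the packet, which matches what the post reports; the model also drops the packet at the ep0 outbound rule, which is exactly the step the post says does not happen on the real box, so the model shows where the observed behaviour departs from the quoted diagram rather than explaining it.

```python
"""Model of the ipf/ipnat walk quoted in the post:
   ext_if -> dnat (rdr) -> ipf in -> kernel -> ipf out -> snat (map) -> int_if
Added example; it is not IPFilter's implementation."""
import ipaddress
from dataclasses import dataclass, replace

SERVICES = {"ssh": 22}   # "port ssh" in the rdr rule resolves to 22 (assumption)


@dataclass
class Packet:
    iface: str           # interface the packet is currently being processed on
    src: str
    dst: str
    dport: int


@dataclass
class RdrRule:           # rdr <if> <dst-net> port <p> -> <host> port <p>
    iface: str
    dst_net: str
    dport: int
    new_dst: str
    new_dport: int


@dataclass
class FilterRule:        # block <in|out> quick on <if> from [!] <net> to <net>
    direction: str
    iface: str
    src_net: str
    src_negated: bool
    dst_net: str


def _port(tok):
    return SERVICES.get(tok) or int(tok)


def _net(tok):
    return "0.0.0.0/0" if tok == "any" else tok


def parse_rdr(line):
    t = line.split()
    return RdrRule(t[1], t[2], _port(t[4]), t[6], _port(t[8]))


def parse_filter(line):
    t = line.split()
    i = t.index("from") + 1
    negated = t[i] == "!"
    src = t[i + 1] if negated else t[i]
    return FilterRule(t[1], t[4], _net(src), negated, _net(t[t.index("to") + 1]))


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def apply_rdr(pkt, rules):
    """Inbound destination NAT: the first matching rdr rewrites dst and dport."""
    for r in rules:
        if r.iface == pkt.iface and r.dport == pkt.dport and in_net(pkt.dst, r.dst_net):
            return replace(pkt, dst=r.new_dst, dport=r.new_dport)
    return pkt


def first_block(pkt, direction, rules):
    """First 'block ... quick' rule matching this direction, interface and addresses."""
    for r in rules:
        if r.direction != direction or r.iface != pkt.iface:
            continue
        src_hit = in_net(pkt.src, r.src_net) != r.src_negated   # honour the '!'
        if src_hit and in_net(pkt.dst, r.dst_net):
            return r
    return None


def trace(pkt, int_if, rdr_rules, filter_rules):
    """Return (verdict, 'dst:port' as the inbound filter sees it)."""
    pkt = apply_rdr(pkt, rdr_rules)            # dnat runs before ipf in
    seen_by_in = f"{pkt.dst}:{pkt.dport}"
    if first_block(pkt, "in", filter_rules):
        return "dropped by ipf in", seen_by_in
    pkt = replace(pkt, iface=int_if)           # kernel routes it to the LAN side
    if first_block(pkt, "out", filter_rules):
        return "dropped by ipf out", seen_by_in
    return "forwarded", seen_by_in


# Constructed scenario: the post's rules with one internal host (.2) throughout.
RDR = [parse_rdr("rdr tun0 0.0.0.0/0 port 2245 -> 192.168.0.2 port ssh")]
IN_RULE = parse_filter("block in quick on tun0 from any to 192.168.0.2/32")
OUT_RULE = parse_filter("block out quick on ep0 from ! 192.168.0.0/24 to 192.168.0.2/32")
SYN = Packet(iface="tun0", src="203.0.113.7", dst="198.51.100.1", dport=2245)

if __name__ == "__main__":
    for name, rules in (("in rule only", [IN_RULE]), ("out rule only", [OUT_RULE])):
        print(name, trace(SYN, "ep0", RDR, rules))
```

The practical point the model encodes is that any inbound filter rule on the external interface must be written against the post-rdr destination (the internal host and port), not the public address and the redirected port, since the translation has already happened by the time ipf evaluates it.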