From: Pawel Worach
Date: Sun, 03 Mar 2013 16:14:54 +0100
To: freebsd-net@freebsd.org
Subject: ipfw NAT, keepalive from wrong source
Hi,

In the scenario below ipfw seems to be sending the keep-alive packets from the
wrong source address if the traffic is NATed; on the external interface the
packet is sent to the server with the original source. Did I configure my ipfw
rules incorrectly?

I'm using in-kernel NAT on FreeBSD 9-STABLE r247666 with r247626 merged from
head (that patch did not change the behavior).

Internal client (172.16.0.31) connects to an external ssh server (192.0.2.100)
with hide-nat behind a.b.c.d.

tcpdump on outside interface (the second packet is likely the keepalive ACK the
client sent as a result of the keepalive the ipfw gateway sent on the inside,
which got forwarded on to the server, is that intentional?):

15:36:28.075529 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 2804620200, win 0, length 0
15:36:28.076823 IP a.b.c.d.41731 > 192.0.2.100.22: Flags [.], ack 2625, win 1040, options [nop,nop,TS val 151519866 ecr 3275697134], length 0
15:36:33.075499 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0
15:36:38.075497 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0
15:36:43.075519 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0

tcpdump on inside interface:

15:36:28.078015 IP 192.0.2.100.22 > 172.16.0.31.41731: Flags [.], ack 517940233, win 0, length 0
15:36:28.078040 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 1040, options [nop,nop,TS val 151519866 ecr 3275697134], length 0

State table (the keepalives were sent at about 20-19 seconds before
expiration):

03600 27 7867 (22s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 27 7867 (21s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 27 7867 (20s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 27 7867 (19s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 28 7919 (18s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 28 7919 (17s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 28 7919 (16s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 28 7919 (15s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 28 7919 (14s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
.. continues to 1 and disappears ..

Rules (em0 is the external interface):

${fwcmd} nat 10 config if em0 log same_ports unreg_only
${fwcmd} add nat 10 all from 172.16.0.0/12 to any via em0
${fwcmd} add nat 10 all from not 172.16.0.0/12 any to me via em0
${fwcmd} add allow tcp from 172.16.0.0/12 to any established
${fwcmd} add allow tcp from 172.16.0.0/12 to any setup keep-state  # this is rule 03600

Regards
Pawel
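One way to check a capture for the leak Pawel describes, as an added example that is not from the mail above nor part of ipfw: it parses tcpdump lines taken on the external interface and flags any packet whose source is still an un-translated inside address, marking the ones that have the shape of the keepalive probe (bare ACK, zero window, no payload). The capture lines are constructed from the report, with the placeholder 203.0.113.5 standing in for a.b.c.d.

```python
import ipaddress
import re

# Constructed sample in tcpdump's format: the outside-interface capture from
# the report above, with the public address a.b.c.d stood in by 203.0.113.5.
OUTSIDE_CAPTURE = """\
15:36:28.075529 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 2804620200, win 0, length 0
15:36:28.076823 IP 203.0.113.5.41731 > 192.0.2.100.22: Flags [.], ack 2625, win 1040, options [nop,nop,TS val 151519866 ecr 3275697134], length 0
15:36:33.075499 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], (?P<rest>.*)$")


def parse_line(line):
    """Parse one tcpdump TCP line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = m["src"].rsplit(".", 1)   # "host.port" -> (host, port)
    dst, dport = m["dst"].rsplit(".", 1)
    rest = m["rest"]
    win = re.search(r"\bwin (\d+)", rest)
    length = re.search(r"\blength (\d+)", rest)
    return {"ts": m["ts"], "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "flags": m["flags"],
            "win": int(win[1]) if win else None,
            "length": int(length[1]) if length else None,
            "options": "options [" in rest}


def is_keepalive_probe(pkt):
    """Shape of the probe seen in the report: bare ACK, zero window, no data, no options."""
    return (pkt["flags"] == "." and pkt["win"] == 0 and pkt["length"] == 0
            and not pkt["options"])


def find_nat_leaks(capture, inside_net):
    """Packets seen on the external interface whose source is an inside address.

    Anything from inside_net should have been rewritten by NAT before leaving,
    so each hit is a leak; 'keepalive' marks those matching the probe shape."""
    net = ipaddress.ip_network(inside_net)
    leaks = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt and ipaddress.ip_address(pkt["src"]) in net:
            pkt["keepalive"] = is_keepalive_probe(pkt)
            leaks.append(pkt)
    return leaks
```

Run it against `tcpdump -n -i em0` output saved to a file; on the capture in the report it reports the two 172.16.0.31 probes and leaves the properly translated a.b.c.d packet alone.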