Date: Sun, 03 Mar 2013 16:14:54 +0100
From: Pawel Worach <pawel.worach@gmail.com>
To: freebsd-net@freebsd.org
Subject: ipfw NAT, keepalive from wrong source
Message-ID: <513368EE.9090802@gmail.com>
Hi,

In the scenario below ipfw seems to be sending the keep-alive packets from the wrong source address if the traffic is NATed; on the external interface the packet is sent to the server with the original source. Did I configure my ipfw rules incorrectly?

I'm using in-kernel NAT on FreeBSD 9-STABLE r247666 with r247626 merged from head (that patch did not change the behavior).

Internal client (172.16.0.31) connects to an external ssh server (192.0.2.100) with hide-nat behind a.b.c.d.

tcpdump on outside interface (the second packet is likely the keepalive ACK the client sent as a result of the keepalive the ipfw gateway sent on the inside, which got forwarded on to the server; is that intentional?):

15:36:28.075529 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 2804620200, win 0, length 0
15:36:28.076823 IP a.b.c.d.41731 > 192.0.2.100.22: Flags [.], ack 2625, win 1040, options [nop,nop,TS val 151519866 ecr 3275697134], length 0
15:36:33.075499 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0
15:36:38.075497 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0
15:36:43.075519 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0

tcpdump on inside interface:

15:36:28.078015 IP 192.0.2.100.22 > 172.16.0.31.41731: Flags [.], ack 517940233, win 0, length 0
15:36:28.078040 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 1040, options [nop,nop,TS val 151519866 ecr 3275697134], length 0

State table (the keepalives were sent at about 20-19 seconds before expiration):

03600 27 7867 (22s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 27 7867 (21s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 27 7867 (20s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 27 7867 (19s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 28 7919 (18s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 28 7919 (17s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 28 7919 (16s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 28 7919 (15s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600 28 7919 (14s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
.. continues to 1 and disappears ..

Rules (em0 is the external interface):

${fwcmd} nat 10 config if em0 log same_ports unreg_only
${fwcmd} add nat 10 all from 172.16.0.0/12 to any via em0
${fwcmd} add nat 10 all from not 172.16.0.0/12 any to me via em0
${fwcmd} add allow tcp from 172.16.0.0/12 to any established
${fwcmd} add allow tcp from 172.16.0.0/12 to any setup keep-state # this is rule 03600

Regards
Pawel
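The symptom in the post is visible in a capture on the external interface: packets leaving the box whose source address is still the internal (un-translated) one. The check below, an added example that is not part of the post or of ipfw, parses tcpdump's default IPv4 TCP one-liners, flags any outbound packet on the outside capture that still carries a 172.16.0.0/12 source, and separately marks packets with the shape of the gateway's keepalives seen in the post (bare ACK, zero window, no payload, no TCP options) so they can be told apart from the client's own ACK. The sample lines are constructed to mirror the post's capture; the public NAT address a.b.c.d is stood in for by the documentation address 198.51.100.1, an assumption made only so the lines parse.

```python
import ipaddress
import re

# Assumption taken from the post: the NATed internal range. Anything not in
# one of these networks is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/12")]

# tcpdump's default IPv4 TCP line, e.g.
# "15:36:28.075529 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], (?P<rest>.*)$"
)

# Constructed sample: the outside-interface capture from the post, with the
# hide-NAT address a.b.c.d replaced by 198.51.100.1 (placeholder, not from the post).
SAMPLE_OUTSIDE = [
    "15:36:28.075529 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 2804620200, win 0, length 0",
    "15:36:28.076823 IP 198.51.100.1.41731 > 192.0.2.100.22: Flags [.], ack 2625, win 1040, options [nop,nop,TS val 151519866 ecr 3275697134], length 0",
    "15:36:33.075499 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0",
    "15:36:38.075497 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0",
    "15:36:43.075519 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0",
]

# Constructed sample: the inside-interface capture from the post.
SAMPLE_INSIDE = [
    "15:36:28.078015 IP 192.0.2.100.22 > 172.16.0.31.41731: Flags [.], ack 517940233, win 0, length 0",
    "15:36:28.078040 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 1040, options [nop,nop,TS val 151519866 ecr 3275697134], length 0",
]


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for lines in another format."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    win = re.search(r"\bwin (\d+)", rest)
    length = re.search(r"\blength (\d+)", rest)
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
        "win": int(win.group(1)) if win else None,
        "length": int(length.group(1)) if length else None,
        "has_tsopt": "TS val" in rest,
    }


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def looks_like_ipfw_keepalive(pkt):
    # The gateway keepalives in the post are bare ACKs with window 0, no payload
    # and no TCP options; the client's own ACK carries win 1040 and a TS option.
    return (pkt["flags"] == "." and pkt["length"] == 0
            and pkt["win"] == 0 and not pkt["has_tsopt"])


def find_untranslated(outside_lines):
    """Packets on the EXTERNAL interface capture that still carry an internal
    source address, i.e. they left the box without passing through the NAT."""
    leaks = []
    for line in outside_lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if is_internal(pkt["src"]) and not is_internal(pkt["dst"]):
            leaks.append(pkt)
    return leaks


def count_keepalives(lines):
    """How many parsed packets in a capture have the keepalive shape."""
    return sum(1 for l in lines if (p := parse_line(l)) and looks_like_ipfw_keepalive(p))


if __name__ == "__main__":
    for pkt in find_untranslated(SAMPLE_OUTSIDE):
        kind = "keepalive-shaped" if looks_like_ipfw_keepalive(pkt) else "data/ack"
        print(f"{pkt['ts']} untranslated {pkt['src']}:{pkt['sport']} -> "
              f"{pkt['dst']}:{pkt['dport']} ({kind})")
```

Run against a live capture with `tcpdump -ni em0 tcp | python3 check.py` style piping (reading stdin into `find_untranslated`) and any output at all means the NAT is being bypassed for those packets; on the post's own outside capture every flagged packet has the keepalive shape, while the single translated packet is the client's ACK.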