From owner-freebsd-hackers@FreeBSD.ORG Wed Dec 24 05:39:47 2003
Date: Wed, 24 Dec 2003 08:39:45 -0500
From: Leo Bicknell
To: freebsd-hackers@freebsd.org
Message-ID: <20031224133945.GA74426@ussenterprise.ufp.org>
In-Reply-To: <20031223122808.A7604@xorpc.icir.org> <20031223201712.GA33497@ussenterprise.ufp.org>
References: <20031223165439.GA23721@ussenterprise.ufp.org> <20031223201712.GA33497@ussenterprise.ufp.org> <20031223122808.A7604@xorpc.icir.org>
Organization: United Federation of Planets
X-PGP-Key: http://www.ufp.org/~bicknell/
Subject: Re: natd + ipfw question
List-Id: Technical Discussions relating to FreeBSD
Original broken case:

In a message written on Tue, Dec 23, 2003 at 03:17:12PM -0500, Leo Bicknell wrote:
> > ipfw add 1000 divert natd ip from any to any recv fxp0
> > ipfw add 1001 divert natd ip from any to any xmit fxp0

In a message written on Tue, Dec 23, 2003 at 12:28:09PM -0800, Luigi Rizzo wrote:
> The names are reasonably intuitive...
[snip]
> the flow diagram near the beginning of the ipfw manpage should
> clarify things a bit (i agree that the wording of 'recv/xmit/via'
> section is a bit confusing, so if you have better suggestions they
> are welcome)

I did some more poking with my broken rules above. With them natd appears to get the packet each way once (based on nat debugging turned on), so it's not my first fear that the packets would go through twice without in and out with these rules. Natd simply (per its debugging) doesn't change anything. 1918 space in, 1918 space out. If I add the "in" and "out" keywords it magically starts working.

Now, if I understand the diagram right a packet might be processed by rule 1000 twice, since recv matches on input or output, but I don't actually ever see received packets (I think) since the xmit side isn't doing the outbound part of the nat (if the packet leaves with 1918 space source, instead of my outside source, I'll never get it back).

Now that I've used IPFW2 for something more complicated than simple host filtering I see that the syntax and structure makes something like a firewall/nat box for any moderately interesting config way too complicated with way too many pitfalls. This whole "the packet may hit your rule between 0 and 4 times, depending on a pile of stuff" just doesn't fly, and add in the need for "one_pass=0" to make dummynet traffic shaping work right, which adds some complication to the firewall rules and things are just all kinds of strange.
That's no knock on the authors, backwards compatibility is important, and a lot has been grafted onto IPFW since it started (like divert/nat and the dummynet stuff). I'll strongly recommend though that IPFW3 have a whole new, from the ground up, redesigned config language. :) And yes, I'm willing to help.

-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
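An added example, not part of the message above or of FreeBSD's own sources: the broken divert rules beside the working ones with the "in"/"out" keywords the author found necessary, plus a small lint that flags any divert rule lacking a direction keyword, which is the pitfall the message describes. It assumes fxp0 is the outside interface, as in the quoted rules, and that the rules are kept in ipfw's file format (no leading "ipfw" on each line).

```shell
#!/bin/sh
# Assumption: fxp0 is the outside interface, as in the rules quoted in the message.
OIF=fxp0

# Rules as originally posted: no direction keyword, so natd sees traffic but
# the translation never applies (1918 space in, 1918 space out).
broken_rules() {
  cat <<EOF
add 1000 divert natd ip from any to any recv $OIF
add 1001 divert natd ip from any to any xmit $OIF
EOF
}

# Rules with "in" and "out": each divert rule now fires in exactly one
# direction, inbound on the receive side and outbound on the transmit side.
# Load with: fixed_rules > /etc/ipfw.nat.rules && ipfw -q /etc/ipfw.nat.rules
fixed_rules() {
  cat <<EOF
add 1000 divert natd ip from any to any in recv $OIF
add 1001 divert natd ip from any to any out xmit $OIF
EOF
}

# Lint: read a rule file on stdin; every divert rule must carry "in" or "out".
# Returns 0 when all divert rules name a direction, 1 otherwise, and reports
# each offending rule on stderr.
lint_divert_direction() {
  awk '
    /[[:space:]]divert[[:space:]]/ {
      dir = 0
      for (i = 1; i <= NF; i++) if ($i == "in" || $i == "out") dir = 1
      if (!dir) { print "divert rule without in/out: " $0 > "/dev/stderr"; bad++ }
    }
    END { exit (bad ? 1 : 0) }'
}
```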