Date:      Mon, 10 Mar 2003 22:09:13 -0800 (PST)
From:      Static <static@ninja-assassin.com>
To:        net@freebsd.org
Subject:   Weird ipnat behaviour
Message-ID:  <20030310220509.D60582@inton.Ninja-assassin.com>

Hello List,

I just recently did a buildworld on my gateway machine and now ipnat
appears to not want to cooperate.  I'm trying to nat port 80 from my
outside interface into an apache server on my network.

uname -a

FreeBSD PITA.ninja-assassin.com 4.7-STABLE FreeBSD 4.7-STABLE #2: Thu Jan
30 09:54:50 CST 2003
root@PITA.ninja-assassin.com:/usr/src/sys/compile/FIREWALL  i386
PITA#

For the sake of testing this is my 1st ipf rule in /etc/ipf.rules

pass in log quick on tun0 proto tcp from any to any port = 80

here is my /etc/ipnat.rules file
map tun0 192.168.1.0/24 -> 0.0.0.0/32
map tun0 0/0 -> 192.168.1.0/24 proxy port ftp ftp/tcp
rdr tun0 0/0 port 80 -> 192.168.1.20 port 80 tcp

if I put in 192.168.1.20/32 when I run the reload script (included below)
it sits and hangs.  There is an entry for this IP in /etc/hosts, if for
whatever reason it was trying to do a lookup.

Here is what I'm currently seeing in my firewall from the "log" option in
the above ipf rule

Mar 10 07:28:44 PITA ipmon[60]: 07:28:44.038335 tun0 @0:1 p
$WORK_HOSTNAME[$WORK_IP],61250 ->
$MY_HOSTNAME[$MY_IP],http PR tcp len 20 60
-S 4134496816 0 32120 IN


I believe that this is an ipnat issue.  The p right before $WORK_HOSTNAME
should signify that this rule is passed (IIRC).  What strikes me as weird
is when I run ipnat -l I receive

PITA# ipnat -l
List of active MAP/Redirect filters:
map tun0 192.168.1.0/0 -> 0.0.0.0/32
map tun0 0.0.0.0/0 -> 192.168.1.0/24 proxy port 21 ftp/ip
rdr tun0 0.0.0.0/0 port 0- 16 -> 192.168.1.20 port 80 tcp

List of active sessions:

PITA#

The last line strikes me as weird, particularly the "port 0- 16" section
of this.  This worked fine before I ran makeworld with the latest batch
of ipf/ipnat code that came down the pipe the other week.

Here is the script I'm using to flush and reload my ruleset.

PITA# cat /root/ipf
/sbin/ipf -Fa -f /etc/ipf.rules &&
/sbin/ipnat -CF -f /etc/ipnat.rules


Any suggestions and/or thoughts as to why this may be
occurring would be appreciated.


Static
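
A consistency check worth running after a reload, added here as an example and not code from the post or from the ipfilter project: parse the rules file and the `ipnat -l` listing quoted above (embedded below as constructed sample text) and report every rule the kernel shows differently from what was loaded, such as the changed netmask on the first map rule or the "port 0- 16" range on the rdr rule. The small SERVICES name table is an assumption.

```python
import re
from itertools import zip_longest

# Constructed sample input: the /etc/ipnat.rules file and the `ipnat -l`
# listing as quoted in the post above (not captured live).
RULES_FILE = """\
map tun0 192.168.1.0/24 -> 0.0.0.0/32
map tun0 0/0 -> 192.168.1.0/24 proxy port ftp ftp/tcp
rdr tun0 0/0 port 80 -> 192.168.1.20 port 80 tcp
"""
IPNAT_L = """\
List of active MAP/Redirect filters:
map tun0 192.168.1.0/0 -> 0.0.0.0/32
map tun0 0.0.0.0/0 -> 192.168.1.0/24 proxy port 21 ftp/ip
rdr tun0 0.0.0.0/0 port 0- 16 -> 192.168.1.20 port 80 tcp

List of active sessions:
"""
SERVICES = {"ftp": 21, "http": 80, "www": 80}  # assumed name table

def port_num(tok):
    """Service name or decimal string -> integer port."""
    return int(tok) if tok.isdigit() else SERVICES[tok]

def norm_net(tok):
    """'0/0' -> ('0.0.0.0', 0); bare host -> (host, 32)."""
    addr, _, mask = tok.partition("/")
    return ("0.0.0.0" if addr == "0" else addr), (int(mask) if mask else 32)

def port_spec(toks):
    """Tokens after 'port' -> (lo, hi); joins a split range like '0-' '16'."""
    if "port" not in toks:
        return None
    text = ""
    for tok in toks[toks.index("port") + 1:]:
        if tok in SERVICES or re.fullmatch(r"\d*-?\d*", tok):
            text += tok
        else:
            break  # hit the protocol token ('tcp', 'ftp/tcp', ...)
    lo, _, hi = text.partition("-")
    return port_num(lo), port_num(hi or lo)

def parse_rule(line):
    """One map/rdr line -> comparable tuple, or None for non-rule lines."""
    toks = line.split()
    if len(toks) < 5 or toks[0] not in ("map", "rdr") or "->" not in toks:
        return None
    i = toks.index("->")
    left, right = toks[:i], toks[i + 1:]
    return (toks[0], toks[1], norm_net(toks[2]), port_spec(left),
            norm_net(right[0]), port_spec(right))

def compare(rules_text, listing_text):
    """Pair file rules with kernel rules in order -> [(n, wanted, kernel)]."""
    want = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    have = [r for r in map(parse_rule, listing_text.splitlines()) if r]
    return [(n, w, h) for n, (w, h)
            in enumerate(zip_longest(want, have), 1) if w != h]

if __name__ == "__main__":
    for n, w, h in compare(RULES_FILE, IPNAT_L):
        print(f"rule {n}: loaded {w}\n        kernel {h}")
```

Run against the live system by reading /etc/ipnat.rules and the output of `ipnat -l` instead of the embedded strings; an empty result means the kernel reports every rule exactly as written.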

