From owner-freebsd-net Mon Mar 10 22:11:11 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9AE8937B401
	for ; Mon, 10 Mar 2003 22:11:09 -0800 (PST)
Received: from inton.ninja-assassin.com (ninja-assassin.com [198.78.65.149])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2E6CE43F75
	for ; Mon, 10 Mar 2003 22:11:09 -0800 (PST)
	(envelope-from static@ninja-assassin.com)
Received: from localhost (inton [198.78.65.149])
	by inton.ninja-assassin.com (Postfix) with ESMTP id 400C346433
	for ; Mon, 10 Mar 2003 22:09:13 -0800 (PST)
Date: Mon, 10 Mar 2003 22:09:13 -0800 (PST)
From: Static
To: net@freebsd.org
Subject: Weird ipnat behaviour
Message-ID: <20030310220509.D60582@inton.Ninja-assassin.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello List,

I just recently did a buildworld on my gateway machine and now ipnat
appears to not want to cooperate. I'm trying to nat port 80 from my
outside interface into an apache server on my network.

  uname -a
  FreeBSD PITA.ninja-assassin.com 4.7-STABLE FreeBSD 4.7-STABLE #2: Thu Jan 30 09:54:50 CST 2003 root@PITA.ninja-assassin.com:/usr/src/sys/compile/FIREWALL i386
  PITA#

For the sake of testing, this is my first ipf rule in /etc/ipf.rules:

  pass in log quick on tun0 proto tcp from any to any port = 80

Here is my /etc/ipnat.rules file:

  map tun0 192.168.1.0/24 -> 0.0.0.0/32
  map tun0 0/0 -> 192.168.1.0/24 proxy port ftp ftp/tcp
  rdr tun0 0/0 port 80 -> 192.168.1.20 port 80 tcp

If I put in 192.168.1.20/32, when I run the reload script (included
below) it sits and hangs. There is an entry for this IP in /etc/hosts,
if for whatever reason it was trying to do a lookup.

Here is what I'm currently seeing in my firewall from the "log" option
in the above ipf rule:

  Mar 10 07:28:44 PITA ipmon[60]: 07:28:44.038335 tun0 @0:1 p $WORK_HOSTNAME[$WORK_IP],61250 -> $MY_HOSTNAME[$MY_IP],http PR tcp len 20 60 -S 4134496816 0 32120 IN

I believe that this is an ipnat issue. The "p" right before
$WORK_HOSTNAME should signify that this rule is passed (IIRC).

What strikes me as weird is when I run ipnat -l I receive:

  PITA# ipnat -l
  List of active MAP/Redirect filters:
  map tun0 192.168.1.0/0 -> 0.0.0.0/32
  map tun0 0.0.0.0/0 -> 192.168.1.0/24 proxy port 21 ftp/ip
  rdr tun0 0.0.0.0/0 port 0- 16 -> 192.168.1.20 port 80 tcp

  List of active sessions:
  PITA#

The last line strikes me as weird, particularly the "port 0- 16" section
of this. This worked fine before I ran makeworld with the latest batch of
ipf/ipnat code that came down the pipe the other week.

Here is the script I'm using to flush and reload my ruleset:

  PITA# cat /root/ipf
  /sbin/ipf -Fa -f /etc/ipf.rules && /sbin/ipnat -CF -f /etc/ipnat.rules

Any suggestions and/or thoughts as to why this may be occurring would be
appreciated.

Static

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
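The problem the poster is chasing is that the ruleset the kernel reports (`ipnat -l`) is not the ruleset that was loaded from `/etc/ipnat.rules`: the `rdr` line went in as `port 80` and came back as `port 0- 16`, and the first `map` line went in as `192.168.1.0/24` and came back as `192.168.1.0/0`. A NAT rule that silently loads with the wrong port range or mask is a security problem in its own right, since the firewall is no longer doing what its operator believes, so a reload script should check for exactly this. The script below is an added example, not code from the original post or from the IPFilter project: it parses both the configured rules and the `ipnat -l` listing into a canonical form (so `0/0` vs `0.0.0.0/0` and `port 80` vs `port 80-80` are not reported as differences) and prints every rule whose interface, addresses, masks or ports differ. The two rulesets are embedded as constructed samples copied from the post; the regexes cover only the `map` and `rdr` shapes shown there, and the `proxy`/`portmap` tail of a `map` rule is deliberately not compared.

```python
"""Compare configured IPFilter NAT rules with the ruleset the kernel reports.

Added example (not from the original post). Both inputs are parsed into a
canonical form so cosmetic differences (0/0 vs 0.0.0.0/0, a single port vs a
one-port range) do not count, while a changed mask or port range does.
"""
import re
from typing import List, Tuple

# Constructed sample: /etc/ipnat.rules as posted.
CONFIG_RULES = """\
map tun0 192.168.1.0/24 -> 0.0.0.0/32
map tun0 0/0 -> 192.168.1.0/24 proxy port ftp ftp/tcp
rdr tun0 0/0 port 80 -> 192.168.1.20 port 80 tcp
"""

# Constructed sample: `ipnat -l` output as posted, "port 0- 16" included.
ACTIVE_RULES = """\
List of active MAP/Redirect filters:
map tun0 192.168.1.0/0 -> 0.0.0.0/32
map tun0 0.0.0.0/0 -> 192.168.1.0/24 proxy port 21 ftp/ip
rdr tun0 0.0.0.0/0 port 0- 16 -> 192.168.1.20 port 80 tcp
List of active sessions:
"""

# Only the rule shapes that appear in the post are handled.
MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s*->\s*(\S+)")
RDR_RE = re.compile(
    r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)(?:\s*-\s*(\d+))?"
    r"\s*->\s*(\S+)\s+port\s+(\d+)\s+(\S+)"
)


def canon_cidr(text: str) -> str:
    """'0/0' -> '0.0.0.0/0'; a bare host address -> host/32."""
    addr, _, mask = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + "/" + (mask or "32")


def parse_rules(text: str) -> List[Tuple]:
    """Return canonical tuples for each map/rdr line; other lines are skipped.

    map: ("map", ifname, src, dst)            proxy/portmap tail not compared
    rdr: ("rdr", ifname, src, (lo, hi), dst, internal_port, proto)
    """
    rules: List[Tuple] = []
    for line in text.splitlines():
        line = line.strip()
        m = RDR_RE.match(line)
        if m:
            ifname, src, lo, hi, dst, iport, proto = m.groups()
            rules.append(("rdr", ifname, canon_cidr(src),
                          (int(lo), int(hi if hi is not None else lo)),
                          canon_cidr(dst), int(iport), proto))
            continue
        m = MAP_RE.match(line)
        if m:
            ifname, src, dst = m.groups()
            rules.append(("map", ifname, canon_cidr(src), canon_cidr(dst)))
    return rules


def diff_rules(configured: str, active: str) -> List[str]:
    """Report every positional difference between configured and active rules.

    Rule order matters to ipnat, so rules are compared by position.
    """
    want = parse_rules(configured)
    have = parse_rules(active)
    problems = []
    if len(want) != len(have):
        problems.append(f"rule count: configured {len(want)}, active {len(have)}")
    for i, (w, h) in enumerate(zip(want, have), 1):
        if w != h:
            problems.append(f"rule {i}: configured {w} but kernel has {h}")
    return problems


if __name__ == "__main__":
    # On a real gateway: diff_rules(open("/etc/ipnat.rules").read(),
    #                              subprocess.run(["ipnat", "-l"], ...).stdout)
    for problem in diff_rules(CONFIG_RULES, ACTIVE_RULES):
        print(problem)
```

Run against the posted samples it reports two mismatches, rule 1 (mask /24 became /0) and rule 3 (port 80 became 0-16); a reload script can abort or alert on a non-empty result instead of trusting that `ipnat -f` loaded what the file says.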