From: Karl Denninger <karl@denninger.net>
To: freebsd-ipfw@freebsd.org
Subject: Question that has dogged me for a while.
Date: Thu, 4 May 2017 11:22:05 -0500
Message-ID: <26ccc7eb-bed3-680c-2c86-2a83684299fb@denninger.net>
List-Id: IPFW Technical Discussions

Consider the following network configuration.

Internet ------- Gateway/Firewall ---------- Inside network (including a web host)
                 70.16.10.1/28               192.168.0.0/24

The address of the outside is FICTIONAL, by the way.
For policy reasons I do NOT want the gateway machine to actually have the host on it. There may be a number of things running on there, but for the instant moment let's assume a standard pedestrian web host on port 80.

I have DNS pointing at "webhost.domain" @ 70.16.10.1.

I have NAT on the gateway (NAT internal to the kernel), and a "hole punch" in there with redirect_port tcp 192.168.1.1:80 70.16.10.1:80 as part of the nat configuration statement.

This works fine for anyone on the outside. HOWEVER, anyone on the INTERNAL network cannot see the host.

My NAT configuration looks like this:

#
# Now divert all inbound packets that should go through NAT. Since this is NAT
# it can only match a packet that previously was NATted on the way out.
#
${fwcmd} add 6000 nat 100 ip4 from any to me recv ${oif}
#
# Check stateful rules; we want to go there directly if there is a match
#
${fwcmd} add 7000 check-state
#
# Now pick up all *outbound* packets that originated from an inside address
# and put them through NAT. We then have
# a packet with a local source address and we can allow it to be sent.
# Therefore, if the packet is outbound let it pass and be done with it.
#
${fwcmd} add 8000 nat 100 ip4 from 192.168.0.0/16 to any xmit ${oif}
>> ${fwcmd} add 8001 nat 100 ip4 from 192.168.0.0/16 to ${oip}
${fwcmd} add 8009 deny log ip4 from 192.168.0.0/16 to any xmit ${oif}
${fwcmd} add 8010 pass ip4 from ${onet} to any xmit ${oif}

Without the ">>" line I get nothing; the packets get to the gateway and disappear. With the ">>" line I DO get the packets re-emitted on the internal interface, HOWEVER there is no translation to the internal interface IP on the gateway box.
So what I see on the internal box is this:

11:19:16.369634 IP 192.168.10.40.60924 > 192.168.10.100.11443: Flags [S], seq 292171178, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:19:16.369662 IP 192.168.10.100.11443 > 192.168.10.40.60924: Flags [S.], seq 3088872007, ack 292171179, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0

Which won't work because the internal box got and sent this:

11:19:16.369337 IP 192.168.10.40.60924 > 70.169.168.7.11443: Flags [S], seq 292171178, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:19:16.369433 IP 192.168.10.40.60925 > 70.169.168.7.11443: Flags [S], seq 2666765817, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>> 11:19:16.369502 IP 192.168.10.40.60924 > 192.168.10.100.11443: Flags [S], seq 292171178, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
>> 11:19:16.369511 IP 192.168.10.40.60925 > 192.168.10.100.11443: Flags [S], seq 2666765817, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

But since the gateway emitted the packet back on the wire *without* remapping the source address (to itself), it doesn't match on the client box 'cause there's no way back for it.

There has to be a solution to this somewhere and I'm obviously missing it...
:)

--
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
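Added example, not part of Karl's post and not taken from FreeBSD's own documentation: the usual way to make this "hairpin" case work with in-kernel NAT is a second nat instance. The first instance applies redirect_port when the inside client's packet arrives addressed to the public IP (that is what the posted rule 8001 already achieves); the second instance then rewrites the source to the gateway's inside address as the packet leaves on the inside interface, so the web host answers the gateway instead of the client, and both translations are undone on the way back. The interface names (em0/em1), the addresses (192.168.0.0/24 inside, 192.168.0.10 web host, 192.168.0.1 gateway inside address) and the rule numbers are assumptions chosen to slot into the posted ruleset; FWCMD defaults to "echo ipfw" so the script prints the rules as a dry run instead of loading them.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw in-kernel NAT ruleset that
# handles inside clients reaching a port-forwarded service via the public IP.
# Every value below is an assumption; adjust to the real gateway.
# FWCMD="echo ipfw" makes this a dry run; FWCMD=ipfw loads the rules for real.

FWCMD="${FWCMD:-echo ipfw}"
oif="${oif:-em0}"                 # outside (Internet-facing) interface
iif="${iif:-em1}"                 # inside (LAN) interface
onet="${onet:-70.16.10.0/28}"     # public network
oip="${oip:-70.16.10.1}"          # public address the DNS name points at
inet="${inet:-192.168.0.0/24}"    # inside network
iip="${iip:-192.168.0.1}"         # gateway's address on the inside interface
whost="${whost:-192.168.0.10}"    # inside web host reached through redirect_port

nat_config() {
    # nat 100: ordinary outbound NAT plus the port forward for the web host.
    $FWCMD nat 100 config if "$oif" same_ports unreg_only \
        redirect_port tcp "$whost:80" "$oip:80"
    # nat 200: source-only NAT to the gateway's inside address, used solely for
    # the hairpin path so the web host's replies come back to the gateway.
    $FWCMD nat 200 config ip "$iip" same_ports
}

hairpin_rules() {
    # Inbound from the Internet to the public address: reverse NAT / redirect.
    $FWCMD add 6000 nat 100 ip4 from any to "$oip" in recv "$oif"
    $FWCMD add 7000 check-state
    # Hairpin step 1 (inbound on the LAN side): inside client -> public IP.
    # nat 100 applies redirect_port, so the destination becomes the web host.
    # The match is limited to dst $oip so ordinary LAN traffic is untouched.
    $FWCMD add 7500 nat 100 ip4 from "$inet" to "$oip" in recv "$iif"
    # Hairpin step 2 (outbound on the LAN side): rewrite the source to the
    # gateway's inside address so the web host replies to the gateway.
    $FWCMD add 7600 nat 200 ip4 from "$inet" to "$whost" 80 out xmit "$iif"
    # Return path: undo nat 200 (restore the client's address) on the way in,
    # then undo nat 100 (restore the public IP as source) on the way out, so
    # the SYN/ACK the client sees comes from the address it connected to.
    $FWCMD add 7700 nat 200 ip4 from "$whost" 80 to "$iip" in recv "$iif"
    $FWCMD add 7800 nat 100 ip4 from "$whost" 80 to "$inet" out xmit "$iif"
    # Ordinary outbound NAT and the post's leak check / final pass.
    $FWCMD add 8000 nat 100 ip4 from "$inet" to any out xmit "$oif"
    $FWCMD add 8009 deny log ip4 from "$inet" to any xmit "$oif"
    $FWCMD add 8010 pass ip4 from "$onet" to any xmit "$oif"
}

# Dry run: print the rules that would be loaded.
nat_config
hairpin_rules
```

The design point is that each packet crosses the firewall twice on the hairpin path (in on the inside interface, then out on the same interface), so one nat instance is applied per pass and no reinjection is needed. Keep the `deny log` rule: with the translation in place it should stay silent, and any hit on it means a packet left the LAN without being translated.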