From owner-freebsd-questions Wed Feb 21 13:40:40 2001
Message-Id: <200102212140.IAA25168@tungsten.austclear.com.au>
To: greg@nova.fqdn.com
Cc: freebsd-questions@FreeBSD.ORG, greg@fqdn.com
Subject: Re: NAT and keep-state issue.
In-Reply-To: Message from greg@nova.fqdn.com of "Wed, 21 Feb 2001 15:04:44 CDT." <200102212004.PAA42475@nova.fqdn.com>
Date: Thu, 22 Feb 2001 08:40:24 +1100
From: Tony Landells

Please keep your lines a bit shorter--a couple of them were, um, quite long...

> When I do not use keep-state and use 'allow established' all works well.
> When I remove 'allow established' and add keep-state to outbound connections
> that are NAT'd, it stops working. I think this is because packets returning
> from the Internet are translated, so the internal dest IP is swapped in.
> This fails as there isn't a dynamic rule to match. The rule created with
> the outbound connection would create a rule with the alias'd IP and dest IP.
> Returning packets would be checked by the rules after the IP swap has
> happened.
> Am I missing something here or is there a trick? Any help would be great.
> Thanks much.

I may be going blind, but I can't see where you're doing a "check-state"...
Without that you'll never check the dynamic rules.

> Here is the output of ipfw -a list.
> 222.222.222.222 is the external interface that faces the Internet.
> 333.333.333.333 is the ftp server I'm trying to reach (or web; both act the same).
> 192.168.50.50 is the internal proxy server where all connections heading out
> to the Internet originate from.
>
> I've changed the IPs.
>
> 00500   391    30606 deny udp from any 137 to any
> 00502   289    69180 deny udp from any 138 to any
> 01040     0        0 allow ip from any to any via lo0
> 01050     0        0 deny ip from any to 127.0.0.0/8
> 01060  2969  3314153 divert 8668 tcp from any to any via fxp0
> 02055   456    18248 allow tcp from 222.222.222.222 1025-65000 to any 1025-65000 keep-state setup
> 02060   118     5192 allow tcp from any to any 20-21 keep-state setup
> 02070     2       88 allow tcp from 192.168.50.50 to any in recv xl0 setup
> 03030   149     8276 deny log logamount 100 ip from any to any in recv fxp0
> 03040     0        0 deny log logamount 100 ip from any to any in recv fxp1
> 03050  1250   155979 deny log logamount 100 ip from any to any in recv xl0
> 09000    72     2888 deny log logamount 100 ip from any to any
> 65535     0        0 deny ip from any to any
> ## Dynamic rules:
> 02055    3      120 (T 0, # 28) ty 0 tcp, 222.222.222.222 2018 <-> 333.333.333.333 51962
> 02060   12      606 (T 7, # 50) ty 0 tcp, 222.222.222.222 2083 <-> 333.333.333.333 21
> 02060   12      606 (T 11, # 52) ty 0 tcp, 222.222.222.222 2085 <-> 333.333.333.333 21
> 02060    1       40 (T 17, # 54) ty 0 tcp, 222.222.222.222 2087 <-> 333.333.333.333 21
> 02055    3      120 (T 0, # 62) ty 0 tcp, 222.222.222.222 2036 <-> 333.333.333.333 33998
> 02055    3      120 (T 0, # 74) ty 0 tcp, 222.222.222.222 2039 <-> 333.333.333.333 46521
> 02055    3      120 (T 0, # 116) ty 0 tcp, 222.222.222.222 2041 <-> 333.333.333.333 49033
> 02055    2       88 (T 20, # 117) ty 0 tcp, 222.222.222.222 2086 <-> 333.333.333.333 52311
> 02055    2       88 (T 16, # 125) ty 0 tcp, 222.222.222.222 2084 <-> 333.333.333.333 48733
> 02060   38     5690 (T 291, # 152) ty 0 tcp, 192.168.50.50 2085 <-> 333.333.333.333 21
> 02060    5      364 (T 300, # 154) ty 0 tcp, 192.168.50.50 2087 <-> 333.333.333.333 21
> 02060   38     5690 (T 287, # 158) ty 0 tcp, 192.168.50.50 2083 <-> 333.333.333.333 21
> 02055 1007    40280 (T 0, # 204) ty 0 tcp, 222.222.222.222 2038 <-> 333.333.333.333 11582
> 02055  255    10200 (T 0, # 205) ty 0 tcp, 222.222.222.222 2068 <-> 333.333.333.333 42717

Cheers,
Tony
--
Tony Landells                           Senior Network Engineer
Australian Clearing Services Pty Ltd    Ph:  +61 3 9677 9319
Level 4, Rialto North Tower             Fax: +61 3 9677 9355
525 Collins Street
Melbourne VIC 3000
Australia

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
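The following is an added example and is not code from either participant in the thread. It generates an ipfw ruleset in the file form that `ipfw -q /path/to/file` reads, arranged so that the inbound natd divert runs before `check-state` and the outbound divert runs only after the `keep-state` rules have fired: the dynamic rule is then recorded with the proxy's internal address, and a reply that natd has already un-translated on input matches it. Interface names (fxp0 external, xl0 internal), the proxy address 192.168.50.50 and divert port 8668 are taken from the listing quoted above; the rule numbers, the `skipto` arrangement and the port choices (ftp control, http, and a high-port range for passive ftp data) are this example's own assumptions. Checking that a dynamic rule matches after check-state, as the reply asks about, is done by ipfw itself on a running box; the helper here only verifies the ordering of the generated rules.

```shell
#!/bin/sh
# Added example (not from the thread): emit an ipfw ruleset in which
#   1. inbound NAT happens before check-state,
#   2. keep-state fires on the outbound SYN while its source is still the
#      internal address, and
#   3. outbound NAT happens after state has been created.
# The values below come from the quoted listing; the rule numbers and the
# skipto layout are assumptions of this example.

EXT_IF="${EXT_IF:-fxp0}"          # external interface (the 222.222.222.222 side)
INT_IF="${INT_IF:-xl0}"           # internal interface
PROXY="${PROXY:-192.168.50.50}"   # internal host that originates all flows
NATD_PORT="${NATD_PORT:-8668}"    # natd divert port seen in the listing
NAT_OUT=9000                      # rule number of the outbound divert

# Print the ruleset in "ipfw file" syntax (one ipfw command per line,
# without the leading "ipfw"); '#' starts a comment.
ipfw_ruleset() {
    cat <<EOF
flush
add 01000 allow ip from any to any via lo0
add 01010 deny ip from any to 127.0.0.0/8
# Inbound NAT first: replies get their destination un-translated to
# ${PROXY} before any state lookup happens.
add 01020 divert ${NATD_PORT} ip from any to any in via ${EXT_IF}
# Consult the dynamic table. A match executes the action of the rule that
# created the entry (skipto ${NAT_OUT}), which lands on the final allow.
add 01030 check-state
# Outbound flows from the proxy: create state while the source address is
# still ${PROXY}, then jump past the deny to the outbound divert.
add 02000 skipto ${NAT_OUT} tcp from ${PROXY} to any 20-21 out via ${EXT_IF} setup keep-state
add 02010 skipto ${NAT_OUT} tcp from ${PROXY} to any 80 out via ${EXT_IF} setup keep-state
add 02020 skipto ${NAT_OUT} tcp from ${PROXY} 1024-65535 to any 1024-65535 out via ${EXT_IF} setup keep-state
# The same SYNs are first seen entering on ${INT_IF}; admit them there.
add 03000 allow tcp from ${PROXY} to any in via ${INT_IF} setup
# Everything that has not matched by now is dropped and logged.
add 08990 deny log logamount 100 ip from any to any
# Outbound NAT after state creation; natd re-injects at the next rule.
add ${NAT_OUT} divert ${NATD_PORT} ip from any to any out via ${EXT_IF}
add 09010 allow ip from any to any
EOF
}

# Sanity helper: rule number (as a plain integer) of the first "add" line
# whose text matches the given awk regular expression.
rule_number_of() {
    ipfw_ruleset | awk -v pat="$1" '$1 == "add" && $0 ~ pat { print $2 + 0; exit }'
}

# Usage on the firewall (assumes natd is already listening on ${NATD_PORT}):
#   sh this_script.sh > /etc/ipfw.rules && ipfw -q /etc/ipfw.rules
ipfw_ruleset
```

The ordering is the whole point: if the outbound divert sits above the keep-state rules (as rule 01060 does in the quoted listing), state is created with the aliased external address and the un-translated reply has nothing to match, whatever `check-state` does.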