From: Cédric Jonas <cedric@virtual-globe.net>
To: Cédric Jonas, freebsd-pf
Date: Wed, 3 Nov 2004 23:39:50 +0100
Subject: Re: NAT Loopback
List: freebsd-pf@freebsd.org (Technical discussion and general questions about packet filter (pf))

Hello Cédric Jonas,

On Tuesday, 2 November 2004 at 14:53:16, you wrote:

Cédric Jonas> Hi freebsd-pf,
Cédric Jonas>
Cédric Jonas> For 5 days I have been trying to install PF on my server, to replace my old
Cédric Jonas> hardware router... Until now, everything was ok, better than the old router -
Cédric Jonas> BUT, what I miss is the NAT Loopback functionality (so that IP packets which
Cédric Jonas> come from the LAN and are destined to my WAN IP effectively leave the WAN
Cédric Jonas> interface and come back through the WAN interface => the packet is subjected
Cédric Jonas> to the filter rulesets for incoming packets on my WAN interface = NAT Loopback).
Cédric Jonas>
Cédric Jonas> I found this in the OpenBSD PF FAQ: http://www.openbsd.org/faq/pf/rdr.html#rdrnat,
Cédric Jonas> but it isn't what I am looking for, because the packets don't leave and re-enter
Cédric Jonas> the WAN interface.
Cédric Jonas>
Cédric Jonas> So I tried the following: I blocked incoming Telnet connections on my WAN
Cédric Jonas> interface, and started a telnet to my WAN IP from a host on my LAN; telnet was
Cédric Jonas> successful... so that isn't what I want. After a tcpdump on my 2 WAN and LAN
Cédric Jonas> interfaces (fxp0 and tun0 on the FreeBSD router), I noted that the server
Cédric Jonas> already accepts the telnet connection at fxp0, so I can see an incoming packet
Cédric Jonas> to my WAN IP, but nothing more, because it's already accepted here. Why? After
Cédric Jonas> some research, I found out that the TCP/IP stack on the router compares the
Cédric Jonas> destination address with its own interfaces and aliases - if one agrees, it
Cédric Jonas> accepts the connection.
Cédric Jonas>
Cédric Jonas> Next test: with the same ruleset, I started a telnet to my WAN IP from the
Cédric Jonas> router; here the connection was blocked, and thanks to tcpdump I saw that the
Cédric Jonas> IP packet leaves tun0, comes back - and was successfully blocked (the packet
Cédric Jonas> had the WAN IP as source AND destination address).
Cédric Jonas>
Cédric Jonas> So, in conclusion, I tried a nat rule on fxp0, the LAN interface:
Cédric Jonas>
Cédric Jonas>   nat on fxp0 inet from fxp0:network to (tun0) -> (tun0)
Cédric Jonas>
Cédric Jonas> so that incoming connections on this interface, out of the LAN, get the WAN IP
Cédric Jonas> as source address... but one more time, telnet from the LAN was successful, the
Cédric Jonas> packet doesn't leave tun0, and was already accepted on fxp0.
Cédric Jonas>
Cédric Jonas> I don't know if it's really possible to realize NAT Loopback with PF; if yes,
Cédric Jonas> do you have experience with it? Or is it possible to oblige FreeBSD/PF to only
Cédric Jonas> accept connections with the same destination address as the IP address of the
Cédric Jonas> interface where the packet comes in (so that a comparison with every interface
Cédric Jonas> IP does not take place)?
Cédric Jonas>
Cédric Jonas> In summary, that's what I want:
Cédric Jonas>
Cédric Jonas> 000509 rule 2/0(match): pass out on tun0: IP 83.134.149.196.63347 > 83.134.149.196.23: S 1094509118:1094509118(0) win 65535 1452,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 13450428 0>
Cédric Jonas> 000249 rule 0/0(match): block in on tun0: IP 83.134.149.196.63347 > 83.134.149.196.23: S 1094509118:1094509118(0) win 65535 1452,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 13450428 0>
Cédric Jonas>
Cédric Jonas> That's from a tcpdump after a telnet connection to my WAN IP from the router...
Cédric Jonas> but in case of a telnet from a LAN host to the WAN IP, the only thing I was able
Cédric Jonas> to log was:
Cédric Jonas>
Cédric Jonas> 555257 rule 5/0(match): pass in on fxp0: IP 192.168.0.99.1547 > 83.134.149.196.23: S 377131760:377131760(0) win 16384 1460,nop,nop,sackOK>
Cédric Jonas>
Cédric Jonas> ... and the connection was accepted here - I wish to have the same "effect"
Cédric Jonas> here as above... a NAT Loopback.
Cédric Jonas>
Cédric Jonas> I hope that someone will be able to help me here (and that I described it
Cédric Jonas> understandably), it's my last possibility I think.
Cédric Jonas>
Cédric Jonas> Sorry for my bad English, but I do what I can ;-)

The solution is:

  pass in on $internal_if route-to ($external_if $external_ip) \
      from any to $external_ip keep state

Thx to Max Laier for the excellent help ;)

-- 
Best regards,
Cédric Jonas
E-mail: cedric@virtual-globe.net
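As an added example (not part of the thread), a small Python script that reads pflog records in the tcpdump format quoted above and reports, per flow aimed at the WAN IP, whether the connection was ever seen entering the WAN interface (the loopback effect) or was accepted straight away on the LAN interface. It assumes only that format; the `wan_if`/`wan_ip` parameters and the sample lines (the three captures from the thread, trimmed after the TCP window field) are mine.

```python
import re
from collections import defaultdict

# Sample pflog lines: the three captures quoted in the thread, trimmed after the window field.
SAMPLE_LOG = """\
000509 rule 2/0(match): pass out on tun0: IP 83.134.149.196.63347 > 83.134.149.196.23: S 1094509118:1094509118(0) win 65535
000249 rule 0/0(match): block in on tun0: IP 83.134.149.196.63347 > 83.134.149.196.23: S 1094509118:1094509118(0) win 65535
555257 rule 5/0(match): pass in on fxp0: IP 192.168.0.99.1547 > 83.134.149.196.23: S 377131760:377131760(0) win 16384
"""

# Matches the "rule N/M(match): <action> <dir> on <iface>: IP src.sport > dst.dport:" prefix
# that tcpdump prints for pflog records (IPv4 only, as in the thread).
LINE_RE = re.compile(
    r"rule (?P<rule>\d+/\d+)\(match\): (?P<action>pass|block) (?P<dir>in|out) on "
    r"(?P<iface>\w+): IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Return one dict per parseable log line; lines in another format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def loopback_audit(events, wan_if, wan_ip):
    """Group events by (src, sport, dport) for flows aimed at the WAN IP and say, per flow,
    whether it was ever logged entering the WAN interface. A flow that only shows up as
    'pass in' on another interface was accepted by the local stack directly and never
    reached the WAN-side ruleset, which is exactly the gap described in the thread."""
    flows = defaultdict(list)
    for ev in events:
        if ev["dst"] == wan_ip:
            flows[(ev["src"], ev["sport"], ev["dport"])].append(ev)
    report = {}
    for key, evs in flows.items():
        wan_in = [ev for ev in evs if ev["iface"] == wan_if and ev["dir"] == "in"]
        report[key] = {
            "first_seen_on": evs[0]["iface"],            # interface of the first logged record
            "looped": bool(wan_in),                      # did it re-enter via the WAN interface?
            "wan_verdict": wan_in[-1]["action"] if wan_in else None,  # pass/block on the WAN side
        }
    return report


if __name__ == "__main__":
    for flow, info in loopback_audit(parse_pflog(SAMPLE_LOG), "tun0", "83.134.149.196").items():
        state = ("reached WAN ruleset (%s)" % info["wan_verdict"] if info["looped"]
                 else "short-circuited on %s" % info["first_seen_on"])
        print("%s:%s -> port %s: %s" % (flow[0], flow[1], flow[2], state))
```

Run it against `tcpdump -n -e -ttt -i pflog0` output after loading the route-to rule: the LAN flow should then show up as "reached WAN ruleset (block)" instead of "short-circuited on fxp0".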