From: Mamontov Roman <mr.xanto@gmail.com>
Date: Thu, 15 Jul 2010 11:45:12 +0400
To: freebsd-ipfw@freebsd.org
Message-ID: <1931583025.20100715114512@gmail.com>
Subject: Problem with ipfw nat and packet to local services

Hello, freebsd-ipfw.

I try to use ipfw nat with these rules:

00035   138   10242 nat 1 log ip from any to any via ext_if1
65000  6823  689594 allow ip from any to any
65535   170   13629 deny ip from any to any

ipfw nat 1 config ip xxx.xxx.xxx.xxx deny_in same_ports unreg_only
    redirect_port udp 192.168.54.50:417 417
    redirect_port tcp 192.168.54.50:417 417
    redirect_port tcp 192.168.2.19:3233 3233
    redirect_port udp 192.168.2.19:416 416
    redirect_port tcp 192.168.2.19:416 416
    redirect_port udp 192.168.2.18:415 415
    redirect_port tcp 192.168.2.18:415 415
    redirect_port udp 192.168.2.17:414 414
    redirect_port tcp 192.168.2.17:414 414
    redirect_port udp 192.168.2.16:413 413
    redirect_port tcp 192.168.2.16:413 413
    redirect_port tcp 192.168.2.15:3232 3232
    redirect_port udp 192.168.2.15:412 412
    redirect_port tcp 192.168.2.15:412 412

Packets from the local network and from this box to the outside network go through correctly. But packets from the outside network to services (udp, icmp, tcp) on this box do not pass.

In /var/log/security:

Jul 15 11:34:12 kernel: ipfw: 35 Nat UDP yyy.yyy.yyy.yyy:36129 xxx.xxx.xxx.xxx:33564 in via ext_if1

In tcpdump output:

11:34:17.239509 IP yyy.yyy.yyy.yyy.36129 > xxx.xxx.xxx.xxx.33565: UDP, length 12

solution# kldstat
Id Refs Address    Size     Name
 1   20 0xc0400000 7ad380   kernel
 2    1 0xc0bae000 19654    geom_mirror.ko
 3    1 0xc0bc8000 3148     alias_ftp.ko
 4    1 0xc2d1b000 4000     ng_mppc.ko
 5    1 0xc2d1f000 2000     rc4.ko
 6    1 0xc303a000 5000     ng_ksocket.ko
 7    1 0xc303f000 3000     ng_tee.ko
 8    1 0xc3042000 7000     ng_ppp.ko

solution# uname -r
8.1-PRERELEASE

solution# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Do I have some mistake in my firewall rules? Any idea?

--
Best regards,
Mamontov Roman                          mailto:mr.xanto@gmail.com
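An added diagnostic, not part of the original mail, that parses the posted nat config and the logged packet to tell whether an inbound packet hits one of the static redirect_port entries. It assumes the deny_in semantics documented in ipfw(8) (inbound packets with no redirect and no existing translation entry are dropped) and ignores dynamically created translation entries, so it only covers unsolicited inbound traffic.

```python
import re

# Constructed inputs copied from the post: the nat config (abridged to a few
# redirects) and the ipfw log line for the packet that did not pass.
NAT_CONFIG = ("ipfw nat 1 config ip xxx.xxx.xxx.xxx deny_in same_ports unreg_only "
              "redirect_port udp 192.168.54.50:417 417 "
              "redirect_port tcp 192.168.2.19:3233 3233 "
              "redirect_port udp 192.168.2.16:413 413")
LOG_LINE = ("Jul 15 11:34:12 kernel: ipfw: 35 Nat UDP "
            "yyy.yyy.yyy.yyy:36129 xxx.xxx.xxx.xxx:33564 in via ext_if1")

REDIRECT_RE = re.compile(r"redirect_port\s+(tcp|udp)\s+(\S+):(\d+)\s+(\d+)")
LOG_RE = re.compile(
    r"ipfw: (\d+) Nat (TCP|UDP) (\S+):(\d+) (\S+):(\d+) (in|out) via (\S+)")


def parse_redirects(config):
    """Map (proto, external_port) -> internal 'addr:port' for each redirect_port."""
    return {(proto, int(ext)): f"{addr}:{iport}"
            for proto, addr, iport, ext in REDIRECT_RE.findall(config)}


def parse_log(line):
    """Pull rule number, protocol, destination port and direction out of an ipfw nat log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipfw nat log line")
    rule, proto, _src, _sport, _dst, dport, direction, ifname = m.groups()
    return {"rule": int(rule), "proto": proto.lower(), "dport": int(dport),
            "dir": direction, "iface": ifname}


def explain_inbound(config, log_line):
    """Classify an unsolicited inbound packet against the nat config.

    Assumed deny_in semantics (ipfw(8)): no matching redirect and no existing
    translation entry means the packet is dropped by the nat instance.
    """
    pkt = parse_log(log_line)
    if pkt["dir"] != "in":
        return ("outbound", None)
    target = parse_redirects(config).get((pkt["proto"], pkt["dport"]))
    if target:
        return ("redirected", target)
    if re.search(r"\bdeny_in\b", config):
        return ("dropped_by_deny_in", None)
    return ("passed_to_host", None)
```

Running it on the posted log line reports the packet to UDP port 33564 as matching no redirect_port entry while deny_in is set; the same packet to UDP port 413 resolves to the 192.168.2.16 redirect.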