Date: Thu, 21 Aug 2008 11:35:44 -0700
From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Javier Ubillos <jav@sics.se>
Cc: freebsd-net@freebsd.org
Subject: Re: erride default ICMP (and other protocols) default replies.
Message-ID: <20080821183544.GE25990@hal.rescomp.berkeley.edu>
In-Reply-To: <1219265061.9118.29.camel@dib>
References: <1219265061.9118.29.camel@dib>
Javier Ubillos wrote:
> Hi freebsd-net.
> (Sorry for cross posting. This time I think I found the right forum for
> my question)
>
> I'm implementing a NAT (1 ip - 1 ip) like router. (it's not actually
> NAT, but it's a good analogy for this case).
>
> I have chosen to use pcaplib to pick up the packets. I have an
> implementation which picks up the packets, inspects them, rewrites the
> destination/source ip-addresses and sends them out on the respective
> interface.
>
> The problem I'm facing however is that my interfaces are answering to
> e.g. icmp-echo (ping) automatically, and I don't know how to turn this
> behaviour off.
>
> What I want to happen is that if A pings C, my router B in between
> should simply forward the packets w/o any automatic reactions.
>
> A --> B --> C
>
> So that if e.g. C is down, no echo-reply is sent back (or if C is up,
> that C is actually sending the echo-reply).
>
> Does anyone know how to turn off the automatic replies (ICMP and
> whatever else I haven't foreseen yet) or does anyone know where I can
> find out more about the issue?

I'm using ipfw(8), ng_ipfw(4), ng_nat(4), and arp(8) to achieve these
results. I have a transparent HTTP proxy via squid that dynamically runs
code to set up 1-to-1 NAT rules for users who authenticate to our
wireless network. I have a clean 7.0 build, except I patched ng_nat to
7-STABLE to get the functionality of the 'redirectaddr' message.

Some relevant code snippets from the system: $onatid and $inatid are
deterministic identifiers for numbering the netgraph nodes (they're a
function of the public IP assigned).

On setup:

| ngctl mkpeer ipfw: nat $onatid out
| ngctl name ipfw:$onatid $name
| ngctl connect ipfw: ${name}: $inatid in
| ngctl msg ${name}: setaliasaddr $public_ip
| ngctl msg ${name}: redirectaddr '{' \
|   "local_addr=$private_ip" \
|   "alias_addr=$public_ip" \
|   'description="Static NAT"' \
|   '}'
|
| # Clear any arp entries for this IP that might be in the table, just
| # to keep things consistent
| arp -d "$public_ip" >/dev/null 2>&1
|
| # Use arp(8) to claim this public IP address
| arp -s $public_ip $aux_mac pub 2>&1 | nac_log
|
| ipfw table $private_table add $private_ip $onatid
| ipfw table $public_table add $public_ip $inatid

On teardown:

| arp -d "$public_ip"
| ngctl shutdown ipfw:${onatid}
| for table in $PRIVATE_TABLES ; do
|   ipfw -q table $table delete $private_ip $onatid
| done
| for table in $PUBLIC_TABLES ; do
|   ipfw -q table $table delete $public_ip $inatid
| done

This corresponds with the following in ipfw.rules (note by this point in
the ruleset, all "management" traffic has been dealt with):

| # NAT all traffic coming in from authenticated users
| $cmd netgraph tablearg all from "table($TABLE_WIFI_PRIV_AUTH)" to any in
| for net in $NAC_PUBLIC_NETS ; do
|
|   # NAT all traffic coming in to authenticated users
|   $cmd netgraph tablearg all from any to "table($TABLE_WIFI_PUB_AUTH)" \
|     in via $(nac_if "$net")
|
|   # We must set interface and direction on these fwd rules. If not, they
|   # will match traffic from any other hosts on these subnets (including
|   # the router) and deflect traffic in the wrong direction.
|   for privnet in $NAC_PRIVATE_NETS ; do
|     $cmd fwd $(nac_router "$net") ip from $(nac_subnet "$net") to not \
|       $(nac_subnet "$net") in via $(nac_if "$privnet")
|   done
| done
| $cmd allow all from any to "table($TABLE_WIFI_PRIV_AUTH)"
| $cmd allow all from "table($TABLE_WIFI_PUB_AUTH)" to any

For each subnet I'm using, I assign an IP to this FreeBSD box so that it
knows how to get to the gateway. The published arp entries take care of
"claiming" the addresses that are in-use and getting the IP traffic
passed up the stack. ipfw intercepts, does the packet-munging, and
forwards the results. The hosts behind this box (dubbed an "aux-router"
internally) see all IP traffic destined for them -- incoming ICMP or TCP
or UDP all gets where it's supposed to go. There is no state across
reboots.

You may be able to get things working the way you want by *not* using
ifconfig to assign address, but instead using this arp(8) trick. You may
find the use of ng_nat suits your needs though.

Let me know if any of this is unclear.
-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
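Added example, not from the message above or the poster's own scripts: the per-user setup and teardown commands quoted in the reply, wrapped in a POSIX sh script with address validation, a rollback when setup fails part-way, and a dry-run switch that prints the ngctl/ipfw/arp commands instead of executing them (the default, so it runs on any host). The node naming scheme (nat<cookie>), the derivation of $onatid/$inatid from the last octet of the public IP, the table numbers and the NAC_DRY_RUN variable are assumptions; the post only says the identifiers are a function of the public IP.

```shell
#!/bin/sh
# Added example (not the poster's code): per-user 1-to-1 NAT setup/teardown
# built from the ngctl/ipfw/arp commands quoted in the message above.
# Assumptions: node names nat<cookie>, cookies derived from the public IP's
# last octet, ipfw tables 1/2, and a NAC_DRY_RUN switch that prints the
# commands instead of executing them (the default, so this runs anywhere).
set -u

NAC_DRY_RUN=${NAC_DRY_RUN:-1}        # 0 only on the real aux-router
PRIVATE_TABLE=${PRIVATE_TABLE:-1}    # assumed: table of authenticated private IPs
PUBLIC_TABLE=${PUBLIC_TABLE:-2}      # assumed: table of their public IPs

# Execute a command, or print it when dry-running.
run() {
    if [ "$NAC_DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject anything that is not a dotted quad with octets 0-255, since the
# addresses end up unquoted in ngctl messages and ipfw table entries.
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Deterministic ng_ipfw cookies for the out/in hooks of one user's ng_nat
# node. Assumption: one /24 of public addresses, so the last octet is
# unique; cookies must be nonzero, unique per hook and stay well inside
# the 16-bit cookie range. Prints "<onatid> <inatid>".
nat_ids() {
    last=${1##*.}
    onatid=$((1000 + last * 2))
    printf '%s %s\n' "$onatid" "$((onatid + 1))"
}

# nac_setup PRIVATE_IP PUBLIC_IP AUX_MAC
nac_setup() {
    private_ip=$1 public_ip=$2 aux_mac=$3
    valid_ipv4 "$private_ip" && valid_ipv4 "$public_ip" ||
        { echo "nac_setup: bad address" >&2; return 2; }
    set -- $(nat_ids "$public_ip")
    onatid=$1 inatid=$2 name=nat$1
    # Wire ipfw -> ng_nat (out hook) and ng_nat -> ipfw (in hook).
    run ngctl mkpeer ipfw: nat "$onatid" out || return 1
    run ngctl name "ipfw:$onatid" "$name" || return 1
    run ngctl connect ipfw: "${name}:" "$inatid" in || return 1
    run ngctl msg "${name}:" setaliasaddr "$public_ip" || return 1
    run ngctl msg "${name}:" redirectaddr '{' \
        "local_addr=$private_ip" "alias_addr=$public_ip" \
        'description="Static NAT"' '}' || return 1
    # Claim the public IP with a published ARP entry; no ifconfig alias,
    # so the box itself never answers pings or opens sockets for it.
    run arp -d "$public_ip" 2>/dev/null || true
    run arp -s "$public_ip" "$aux_mac" pub || return 1
    # Table values double as the netgraph cookies via "netgraph tablearg".
    run ipfw table "$PRIVATE_TABLE" add "$private_ip" "$onatid" || return 1
    run ipfw table "$PUBLIC_TABLE" add "$public_ip" "$inatid" || return 1
}

# nac_teardown PRIVATE_IP PUBLIC_IP: best effort, same order as the post:
# stop answering ARP first, then drop the node, then the table entries.
nac_teardown() {
    private_ip=$1 public_ip=$2
    set -- $(nat_ids "$public_ip")
    onatid=$1 inatid=$2
    run arp -d "$public_ip" || true
    run ngctl shutdown "ipfw:${onatid}" || true
    run ipfw -q table "$PRIVATE_TABLE" delete "$private_ip" "$onatid" || true
    run ipfw -q table "$PUBLIC_TABLE" delete "$public_ip" "$inatid" || true
}

# CLI: ./nac.sh setup 10.1.2.3 192.0.2.40 00:11:22:33:44:55
#      ./nac.sh teardown 10.1.2.3 192.0.2.40
# A setup that fails after the first step (rc 1) is rolled back so no
# published ARP entry is left pointing at a user with no NAT node behind it.
case "${1:-}" in
    setup)    shift; nac_setup "$@"; rc=$?
              [ "$rc" -eq 1 ] && nac_teardown "$1" "$2"
              exit "$rc" ;;
    teardown) shift; nac_teardown "$@" ;;
esac
```

Run it with NAC_DRY_RUN=1 first and diff the printed commands against the snippets in the reply before setting NAC_DRY_RUN=0 on the aux-router; in dry-run mode the arp -s line is the one to check, because publishing the wrong MAC silently blackholes that public address for everyone on the segment.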