From owner-freebsd-questions@FreeBSD.ORG  Sun Mar  1 18:43:27 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B289F1065674
	for <freebsd-questions@freebsd.org>;
	Sun,  1 Mar 2009 18:43:27 +0000 (UTC) (envelope-from dc@dcoder.net)
Received: from ns2.dcoder.net (207-126-122-62.ip.openhosting.com
	[207.126.122.62])
	by mx1.freebsd.org (Postfix) with ESMTP id 8F6148FC1C
	for <freebsd-questions@freebsd.org>;
	Sun,  1 Mar 2009 18:43:27 +0000 (UTC) (envelope-from dc@dcoder.net)
Received: by ns2.dcoder.net (Postfix, from userid 500)
	id B9C9A13301E7; Sun,  1 Mar 2009 13:17:08 -0500 (EST)
Date: Sun, 1 Mar 2009 13:17:08 -0500
From: dacoder <dc@dcoder.net>
To: freebsd-questions@freebsd.org
Message-ID: <20090301181708.GF7007@mail2.dcoder.net>
Mail-Followup-To: freebsd-questions@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Subject: ipfilter, ipnat, and if driver ath:  what's just changed?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Mar 2009 18:43:27 -0000

updating my system friday from the feb 7 version of 7.1 to the latest broke
tcp and udp (but *not* icmp) over ipnat, which had worked forever with my
current ipfilter rules and ipnat mapping rules, which are pretty simple.
what has changed?

/etc/ipnat.rules:

	map age0 10.0.0.0/24 -> <external ip>/32

@ the top of /etc/ipf.rules:

	pass out quick on age0 proto tcp/udp from any to any keep state keep frags
	pass out quick on age0 proto icmp from any to any keep state keep frags

that used to work.  now it doesn't, witness ipmon:

01/03/2009 13:07:46.274707 age0 @0:28 b 74.125.93.102,80 -> 10.0.0.253,2914
PR tcp len 20 48 -AS IN NAT

what's changed?  ipf?  ipnat?  age?  am i using an obsolete & therefore
unworkable set of ipfilter rules?  icmp still works, btw.

i'd be grateful for any help.

thx.

david coder
network engineer emeritus
ntt/verio