Date: Thu, 15 Jul 2010 19:12:40 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Mamontov Roman <mr.xanto@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Problem with ipfw nat and packet to local services
Message-ID: <20100715183743.S86988@sola.nimnet.asn.au>
In-Reply-To: <1931583025.20100715114512@gmail.com>
References: <1931583025.20100715114512@gmail.com>
On Thu, 15 Jul 2010, Mamontov Roman wrote:

> Hello, freebsd-ipfw.
>
> I am trying to use ipfw nat with these rules:
>
> 00035 138 10242 nat 1 log ip from any to any via ext_if1
> 65000 6823 689594 allow ip from any to any
> 65535 170 13629 deny ip from any to any
>
> ipfw nat 1 config ip xxx.xxx.xxx.xxx deny_in same_ports unreg_only
> redirect_port udp 192.168.54.50:417 417 redirect_port tcp 192.168.54.50:417 417
> redirect_port tcp 192.168.2.19:3233 3233 redirect_port udp 192.168.2.19:416 416
> redirect_port tcp 192.168.2.19:416 416 redirect_port udp 192.168.2.18:415 415
> redirect_port tcp 192.168.2.18:415 415 redirect_port udp 192.168.2.17:414 414
> redirect_port tcp 192.168.2.17:414 414 redirect_port udp 192.168.2.16:413 413
> redirect_port tcp 192.168.2.16:413 413 redirect_port tcp 192.168.2.15:3232 3232
> redirect_port udp 192.168.2.15:412 412 redirect_port tcp 192.168.2.15:412 412
>
> Packets from the local network and this box to the outside network go correctly.
> But packets from the outside network to services (udp, icmp, tcp) on this box do not pass.
>
> In /var/log/security:
> Jul 15 11:34:12 kernel: ipfw: 35 Nat UDP yyy.yyy.yyy.yyy:36129 xxx.xxx.xxx.xxx:33564 in via ext_if1
>
> In tcpdump output:
> 11:34:17.239509 IP yyy.yyy.yyy.yyy.36129 > xxx.xxx.xxx.xxx.33565: UDP, length 12

UDP port 33564 on this box (xxx.xxx.xxx.xxx) is not redirected to any other address:port, and you have specified deny_in (-deny_incoming in natd-speak) so, well, you got what you asked for .. See the description under -deny_incoming and the explanation of what happens to incoming packets under -alias_address in natd(8) .. the nat description in ipfw(8) is still a bit thin, so natd(8) is still useful.

Without deny_in, new inbound packets should be passed to the local machine - so you will then need firewall rules to restrict which local ports are to be accessible for connections from the outside.
cheers, Ian

> solution# kldstat
> Id Refs Address Size Name
> 1 20 0xc0400000 7ad380 kernel
> 2 1 0xc0bae000 19654 geom_mirror.ko
> 3 1 0xc0bc8000 3148 alias_ftp.ko
> 4 1 0xc2d1b000 4000 ng_mppc.ko
> 5 1 0xc2d1f000 2000 rc4.ko
> 6 1 0xc303a000 5000 ng_ksocket.ko
> 7 1 0xc303f000 3000 ng_tee.ko
> 8 1 0xc3042000 7000 ng_ppp.ko
>
> solution# uname -r
> 8.1-PRERELEASE
>
> solution# sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding: 1
>
> Do I have some mistake in my firewall rules? Any idea?
>
> --
> Best regards,
> Mamontov Roman mailto:mr.xanto@gmail.com
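The approach Ian describes, dropping deny_in and restricting which local ports the outside can reach with firewall rules, written out as an added example; this is not code from the thread or from FreeBSD. It keeps the thread's placeholders ext_if1 and xxx.xxx.xxx.xxx and the poster's redirect_port list; the exposed local ports (22/tcp, 53/udp), the build_ruleset function and the FWCMD/SYSCTL dry-run variables are assumptions, and it relies on net.inet.ip.fw.one_pass=0 so that packets keep traversing rules after the nat rule, as ipfw(8) describes.

```shell
#!/bin/sh
# Added example (not from the thread): the poster's nat setup without deny_in,
# with explicit rules deciding what may reach this box from the outside.
fwcmd="${FWCMD:-/sbin/ipfw}"          # set FWCMD="echo ipfw" for a dry run
sysctlcmd="${SYSCTL:-/sbin/sysctl}"   # set SYSCTL=echo for a dry run
ext_if="ext_if1"                      # placeholders kept from the thread
ext_ip="xxx.xxx.xxx.xxx"
lan="192.168.0.0/16"
local_tcp="22"   # assumed: TCP services on this box to expose
local_udp="53"   # assumed: UDP services on this box to expose

build_ruleset() {
    # Without this, rule 35 accepts whatever it translates and nothing below runs.
    ${sysctlcmd} net.inet.ip.fw.one_pass=0
    ${fwcmd} -q -f flush
    # Same redirects as before; deny_in removed, so unmatched inbound packets
    # are handed to this box and judged by the rules below instead.
    ${fwcmd} nat 1 config ip ${ext_ip} same_ports unreg_only \
        redirect_port udp 192.168.54.50:417 417 redirect_port tcp 192.168.54.50:417 417 \
        redirect_port tcp 192.168.2.19:3233 3233 redirect_port udp 192.168.2.19:416 416 \
        redirect_port tcp 192.168.2.19:416 416 redirect_port udp 192.168.2.18:415 415 \
        redirect_port tcp 192.168.2.18:415 415 redirect_port udp 192.168.2.17:414 414 \
        redirect_port tcp 192.168.2.17:414 414 redirect_port udp 192.168.2.16:413 413 \
        redirect_port tcp 192.168.2.16:413 413 redirect_port tcp 192.168.2.15:3232 3232 \
        redirect_port udp 192.168.2.15:412 412 redirect_port tcp 192.168.2.15:412 412
    ${fwcmd} add 10 allow ip from any to any via lo0
    # Anti-spoofing before nat: packets from outside may not carry LAN addresses yet.
    ${fwcmd} add 30 deny ip from ${lan} to any in via ${ext_if}
    ${fwcmd} add 31 deny ip from any to ${lan} in via ${ext_if}
    ${fwcmd} add 35 nat 1 ip from any to any via ${ext_if}
    # From here on inbound packets carry their de-aliased destination.
    ${fwcmd} add 100 check-state
    # libalias only rewrites known sessions and configured redirects, so a
    # packet now addressed to a LAN host has been vetted by the nat instance.
    ${fwcmd} add 200 allow ip from any to ${lan} in via ${ext_if}
    # Local services reachable from outside; everything else aimed at this box is dropped.
    ${fwcmd} add 210 allow tcp from any to me ${local_tcp} in via ${ext_if} setup keep-state
    ${fwcmd} add 220 allow udp from any to me ${local_udp} in via ${ext_if} keep-state
    ${fwcmd} add 230 allow icmp from any to me in via ${ext_if} icmptypes 0,3,8,11
    ${fwcmd} add 240 deny log ip from any to me in via ${ext_if}
    # Outbound sessions create state so their replies pass rule 100. After
    # aliasing, LAN traffic also shows up as "me" here; that is harmless.
    ${fwcmd} add 300 allow ip from me to any out via ${ext_if} keep-state
    ${fwcmd} add 310 allow ip from any to any out via ${ext_if}
    ${fwcmd} add 65000 allow ip from any to any
}

if [ "${1:-}" = "apply" ]; then build_ruleset; fi
```

Run it as `sh ipfw.rules apply` to install the rules; prefix with `FWCMD="echo ipfw" SYSCTL=echo` to print them without touching the running firewall.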