Date:      Mon, 24 Dec 2001 13:18:16 -0500
From:      GuRU <guru@nubisci.net>
To:        ipfilter@coombs.anu.edu.au
Cc:        freebsd-questions@freebsd.org
Subject:   ipf/ipnat strangeness freebsd-current
Message-ID:  <20011224131816.A20795@nubisci.net>
In-Reply-To: <20011104171404.A25705@nubisci.net>; from guru@nubisci.net on Sun, Nov 04, 2001 at 05:14:04PM -0500
References:  <20011104171404.A25705@nubisci.net>

Hello all :).
This is a continuing problem I'm seeing on my firewall box running on a
FreeBSD -current box.

ganja.nubisci.net:ipfilter# ipf -V
ipf: IP Filter: v3.4.20 (264)
Kernel: IP Filter: v3.4.20              
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

the contents of my ipf.rules:
# ipf.rules
# interface naming: 
# fxp0 = internet, addr=198.109.166.215/32
# fxp1 = local private net, addr=192.168.0.1/24 
# 

pass in  log on fxp0 all
pass out log on fxp0 all

pass in  log on fxp1 all
pass out log on fxp1 all

the contents of my ipnat.rules:

map fxp0 192.168.0.1/24 -> 198.109.166.215/32 portmap tcp/udp 1025:65000
map fxp0 192.168.0.1/24 -> 198.109.166.215/32 

the following was generated by the following command from the client machine
(blunted) from behind the firewall (ganja)
blunted.nubisci.net:guru% traceroute -S ftp.freebsd.org
traceroute to ftp.beastie.tdk.net (62.243.72.50), 64 hops max, 40 byte packets
  1  ganja (192.168.0.1)  0.584 ms  0.421 ms  0.414 ms (0% loss)
  2  198.109.166.193 (198.109.166.193)  3.820 ms *  3.793 ms (33% loss)
  3  * com-rtr-ve61.net.msu.edu (35.12.51.1)  6.774 ms * (66% loss)
  4  cc-rtr-ge15.net.msu.edu (35.9.101.13)  3.294 ms *  6.656 ms (33% loss)
  5  * g3-0.msu4.mich.net (35.9.82.114)  3.542 ms * (66% loss)
  6  198.108.23.129 (198.108.23.129)  8.600 ms *  8.914 ms (33% loss)
  7  * 63-149-0-185.cust.qwest.net (63.149.0.185)  13.153 ms * (66% loss)
  8  chi-core-01.inet.qwest.net (205.171.20.121)  13.097 ms *  36.202 ms (33% loss)
  9  * jfk-core-02.inet.qwest.net (205.171.5.11)  35.924 ms * (66% loss)
 10  jfk-brdr-01.inet.qwest.net (205.171.30.18)  34.238 ms *  32.919 ms (33% loss)
 11  * nyk-bb1-pos3-0-0.telia.net (213.248.82.93)  36.484 ms * (66% loss)
 12  nyk-i1-pos1-0.telia.net (213.248.82.14)  38.008 ms *  32.876 ms (33% loss)
 13  * teledk-2.k.telia.net (213.248.82.114)  33.632 ms * (66% loss)
 14  pos3-0.622M.albnxg2.ip.tele.dk (195.249.2.233)  140.264 ms * 140.361 ms (33% loss)
 15  * pos6-0.2488M.albnxg1.ip.tele.dk (195.249.4.165)  142.779 ms * (66% loss)
 16  pos7-0.2488M.arcnxg1.ip.tele.dk (195.249.6.126)  183.184 ms * 150.709 ms (33% loss)
 17  * pos4-0.2488M.opanxg1.ip.tele.dk (195.249.2.162)  140.144 ms * (66% loss)
 18  ge2-2.1000M.d3.opa.tdk.net (193.163.158.169)  140.438 ms * 147.625 ms (33% loss)
 19  * vlan30.d6.opa.tdk.net (62.243.72.206)  140.845 ms * (66% loss)
 20  vlan30.d6.opa.tdk.net (62.243.72.206)  140.595 ms !X *  140.899 ms !X (33% loss)

running tcpdump on both the public and private interface yields:
fxp1 ==> private interface
ganja.nubisci.net:ipfilter# fgrep udp tcpdump-r.fxp1 | head -20
21:12:07.497662 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33435:  udp 12 [ttl 1]
21:12:07.500150 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33436:  udp 12 [ttl 1]
21:12:07.501165 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33437:  udp 12 [ttl 1]
21:12:07.502815 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33438:  udp 12
21:12:07.509313 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33439:  udp 12
21:12:12.511339 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33440:  udp 12
21:12:12.516048 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33441:  udp 12
21:12:17.521119 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33442:  udp 12
21:12:17.530678 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33443:  udp 12
21:12:22.541760 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33444:  udp 12
21:12:22.547954 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33445:  udp 12
21:12:27.551830 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33446:  udp 12
21:12:27.557562 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33447:  udp 12
21:12:32.561690 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33448:  udp 12
21:12:32.567822 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33449:  udp 12
21:12:37.572378 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33450:  udp 12
21:12:37.581144 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33451:  udp 12
21:12:42.592764 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33452:  udp 12
21:12:42.599665 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33453:  udp 12
21:12:47.602439 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33454:  udp 12

Every 5 seconds two packets come in.  Now for the other side ...

fxp0 ==> public interface
ganja.nubisci.net:ipfilter# fgrep udp tcpdump-r.fxp0 | fgrep beastie | head -20
21:12:07.502934 nubisci.net.1165 > ftp.beastie.tdk.net.33438:  udp 12 [ttl 1]
21:12:07.509326 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33439:  udp 12 [ttl 1]
21:12:12.511472 nubisci.net.1166 > ftp.beastie.tdk.net.33440:  udp 12 [ttl 1]
21:12:12.516059 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33441:  udp 12
21:12:17.521257 nubisci.net.phone > ftp.beastie.tdk.net.33442:  udp 12
21:12:17.530695 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33443:  udp 12
21:12:22.541915 nubisci.net.1168 > ftp.beastie.tdk.net.33444:  udp 12
21:12:22.547968 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33445:  udp 12
21:12:27.551968 nubisci.net.1169 > ftp.beastie.tdk.net.33446:  udp 12
21:12:27.557580 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33447:  udp 12
21:12:32.561828 nubisci.net.1170 > ftp.beastie.tdk.net.33448:  udp 12
21:12:32.567836 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33449:  udp 12
21:12:37.572533 nubisci.net.1171 > ftp.beastie.tdk.net.33450:  udp 12
21:12:37.581159 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33451:  udp 12
21:12:42.592902 nubisci.net.1172 > ftp.beastie.tdk.net.33452:  udp 12
21:12:42.599677 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33453:  udp 12
21:12:47.602583 nubisci.net.1173 > ftp.beastie.tdk.net.33454:  udp 12
21:12:47.619030 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33455:  udp 12
21:12:52.623139 nubisci.net.1174 > ftp.beastie.tdk.net.33456:  udp 12
21:12:52.642401 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33457:  udp 12

The first three packets that were seen on the inside expire on the firewall.
After that it appears that every other packet is NATed and the other is being
passed unchanged :( (Thanks to Crist J. Clark for his analysis)

Now I need to know if anyone has seen this behavior before.  Either way I need
some assistance in finding out why this is happening.  Any help would be
appreciated.  :)

-- 
"Comparing information and knowledge is like asking whether the fatness
of a pig is more or less green than the designated hitter rule."
                -- David Guaspari
<guru@nubisci.net> 
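Added example, not part of the message above: a small Python script that correlates the two tcpdump captures by traceroute destination port (each probe uses a fresh port) and classifies every probe that entered on fxp1 as dropped on the firewall, translated, or leaked onto fxp0 with its private source unchanged. The embedded lines are copied from the captures in the message; the script assumes the firewall's public address reverse-resolves to nubisci.net, as it does in the fxp0 capture.

```python
import re

# Lines copied from the message: inside (fxp1) and outside (fxp0) captures
# of the same traceroute probes. tcpdump ran without -n, so hosts are names.
INSIDE_FXP1 = """\
21:12:07.497662 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33435:  udp 12 [ttl 1]
21:12:07.500150 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33436:  udp 12 [ttl 1]
21:12:07.501165 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33437:  udp 12 [ttl 1]
21:12:07.502815 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33438:  udp 12
21:12:07.509313 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33439:  udp 12
21:12:12.511339 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33440:  udp 12
21:12:12.516048 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33441:  udp 12
21:12:17.521119 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33442:  udp 12
"""
OUTSIDE_FXP0 = """\
21:12:07.502934 nubisci.net.1165 > ftp.beastie.tdk.net.33438:  udp 12 [ttl 1]
21:12:07.509326 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33439:  udp 12 [ttl 1]
21:12:12.511472 nubisci.net.1166 > ftp.beastie.tdk.net.33440:  udp 12 [ttl 1]
21:12:12.516059 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33441:  udp 12
21:12:17.521257 nubisci.net.phone > ftp.beastie.tdk.net.33442:  udp 12
"""

# time src.port > dst.port:  udp len   (a port may print as a service name, e.g. "phone")
LINE = re.compile(r"^\S+\s+(\S+)\.(\S+) > (\S+)\.(\S+):\s+udp\s+\d+")

def parse(capture):
    """Map each probe's destination port to the source host seen on that interface."""
    seen = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            src_host, _src_port, _dst_host, dst_port = m.groups()
            seen[dst_port] = src_host
    return seen

def audit_nat(inside, outside, public_host):
    """Verdict per probe: 'dropped' (never left, e.g. the TTL-1 probes),
    'translated' (left with the public address as source), or
    'leaked' (left with the private host's address unchanged)."""
    verdict = {}
    for port in inside:
        if port not in outside:
            verdict[port] = "dropped"
        elif outside[port] == public_host:
            verdict[port] = "translated"
        else:
            verdict[port] = "leaked"
    return verdict

if __name__ == "__main__":
    print(audit_nat(parse(INSIDE_FXP1), parse(OUTSIDE_FXP0), "nubisci.net"))
```

Any 'leaked' verdict means an RFC1918 source reached the public wire, which is the alternating pattern the message describes.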
