From owner-freebsd-questions Mon Dec 24 10:18:42 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from ganja.nubisci.net (ikhala.tcimet.net [198.109.166.215]) by hub.freebsd.org (Postfix) with ESMTP id 1A0DB37B419 for ; Mon, 24 Dec 2001 10:18:36 -0800 (PST)
Received: (from guru@localhost) by ganja.nubisci.net (8.11.6/8.11.4) id fBOIIUt13474; Mon, 24 Dec 2001 13:18:30 -0500 (EST) (envelope-from guru)
Date: Mon, 24 Dec 2001 13:18:16 -0500
From: GuRU
To: ipfilter@coombs.anu.edu.au
Cc: freebsd-questions@freebsd.org
Subject: ipf/ipnat strangeness freebsd-current
Message-ID: <20011224131816.A20795@nubisci.net>
Mail-Followup-To: ipfilter@coombs.anu.edu.au, freebsd-questions@freebsd.org
References: <20011104171404.A25705@nubisci.net>
In-Reply-To: <20011104171816.A25705@nubisci.net>; from guru@nubisci.net on Sun, Nov 04, 2001 at 05:14:04PM -0500
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD 5.0-CURRENT i386
WWW-Home-Page: http://www.nubisci.net

Hello all :). This is a continuing problem I'm seeing on my firewall box, which runs FreeBSD -current.
ganja.nubisci.net:ipfilter# ipf -V
ipf: IP Filter: v3.4.20 (264)
Kernel: IP Filter: v3.4.20
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0

The contents of my ipf.rules:

# ipf.rules
# interface naming:
# fxp0 = internet, addr=198.109.166.215/32
# fxp1 = local private net, addr=192.168.0.1/24
#
pass in log on fxp0 all
pass out log on fxp0 all
pass in log on fxp1 all
pass out log on fxp1 all

The contents of my ipnat.rules:

map fxp0 192.168.0.1/24 -> 198.109.166.215/32 portmap tcp/udp 1025:65000
map fxp0 192.168.0.1/24 -> 198.109.166.215/32

The following was generated by running this command on the client machine (blunted), behind the firewall (ganja):

blunted.nubisci.net:guru% traceroute -S ftp.freebsd.org
traceroute to ftp.beastie.tdk.net (62.243.72.50), 64 hops max, 40 byte packets
 1  ganja (192.168.0.1)  0.584 ms  0.421 ms  0.414 ms (0% loss)
 2  198.109.166.193 (198.109.166.193)  3.820 ms  *  3.793 ms (33% loss)
 3  * com-rtr-ve61.net.msu.edu (35.12.51.1)  6.774 ms  * (66% loss)
 4  cc-rtr-ge15.net.msu.edu (35.9.101.13)  3.294 ms  *  6.656 ms (33% loss)
 5  * g3-0.msu4.mich.net (35.9.82.114)  3.542 ms  * (66% loss)
 6  198.108.23.129 (198.108.23.129)  8.600 ms  *  8.914 ms (33% loss)
 7  * 63-149-0-185.cust.qwest.net (63.149.0.185)  13.153 ms  * (66% loss)
 8  chi-core-01.inet.qwest.net (205.171.20.121)  13.097 ms  *  36.202 ms (33% loss)
 9  * jfk-core-02.inet.qwest.net (205.171.5.11)  35.924 ms  * (66% loss)
10  jfk-brdr-01.inet.qwest.net (205.171.30.18)  34.238 ms  *  32.919 ms (33% loss)
11  * nyk-bb1-pos3-0-0.telia.net (213.248.82.93)  36.484 ms  * (66% loss)
12  nyk-i1-pos1-0.telia.net (213.248.82.14)  38.008 ms  *  32.876 ms (33% loss)
13  * teledk-2.k.telia.net (213.248.82.114)  33.632 ms  * (66% loss)
14  pos3-0.622M.albnxg2.ip.tele.dk (195.249.2.233)  140.264 ms  *  140.361 ms (33% loss)
15  * pos6-0.2488M.albnxg1.ip.tele.dk (195.249.4.165)  142.779 ms  * (66% loss)
16  pos7-0.2488M.arcnxg1.ip.tele.dk (195.249.6.126)  183.184 ms  *  150.709 ms (33% loss)
17  * pos4-0.2488M.opanxg1.ip.tele.dk (195.249.2.162)  140.144 ms  * (66% loss)
18  ge2-2.1000M.d3.opa.tdk.net (193.163.158.169)  140.438 ms  *  147.625 ms (33% loss)
19  * vlan30.d6.opa.tdk.net (62.243.72.206)  140.845 ms  * (66% loss)
20  vlan30.d6.opa.tdk.net (62.243.72.206)  140.595 ms !X  *  140.899 ms !X (33% loss)

Running tcpdump on both the public and private interface yields:

fxp1 ==> private interface

ganja.nubisci.net:ipfilter# fgrep udp tcpdump-r.fxp1 | head -20
21:12:07.497662 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33435: udp 12 [ttl 1]
21:12:07.500150 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33436: udp 12 [ttl 1]
21:12:07.501165 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33437: udp 12 [ttl 1]
21:12:07.502815 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33438: udp 12
21:12:07.509313 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33439: udp 12
21:12:12.511339 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33440: udp 12
21:12:12.516048 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33441: udp 12
21:12:17.521119 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33442: udp 12
21:12:17.530678 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33443: udp 12
21:12:22.541760 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33444: udp 12
21:12:22.547954 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33445: udp 12
21:12:27.551830 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33446: udp 12
21:12:27.557562 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33447: udp 12
21:12:32.561690 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33448: udp 12
21:12:32.567822 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33449: udp 12
21:12:37.572378 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33450: udp 12
21:12:37.581144 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33451: udp 12
21:12:42.592764 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33452: udp 12
21:12:42.599665 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33453: udp 12
21:12:47.602439 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33454: udp 12

Every 5 seconds two packets come in. Now for the other side ...

fxp0 ==> public interface

ganja.nubisci.net:ipfilter# fgrep udp tcpdump-r.fxp0 | fgrep beastie | head -20
21:12:07.502934 nubisci.net.1165 > ftp.beastie.tdk.net.33438: udp 12 [ttl 1]
21:12:07.509326 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33439: udp 12 [ttl 1]
21:12:12.511472 nubisci.net.1166 > ftp.beastie.tdk.net.33440: udp 12 [ttl 1]
21:12:12.516059 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33441: udp 12
21:12:17.521257 nubisci.net.phone > ftp.beastie.tdk.net.33442: udp 12
21:12:17.530695 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33443: udp 12
21:12:22.541915 nubisci.net.1168 > ftp.beastie.tdk.net.33444: udp 12
21:12:22.547968 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33445: udp 12
21:12:27.551968 nubisci.net.1169 > ftp.beastie.tdk.net.33446: udp 12
21:12:27.557580 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33447: udp 12
21:12:32.561828 nubisci.net.1170 > ftp.beastie.tdk.net.33448: udp 12
21:12:32.567836 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33449: udp 12
21:12:37.572533 nubisci.net.1171 > ftp.beastie.tdk.net.33450: udp 12
21:12:37.581159 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33451: udp 12
21:12:42.592902 nubisci.net.1172 > ftp.beastie.tdk.net.33452: udp 12
21:12:42.599677 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33453: udp 12
21:12:47.602583 nubisci.net.1173 > ftp.beastie.tdk.net.33454: udp 12
21:12:47.619030 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33455: udp 12
21:12:52.623139 nubisci.net.1174 > ftp.beastie.tdk.net.33456: udp 12
21:12:52.642401 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33457: udp 12

The first three packets that were seen on the inside expire on the firewall. After that it appears that every other packet is NATed and the other one is passed unchanged :( (Thanks to Crist J. Clark for his analysis.)

Now I need to know if anyone has seen this behavior before. Either way, I need some assistance in finding out why this is happening. Any help would be appreciated. :)

--
"Comparing information and knowledge is like asking whether the fatness of a pig is more or less green than the designated hitter rule." -- David Guaspari
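The analysis in the post was done by eyeballing two tcpdump listings. The script below is an added example (not code from the post, the poster, or the IPFilter project) that does the same correlation mechanically: it parses the UDP summary lines tcpdump prints, follows each traceroute probe from the inside interface to the public one by its destination port (traceroute increments that port once per probe, so it is a usable key for a single run), and reports whether the probe expired on the box, left with the firewall's address as source, or left with the private source address unchanged. That last case is the security-relevant one: a packet with an RFC 1918 source on the public interface is a NAT failure whatever its cause. The inside host name, the firewall name and the sample capture lines are assumptions modelled on the post, not new data.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Matches the one-line UDP summaries tcpdump prints (the format in the post), e.g.
#   21:12:07.502934 nubisci.net.1165 > ftp.beastie.tdk.net.33438: udp 12 [ttl 1]
# The last dotted component of each endpoint is the port (a number, or an
# /etc/services name such as "phone"); everything before it is the host.
# The "[ttl N]" suffix is optional; tcpdump only prints it for low TTLs.
_UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>[^.\s]+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
    r"(?:.*?\[ttl\s+(?P<ttl>\d+)\])?"
)


@dataclass(frozen=True)
class UdpPacket:
    ts: str
    src: str
    sport: str
    dst: str
    dport: int
    length: int
    ttl: Optional[int]   # None when tcpdump printed no [ttl N] marker


def parse_udp(lines: Iterable[str]) -> List[UdpPacket]:
    """Parse tcpdump UDP summary lines; lines that are not one are skipped."""
    pkts = []
    for line in lines:
        m = _UDP_LINE.match(line.strip())
        if m:
            ttl = int(m["ttl"]) if m["ttl"] is not None else None
            pkts.append(UdpPacket(m["ts"], m["src"], m["sport"], m["dst"],
                                  int(m["dport"]), int(m["len"]), ttl))
    return pkts


def find_nat_leaks(public_lines: Iterable[str],
                   inside_hosts: Iterable[str]) -> List[UdpPacket]:
    """Packets on the public interface whose source is still an inside host.

    With a map rule covering that host, each of these left the firewall
    untranslated, so a private address is now visible on the Internet.
    """
    inside = set(inside_hosts)
    return [p for p in parse_udp(public_lines) if p.src in inside]


def classify_probes(inside_lines: Iterable[str], public_lines: Iterable[str],
                    inside_hosts: Iterable[str]) -> Dict[int, str]:
    """Follow each inside probe to the public side, keyed by UDP dst port.

    Verdicts: 'expired'    - TTL 1 on the inside and never seen outside
              'missing'    - not seen outside for some other reason
              'translated' - seen outside with a non-inside source
              'leaked'     - seen outside with the inside source unchanged
    """
    inside = set(inside_hosts)
    on_public = {p.dport: p for p in parse_udp(public_lines)}
    verdict: Dict[int, str] = {}
    for probe in parse_udp(inside_lines):
        if probe.src not in inside:
            continue
        seen = on_public.get(probe.dport)
        if seen is None:
            verdict[probe.dport] = "expired" if probe.ttl == 1 else "missing"
        elif seen.src in inside:
            verdict[probe.dport] = "leaked"
        else:
            verdict[probe.dport] = "translated"
    return verdict


# Assumed names (from the post's hostnames) and constructed sample captures
# modelled on its fxp1 (inside) and fxp0 (public) tcpdump output.
INSIDE_HOSTS = {"blunted.nubisci.net"}
INSIDE_CAPTURE = [
    "21:12:07.497662 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33435: udp 12 [ttl 1]",
    "21:12:07.500150 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33436: udp 12 [ttl 1]",
    "21:12:07.501165 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33437: udp 12 [ttl 1]",
    "21:12:07.502815 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33438: udp 12",
    "21:12:07.509313 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33439: udp 12",
    "21:12:12.511339 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33440: udp 12",
    "21:12:12.516048 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33441: udp 12",
    "21:12:17.521119 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33442: udp 12",
]
PUBLIC_CAPTURE = [
    "21:12:07.502934 nubisci.net.1165 > ftp.beastie.tdk.net.33438: udp 12 [ttl 1]",
    "21:12:07.509326 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33439: udp 12 [ttl 1]",
    "21:12:12.511472 nubisci.net.1166 > ftp.beastie.tdk.net.33440: udp 12 [ttl 1]",
    "21:12:12.516059 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33441: udp 12",
    "21:12:17.521257 nubisci.net.phone > ftp.beastie.tdk.net.33442: udp 12",
]

if __name__ == "__main__":
    for port, what in sorted(classify_probes(INSIDE_CAPTURE, PUBLIC_CAPTURE,
                                             INSIDE_HOSTS).items()):
        print(f"probe to udp/{port}: {what}")
    for p in find_nat_leaks(PUBLIC_CAPTURE, INSIDE_HOSTS):
        print(f"LEAK {p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

On the sample data the verdicts alternate translated/leaked from port 33438 on, which is exactly the pattern the post describes. Two caveats for real use: feed the script the raw `fgrep udp` output of both captures from the same run, since the port key repeats across runs, and remember that a probe marked 'missing' may have been dropped by a filter rule rather than lost, so check ipmon's log for it before blaming NAT.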