From: Paul Thornton <prt@prt.org>
To: freebsd-net@freebsd.org
Date: Mon, 16 Feb 2009 12:23:17 +0000
Subject: ipfw problems using divert and fwd at the same time with 6.3-release
List-Id: Networking and TCP/IP with FreeBSD
Message-ID: <49995AB5.50200@prt.org>

Hi folks,

I'm having trouble using NAT and forward in the same ipfw ruleset. It appears that the forward "wins" over the NAT regardless of ordering in the ipfw ruleset. I'm hoping that I'm missing something obvious; but is there a way to use these two together?

Some background - I'm testing in the lab a potential setup to provide limited network access to a few subnets in 10.X address space, but if you aren't going to an "approved" address then you get forwarded to a web page running on port 8000 on the same box.

This box is running 6.3-RELEASE-p9 and has two em interfaces. In this setup, 10.81.0.0/16 are my subnets.
They are presented to the machine as a bunch of VLANs physically on em1, one /24 subnet per VLAN. The machine also does DHCP and DNS for each of these VLANs, and is the default gateway. em0 is the external IP address for the machine, currently 192.91.199.5

The machine has no problem accessing the 'net. If I remove the "clever" divert rules and the fwd rule, and make it a vanilla NAT setup, the client has no problem accessing the 'net.

In this setup, I expect to be able to browse to www.prt.org (on 217.65.161.4) and that a machine in the 10.81.129.0/24 subnet has unrestricted NATted access to the 'net. Any other attempt at browsing should hit the forward and display the "no access" page from the server on the gateway machine.

Using the following ruleset:

> [root@xrg1 /var/tmp]# ipfw show
> 00010 0 0 allow ip from any to any via lo0
> 00020 0 0 deny ip from any to 127.0.0.1
> 00022 0 0 deny ip from 127.0.0.1 to any
> 00050 0 0 allow udp from any 67-68 to 255.255.255.255 dst-port 67-68
> 00052 0 0 allow udp from 10.81.0.0/16 67-68 to me dst-port 67-68
> 00054 0 0 allow udp from me 67-68 to 10.81.0.0/16 dst-port 67-68
> 00056 0 0 allow udp from 10.81.0.0/16 to me dst-port 53
> 00058 0 0 allow udp from me 53 to 10.81.0.0/16
> 00060 0 0 allow icmp from 10.81.0.0/16 to me
> 00062 0 0 allow icmp from me to 10.81.0.0/16
> 00100 0 0 allow ip from 192.91.199.5 to any
> 02000 0 0 divert 8668 ip from 10.81.0.0/16 to 217.65.161.4 dst-port 80 via em0
> 05000 0 0 divert 8668 ip from 10.81.129.0/24 to any via em0
> 06000 0 0 divert 8668 ip from any to me via em0
> 08000 0 0 fwd 127.0.0.1,8000 tcp from 10.81.0.0/16 to any dst-port 80
> 32000 0 0 allow ip from any to any

If I browse "www.prt.org" on the client machine (10.81.2.246) I hit the fwd rule and I get my "Sorry you can't view this" webpage from the local server, and neither of the NAT rules are hit.
(DNS on the client correctly resolves to 217.65.161.4):

> [root@xrg1 /var/tmp]# ipfw show
> 00010 0 0 allow ip from any to any via lo0
> 00020 0 0 deny ip from any to 127.0.0.1
> 00022 0 0 deny ip from 127.0.0.1 to any
> 00050 0 0 allow udp from any 67-68 to 255.255.255.255 dst-port 67-68
> 00052 0 0 allow udp from 10.81.0.0/16 67-68 to me dst-port 67-68
> 00054 0 0 allow udp from me 67-68 to 10.81.0.0/16 dst-port 67-68
> 00056 2 119 allow udp from 10.81.0.0/16 to me dst-port 53
> 00058 2 356 allow udp from me 53 to 10.81.0.0/16
> 00060 0 0 allow icmp from 10.81.0.0/16 to me
> 00062 0 0 allow icmp from me to 10.81.0.0/16
> 00100 3 214 allow ip from 192.91.199.5 to any
> 02000 0 0 divert 8668 ip from 10.81.0.0/16 to 217.65.161.4 dst-port 80 via em0
> 05000 0 0 divert 8668 ip from 10.81.129.0/24 to any via em0
> 06000 3 601 divert 8668 ip from any to me via em0
> 08000 43 4796 fwd 127.0.0.1,8000 tcp from 10.81.0.0/16 to any dst-port 80
> 32000 58 55935 allow ip from any to any

If I remove rule 8000, then I can browse to www.prt.org as expected, and I hit the divert rules:

> 00010 0 0 allow ip from any to any via lo0
> 00020 0 0 deny ip from any to 127.0.0.1
> 00022 0 0 deny ip from 127.0.0.1 to any
> 00050 0 0 allow udp from any 67-68 to 255.255.255.255 dst-port 67-68
> 00052 0 0 allow udp from 10.81.0.0/16 67-68 to me dst-port 67-68
> 00054 0 0 allow udp from me 67-68 to 10.81.0.0/16 dst-port 67-68
> 00056 7 460 allow udp from 10.81.0.0/16 to me dst-port 53
> 00058 7 1247 allow udp from me 53 to 10.81.0.0/16
> 00060 0 0 allow icmp from 10.81.0.0/16 to me
> 00062 0 0 allow icmp from me to 10.81.0.0/16
> 00100 45 3375 allow ip from 192.91.199.5 to any
> 02000 38 5096 divert 8668 ip from 10.81.0.0/16 to 217.65.161.4 dst-port 80 via em0
> 05000 0 0 divert 8668 ip from 10.81.129.0/24 to any via em0
> 06000 75 37498 divert 8668 ip from any to me via em0
> 32000 273 142906 allow ip from any to any

The natd config is trivial - I'm just launching it with:

natd -port 8668 -same_ports -verbose interface em0

Does anyone have any ideas? I've spent the whole weekend trying various things (like extra permits of the "special" traffic before the fwd line) but it makes no difference - the fwd still wins over everything.

Many thanks,

Paul.
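As an added illustration (not code from the post or from FreeBSD), the following Python model walks a routed packet through ipfw the way the kernel does, once inbound on the interface it arrived on and once outbound on the interface it leaves by, using only the rules from the ruleset above that can match a client's HTTP flow to 217.65.161.4. It makes visible how `via em0` on the divert rules and the absence of any interface qualifier on rule 8000 decide which rule fires first on each pass. The VLAN interface name `vlan2` is an assumption; the post only says the subnets are VLANs on em1.

```python
from ipaddress import ip_address, ip_network

# Added illustration, not code from the post or from FreeBSD. Only the
# keywords this ruleset uses are modelled: source/destination networks,
# dst-port, "via <iface>" and the terminating actions. Rules 10-100 and 6000
# are omitted because none of them can match a client HTTP flow to
# 217.65.161.4. The VLAN interface name "vlan2" is an assumption.
RULES = [  # (number, action, src, dst, dst_port, via)
    (2000, "divert 8668", "10.81.0.0/16", "217.65.161.4/32", 80, "em0"),
    (5000, "divert 8668", "10.81.129.0/24", "0.0.0.0/0", None, "em0"),
    (8000, "fwd 127.0.0.1,8000", "10.81.0.0/16", "0.0.0.0/0", 80, None),
    (32000, "allow", "0.0.0.0/0", "0.0.0.0/0", None, None),
]

def matches(rule, pkt, iface):
    """True if the packet, seen on interface `iface`, matches the rule."""
    _, _, src, dst, dport, via = rule
    return (ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and (dport is None or pkt["dport"] == dport)
            and (via is None or via == iface))

def first_match(rules, pkt, iface):
    """Return (number, action) of the first matching rule, as ipfw does."""
    for rule in rules:
        if matches(rule, pkt, iface):
            return rule[0], rule[1]
    raise LookupError("no rule matched; ipfw's default rule would apply")

def forward_path(rules, pkt, in_iface, out_iface):
    """A routed packet passes ipfw twice: inbound on in_iface, then outbound
    on out_iface. fwd and deny stop it before the outbound pass; allow and
    divert (modelled as natd reinjecting the packet) let it continue."""
    path = []
    num, action = first_match(rules, pkt, in_iface)
    path.append(("in", in_iface, num, action))
    if action.startswith(("fwd", "deny")):
        return path
    num, action = first_match(rules, pkt, out_iface)
    path.append(("out", out_iface, num, action))
    return path

# Constructed sample: the client from the post browsing www.prt.org.
CLIENT_TO_PRT = {"src": "10.81.2.246", "dst": "217.65.161.4", "dport": 80}
WITHOUT_FWD = [r for r in RULES if r[0] != 8000]

if __name__ == "__main__":
    print(forward_path(RULES, CLIENT_TO_PRT, "vlan2", "em0"))
    print(forward_path(WITHOUT_FWD, CLIENT_TO_PRT, "vlan2", "em0"))
```

With rule 8000 present the inbound pass on the VLAN interface already terminates at the fwd rule, so the packet never reaches the outbound pass on em0 where the divert rules live; without it the inbound pass falls through to 32000 and the outbound pass hits 2000, matching the counters in the post.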