Date:      Sat, 10 Nov 2001 21:41:47 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: problems with clients behind ipf/ipnat firewall
Message-ID:  <20011110214147.C69195@blossom.cjclark.org>
In-Reply-To: <20011110105933.A74294@nubisci.net>; from guru@nubisci.net on Sat, Nov 10, 2001 at 10:59:33AM -0500
References:  <20011107132853.B7624@nubisci.net> <20011107231359.J301@blossom.cjclark.org> <20011109133729.A21217@nubisci.net> <20011110005436.G51003@blossom.cjclark.org> <20011110105933.A74294@nubisci.net>

OK, there is some weirdness going on here. Let's look at the
traceroute UDP packets hitting the inner interface,

  $ fgrep udp tcpdump.fxp1
  08:33:20.856394 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33435:  udp 12 [ttl 1]
  08:33:20.857533 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33436:  udp 12 [ttl 1]
  08:33:20.858461 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33437:  udp 12 [ttl 1]
  08:33:20.859840 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33438:  udp 12
  08:33:20.863953 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33439:  udp 12
  08:33:25.870160 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33440:  udp 12
  08:33:25.877853 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33441:  udp 12
  08:33:30.889018 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33442:  udp 12
  08:33:30.896902 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33443:  udp 12
  08:33:35.910771 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33444:  udp 12
  08:33:35.914579 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33445:  udp 12
  08:33:40.919260 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33446:  udp 12
  08:33:40.923175 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33447:  udp 12
  08:33:45.929393 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33448:  udp 12
  08:33:45.932661 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33449:  udp 12

Every five seconds, two packets come in, notice the incrementing
destination ports. Now look at what comes out the other side,

  $ fgrep udp tcpdump.fxp0
  08:33:20.859958 ganja.nubisci.net.1087 > ftp.beastie.tdk.net.33438:  udp 12 [ttl 1]
  08:33:20.863965 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33439:  udp 12 [ttl 1]
  08:33:25.870367 ganja.nubisci.net.1088 > ftp.beastie.tdk.net.33440:  udp 12 [ttl 1]
  08:33:25.877870 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33441:  udp 12
  08:33:30.889202 ganja.nubisci.net.1089 > ftp.beastie.tdk.net.33442:  udp 12
  08:33:30.896920 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33443:  udp 12
  08:33:35.910981 ganja.nubisci.net.1090 > ftp.beastie.tdk.net.33444:  udp 12
  08:33:35.914597 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33445:  udp 12
  08:33:40.919459 ganja.nubisci.net.1091 > ftp.beastie.tdk.net.33446:  udp 12
  08:33:40.923196 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33447:  udp 12
  08:33:45.929593 ganja.nubisci.net.1092 > ftp.beastie.tdk.net.33448:  udp 12
  08:33:45.932678 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33449:  udp 12

The first three packets that we saw on the inside are not seen, since
they expired on your firewall. As for what we see after
that... weird. Every other packet is being NATed and the other being
passed unchanged. Note the incrementing destination port. The ones
being NATed are coming from 'kaleidoscope' as the other ones obviously
are.

If we look for the returning ICMP, we see that all of the properly
NATed packets get the ICMP 11:0 packets we expect, and the reason for
the loss is that the ICMP responses for the unNATed packets will never
find their way back to your gateway. This "every-other-NAT" thing is
definitely causing your troubles...

Now why or even _how_ this could be happening... I've never seen this
with ipf/ipnat.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
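
Added example, not part of the message above: a short Python script that automates the comparison done by hand in this reply, parsing tcpdump UDP lines from the inner and outer interfaces, matching traceroute probes by destination port, and flagging any probe that crossed the outer interface with its internal source address unchanged. It assumes the capture lines use the tcpdump format quoted in the thread and that `ganja.nubisci.net` is the gateway's outer name.

```python
# Added example, not code from the original message: correlate the traceroute
# probes on the inner (fxp1) and outer (fxp0) NAT interfaces of the gateway.
import re

# One tcpdump UDP summary line, as printed in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+udp (?P<len>\d+)(?: \[ttl (?P<ttl>\d+)\])?$"
)

def parse_udp(capture):
    """Map destination port (unique per traceroute probe) -> (src host, src port)."""
    probes = {}
    for line in capture.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            probes[int(m["dport"])] = (m["src"], int(m["sport"]))
    return probes

def classify(inner_capture, outer_capture, gateway):
    """Label each inner probe 'expired' (never left), 'nat', or 'leaked'."""
    inner, outer = parse_udp(inner_capture), parse_udp(outer_capture)
    verdict = {}
    for dport in sorted(inner):
        if dport not in outer:
            verdict[dport] = "expired"   # TTL ran out on the firewall itself
        elif outer[dport][0] == gateway:
            verdict[dport] = "nat"       # rewritten to the gateway's address/port
        else:
            verdict[dport] = "leaked"    # passed unchanged: replies cannot route back
    return verdict

# Excerpt of the captures quoted above (tcpdump.fxp1 / tcpdump.fxp0).
INNER = """\
08:33:20.856394 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33435:  udp 12 [ttl 1]
08:33:20.859840 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33438:  udp 12
08:33:20.863953 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33439:  udp 12
08:33:25.870160 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33440:  udp 12
08:33:25.877853 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33441:  udp 12
"""
OUTER = """\
08:33:20.859958 ganja.nubisci.net.1087 > ftp.beastie.tdk.net.33438:  udp 12 [ttl 1]
08:33:20.863965 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33439:  udp 12 [ttl 1]
08:33:25.870367 ganja.nubisci.net.1088 > ftp.beastie.tdk.net.33440:  udp 12 [ttl 1]
08:33:25.877870 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33441:  udp 12
"""

if __name__ == "__main__":
    for port, label in classify(INNER, OUTER, "ganja.nubisci.net").items():
        print(port, label)
```

Run it against full `tcpdump -n`-style captures from both interfaces; any `leaked` verdict is a probe whose private source address escaped the NAT.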
