From: Static <static@ninja-assassin.com>
To: questions@freebsd.org
Date: Mon, 10 Mar 2003 05:34:58 -0800 (PST)
Subject: Weird ipnat behaviour
Message-ID: <20030310052652.B73521@inton.Ninja-assassin.com>

Hello List,

I just recently did a buildworld on my gateway machine and now ipnat appears to not want to cooperate. I'm trying to nat port 80 from my outside interface into an apache server on my network.
PITA# uname -a
FreeBSD PITA.ninja-assassin.com 4.7-STABLE FreeBSD 4.7-STABLE #2: Thu Jan 30 09:54:50 CST 2003 root@PITA.ninja-assassin.com:/usr/src/sys/compile/FIREWALL i386

For the sake of testing this is my 1st ipf rule in /etc/ipf.rules:

pass in log quick on tun0 proto tcp from any to any port = 80

Here is my /etc/ipnat.rules file:

map tun0 192.168.1.0/24 -> 0.0.0.0/32
map tun0 0/0 -> 192.168.1.0/24 proxy port ftp ftp/tcp
rdr tun0 0/0 port 80 -> 192.168.1.20 port 80 tcp

Here is what I'm currently seeing in my firewall from the "log" option in the above ipf rule:

Mar 10 07:28:44 PITA ipmon[60]: 07:28:44.038335 tun0 @0:1 p $WORK_HOSTNAME[$WORK_IP],61250 -> $MY_HOSTNAME[$MY_IP],http PR tcp len 20 60 -S 4134496816 0 32120 IN

I believe that this is an ipnat issue. The p right before $WORK_HOSTNAME should signify that this rule is passed (IIRC, and as it should be).

What strikes me as weird is when I run ipnat -l I receive:

PITA# ipnat -l
List of active MAP/Redirect filters:
map tun0 192.168.1.0/0 -> 0.0.0.0/32
map tun0 0.0.0.0/0 -> 192.168.1.0/24 proxy port 21 ftp/ip
rdr tun0 0.0.0.0/0 port 0- 16 -> 192.168.1.20 port 80 tcp

List of active sessions:

The last line strikes me as weird, particularly the "port 0- 16" section of this. This worked fine before I ran makeworld with the latest batch of ipf/ipnat code that came down the pipe the other week.

Here is the script I'm using to flush and reload my ruleset:

PITA# cat /root/ipf
/sbin/ipf -Fa -f /etc/ipf.rules && /sbin/ipnat -CF -f /etc/ipnat.rules

Any suggestions would be appreciated.

Static
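An added sanity check, not part of the original post: the script below parses an rdr rule as written in ipnat.rules and the same rule as echoed back by ipnat -l, and reports the fields where the loaded rule differs from the intended one, so a mangled port range like the "port 0- 16" above is caught at reload time instead of after traffic goes missing. The two sample lines are copied from the post; the regex is an assumption and covers only rdr rules of this shape.

```python
import re

# Constructed sample input, taken from the post: the rdr rule as configured
# and the same rule as reported back by "ipnat -l" after reloading.
CONFIG = "rdr tun0 0/0 port 80 -> 192.168.1.20 port 80 tcp"
LOADED = "rdr tun0 0.0.0.0/0 port 0- 16 -> 192.168.1.20 port 80 tcp"

# Assumed rdr syntax: rdr <if> <src-net> port <lo>[-<hi>] -> <dst> port <dport> <proto>
RDR_RE = re.compile(
    r"rdr\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+port\s+(?P<lo>\d+)(?:\s*-\s*(?P<hi>\d+))?"
    r"\s+->\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)\s+(?P<proto>\S+)"
)


def normalize_net(net):
    """'0/0' and '0.0.0.0/0' name the same network; expand the shorthand so they compare equal."""
    addr, _, bits = net.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + "/" + (bits or "32")


def parse_rdr(line):
    """Parse one rdr line into comparable fields; return None if it is not an rdr rule."""
    m = RDR_RE.search(line)
    if not m:
        return None
    lo = int(m["lo"])
    hi = int(m["hi"]) if m["hi"] else lo  # a single port is the range lo..lo
    return {
        "ifname": m["ifname"],
        "src": normalize_net(m["src"]),
        "ports": (lo, hi),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def compare_rdr(config_line, loaded_line):
    """Return the names of fields where the kernel's loaded rule differs from the configured one."""
    want, got = parse_rdr(config_line), parse_rdr(loaded_line)
    if want is None or got is None:
        return ["unparseable"]
    return [k for k in want if want[k] != got[k]]


if __name__ == "__main__":
    diff = compare_rdr(CONFIG, LOADED)
    print("loaded rdr rule differs in:", diff if diff else "nothing")
```

In practice the two inputs would be the rdr lines from /etc/ipnat.rules and from the output of ipnat -l after the reload script runs; any non-empty result means the kernel is not enforcing the rule you wrote.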