From: Jeremie Le Hen
To: freebsd-net@freebsd.org
Date: Tue, 6 Jul 2004 19:19:11 +0200
Subject: Weird ipf rdr rule behaviour
Message-ID: <20040706171911.GK4549@sitadelle.com>

Hi freebsd-net@,

I set up jailed DNS and SMTP servers on a box in my LAN, and I want to make them accessible from the Internet. Since my router uses FreeBSD 4.10 with IPFilter for firewalling and NATing, I simply added these two lines to my ipnat.rules:

    rdr tun0 0.0.0.0/0 port 53 -> 192.168.1.53 port 53 tcp/udp
    rdr tun0 0.0.0.0/0 port 25 -> 192.168.1.25 port 25 tcp

I encounter a very strange behaviour: while the redirection on port 53 works well, the one on port 25 doesn't; I tried setting "tcp/udp" instead of "tcp", but it does not change anything.

After a few tcpdump(8) runs, I understood that while the SYN packet was correctly rdr'ed (the destination IP address becomes 192.168.1.25 on the LAN wire), the SYN/ACK packet answered goes out to the Internet without having its source IP address changed (it still has a private source IP address), and the initiator of the connection obviously discards it. Very oddly, this does not happen with rdr on port 53.

Here are dumps on my public interface:

    yoda:log# tcpdump -vni tun0 'tcp port 25'
    tcpdump: listening on tun0
    18:46:03.888283 213.223.XXX.XXX.38609 > 212.180.XXX.XXX.25: SWE [tcp sum ok] 3067984472:3067984472(0) win 5840 (DF) [tos 0x10] (ttl 55, id 14183, len 60)
    18:46:03.950498 192.168.1.25.25 > 213.223.XXX.XXX.38609: S [tcp sum ok] 496647005:496647005(0) ack 3067984473 win 65535 (DF) (ttl 63, id 28213, len 60)

    yoda:log# tcpdump -vni tun0 'tcp port 53'
    tcpdump: listening on tun0
    18:47:29.303454 213.223.XXX.XXX.38613 > 212.180.XXX.XXX.53: SWE [tcp sum ok] 3149981312:3149981312(0) win 5840 (DF) [tos 0x10] (ttl 55, id 18461, len 60)
    18:47:29.351839 212.180.XXX.XXX.53 > 213.223.XXX.XXX.38613: S [tcp sum ok] 3077327056:3077327056(0) ack 3149981313 win 65535 (DF) (ttl 63, id 44544, len 60)
    18:47:29.425325 213.223.XXX.XXX.38613 > 212.180.XXX.XXX.53: . [tcp sum ok] ack 1 win 5840 (DF) [tos 0x10] (ttl 55, id 18462, len 52)

Here are the corresponding IPFilter logs:

    Jul 6 18:46:04 yoda ipmon[59]: 18:46:03.888426 tun0 @1:4 p 213.223.XXX.XXX,38609 -> 192.168.1.25,25 PR tcp len 20 60 -SEC K-S K-F IN
    Jul 6 18:47:29 yoda ipmon[59]: 18:47:29.303592 tun0 @1:2 p 213.223.XXX.XXX,38613 -> 192.168.1.53,53 PR tcp len 20 60 -SEC K-S K-F IN

I notice a difference between the two cases while watching the connection states using ipnat(8):

    List of active sessions:
    RDR 192.168.1.53 53 <- -> 212.180.XXX.XXX 53 [213.223.XXX.XXX 38656]
    RDR 192.168.1.25 25 <- -> 192.168.1.25 25 [213.223.XXX.XXX 38655]
    RDR 192.168.1.25 25 <- -> 212.180.XXX.XXX 25 [213.223.XXX.XXX 38655]

As you can see, there are two mappings for the rdr of port 25, which is clearly unusual.

Another difference I noticed is that there is an SMTP server bound to *:25 and a DNS server bound to 212.180.XXX.XXX:53 (no wildcard) on the router itself. But I tried disabling them, and it doesn't matter.

I would greatly appreciate it if someone could help me resolve this problem. I didn't supply all the information that may be relevant in this case, but I can give nearly whatever you might ask for.

Regards,
-- 
Jeremie LE HEN aka TtZ/TataZ
jeremie.le-hen@epita.fr
ttz@epita.fr
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
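As an added example (not part of the original post), a small Python script that parses tcpdump -vn and ipnat -l output shaped like the dumps above and flags the two symptoms the message describes: a reply leaving the public interface with an RFC 1918 source address, and one client endpoint holding two RDR sessions. The sample lines are constructed, with the XXX'd public addresses replaced by documentation-range placeholders.

```python
import ipaddress
import re

# RFC 1918 space: a source address in here must never leave the public interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump -vn TCP line: "<ts> <src>.<sport> > <dst>.<dport>: <flags> ..."
TCPDUMP_RE = re.compile(
    r"^\S+ (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: (?P<flags>\S+)")

# ipnat -l session line: "RDR <lan ip> <port> <- -> <public ip> <port> [<client ip> <port>]"
IPNAT_RE = re.compile(r"^RDR \S+ \d+ <- -> \S+ \d+ \[(?P<cip>\S+) (?P<cport>\d+)\]")

def untranslated_replies(tcpdump_lines):
    """(src, dst, flags) of packets on the public interface that still carry an RFC 1918 source."""
    leaks = []
    for line in tcpdump_lines:
        m = TCPDUMP_RE.match(line)
        if m and any(ipaddress.ip_address(m["src"]) in net for net in RFC1918):
            leaks.append((m["src"], m["dst"], m["flags"]))
    return leaks

def duplicate_rdr_mappings(ipnat_lines):
    """Client endpoints ("ip:port") that own more than one RDR session, i.e. the double mapping."""
    count = {}
    for line in ipnat_lines:
        m = IPNAT_RE.match(line)
        if m:
            key = f"{m['cip']}:{m['cport']}"
            count[key] = count.get(key, 0) + 1
    return sorted(k for k, n in count.items() if n > 1)

# Constructed sample input shaped like the dumps in the message; the real public addresses
# are replaced by documentation ranges (203.0.113.7 = remote client, 198.51.100.9 = router tun0).
SAMPLE_TCPDUMP = [
    "18:46:03.888283 203.0.113.7.38609 > 198.51.100.9.25: SWE [tcp sum ok] 3067984472:3067984472(0) win 5840 (DF)",
    "18:46:03.950498 192.168.1.25.25 > 203.0.113.7.38609: S [tcp sum ok] 496647005:496647005(0) ack 3067984473 win 65535 (DF)",
    "18:47:29.303454 203.0.113.7.38613 > 198.51.100.9.53: SWE [tcp sum ok] 3149981312:3149981312(0) win 5840 (DF)",
    "18:47:29.351839 198.51.100.9.53 > 203.0.113.7.38613: S [tcp sum ok] 3077327056:3077327056(0) ack 3149981313 win 65535 (DF)",
]
SAMPLE_IPNAT = [
    "List of active sessions:",
    "RDR 192.168.1.53 53 <- -> 198.51.100.9 53 [203.0.113.7 38656]",
    "RDR 192.168.1.25 25 <- -> 192.168.1.25 25 [203.0.113.7 38655]",
    "RDR 192.168.1.25 25 <- -> 198.51.100.9 25 [203.0.113.7 38655]",
]

if __name__ == "__main__":
    print("untranslated replies:", untranslated_replies(SAMPLE_TCPDUMP))
    print("doubly mapped clients:", duplicate_rdr_mappings(SAMPLE_IPNAT))
```

On the sample, only the port 25 SYN/ACK is reported as a leak and only the port 25 client endpoint is reported as doubly mapped, matching the two anomalies in the message.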