From: 62mkv <62mkv@mail.ru>
Date: Thu, 5 May 2011 15:06:03 +0700
To: freebsd-ipfw@freebsd.org
Subject: bug in IPFW+NATD+keep-state (FreeBSD 8.2, GENERIC) ?
Message-ID: <1188133221.20110505150603@mail.ru>
List-Id: IPFW Technical Discussions

Hello Freebsd-ipfw,

I was already asking a question on this mailing list a couple of days ago. As nobody answered, I went on and discovered a very strange thing, which definitely is not normal.

In short: I am using IPFW+NATD, essentially in the same way as is written in the Handbook (NAT + stateful rules, example 1).

Everything (for simplicity I test only with ICMP packets) works OK if I use stateless syntax. BUT as soon as I add a "keep-state" option to the "skipto $nat" rule, NATD stops aliasing!!! It just pushes packets "as is" onto the global interface with an unregistered source IP!!! This is so unexpected and goes contrary to the Handbook that I decided to post it here.

General setup: rl0 - external (WAN) interface, fxp0 - LAN (unregistered) interface. I want to make it possible for a single station on the LAN (192.168.0.2) to ping global WAN addresses and, of course, get replies. For this I use IPFW and NATD.

IPFW setup 0 (stateless):

ipfw show:

00001 11 660 divert 1000 ip from any to any in via rl0
00002 0 0 check-state
00005 0 0 allow ip from any to me via fxp0
00006 0 0 allow ip from me to any via fxp0
00010 0 0 allow ip from any to any via lo0
00011 15 900 allow icmp from 192.168.0.2 to any in via fxp0
00012 15 900 skipto 20 icmp from 192.168.0.2 to any out via rl0
00013 0 0 allow ip from any to me via fxp0
00016 11 660 deny log logamount 5 icmp from any to any
00019 49 5670 deny ip from any to any
00020 15 900 divert 1000 ip from any to any via rl0
00040 11 660 allow ip from any to any
65535 0 0 deny ip from any to any

natd.log (I had to type it in manually, because with ">" or "| tee" redirections I cannot get the logs of natd (probably when I terminate it with Ctrl-C, it loses its buffered output) - is there a workaround for this?):

Out {default}[ICMP] [ICMP] 192.168.0.2 -> 81.201.246.17 8(0) aliased to [ICMP] 81.201.146.94 -> 81.201.246.17 8(0)
In {default}[ICMP] [ICMP] 81.201.246.17 -> 81.201.246.94 0(0) aliased to [ICMP] 81.201.246.17 -> 192.168.0.2 0(0)
...

natd is run as follows:

natd -p -1000 -v -n rl0

tcpdump on rl0:

13:54:11.419747 IP 81.201.246.94 > 81.201.246.17: ICMP echo request, id 512, seq 46601, length 40
13:54:11.420345 IP 81.201.246.17 > 81.201.246.94: ICMP echo reply, id 512, seq 46601, length 40
13:54:16.919819 IP 81.201.246.94 > 81.201.246.17: ICMP echo request, id 512, seq 46857, length 40
13:54:16.920352 IP 81.201.246.17 > 81.201.246.94: ICMP echo reply, id 512, seq 46857, length 40

So, all works fine (except that "replies" are dropped by IPFW because as such they're forbidden, and the IPFW ruleset is still stateless).

Now IPFW setup 1 (= setup 0 + only one keep-state on skipto rule #12):

ipfw -d show:

00001 1 60 divert 1000 ip from any to any in via rl0
00002 0 0 check-state
00005 0 0 allow ip from any to me via fxp0
00006 0 0 allow ip from me to any via fxp0
00010 0 0 allow ip from any to any via lo0
00011 15 900 allow icmp from 192.168.0.2 to any in via fxp0
00012 19 1140 skipto 20 icmp from 192.168.0.2 to any out via rl0 keep-state
00016 0 0 deny log logamount 5 icmp from any to any
00019 45 4845 deny ip from any to any
00020 17 1020 divert 1000 ip from any to any via rl0
00040 10 600 allow ip from any to any
65535 1 78 deny ip from any to any
## Dynamic rules (1):
00012 0 0 (1s) STATE icmp 192.168.0.2 0 <-> 81.201.246.17 0

natd.log:

Out {default}[ICMP] [ICMP] 192.168.0.2 -> 81.201.246.17 8(0) aliased to [ICMP] 192.168.0.2 -> 81.201.246.17 8(0)
Out {default}[ICMP] [ICMP] 192.168.0.2 -> 81.201.246.17 8(0) aliased to [ICMP] 192.168.0.2 -> 81.201.246.17 8(0)

tcpdump on rl0:

17:54:13.711016 IP 192.168.0.2 > 81.201.246.17: ICMP echo request, id 512, seq 50443, length 40
17:54:19.211081 IP 192.168.0.2 > 81.201.246.17: ICMP echo request, id 512, seq 50699, length 40
17:54:24.711198 IP 192.168.0.2 > 81.201.246.17: ICMP echo request, id 512, seq 50955, length 40

So, what would it all mean, and what am I doing wrong?

--
Best wishes,
62mkv
mailto: 62mkv@mail.ru
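An added check (not part of the original post) for the symptom it describes: it scans saved natd -v output for outbound packets whose source address was not rewritten, or is still an RFC 1918 address, after aliasing, which is exactly what would push an unregistered LAN address onto the WAN interface. It assumes the natd -v output has been saved to a file or is piped on stdin; the sample lines are constructed in the format the post shows.

```shell
#!/bin/sh
# Added example, not natd's or the post author's code.
# Flag natd -v "Out" lines that left the NAT with an untranslated source.

# Print every "Out" line whose original source address survives aliasing
# unchanged, or whose aliased source is still a private address.
# Reads from the files given as arguments, or from stdin when none are given.
natd_unaliased_out() {
    awk '
        # fields: 1=Out 4=orig_src 6=orig_dst 8=aliased 11=aliased_src 13=aliased_dst
        $1 == "Out" && $8 == "aliased" {
            private = ($11 ~ /^10\./ || $11 ~ /^192\.168\./ ||
                       $11 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
            if ($4 == $11 || private) print
        }' "$@"
}

# Constructed sample in the format natd -v prints (addresses from the post):
# line 1 is a correct translation, line 2 is the reported symptom,
# line 3 is an inbound packet and is ignored by the check.
SAMPLE_LOG='Out {default}[ICMP] [ICMP] 192.168.0.2 -> 81.201.246.17 8(0) aliased to [ICMP] 81.201.246.94 -> 81.201.246.17 8(0)
Out {default}[ICMP] [ICMP] 192.168.0.2 -> 81.201.246.17 8(0) aliased to [ICMP] 192.168.0.2 -> 81.201.246.17 8(0)
In {default}[ICMP] [ICMP] 81.201.246.17 -> 81.201.246.94 0(0) aliased to [ICMP] 81.201.246.17 -> 192.168.0.2 0(0)'

# Number of offending outbound lines in the constructed sample (returns 1).
count_sample_leaks() {
    printf '%s\n' "$SAMPLE_LOG" | natd_unaliased_out | wc -l | tr -d ' '
}

# Exit status 0 only when no outbound packet escaped untranslated; suitable
# for running over a saved natd -v transcript (path is the caller's choice).
check_log() {
    n=$(natd_unaliased_out "$@" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}
```

A hit from this check, together with a tcpdump on the WAN interface showing the private source as in the post, confirms that the packet reached natd but was not rewritten, rather than having bypassed the divert rule altogether.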