Date: Tue, 2 Aug 2005 11:43:22 +0200 From: guru@Sisis.de (Matthias Apitz) To: freebsd-questions@freebsd.org Subject: IPFILTER && NAT for UDP Message-ID: <20050802094322.GA4062@revolucion.Sisis.de>
Hi,

I have the following problem (or perhaps some misunderstanding) with IPFILTER and NAT for NTP in FreeBSD 6.0-BETA1.

The NAT rule is:

    map em1 xxx.xxx.xxx.32/27 -> A.B.C.D/32

and the IPF rule is:

    pass out log first quick on em1 proto udp from any to any port = 123 keep state

If now some host of the xxx.xxx.xxx.32/27 network asks for NTP with

    /usr/sbin/ntpdate -v NTP-SERVER-ADDR

it works fine; the UDP pkg goes out, UDP comes back, and 'ipnat -l' shows the entry in the NAT table on the firewall like this:

    # ipnat -l | fgrep 123
    MAP xxx.xxx.xxx.xxx 123 <- -> A.B.C.D 123 [NTP-SERVER-ADDR 123]

The problem is now: if I'm using the same 'ntpdate' query while sitting on the firewall A.B.C.D itself, the UDP goes out as well, but of course without passing through NAT, and the UDP pkg which is coming back from the same NTP-SERVER-ADDR finds the tuple in the NAT table:

    A.B.C.D 123 [NTP-SERVER-ADDR 123]

and is trying to deliver it via NAT to xxx.xxx.xxx.xxx, but of course the state in IPFILTER is invalid, which lets ipf block the pkg, saying:

    10:22:16.895810 em1 @0:30 b NTP-SERVER-ADDR,123 -> xxx.xxx.xxx.xxx,123 PR udp len 20 76 IN NAT

What can I do? And it seems that the (first) entry in the NAT table is sitting there for 10 minutes, why?

Thx

	matthias
-- 
Matthias Apitz / Sisis Informationssysteme GmbH
Gruenwalder Weg 28g / D-82041 Oberhaching
Fon: ++49 89 / 61308-351, Fax: -399, Mobile ++49 170 4527211
http://www.sisis.de/~guru/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050802094322.GA4062>
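The collision the poster describes is a 4-tuple clash: the inside host's ntpdate sends from source port 123, the map rule rewrites that to A.B.C.D:123 -> NTP-SERVER-ADDR:123, and ntpdate run on the firewall itself uses exactly the same A.B.C.D:123 -> NTP-SERVER-ADDR:123 tuple, so the reply for the firewall matches the still-live NAT entry and is reverse-mapped to the inside host. The model below is an added example, not code from the mail or from IPFilter. It assumes IPFilter's documented order of operations (outbound: filter then NAT; inbound: NAT then filter), substitutes RFC 5737 addresses for the placeholders in the mail, and treats the UDP keep-state lifetime (120 s) and the NAT entry lifetime (600 s, the roughly 10 minutes the poster observed) as assumptions.

```python
"""Toy model of the ipnat/ipf interaction described in the mail above.

Added example, not the poster's code. Addresses stand in for the mail's
placeholders; STATE_TTL and NAT_TTL are assumptions, not measured values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.0.0.32/27")   # stands in for xxx.xxx.xxx.32/27
INSIDE_HOST = "10.0.0.33"                 # stands in for xxx.xxx.xxx.xxx
FW = "192.0.2.1"                          # stands in for A.B.C.D (em1)
NTP = "198.51.100.123"                    # stands in for NTP-SERVER-ADDR
STATE_TTL = 120                           # assumed ipf UDP keep-state lifetime (s)
NAT_TTL = 600                             # assumed NAT entry lifetime (s)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        # Direction-independent flow key, like an ipf state entry.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


class Firewall:
    def __init__(self):
        # (nat_ip, nat_port, remote_ip, remote_port) -> (orig_ip, orig_port, expiry)
        self.nat = {}
        # Pkt.key() -> expiry
        self.state = {}
        self.log = []

    def out(self, p, now):
        """Packet leaving em1: 'pass out ... keep state' records the pre-NAT
        flow, then 'map' rewrites sources inside INSIDE_NET to FW."""
        self.state[p.key()] = now + STATE_TTL
        if ip_address(p.src) in INSIDE_NET:
            self.nat[(FW, p.sport, p.dst, p.dport)] = (p.src, p.sport, now + NAT_TTL)
            return Pkt(FW, p.sport, p.dst, p.dport)
        return p  # firewall-originated traffic never goes through NAT

    def inbound(self, p, now):
        """Packet arriving on em1: a live NAT entry matching the 4-tuple is
        applied first; the (possibly rewritten) packet is then checked
        against the state table."""
        entry = self.nat.get((p.dst, p.dport, p.src, p.sport))
        natted = False
        if entry and entry[2] > now:
            p = Pkt(p.src, p.sport, entry[0], entry[1])
            natted = True
        exp = self.state.get(p.key())
        verdict = "pass" if exp and exp > now else "block"
        self.log.append(
            f"em1 {verdict[0]} {p.src},{p.sport} -> {p.dst},{p.dport} PR udp IN"
            + (" NAT" if natted else "")
        )
        return verdict, p


def run(fw_sport):
    """Inside host syncs at t=0. At t=300 its ipf state has expired but its
    NAT entry is still live; the firewall then runs ntpdate from FW:fw_sport.
    Returns (verdict, delivered destination, log line) for the reply."""
    fw = Firewall()
    q = fw.out(Pkt(INSIDE_HOST, 123, NTP, 123), now=0)
    fw.inbound(Pkt(NTP, 123, q.src, q.sport), now=1)      # normal case: passes
    fw.out(Pkt(FW, fw_sport, NTP, 123), now=300)           # firewall's own query
    verdict, delivered = fw.inbound(Pkt(NTP, 123, FW, fw_sport), now=301)
    return verdict, delivered.dst, fw.log[-1]


if __name__ == "__main__":
    # Source port 123 collides with the NAT entry; an unprivileged port does not.
    for sport in (123, 50123):
        print(sport, run(sport))
```

With source port 123 the reply is rewritten to the inside host, finds no live state and is blocked with an "IN NAT" log line of the same shape as the one in the mail; with an ephemeral source port there is no matching NAT entry and the reply reaches the firewall. Two real knobs remove the clash: run the firewall-local query as `ntpdate -u`, which makes ntpdate send from an unprivileged port, or add `portmap udp 10000:20000` to the ipnat map rule so translated inside traffic never occupies port 123 on A.B.C.D.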