From: guru@Sisis.de (Matthias Apitz)
Date: Tue, 2 Aug 2005 11:43:22 +0200
To: freebsd-questions@freebsd.org
Reply-To: guru@Sisis.de
Subject: IPFILTER && NAT for UDP
Message-ID: <20050802094322.GA4062@revolucion.Sisis.de>

Hi,

I have the following problem (or perhaps some misunderstanding) with IPFILTER and NAT for NTP in FreeBSD 6.0-BETA1. The NAT rule is:

    map em1 xxx.xxx.xxx.32/27 -> A.B.C.D/32

and the IPF rule is:

    pass out log first quick on em1 proto udp from any to any port = 123 keep state

If now some host in the xxx.xxx.xxx.32/27 network asks for NTP with

    /usr/sbin/ntpdate -v NTP-SERVER-ADDR

it works fine: the UDP packet goes out, UDP comes back, and 'ipnat -l' shows the entry in the NAT table on the firewall like this:

    # ipnat -l | fgrep 123
    MAP xxx.xxx.xxx.xxx 123 <- -> A.B.C.D 123 [NTP-SERVER-ADDR 123]

The problem is now: if I use the same 'ntpdate' query while sitting on the firewall A.B.C.D itself, the UDP packet goes out as well, but of course without passing through NAT, and the UDP packet which is coming back from the same NTP-SERVER-ADDR finds the tuple in the NAT table:

    A.B.C.D 123 [NTP-SERVER-ADDR 123]

and is delivered via NAT to xxx.xxx.xxx.xxx, but of course the state in IPFILTER is invalid, which makes ipf block the packet and say:

    10:22:16.895810 em1 @0:30 b NTP-SERVER-ADDR,123 -> xxx.xxx.xxx.xxx,123 PR udp len 20 76 IN NAT

What can I do? And it seems that the (first) entry in the NAT table is sitting there for 10 minutes, why?

Thx

matthias

--
Matthias Apitz / Sisis Informationssysteme GmbH
Gruenwalder Weg 28g / D-82041 Oberhaching
Fon: ++49 89 / 61308-351, Fax: -399, Mobile ++49 170 4527211
http://www.sisis.de/~guru/
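The collision described in the message comes from the map rule translating only the source address: an inside host's ntpdate query leaves as A.B.C.D:123 -> NTP-SERVER-ADDR:123, which is exactly the 4-tuple the firewall's own ntpdate query produces, so the reply to the firewall matches the existing NAT entry. As an added example (not part of the original post), the posted rule is shown beside a variant that uses ipnat's portmap option so translated UDP source ports are drawn from a separate range; the addresses and interface name are the placeholders from the post, and the port range 10000:20000 is an assumption chosen for this example.

```conf
# /etc/ipnat.conf -- BEFORE (as posted): inside hosts are rewritten to
# A.B.C.D but keep their original source port, so an inside ntpdate
# creates the entry "A.B.C.D 123 <-> NTP-SERVER-ADDR 123", which also
# matches the reply to the firewall's own port-123 query.
map em1 xxx.xxx.xxx.32/27 -> A.B.C.D/32

# /etc/ipnat.conf -- AFTER: translated UDP source ports are taken from
# 10000-20000 (range chosen for this example), so the entry becomes
# "A.B.C.D 1xxxx <-> NTP-SERVER-ADDR 123" and a reply addressed to
# A.B.C.D:123 no longer matches any NAT entry; it is left untranslated
# and delivered to the firewall's own socket.
map em1 xxx.xxx.xxx.32/27 -> A.B.C.D/32 portmap udp 10000:20000

# /etc/ipf.conf -- unchanged from the post; the keep-state entry created
# by the outgoing packet admits the reply in both cases.
pass out log first quick on em1 proto udp from any to any port = 123 keep state
```

Reload the NAT rules and flush the stale table with `ipnat -CF -f /etc/ipnat.conf`. If only the firewall-side query needs fixing, `ntpdate -u` sends from an unprivileged source port instead of 123, which also avoids the clash without touching the NAT rule. The lifetime of an idle NAT entry is an ipf tunable; `ipf -T list` shows the current values.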