From: Wojciech Puchar <wojtek@puchar.net>
To: freebsd-hackers@freebsd.org
Date: Thu, 25 Aug 2022 08:31:55 +0200 (CEST)
Subject: ipfw nat problem
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

I have used the ipfw nat redirect feature for a long time. Never had problems until now.

My ipfw config:

    queue flush
    pipe flush

    #define INTERNETIP 1.2.3.4
    #define INTERNET igb1

    nat 1 config ip 1.2.3.4 \
            redirect_port tcp 10.255.255.253:22 20023 \
            redirect_port tcp 10.255.255.254:22 20022 //

    table 1 flush
    table 1 add 5.6.7.8

    add 6 skipto 1000 all from any to any via INTERNET in
    add 7 skipto 2000 all from any to any via INTERNET out
    add 10 allow all from any to any

    add 1000 deny all from table(1) to any
    add 1001 deny tcp from any to me 3306
    add 1010 nat 1 all from any to me
    add 1999 allow all from any to any

    add 2000 reject tcp from me to any 113
    add 2001 nat 1 all from 10.255.255.0/24 to any
    add 2002 allow all from any to any

This is a server with 2 jails. I want these 2 jails' ssh servers to be available from outside. And it is.
I can log in and do many things interactively for a long time with no problems. But when trying to transfer files, like

    ssh -p 20023 loginname@server "tar cf - something" | tar xpf -

or scp, it always disconnects after transferring about 100kB. In the logs I see:

    Aug 25 08:29:35 <4.6> 10.255.255.253 sshd[63621]: Fssh_packet_write_poll: Connection from user blebleble 9.9.9.9 port 53899: Permission denied

No other errors. I have no problems doing such operations on the host directly over ssh. I do use ssh redirects using nat on many servers without problems.

What can I do to find the source of this problem?
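One way to answer the closing question, as an added diagnostic helper that is not part of the mail: snapshot the per-rule packet counters of `ipfw -a list` before and after reproducing the failing transfer and report which deny/reject rules moved. It assumes the `ipfw -a list` column layout (rule number, packets, bytes, rule text) and that the "Permission denied" sshd reports is the EACCES a local sender gets when ipfw drops an outgoing packet; the sample snapshots and counter values are constructed.

```sh
#!/bin/sh
# Added diagnostic helper, not part of the original mail. It compares two
# snapshots of `ipfw -a list` (rule number, packet count, byte count, rule
# text) taken before and after a failing transfer and prints the deny/reject
# rules whose packet counters moved, so the rule dropping the packets can be
# identified without enabling verbose logging on the whole ruleset.
#
# Host usage:
#   ipfw -a list > /tmp/before
#   scp -P 20023 somefile loginname@server:   # reproduce the disconnect
#   ipfw -a list > /tmp/after
#   ipfw_drop_delta /tmp/before /tmp/after

# Print "rule delta rule-text" for every deny/reject/unreach rule whose
# packet counter is higher in the second snapshot than in the first.
ipfw_drop_delta() {
    awk '
        NR == FNR { pkts[$1] = $2; next }           # first file: remember counts
        $4 ~ /^(deny|reject|unreach)$/ && $2 > pkts[$1] + 0 {
            text = $4
            for (i = 5; i <= NF; i++) text = text " " $i
            printf "%s %d %s\n", $1, $2 - pkts[$1], text
        }' "$1" "$2"
}

# Constructed sample snapshots modelled on the ruleset in the mail; the
# counter values are made up to show the helper working.
BEFORE='00006      10       1000 skipto 1000 ip from any to any via igb1 in
01000       0          0 deny ip from table(1) to any
01001       0          0 deny tcp from any to me 3306
01010     500      60000 nat 1 ip from any to me
02000       3        180 reject tcp from me to any 113
02001     900     120000 nat 1 ip from 10.255.255.0/24 to any'
AFTER='00006      20       2000 skipto 1000 ip from any to any via igb1 in
01000       4        240 deny ip from table(1) to any
01001       0          0 deny tcp from any to me 3306
01010     900      98000 nat 1 ip from any to me
02000       3        180 reject tcp from me to any 113
02001    1800     240000 nat 1 ip from 10.255.255.0/24 to any'

# Run the helper on the constructed snapshots and print its report.
demo_delta() {
    b=$(mktemp) && a=$(mktemp) || return 1
    printf '%s\n' "$BEFORE" > "$b"
    printf '%s\n' "$AFTER" > "$a"
    ipfw_drop_delta "$b" "$a"
    rm -f "$b" "$a"
}

demo_delta
```

Only rules whose counters grew during the reproduction are printed, so an empty report means no deny/reject rule saw the dropped packets and the drop is happening elsewhere (for example inside the nat translation itself).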