Date: Thu, 25 Aug 2022 08:36:22 +0200 (CEST)
From: Wojciech Puchar <wojtek@puchar.net>
To: freebsd-hackers@freebsd.org
Subject: Re: ipfw nat problem
Message-ID: <623ac39e-2915-463a-9e4c-9f99bae28c69@puchar.net>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

Found the reason: forwarding was set to 0 in sysctl.

On Thu, 25 Aug 2022, Wojciech Puchar wrote:

> I have used the ipfw nat redirect feature for a long time and never had
> problems until now.
>
> My ipfw config:
>
> queue flush
> pipe flush
> #define INTERNETIP 1.2.3.4
> #define INTERNET igb1
> nat 1 config ip 1.2.3.4 \
>   redirect_port tcp 10.255.255.253:22 20023 \
>   redirect_port tcp 10.255.255.254:22 20022
> //
> table 1 flush
> table 1 add 5.6.7.8
>
> add 6 skipto 1000 all from any to any via INTERNET in
> add 7 skipto 2000 all from any to any via INTERNET out
> add 10 allow all from any to any
>
> add 1000 deny all from table(1) to any
> add 1001 deny tcp from any to me 3306
> add 1010 nat 1 all from any to me
> add 1999 allow all from any to any
>
> add 2000 reject tcp from me to any 113
> add 2001 nat 1 all from 10.255.255.0/24 to any
> add 2002 allow all from any to any
>
> This is a server with 2 jails; I want these 2 jails' ssh servers to be
> available from outside.
>
> And it is. I can log in and do many things interactively for a long time,
> no problems.
>
> But trying to transfer files like
>
> ssh -p 20023 loginname@server "tar cf - something" | tar xpf -
>
> or scp
>
> it always disconnects after transferring about 100kB.
>
> In the logs I see
>
> Aug 25 08:29:35 <4.6> 10.255.255.253 sshd[63621]: Fssh_packet_write_poll: Connection from user blebleble 9.9.9.9 port 53899: Permission denied
>
> No other errors.
>
> I have no problems doing such operations on the host directly over ssh.
>
> I do use ssh redirects using nat on many servers without problems.
> What can I do to find the source of this problem?
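The ruleset quoted in the thread relies on two `skipto` branches (inbound traffic on the internet interface goes to rule 1000, outbound to rule 2000) and on `nat 1` doing the port redirect in one direction and masquerading in the other. The following is an added example, not code from the thread or from FreeBSD, that models that ruleset as a small packet tracer so the rule path for a given packet can be checked before touching a live firewall. It is a simplification of ipfw: it assumes the two jail addresses are aliases on the host (so they match `me`), that `net.inet.ip.fw.one_pass` is at its default of 1 (a packet is accepted right after NAT instead of re-entering the rules), and that the ruleset ends in the default deny; the `Packet` class, `trace()` and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model of the ruleset posted in the thread (an approximation of ipfw,
# not ipfw itself).
INTERNET = "igb1"
# Assumption: the jail addresses are aliases on the host, so they match "me".
ME = {"1.2.3.4", "10.255.255.253", "10.255.255.254"}
TABLES = {1: {"5.6.7.8"}}
# nat 1 config ip 1.2.3.4 redirect_port tcp 10.255.255.253:22 20023 ...
NAT_IP = "1.2.3.4"
REDIRECT_PORT = {("tcp", 20023): ("10.255.255.253", 22),
                 ("tcp", 20022): ("10.255.255.254", 22)}
LAN = ipaddress.ip_network("10.255.255.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", ...
    src: str
    dst: str
    dport: int
    iface: str       # interface the packet traverses ("via")
    direction: str   # "in" or "out"


def is_me(addr):
    return addr in ME


def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN


# (rule number, action, argument, match predicate), in ruleset order.
RULES = [
    (6,    "skipto", 1000, lambda p: p.iface == INTERNET and p.direction == "in"),
    (7,    "skipto", 2000, lambda p: p.iface == INTERNET and p.direction == "out"),
    (10,   "allow",  None, lambda p: True),
    (1000, "deny",   None, lambda p: p.src in TABLES[1]),
    (1001, "deny",   None, lambda p: p.proto == "tcp" and is_me(p.dst) and p.dport == 3306),
    (1010, "nat",    1,    lambda p: is_me(p.dst)),
    (1999, "allow",  None, lambda p: True),
    (2000, "reject", None, lambda p: p.proto == "tcp" and is_me(p.src) and p.dport == 113),
    (2001, "nat",    1,    lambda p: in_lan(p.src)),
    (2002, "allow",  None, lambda p: True),
]


def apply_nat(p):
    """nat instance 1: inbound redirect_port to a jail, outbound masquerade to NAT_IP."""
    if p.direction == "in":
        target = REDIRECT_PORT.get((p.proto, p.dport))
        if target:
            return replace(p, dst=target[0], dport=target[1])
        return p  # no redirect for this port: packet passes untranslated
    return replace(p, src=NAT_IP)


def trace(p):
    """Walk the ruleset; return (rule numbers that matched, verdict, packet after NAT)."""
    visited = []
    i = 0
    while i < len(RULES):
        num, action, arg, match = RULES[i]
        if not match(p):
            i += 1
            continue
        visited.append(num)
        if action == "skipto":
            # Jump to the first rule whose number is >= the skipto target.
            i = next((j for j, r in enumerate(RULES) if r[0] >= arg), len(RULES))
            continue
        if action == "nat":
            # Assumption: net.inet.ip.fw.one_pass=1 (the default), so the packet is
            # accepted immediately after translation.
            return visited, "allow", apply_nat(p)
        return visited, action, p
    return visited, "deny", p  # default rule 65535 denies (assumed default build)


if __name__ == "__main__":
    # Constructed sample: an ssh connection from outside to the jail redirect port.
    path, verdict, out = trace(Packet("tcp", "9.9.9.9", "1.2.3.4", 20023, "igb1", "in"))
    print(path, verdict, out.dst, out.dport)
```

Tracing the inbound ssh packet shows it taking rules 6 and 1010 and leaving NAT addressed to 10.255.255.253:22; an outbound packet from a jail takes 7 and 2001 and leaves with source 1.2.3.4. The tracer is useful mainly for confirming that a packet reaches the rule you expect (for instance that a table(1) entry is denied before NAT), not for diagnosing the data-path problem the thread reports, which the author traced to the sysctl forwarding setting rather than to rule order.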