Date: Mon, 3 Nov 2008 10:51:57 -0500 From: "John Fitzgerald" <jjfitzgerald@gmail.com> To: freebsd-net@freebsd.org Subject: ipf / ipnat bad nat Message-ID: <5e49673f0811030751i292a80f4pf9ed6300ec46a504@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hey all,
I manage a pretty busy website and I've been perplexed by this problem
for some time. ipnat -s shows something like this:
mapped in 837904779 out 1055985985
added 79997334 expired 0
no memory 0 bad nat 500334
inuse 11764
rules 5
wilds 0
What troubles me is the "bad nat" that you see there. It goes up
pretty quickly (hundreds per minute), especially during high traffic
times. My ipnat.rules is pretty simple:
#outgoing
map bce0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map bce0 192.168.1.0/24 -> 0.0.0.0/32
#incoming
rdr bce0 0.0.0.0/0 port 80 -> 192.168.1.100 port 80 tcp age 30
rdr bce0 0.0.0.0/0 port 443 -> 192.168.1.100 port 443 tcp age 30
And my ipf.rules is simple enough:
# localhost
pass in quick on lo0 all
pass out quick on lo0 all
#internal interface
pass in quick on bce3 all
pass out quick on bce3 all
#web traffic
pass in quick on bce0 proto tcp from any to any port = 80 flags
S/SA keep state
pass in quick on bce0 proto tcp from any to any port = 443 flags
S/SA keep state
#all outgoing
pass out quick proto tcp from any to any flags S/SA keep state
pass out quick proto icmp from any to any keep state
pass out quick proto udp from any to any keep state
#block the rest
block in quick on bce0 all
My internal interface is bce3 and external is bce0. Any thoughts what
could be causing the bad nat?
Thanks --
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5e49673f0811030751i292a80f4pf9ed6300ec46a504>