From: John Fitzgerald <jjfitzgerald@gmail.com>
To: freebsd-net@freebsd.org
Date: Mon, 3 Nov 2008 10:51:57 -0500
Subject: ipf / ipnat bad nat
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

Hey all,

I manage a pretty busy website and I've been perplexed by this problem for some time. ipnat -s shows something like this:

    mapped  in  837904779  out  1055985985
    added   79997334  expired  0
    no memory  0  bad nat  500334
    inuse   11764
    rules   5
    wilds   0

What troubles me is the "bad nat" that you see there. It goes up pretty quickly (hundreds per minute), especially during high traffic times.

My ipnat.rules is pretty simple:

    #outgoing
    map bce0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
    map bce0 192.168.1.0/24 -> 0.0.0.0/32

    #incoming
    rdr bce0 0.0.0.0/0 port 80 -> 192.168.1.100 port 80 tcp age 30
    rdr bce0 0.0.0.0/0 port 443 -> 192.168.1.100 port 443 tcp age 30

And my ipf.rules is simple enough:

    # localhost
    pass in quick on lo0 all
    pass out quick on lo0 all

    #internal interface
    pass in quick on bce3 all
    pass out quick on bce3 all

    #web traffic
    pass in quick on bce0 proto tcp from any to any port = 80 flags S/SA keep state
    pass in quick on bce0 proto tcp from any to any port = 443 flags S/SA keep state

    #all outgoing
    pass out quick proto tcp from any to any flags S/SA keep state
    pass out quick proto icmp from any to any keep state
    pass out quick proto udp from any to any keep state

    #block the rest
    block in quick on bce0 all

My internal interface is bce3 and external is bce0. Any thoughts what could be causing the bad nat?

Thanks
--
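The post reports the "bad nat" counter only as a raw total. Before anyone can correlate it with traffic, rule changes, or table pressure, the useful number is how fast it climbs and whether it tracks the "added" counter. The script below is an added example, not code from the post or from the ipfilter project: it parses the `ipnat -s` layout shown above, takes the difference between two snapshots, and reports per-minute rates for the cumulative counters while leaving the gauges (inuse, rules, wilds) alone. The first snapshot is the one from the post; the second, sixty seconds later, is constructed for illustration, as is the 100-per-minute alert threshold. It also treats a counter that went backwards (the table was flushed between samples) as "no rate" rather than a negative number.

```python
"""Measure how fast `ipnat -s` counters climb between two snapshots."""
import re
import subprocess
import time

# Labels as printed by `ipnat -s` (ipfilter 4.x layout, as quoted in the post),
# mapped to snake_case keys. The first output line reads "mapped in N out M",
# so "mapped in" and "out" are the two mapped-packet counters.
_COUNTER_RE = re.compile(
    r"\b(mapped\s+in|out|added|expired|no\s+memory|bad\s+nat|inuse|rules|wilds)\s+(\d+)"
)
_KEYS = {
    "mapped in": "mapped_in", "out": "mapped_out", "added": "added",
    "expired": "expired", "no memory": "no_memory", "bad nat": "bad_nat",
    "inuse": "inuse", "rules": "rules", "wilds": "wilds",
}
# Monotonic counters; inuse/rules/wilds are gauges and get no rate.
_CUMULATIVE = ("mapped_in", "mapped_out", "added", "expired", "no_memory", "bad_nat")

# Snapshot quoted in the post (tab-separated, as ipnat prints it).
SAMPLE_BEFORE = """\
mapped\tin\t837904779\tout\t1055985985
added\t79997334\texpired\t0
no memory\t0\tbad nat\t500334
inuse\t11764
rules\t5
wilds\t0
"""
# Constructed snapshot, assumed to be taken 60 seconds later.
SAMPLE_AFTER = """\
mapped\tin\t838104779\tout\t1056235985
added\t80002334\texpired\t0
no memory\t0\tbad nat\t500634
inuse\t11790
rules\t5
wilds\t0
"""


def parse_ipnat_stats(text):
    """Turn `ipnat -s` output into {counter_name: int}; fail on unknown layout."""
    stats = {}
    for label, value in _COUNTER_RE.findall(text):
        stats[_KEYS[" ".join(label.split())]] = int(value)
    missing = set(_KEYS.values()) - set(stats)
    if missing:
        raise ValueError("unrecognised ipnat -s output, missing %s" % sorted(missing))
    return stats


def counter_rates(before, after, seconds):
    """Per-minute growth of each cumulative counter between two snapshots.

    A counter that decreased means the NAT table was flushed (or the kernel
    counters were reset) between samples; that is reported as None instead of
    a misleading negative rate.
    """
    rates = {}
    for key in _CUMULATIVE:
        diff = after[key] - before[key]
        rates[key] = None if diff < 0 else diff * 60.0 / seconds
    return rates


def bad_nat_exceeds(rates, threshold_per_min=100):
    """True when 'bad nat' is climbing at or above the (constructed) threshold."""
    rate = rates["bad_nat"]
    return rate is not None and rate >= threshold_per_min


def sample_live(interval_seconds=60):
    """Take two real samples on a FreeBSD host; not exercised by the tests."""
    first = parse_ipnat_stats(subprocess.check_output(["ipnat", "-s"], text=True))
    time.sleep(interval_seconds)
    second = parse_ipnat_stats(subprocess.check_output(["ipnat", "-s"], text=True))
    return counter_rates(first, second, interval_seconds)


if __name__ == "__main__":
    rates = counter_rates(parse_ipnat_stats(SAMPLE_BEFORE),
                          parse_ipnat_stats(SAMPLE_AFTER), 60)
    for key in _CUMULATIVE:
        print("%-11s %s/min" % (key, "reset" if rates[key] is None else rates[key]))
    print("bad nat alert:", bad_nat_exceeds(rates))
```

Run on the two embedded snapshots it reports 300 bad nat per minute against 5000 new sessions added, which is the kind of pairing (bad nat versus added, both over the same window) worth graphing across the "high traffic times" the post mentions before touching the rules.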