From: umage <theultramage@gmail.com>
To: freebsd-questions@freebsd.org
Date: Tue, 21 Jun 2011 20:16:32 +0200
Message-ID: <4E00E000.4040202@gmail.com>
Subject: ipfw nat inbound keep-state with net.inet.ip.fw.one_pass=0

Hi,

I'm an ipfw user that finally got the opportunity to set up NAT on an interface with a public IP. I was doing some multi-homing experiments using ipfw fwd combined with outbound ipfw nat. Since I needed to run both, and both immediately ended ipfw ruleset execution, I had to turn off net.inet.ip.fw.one_pass.

This is where I discovered that with that setting turned off, my inbound NAT rule stopped working. It seems that with one-pass execution, the NAT rule also performs keep-state of some sort: the dynamic state table looks OK and everything works fine. But if I turn it off, and do my own "allow all in keep-state" after applying a static NAT rule on an inbound connection, I see that the state table has the remote IP on the left side and mine on the right side. I also see that my NAT setup breaks and my packets are sent to the internet with a 192.168.0.x source address.

I'd like to ask if I'm doing anything wrong, or whether this is a bug. I checked the issue tracker, but found no relevant issues there. I also tried asking around, but it seems no one even uses ipfw anymore. Triggering the issue requires a modified kernel (ipfw forward and ipfw nat are not available by default), requires using ipfw nat (a relatively new thing) instead of the old natd daemon, and requires changing the value of a system setting.