Date:      Sun, 9 Sep 2007 22:08:49 GMT
From:      Joe Acosta <josepha48@yahoo.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/116238: natd/ipfw not maintaining interface of udp packets (maybe tcp too?)
Message-ID:  <200709092208.l89M8nXn045887@www.freebsd.org>
Resent-Message-ID: <200709092210.l89MA4j9068961@freefall.freebsd.org>


>Number:         116238
>Category:       misc
>Synopsis:       natd/ipfw not maintaining interface of udp packets (maybe tcp too?)
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 09 22:10:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Joe Acosta
>Release:        6.2 p7
>Organization:
>Environment:
FreeBSD gaywayrouter.org 6.2-RELEASE-p7 FreeBSD 6.2-RELEASE-p7 #3: Thu Aug 16 21:54:24 PDT 2007     root@bobthebuilder.gaywayrouter.org:/usr/obj/usr/src/sys/CDGAYWAY  i386

>Description:
natd is natting everything and messing up certain outgoing packets.

So packets coming in on interface INT_IFACE go out EXT_IFACE and come back again.  That works fine as expected. 

However, running a service on the internal interface (INT_IFACE) results in packets going into INT_IFACE and returning from EXT_IFACE.  This was first noticed in isc-dhcp3-server, where the service is not bound to an IP address; it is bound to an interface like INT_IFACE.


For DNS, queries go out EXT_IFACE with the EXT_IP address. Then they come back in, are 'de-natted' and sent to INT_IFACE.

DNS: 

    - query comes in via int iface / ilan
    - query then is natted and sent out ext iface / ext ip 
    - query comes back in via ext iface and denatted 
    - response is sent back to client in iface / ilan


For DHCP, packets are sent broadcast.

    - query comes in via int iface / ilan as broadcast 0.0.0.0 68 to 255.255.255.255 67
    - query then is natted and sent out ext iface / ext ip 
         ----> broadcast OUT Ext interface instead of int iface 
    - client never gets IP address.


Could it be my firewall rules or something else?  Yes, but this setup works with a dhcp binary built with FreeBSD 5.x.


>How-To-Repeat:
Install dhcp on a dual-NIC box.

Set up a firewall and NAT on the ext NIC using ipfw/natd.

Try to get a DHCP IP address on the internal LAN.


>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
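As an added example (not part of the bug report, and not FreeBSD's own configuration), the ruleset shape a practitioner would check first when natd appears to NAT everything: a divert rule matched `via any` hands LAN-side packets to natd too, whereas scoping the divert to the external interface, and passing DHCP on the internal interface ahead of it, leaves internal traffic untouched. The interface names and the LAN range are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: a natd/ipfw ruleset skeleton that
# confines NAT to the external interface. Interface names and the LAN range
# are placeholder assumptions, not the reporter's values.
INT_IFACE="${INT_IFACE:-int0}"          # assumed LAN-facing NIC
EXT_IFACE="${EXT_IFACE:-ext0}"          # assumed upstream NIC
ILAN="${ILAN:-192.168.1.0/24}"          # assumed internal LAN range

# Rule shape that hands every packet to natd, including those arriving on
# the LAN side: a DHCP broadcast seen on INT_IFACE is rewritten and can
# leave on the wrong NIC.
weak_rules() {
    echo "ipfw add 1000 divert natd ip from any to any via any"
}

# Corrected shape: let DHCP pass on the LAN before any divert, then divert
# only packets that actually cross the external interface (both directions,
# so replies are de-NATted as well). natd itself is started with
# -n $EXT_IFACE (natd_interface in rc.conf) so it aliases to that NIC only.
hardened_rules() {
    cat <<EOF
ipfw add 100 allow udp from any 68 to any 67 in via $INT_IFACE
ipfw add 110 allow udp from any 67 to any 68 out via $INT_IFACE
ipfw add 1000 divert natd ip from any to any via $EXT_IFACE
ipfw add 1100 allow udp from $ILAN to any 53 keep-state
# remaining site policy (stateful allows, final deny) goes here
EOF
}

# Check a ruleset (one ipfw command per line on stdin): returns 0 if any
# divert rule would also catch internal-interface traffic ('via any' or
# 'via $INT_IFACE'), 1 otherwise.
divert_catches_internal() {
    grep -E '^ipfw add [0-9]+ divert ' | grep -Eq "via (any|$INT_IFACE)( |\$)"
}

# Report on both rulesets without touching the running firewall.
if [ "${1:-}" = "--check" ]; then
    for set in weak_rules hardened_rules; do
        if $set | divert_catches_internal; then
            echo "$set: divert also covers $INT_IFACE"
        else
            echo "$set: divert confined to $EXT_IFACE"
        fi
    done
fi
```

Run with `--check` to see the verdict for each ruleset; the generated rule lines can be fed to ipfw on the router once the remaining site policy is filled in.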



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200709092208.l89M8nXn045887>