Date: Tue, 28 Jul 2015 14:50:00 +0800 From: bycn82 <bycn82@gmail.com> To: Ian Smith <smithi@nimnet.asn.au> Cc: Lev Serebryakov <lev@freebsd.org>, "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org> Subject: Re: keep-state and in-kernel NAT exposes local ip on external interface Message-ID: <CAC%2BJH2zp5E8xi%2BjEX8AuFroKh60uc=t%2BxPa5UhmpFX18TdX1hg@mail.gmail.com> In-Reply-To: <20150728150845.V17327@sola.nimnet.asn.au> References: <1435692039.18121.12.camel@yahoo.com> <5594395D.6050103@FreeBSD.org> <20150728150845.V17327@sola.nimnet.asn.au>
next in thread | previous in thread | raw e-mail | index | archive | help
for me. i am totally dont understand all these. waiting dor example as well On Tuesday, July 28, 2015, Ian Smith <smithi@nimnet.asn.au> wrote: > Way back on Wed, 1 Jul 2015 22:02:53 +0300, Lev Serebryakov wrote: > > On 30.06.2015 22:20, Georgios Amanakis via freebsd-ipfw wrote: > > > > It is good example for my changes :) All this "skipto / keep-state" > > magic is not understandable. > > Indeed. So all we're waiting for, Lev, is some simple usage examples of > how things should be done with your new stateful operators, especially > when combining stateful rules with NAT. Please see what you can do .. > > I know it's clear to you, but I for one cannot get my head around these > without a couple of examples, roughly suitable for inclusion in ipfw(8) > EXAMPLES section. Rough illustrations would do fine at first. > > In the problems shown lately, including the one below (harder to read > with the quoting wrapped like that!) it seems the problem of keepalives > being issued using the internal address would not occur if keep-state > was only applied _after_ NAT, only on the already-translated source > address, but like you and apparently many others, I find these rulesets > very difficult to follow in terms of different possible flows. > > cheers, Ian > > > > On FreeBSD 10.1p13 with two interfaces em0(internet) and em1(lan) I > > > can fish (tcpdump)packets on em0 which have escaped the in-kernel > > > NAT and have as source address an IP on the LAN. > > > > > > This should not happen and I can confirm that with pf this is not > > > the case. I have the following ipfw rules: > > > > > > nat: ipfw nat 123 config ip xxx.xxx.xxx.xxx same_ports reset > > > > > > 00100 reass ip from any to any in 00200 allow ip from any to any > > > via lo0 00300 allow ip from any to any via em1 00400 nat 123 ip > > > from any to any in recv em0 00500 check-state 00600 skipto 24000 ip > > > from any to me dst-port 80,443,22,500,4500,1194,993,8112 in recv > > > em0 keep-state 00700 skipto 24000 ip from any to any out xmit em0 > > > keep-state 00800 deny log ip from any to any 24000 nat 123 ip from > > > any to any out xmit em0 24100 allow ip from any to any > > > > > > Contrary to many online tutorials, including the example of the > > > handbook regarding NAT ( > > > https://www.freebsd.org/doc/handbook/firewalls-ipfw.html), when > > > one places the NAT rules with the opposite order (i.e. outbound > > > rule first and then the inbound rule) the problem disappears. > > > > > > i.e. ... 00400 nat 123 ip from any to any out xmit em0 ... 24000 > > > nat 123 ip from any to any in recv em0 ... > > > > > > Why is this happening? Any objections to reversing the order of the > > > NAT rules? > > > - -- > > // Lev Serebryakov > _______________________________________________ > freebsd-ipfw@freebsd.org <javascript:;> mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org > <javascript:;>" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAC%2BJH2zp5E8xi%2BjEX8AuFroKh60uc=t%2BxPa5UhmpFX18TdX1hg>