Date: Mon, 24 Dec 2001 13:37:05 +0000
From: Josh Paetzel <friar_josh@webwarrior.net>
To: GuRU <guru@nubisci.net>
Cc: ipfilter@coombs.anu.edu.au, freebsd-questions@FreeBSD.ORG
Subject: Re: ipf/ipnat strangeness freebsd-current
Message-ID: <20011224133705.I237@twincat.vladsempire.net>
In-Reply-To: <20011224131816.A20795@nubisci.net>; from guru@nubisci.net on Mon, Dec 24, 2001 at 01:18:16PM -0500
References: <20011104171404.A25705@nubisci.net> <20011224131816.A20795@nubisci.net>
On Mon, Dec 24, 2001 at 01:18:16PM -0500, GuRU wrote:
> Hello all :).
> This is a continuing problem I'm seeing on my firewall box running on a
> FreeBSD -current box.
>
> ganja.nubisci.net:ipfilter# ipf -V
> ipf: IP Filter: v3.4.20 (264)
> Kernel: IP Filter: v3.4.20
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
>
> The contents of my ipf.rules:
> # ipf.rules
> # interface naming:
> # fxp0 = internet, addr=198.109.166.215/32
> # fxp1 = local private net, addr=192.168.0.1/24
> #
>
> pass in log on fxp0 all
> pass out log on fxp0 all
>
> pass in log on fxp1 all
> pass out log on fxp1 all
>
> The contents of my ipnat.rules:
>
> map fxp0 192.168.0.1/24 -> 198.109.166.215/32 portmap tcp/udp 1025:65000
> map fxp0 192.168.0.1/24 -> 198.109.166.215/32
>
> The following was generated by the following command from the client machine
> (blunted) from behind the firewall (ganja):
>
> blunted.nubisci.net:guru% traceroute -S ftp.freebsd.org
> traceroute to ftp.beastie.tdk.net (62.243.72.50), 64 hops max, 40 byte packets
> 1 ganja (192.168.0.1) 0.584 ms 0.421 ms 0.414 ms (0% loss)
> 2 198.109.166.193 (198.109.166.193) 3.820 ms * 3.793 ms (33% loss)
> 3 * com-rtr-ve61.net.msu.edu (35.12.51.1) 6.774 ms * (66% loss)
> 4 cc-rtr-ge15.net.msu.edu (35.9.101.13) 3.294 ms * 6.656 ms (33% loss)
> 5 * g3-0.msu4.mich.net (35.9.82.114) 3.542 ms * (66% loss)
> 6 198.108.23.129 (198.108.23.129) 8.600 ms * 8.914 ms (33% loss)
> 7 * 63-149-0-185.cust.qwest.net (63.149.0.185) 13.153 ms * (66% loss)
> 8 chi-core-01.inet.qwest.net (205.171.20.121) 13.097 ms * 36.202 ms (33% loss)
> 9 * jfk-core-02.inet.qwest.net (205.171.5.11) 35.924 ms * (66% loss)
> 10 jfk-brdr-01.inet.qwest.net (205.171.30.18) 34.238 ms * 32.919 ms (33% loss)
> 11 * nyk-bb1-pos3-0-0.telia.net (213.248.82.93) 36.484 ms * (66% loss)
> 12 nyk-i1-pos1-0.telia.net (213.248.82.14) 38.008 ms * 32.876 ms (33% loss)
> 13 * teledk-2.k.telia.net (213.248.82.114) 33.632 ms * (66% loss)
> 14 pos3-0.622M.albnxg2.ip.tele.dk (195.249.2.233) 140.264 ms * 140.361 ms (33% loss)
> 15 * pos6-0.2488M.albnxg1.ip.tele.dk (195.249.4.165) 142.779 ms * (66% loss)
> 16 pos7-0.2488M.arcnxg1.ip.tele.dk (195.249.6.126) 183.184 ms * 150.709 ms (33% loss)
> 17 * pos4-0.2488M.opanxg1.ip.tele.dk (195.249.2.162) 140.144 ms * (66% loss)
> 18 ge2-2.1000M.d3.opa.tdk.net (193.163.158.169) 140.438 ms * 147.625 ms (33% loss)
> 19 * vlan30.d6.opa.tdk.net (62.243.72.206) 140.845 ms * (66% loss)
> 20 vlan30.d6.opa.tdk.net (62.243.72.206) 140.595 ms !X * 140.899 ms !X (33% loss)
>
> Running tcpdump on both the public and private interface yields:
>
> fxp1 ==> private interface
> ganja.nubisci.net:ipfilter# fgrep udp tcpdump-r.fxp1 | head -20
> 21:12:07.497662 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33435: udp 12 [ttl 1]
> 21:12:07.500150 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33436: udp 12 [ttl 1]
> 21:12:07.501165 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33437: udp 12 [ttl 1]
> 21:12:07.502815 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33438: udp 12
> 21:12:07.509313 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33439: udp 12
> 21:12:12.511339 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33440: udp 12
> 21:12:12.516048 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33441: udp 12
> 21:12:17.521119 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33442: udp 12
> 21:12:17.530678 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33443: udp 12
> 21:12:22.541760 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33444: udp 12
> 21:12:22.547954 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33445: udp 12
> 21:12:27.551830 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33446: udp 12
> 21:12:27.557562 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33447: udp 12
> 21:12:32.561690 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33448: udp 12
> 21:12:32.567822 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33449: udp 12
> 21:12:37.572378 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33450: udp 12
> 21:12:37.581144 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33451: udp 12
> 21:12:42.592764 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33452: udp 12
> 21:12:42.599665 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33453: udp 12
> 21:12:47.602439 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33454: udp 12
>
> Every 5 seconds two packets come in. Now for the other side ...
>
> fxp0 ==> public interface
> ganja.nubisci.net:ipfilter# fgrep udp tcpdump-r.fxp0 | fgrep beastie | head -20
> 21:12:07.502934 nubisci.net.1165 > ftp.beastie.tdk.net.33438: udp 12 [ttl 1]
> 21:12:07.509326 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33439: udp 12 [ttl 1]
> 21:12:12.511472 nubisci.net.1166 > ftp.beastie.tdk.net.33440: udp 12 [ttl 1]
> 21:12:12.516059 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33441: udp 12
> 21:12:17.521257 nubisci.net.phone > ftp.beastie.tdk.net.33442: udp 12
> 21:12:17.530695 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33443: udp 12
> 21:12:22.541915 nubisci.net.1168 > ftp.beastie.tdk.net.33444: udp 12
> 21:12:22.547968 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33445: udp 12
> 21:12:27.551968 nubisci.net.1169 > ftp.beastie.tdk.net.33446: udp 12
> 21:12:27.557580 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33447: udp 12
> 21:12:32.561828 nubisci.net.1170 > ftp.beastie.tdk.net.33448: udp 12
> 21:12:32.567836 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33449: udp 12
> 21:12:37.572533 nubisci.net.1171 > ftp.beastie.tdk.net.33450: udp 12
> 21:12:37.581159 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33451: udp 12
> 21:12:42.592902 nubisci.net.1172 > ftp.beastie.tdk.net.33452: udp 12
> 21:12:42.599677 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33453: udp 12
> 21:12:47.602583 nubisci.net.1173 > ftp.beastie.tdk.net.33454: udp 12
> 21:12:47.619030 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33455: udp 12
> 21:12:52.623139 nubisci.net.1174 > ftp.beastie.tdk.net.33456: udp 12
> 21:12:52.642401 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33457: udp 12
>
> The first three packets that were seen on the inside expire on the firewall.
> After that it appears that every other packet is NATed and the other is being
> passed unchanged :( (Thanks to Crist J. Clark for his analysis)
>
> Now I need to know if anyone has seen this behavior before. Either way I need
> some assistance in finding out why this is happening. Any help would be
> appreciated. :)
>
> --
> "Comparing information and knowledge is like asking whether the fatness
> of a pig is more or less green than the designated hitter rule."
> -- David Guaspari
> <guru@nubisci.net>

This is something you need to take up on -CURRENT. You've got no business
running -CURRENT on a production box in the first place, IMHO.

Josh
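The symptom in the quoted captures, inside (192.168.0.0/24) source addresses appearing on the public interface untranslated, is easy to check for mechanically. The script below is an added example, not code from the thread: it parses tcpdump summary lines in the same one-line format as the fxp0 capture and flags every outbound packet whose source was not rewritten by the map rule. The host-to-address map and the sample lines are constructed from the addresses in the thread; the client's and ftp server's addresses are assumptions.

```python
import ipaddress
import re

# Constructed name->address map; the public address is from the thread's ipnat.rules, the rest is assumed.
HOSTS = {
    "nubisci.net": "198.109.166.215",       # fxp0, what ipnat rewrites sources to
    "blunted.nubisci.net": "192.168.0.2",   # assumed client on the inside net
    "ftp.beastie.tdk.net": "62.243.72.50",  # traceroute target in the thread
}
PRIVATE_NET = ipaddress.ip_network("192.168.0.0/24")  # inside net behind fxp1

# Constructed sample in the thread's one-line tcpdump summary format (fxp0).
SAMPLE_FXP0 = """\
21:12:07.502934 nubisci.net.1165 > ftp.beastie.tdk.net.33438: udp 12 [ttl 1]
21:12:07.509326 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33439: udp 12 [ttl 1]
21:12:12.511472 nubisci.net.1166 > ftp.beastie.tdk.net.33440: udp 12 [ttl 1]
21:12:12.516059 blunted.nubisci.net.34762 > ftp.beastie.tdk.net.33441: udp 12
21:12:17.521257 nubisci.net.phone > ftp.beastie.tdk.net.33442: udp 12
"""

# "ts src.port > dst.port: udp len"; a port may be a service name ("phone").
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): udp (?P<len>\d+)")

def resolve(name):
    """Map a tcpdump host field to an address, or None if it is unknown."""
    try:
        return ipaddress.ip_address(HOSTS.get(name, name))
    except ValueError:
        return None

def parse_line(line):
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["src_ip"] = resolve(pkt["src"])
    return pkt

def packets(capture):
    return [p for p in map(parse_line, capture.splitlines()) if p and p["src_ip"] is not None]

def translation_flags(capture):
    """One bool per packet: True if the source left as the public address,
    False if an inside (192.168.0.0/24) source leaked out untranslated."""
    return [p["src_ip"] not in PRIVATE_NET for p in packets(capture)]

def find_untranslated(capture):
    """(dst port, source host) of the packets ipnat did not rewrite."""
    return [(p["dport"], p["src"]) for p in packets(capture) if p["src_ip"] in PRIVATE_NET]
```

On the sample the flags alternate True/False, which is the "every other packet" pattern the poster describes; on a healthy NAT box find_untranslated should return an empty list.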