Date: Mon, 13 Jan 2020 21:09:25 -0500
From: Paul Procacci <pprocacci@gmail.com>
To: freebsd-ipfw@freebsd.org
Subject: Re: Stateful NAT w/ record-state
Message-ID: <CAFbbPug7s8%2BhS2UfudAytpo4sirFXYGREiHKH2Qiu=qiCbsMUQ@mail.gmail.com>
In-Reply-To: <CAFbbPuhGBEMCyexxQiareD6txd4Ehoq2WQWxw%2BO5hio_Out92g@mail.gmail.com>
References: <CAFbbPuhGBEMCyexxQiareD6txd4Ehoq2WQWxw%2BO5hio_Out92g@mail.gmail.com>
Welp, I ended up using an intermediary (nginx) to proxy the request.
I would have liked to avoid passing packets to userland though.

If anyone finds this, and knows anything about the record-state keyword and
knows how to use it "properly", I'd love to hear about it.

Take care

On Mon, Jan 13, 2020 at 1:47 AM Paul Procacci <pprocacci@gmail.com> wrote:

> In an attempt to setup stateful nat with a new (to me) feature
> (record-state), I'm running into difficulties with return packets getting
> denied when attempting to leave my primary interface.
>
> My bad ascii diagram:
>
>                    In Kernel Nat/Firewall
>                   /---------------------\
> +--------+     +-------+     +-----+     +-------+     +-------+
> | Client | --- | igb0  | --- | Nat | --- | igb1  | --- | Host  |
> +--------+     +-------+     +-----+     +-------+     +-------+
>
> Requests originate from "client", come in via "igb0", get passed to "nat",
> leave "igb1" reaching host .... no problem.
> The response leaving "host" comes in via "igb1", gets passed to "nat", and
> gets clobbered by ipfw's deny rule (see below).
>
> # sysctl net.inet.ip.fw.one_pass
> net.inet.ip.fw.one_pass: 0
>
> I've separated my ruleset (below) into chunks to hopefully make it easier on
> the eyes.
> Note: this is only the pertinent parts of my ruleset.
>
> Rules 91-99     : Dispatch table
> Rules 3000-3499 : ip_output
> Rules 50099-*   : ip_input
>
> #####################################################
> 00001 reass
> 00092 skipto 50000 not layer2 in
> 00093 skipto 3000 not layer2 out recv *
> 00094 skipto 3500 not layer2 out // not recv *
> 00099 deny // first-stage dispatch problem
>
> 03000 nat 1 ip from any to any out via igb0
> 03001 check-state :outside
> 03499 deny log ip from any to any // ip_output -- forwarded
>
> 50099 allow tcp from any to me 8765 recv igb0 setup record-state :outside defer-immediate-action
> 50100 nat 1 ip from any to me in via igb0
> 50101 allow tcp from any to 192.168.70.2 8765 in via igb0 setup keep-state :outside
> 59999 deny log ip from any to any // ip_input -- DENY remaining
> #####################################################
>
> ** I expect rule 50099 to record the state of "client -> igb0" in the
> state table (ip_input)
> ** I expect rule 3001 to validate the state entered in rule 50099 however
> it is getting caught by rule 3499
>
> Pertinent dynamic rules:
>
> 50101 3 156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
> 50099 6 613 (1s) STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside
>
> It would seem to me I have everything where it needs to be to get this
> working, but for some reason, it simply isn't.
>
> Thanks for the help in advance.
>
> __________________
>
> :(){ :|:& };:
>

-- 
__________________
:(){ :|:& };:
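An added helper for reading the dynamic-rule output quoted in the thread; this is not code from the original post or from FreeBSD. It parses `ipfw -d list` STATE lines (the column layout is taken from the two lines quoted above, which are reused here as constructed sample input) and groups them by the client side of the flow, so that a flow tracked under two different destination addresses, as with rules 50099 and 50101 above, stands out.

```python
"""Parse `ipfw -d list` dynamic-state lines and group them per client flow."""
import re
from collections import defaultdict

# Constructed sample: the two dynamic rules quoted in the message above.
SAMPLE = """\
50101 3 156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
50099 6 613 (1s) STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside
"""

# rule pkts bytes (ttl s) STATE proto src sport <-> dst dport [:statename]
LINE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)(?:\s+(?P<name>:\S+))?\s*$"
)


def parse_states(text):
    """Return one dict per STATE line; lines in any other format are skipped."""
    states = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("rule", "pkts", "bytes", "ttl", "sport", "dport"):
                d[key] = int(d[key])
            states.append(d)
    return states


def states_per_client_flow(states):
    """Group states by (proto, src, sport, state name): the client side of the flow."""
    groups = defaultdict(list)
    for s in states:
        groups[(s["proto"], s["src"], s["sport"], s["name"])].append(s)
    return groups


def split_states(states):
    """Client flows whose states disagree on the destination address/port.

    In the sample this is the single flow from 79.79.179.215:54724, recorded
    against 192.168.1.31 (the firewall's own address, rule 50099) and against
    192.168.70.2 (the host behind the nat, rule 50101).
    """
    return {flow: entries for flow, entries in states_per_client_flow(states).items()
            if len({(s["dst"], s["dport"]) for s in entries}) > 1}
```

Feed it the output of `ipfw -d list` instead of `SAMPLE` to inspect a live state table.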