(I've tried this already on the "questions" list, but without
success. I hope it's not too trivial for this list -- either I'm missing
something glaringly obvious (probable), or there's a bug. Either
way, I'm stuck :-( )
It looks to me as though natd and ipfw interact inconsistently for
inbound and outbound traffic, causing problems with
dynamic rules in the firewall.
I'm using FreeBSD 4.3-stable as a dial-up gateway machine for a
small lan with some windows machines on it. The machine runs
ppp (user mode), plus natd and ipfw. natd is running with switches
-dynamic and -t 192.168.0.254. ppp is running with just -auto, and
its config file doesn't enable aliasing.
The gateway machine has local address 192.168.0.1 and an external
address that varies, of course, but is of the form 213.x.x.x. For testing
purposes, from Windows machine 192.168.0.2, I ran "telnet 195.8.69.79
119" and waited for the news-server response.
With the following ipfw config fragment,
# divert packets through the tunnel interface
$fwcmd add divert natd all from any to any via tun0
...
# allow anything I start up (OK)
# allow connections to continue once made (FAILS!)
$fwcmd add check-state
$fwcmd add deny log tcp from any to any established
$fwcmd add allow log tcp from any to any out via tun0 setup keep-state
I get the following typical failures:
data# ipfw zero
Accounting cleared.
(Run telnet session)
data# ipfw show
00100 15 882 divert 8668 ip from any to any via tun0
00200 0 0 allow ip from any to any via lo0
00300 405 102963 allow ip from any to any via ed0
00400 0 0 unreach port log logamount 100 tcp from any to any 113 in recv tun0
00500 0 0 check-state
00600 8 344 deny log logamount 100 tcp from any to any established
00700 4 192 allow log logamount 100 tcp from any to any keep-state out xmit tun0 setup
00800 1 210 allow udp from any 53 to any in recv tun0
00900 1 60 allow udp from any to any 53 out xmit tun0
01000 1 76 allow udp from any 123 to any 123 via tun0
65435 0 0 allow icmp from any to any
65435 0 0 deny log logamount 100 ip from any to any
65535 0 0 deny ip from any to any
## Dynamic rules:
00700 3 144 (T 5, # 86) ty 0 tcp, 213.104.70.121 1041 <-> 195.8.69.73 119
(Note that the dynamic rule shows the external IP address, where I
would have expected the internal address.) The security log
contains:
Jul 25 08:26:00 data /kernel: ipfw: Accounting cleared.
Jul 25 08:26:39 data /kernel: ipfw: 700 Accept TCP 213.104.70.121:1041 195.8.69.73:119 out via tun0
( ^^^^ Note the external address, setting up the dynamic rule)
Jul 25 08:26:39 data /kernel: ipfw: 600 Deny TCP 195.8.69.73:119 192.168.0.2:1041 in via tun0
( ^^^^ Note the internal address, which doesn't match the dynamic rule)
Jul 25 08:26:39 data /kernel: ipfw: 700 Accept TCP 213.104.70.121:1041 195.8.69.73:119 out via tun0
Jul 25 08:26:39 data /kernel: ipfw: 600 Deny TCP 195.8.69.73:119 192.168.0.2:1041 in via tun0
(and so on...)
Not surprisingly, the connection then hangs. Running natd with the
-v option as well only shows the expected address translations;
nothing amiss.
With less robust, non-dynamic rules, everything works fine. Can
anyone spot what's going on here please?
--
various incoming sites blocked because of spam:
see www.mikescott.clara.net for a list
[EMAIL PROTECTED] Mike Scott
aka [EMAIL PROTECTED] Harlow Essex England
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message