I run IPfilter on Solaris 10 quite successfully. However, I ran into
a strange problem while trying to implement port forwarding with the
rdr and map commands of ipnat.
Context:
# uname -a
SunOS lamorphe 5.10 Generic_120011-14 sun4u sparc SUNW,UltraAX-i2
# isainfo -vk
64-bit sparcv9 kernel modules
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
eri0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
inet 194.88.106.36 netmask fffffff8 broadcast 194.88.106.39
ether 0:3:ba:c:21:f7
qfe2: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 4
inet 192.168.90.2 netmask ffffff00 broadcast 192.168.90.255
ether 8:0:20:e5:7f:1a
# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ---------- ---------
default 194.88.106.33 UG 1 50259
192.168.90.0 192.168.90.2 U 1 5847 qfe2
194.88.106.32 194.88.106.36 U 1 11606 eri0
224.0.0.0 194.88.106.36 U 1 0 eri0
127.0.0.1 127.0.0.1 UH 1 66 lo0
# netstat -i
Name Mtu Net/Dest Address Ipkts Ierrs Opkts Oerrs Collis Queue
lo0 8232 loopback localhost 652 0 652 0 0 0
eri0 1500 lamorphe lamorphe 24374356 0 18841128 0 0 0
qfe2 1500 lamor2 lamor2 17639693 0 19901840 0 0 0
# netstat -s -P ip
IPv4 ipForwarding = 1 ipDefaultTTL = 255
ipInReceives =59214974 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams =37418538 ipForwProhibits = 262
ipInUnknownProtos = 0 ipInDiscards = 290
ipInDelivers =1421895 ipOutRequests =18930493
ipOutDiscards = 2 ipOutNoRoutes = 0
ipReasmTimeout = 60 ipReasmReqds =408190
ipReasmOKs =408184 ipReasmFails = 6
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 6 ipFragFails = 2627
ipFragCreates = 15 ipRoutingDiscards = 0
tcpInErrs = 3 udpNoPorts = 592
udpInCksumErrs = 1 udpInOverflows = 0
rawipInOverflows = 0 ipsecInSucceeded =21232321
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 0
# ipf -V
ipf: IP Filter: v4.1.9 (592)
Kernel: IP Filter: v4.1.9
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1
Feature mask: 0x107
# ipfstat
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 79485 passed 59136029 nomatch 19988431 counted 0 short 0
output packets: blocked 38103 passed 56315224 nomatch 13359002 counted 0 short 0
input packets logged: blocked 0 passed 224313
output packets logged: blocked 0 passed 194313
packets logged: input 0 output 0
log failures: input 73754 output 78930
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 1386 lost 0
packet state(out): kept 153856 lost 1150
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 27580158 (out): 25899861
IN Pullups succeeded: 408 failed: 0
OUT Pullups succeeded: 17762708 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 49257259
Packet log flags set: (0)
none
# ipfstat -io
pass out quick on lo0 all
block out on eri0 all
block out log on qfe2 all
pass out quick on eri0 proto icmp from any to any keep state
pass out quick on eri0 proto tcp/udp from any to any keep state
pass out log quick on qfe2 proto icmp from any to any keep state
pass out log quick on qfe2 proto tcp from any to 192.168.90.1/32 port = ftp-data flags S/FSRPAU keep state
pass out log quick on qfe2 proto tcp from any to any keep state
pass out log quick on qfe2 proto tcp from any to 192.168.90.1/32
pass out log quick on qfe2 all keep state
block in log quick from any to any with short
block in log from any to any with ipopts
pass in quick on lo0 all
block in on eri0 all
block in log on qfe2 all
pass in quick on eri0 proto udp from any to any port = domain
pass in quick on eri0 proto tcp from any to any port = domain
pass in quick on eri0 proto tcp from any to any port = ssh flags S/FSRPAU keep state
pass in log quick on qfe2 proto icmp from 192.168.90.0/24 to any keep state
pass in log quick on qfe2 proto tcp from 192.168.90.0/24 to any port = ftp flags S/FSRPAU keep state
pass in log quick on qfe2 proto tcp from 192.168.90.0/24 to 192.168.90.2/32 port = ssh flags S/FSRPAU keep state
pass in log quick on qfe2 proto tcp from 192.168.90.0/24 to any
pass in quick on eri0 proto tcp from any to 194.88.106.36/32 port = ssh flags S/FSRPAU keep state
# ipnat -slv
mapped in 2649 out 2411
added 1917 expired 0
no memory 0 bad nat 0
inuse 0
rules 2
wilds 0
table ffffffff7ffffc20 list 30000f52180
List of active MAP/Redirect filters:
rdr eri0 from any to 194.88.106.36/32 port = 9022 -> 192.168.90.1 port 22 tcp
map qfe2 from any to 192.168.90.1/32 port = 22 -> 192.168.90.2/32
List of active sessions:
List of active host mappings:
#
___________________________________________________
Having stated all this, what is it that I am trying to achieve and
what is the problem?
Starting out there on the Internet, I want to ssh 194.88.106.36 on
port 9022 with the intent of reaching 192.168.90.1 port 22.
The given configuration works, BUT only while I snoop on interface
eri0 of 194.88.106.36!?
When I stop snooping, so does the traffic from source to destination.
As soon as I restart snoop, traffic resumes.
I only intended to use snoop as a debugging tool, not as an integral
part of port forwarding.
Any idea out there?
Thanks,
Thierry
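The rdr/map pairing in the `ipnat -l` listing above is the part of such a setup that is easiest to get subtly wrong, so here is an added example (not from the original post) that parses that listing and checks that every rdr target is covered by a source-rewriting map on the inside interface, which is what keeps the target's replies flowing back through the gateway. The two-rule sample is constructed from the post; the function names and the `inside_if` parameter are my own.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the two rules from `ipnat -l` in the post,
# re-joined onto single lines (the list archive had wrapped them).
SAMPLE_IPNAT_L = """\
rdr eri0 from any to 194.88.106.36/32 port = 9022 -> 192.168.90.1 port 22 tcp
map qfe2 from any to 192.168.90.1/32 port = 22 -> 192.168.90.2/32
"""

# Common `ipnat -l` rule shapes; `port = N` on a map rule is optional.
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifn>\S+)\s+from\s+\S+\s+to\s+(?P<dst>\S+)\s+port\s*=\s*(?P<dport>\d+)"
    r"\s+->\s+(?P<tgt>\S+)\s+port\s+(?P<tport>\d+)(?:\s+(?P<proto>\S+))?\s*$")
MAP_RE = re.compile(
    r"^map\s+(?P<ifn>\S+)\s+from\s+\S+\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?"
    r"\s+->\s+(?P<newsrc>\S+)\s*$")

def _net(addr):
    """'any' matches everything; a bare host address becomes a /32."""
    return ip_network("0.0.0.0/0") if addr == "any" else ip_network(addr, strict=False)

def parse_ipnat(text):
    """Parse `ipnat -l` output into (kind, fields) tuples; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RDR_RE.match(line) or MAP_RE.match(line)
        if m:
            rules.append((line.split()[0], m.groupdict()))
    return rules

def rdr_return_paths(rules, inside_if):
    """For each rdr rule, find a map rule on inside_if that rewrites the source of
    traffic sent to the rdr target host and port. A missing map means the target
    may answer via another route and the reply is never un-NATed.
    Returns {rdr_index: matching_map_index or None}."""
    maps = [(j, r) for j, (kind, r) in enumerate(rules) if kind == "map"]
    result = {}
    for i, (kind, r) in enumerate(rules):
        if kind != "rdr":
            continue
        tgt, hit = _net(r["tgt"]), None
        for j, m in maps:
            if m["ifn"] != inside_if or not tgt.subnet_of(_net(m["dst"])):
                continue
            if m["dport"] is not None and m["dport"] != r["tport"]:
                continue
            hit = j
            break
        result[i] = hit
    return result
```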