ipfw/natd in 8.1

2010-05-28 Thread Casey Scott
Since a rebuild to FBSD 8.1, I can't get natd to function correctly. Below is 
my ipfw config. It closely follows the example in the Handbook.

http://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html (30.6.5.7 An 
Example NAT and Stateful Ruleset -- Ruleset #1)

firewall config (logging enabled temporarily while troubleshooting)

3 16133 2323153 allow ip from any to any via em0
4   672  144006 allow ip from any to any via lo0
00100965322 divert 8668 log ip from any to any in via fxp0
00101 0   0 check-state
00120644542 skipto 500 log udp from any to any out via fxp0 keep-state
00125   203   49916 skipto 500 log tcp from any to any out via fxp0 setup 
keep-state
00130262184 skipto 500 icmp from any to any out via fxp0 keep-state
00300 0   0 deny ip from 192.168.0.0/16 to any in via fxp0
00301 0   0 deny ip from 172.16.0.0/12 to any in via fxp0
00302 0   0 deny ip from 10.0.0.0/8 to any in via fxp0
00303 0   0 deny ip from 127.0.0.0/8 to any in via fxp0
00304 0   0 deny ip from 0.0.0.0/8 to any in via fxp0
00305 0   0 deny ip from 169.254.0.0/16 to any in via fxp0
00306 0   0 deny ip from 192.0.2.0/24 to any in via fxp0
00307 0   0 deny ip from 204.152.64.0/23 to any in via fxp0
00308 0   0 deny ip from 224.0.0.0/3 to any in via fxp0
00400101306 allow log udp from any to any dst-port 53,123 in keep-state
00401 0   0 allow log icmp from any to any icmptypes 0,3,11
00420 91112 allow log tcp from any to me dst-port 
20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20
0045024 876 deny log logamount 1 ip from any to any
00500   293   56642 divert 8668 log ip from any to any
0051078   21591 allow log ip from any to any
65535   262   18726 deny ip from any to any


/etc/natd.conf

use_sockets
same_ports
unregistered_only
interface fxp0


Natd only properly NATs the first packet out:

# /sbin/natd -v -f /etc/natd.conf
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
natd[10702]: Aliasing to 74.94.69.225, mtu 1500 bytes
Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
   [TCP] 74.94.69.225:61447 - 65.61.153.152:80
In  {default}[TCP]  [TCP] 65.61.153.152:80 - 74.94.69.225:61447 aliased to
   [TCP] 65.61.153.152:80 - 192.168.1.6:61447
In  {default}[TCP]  [TCP] 65.61.153.152:80 - 192.168.1.6:61447 aliased to
   [TCP] 65.61.153.152:80 - 192.168.1.6:61447
Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 - 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 - 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 - 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 - 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 - 65.61.153.152:80
In  {default}[TCP]  [TCP] 65.61.153.152:80 - 74.94.69.225:61447 aliased to
   [TCP] 65.61.153.152:80 - 192.168.1.6:61447
In  {default}[TCP]  [TCP] 65.61.153.152:80 - 192.168.1.6:61447 aliased to
   [TCP] 65.61.153.152:80 - 192.168.1.6:61447
Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 - 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 - 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 - 65.61.153.152:80
Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
   [TCP] 192.168.1.6:61447 - 65.61.153.152:80


I'm not sure why this happens!  Same config worked w/ FBSD 7x.


TIA,
Casey
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: ipfw/natd in 8.1

2010-05-28 Thread Коньков Евгений
Hello, Casey.

00300 0   0 deny ip from 192.168.0.0/16 to any in via fxp0
00301 0   0 deny ip from 172.16.0.0/12 to any in via fxp0
00302 0   0 deny ip from 10.0.0.0/8 to any in via fxp0
00303 0   0 deny ip from 127.0.0.0/8 to any in via fxp0
00304 0   0 deny ip from 0.0.0.0/8 to any in via fxp0
00305 0   0 deny ip from 169.254.0.0/16 to any in via fxp0
00306 0   0 deny ip from 192.0.2.0/24 to any in via fxp0
00307 0   0 deny ip from 204.152.64.0/23 to any in via fxp0
00308 0   0 deny ip from 224.0.0.0/3 to any in via fxp0
You can replace all of that with:
deny all from any to not me in recv fxp0

"in recv" and "in via" are very different things!



CS 00100965322 divert 8668 log ip from any to any in via fxp0
CS 00500   293   56642 divert 8668 log ip from any to any
What are you trying to do with these rules??? What you do is wrong.

They do different work in conjunction with keep-state and the other
rules in your firewall. Divide the logic in your firewall!

What is the one_pass option in your kernel?
kes# sysctl -a | grep one_pass
Maybe you have 1, but it must be 0.

CS 00420 91112 allow log tcp from any to me dst-port 
20,21,53,76,80,123,443 in via fxp0 setup limit src-addr 20
This rule will not pass packets to un-divert, I think, or it will have some
effect on the divert rule.

CS 0051078   21591 allow log ip from any to any
This rule is useless!!!

CS Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS    [TCP] 74.94.69.225:61447 - 65.61.153.152:80
CS In  {default}[TCP]  [TCP] 65.61.153.152:80 - 74.94.69.225:61447 aliased to
CS    [TCP] 65.61.153.152:80 - 192.168.1.6:61447
Before setup, all works fine.

After setup, your firewall fails. Established connections do not work.
CS In  {default}[TCP]  [TCP] 65.61.153.152:80 - 192.168.1.6:61447 aliased to
CS    [TCP] 65.61.153.152:80 - 192.168.1.6:61447
CS Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS    [TCP] 192.168.1.6:61447 - 65.61.153.152:80
CS Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS    [TCP] 192.168.1.6:61447 - 65.61.153.152:80
CS Out {default}[TCP]  [TCP] 192.168.1.6:61447 - 65.61.153.152:80 aliased to
CS    [TCP] 192.168.1.6:61447 - 65.61.153.152:80

Try to understand divert first, then try keep-state, setup, etc.

Good luck.

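The natd log in the first mail shows every inbound reply arriving at natd twice in a row (an "In" line that rewrites 74.94.69.225 to 192.168.1.6, immediately followed by an "In" line for a packet that already carries 192.168.1.6). The following Python model, added here as an illustration and not part of either mail or of the FreeBSD project, walks the quoted ruleset the way ipfw does and shows where that second divert comes from: the reply is diverted at rule 100, re-enters at 101, check-state matches the entry that rule 125 (a skipto 500 rule with keep-state) created for the outbound SYN, so the action taken is skipto 500, and rule 500 diverts the already-translated packet again. The model assumes net.inet.ip.fw.one_pass=0, the value the reply asks for, so a packet written back by natd re-enters at the rule after the divert; the natd stub only masquerades LAN sources behind the log's external address and maps replies back by port; the addresses and ports are the ones in the log. The second variant, where rule 500 is narrowed to "out via fxp0", is an illustrative comparison chosen for this example, not advice from the thread, and the model does not try to explain why the later outbound packets in the log leave untranslated.

```python
"""Model of the ipfw evaluation path for the ruleset quoted in this thread.
Constructed example: models four ipfw behaviours the Handbook NAT ruleset
relies on (first match wins; skipto N resumes at the first rule >= N; divert
hands the packet to natd and, with one_pass=0, the written-back packet
re-enters at the next rule; check-state runs the action of the rule whose
keep-state created the matching dynamic entry)."""
from dataclasses import dataclass, replace

ALIAS_IP = "74.94.69.225"   # external address from the natd log in the thread
LAN_IP = "192.168.1.6"      # internal host from the natd log in the thread
REMOTE = "65.61.153.152"    # remote web server from the natd log in the thread
KEEP_STATE = {120, 125}     # rules carrying keep-state in the quoted listing


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    direction: str = "out"   # "in" or "out" relative to the firewall host
    iface: str = "fxp0"
    setup: bool = False      # TCP SYN without ACK, what ipfw calls "setup"


def flow_key(p):
    """Direction-independent key for the dynamic (keep-state) table."""
    return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))


class NatdStub:
    """Stand-in for natd (assumption): masquerades 192.168.x sources behind
    ALIAS_IP and maps replies back by port, like natd's same_ports."""

    def __init__(self):
        self.links = {}  # alias port -> LAN address

    def translate(self, p):
        if p.direction == "out" and p.src.startswith("192.168."):
            self.links[p.sport] = p.src
            return replace(p, src=ALIAS_IP)
        if p.direction == "in" and p.dst == ALIAS_IP and p.dport in self.links:
            return replace(p, dst=self.links[p.dport])
        return p  # nothing to translate: natd writes the packet back unchanged


def ruleset(divert500_out_only=False):
    """Subset of the quoted ruleset as (number, action, argument, predicate).
    divert500_out_only=True narrows rule 500 to 'out via fxp0' (illustrative
    variant for comparison, not something the thread proposes)."""
    def in_fxp0(p): return p.direction == "in" and p.iface == "fxp0"
    def out_fxp0(p): return p.direction == "out" and p.iface == "fxp0"
    def anything(p): return True
    def udp_in_53_123(p): return p.proto == "udp" and in_fxp0(p) and p.dport in (53, 123)
    return [
        (100, "divert", 8668, in_fxp0),
        (101, "check-state", None, anything),
        (120, "skipto", 500, lambda p: p.proto == "udp" and out_fxp0(p)),
        (125, "skipto", 500, lambda p: p.proto == "tcp" and out_fxp0(p) and p.setup),
        (400, "allow", None, udp_in_53_123),
        (450, "deny", None, anything),
        (500, "divert", 8668, out_fxp0 if divert500_out_only else anything),
        (510, "allow", None, anything),
        (65535, "deny", None, anything),
    ]


def evaluate(p, rules, dyn, natd):
    """Walk the rules for one packet; returns (verdict, final packet, trace)."""
    trace, i = [], 0
    while i < len(rules):
        num, action, arg, match = rules[i]
        if not match(p):
            i += 1
            continue
        if action == "check-state":
            creator = dyn.get(flow_key(p))
            if creator is None:
                i += 1
                continue
            # check-state executes the action of the rule that created the entry
            num, action, arg, match = next(r for r in rules if r[0] == creator)
            trace.append(f"101 check-state -> action of rule {num}")
        elif num in KEEP_STATE:
            dyn[flow_key(p)] = num
        if action in ("allow", "deny"):
            trace.append(f"{num} {action}")
            return action, p, trace
        if action == "skipto":
            trace.append(f"{num} skipto {arg}")
            i = next(k for k, r in enumerate(rules) if r[0] >= arg)
            continue
        trace.append(f"{num} divert {arg}: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        p = natd.translate(p)   # one_pass=0: re-enter at the next rule
        i += 1
    raise RuntimeError("fell off the end of the ruleset")


def run_exchange(divert500_out_only=False):
    """Outbound SYN from the LAN host, then the server's reply. Returns, per
    packet, the verdict, the translated address and the number of diverts."""
    rules, dyn, natd = ruleset(divert500_out_only), {}, NatdStub()
    v1, syn, t1 = evaluate(Packet(LAN_IP, 61447, REMOTE, 80, setup=True), rules, dyn, natd)
    v2, rep, t2 = evaluate(Packet(REMOTE, 80, ALIAS_IP, 61447, direction="in"), rules, dyn, natd)
    def diverts(t): return sum(1 for line in t if " divert " in line)
    return {"syn": (v1, syn.src, diverts(t1)), "reply": (v2, rep.dst, diverts(t2)),
            "trace": t1 + t2}


if __name__ == "__main__":
    for variant in (False, True):
        r = run_exchange(variant)
        print("rule 500 out-only:" if variant else "quoted ruleset:", r["syn"], r["reply"])
        print("\n".join("  " + line for line in r["trace"]))
```

Running it prints the path each packet takes. With the quoted ruleset the reply's trace reads 100 divert, 101 check-state, 125 skipto 500, 500 divert, 510 allow: two divert passes, matching the paired "In" lines in the log. With rule 500 narrowed to outbound traffic the reply is diverted once and still reaches 510. The practical lesson is the reply's point about dividing the logic: a divert rule placed after a skipto target is reached by every packet that check-state sends there, in both directions.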