From owner-freebsd-questions Wed Jul 25 0:44:25 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mta01-svc.ntlworld.com (mta01-svc.ntlworld.com [62.253.162.41]) by hub.freebsd.org (Postfix) with ESMTP id 6F6BD37B403 for ; Wed, 25 Jul 2001 00:44:16 -0700 (PDT) (envelope-from mikescott@clara.net)
Received: from data.scotts ([213.104.70.121]) by mta01-svc.ntlworld.com (InterMail vM.4.01.02.27 201-229-119-110) with ESMTP id <20010725074414.HSUS351.mta01-svc.ntlworld.com@data.scotts> for ; Wed, 25 Jul 2001 08:44:14 +0100
Received: from picard (picard.scotts [192.168.0.2]) by data.scotts (8.11.3/8.11.3) with ESMTP id f6P7i6f05293 for ; Wed, 25 Jul 2001 08:44:07 +0100 (BST)
From: mikescott@clara.net
Organization: scott family
To: freebsd-questions@FreeBSD.ORG
Date: Wed, 25 Jul 2001 08:44:04 +0100
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: problems mixing ipfw, nat and ppp
Reply-To: mikescott@clara.net
Message-ID: <3B5E86D4.3499.73FB5A@localhost>
X-mailer: Pegasus Mail for Win32 (v3.12c)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.ORG

I think I must be missing something incredibly obvious on this one -- if
anyone can spot it, I'd be very grateful!

It looks to me as though natd's address translation is inconsistent
between inbound and outbound traffic, causing problems with dynamic rules
in the firewall.

I'm using FreeBSD 4.3-stable as a dial-up gateway machine for a small lan
with some windows machines on it. The machine runs ppp (user mode), plus
natd and ipfw. (I know I could use ppp's internal nat code; but I've half
an eye on moving to cable modem and would like to get the firewall sorted
now, also I want to learn about this anyway.)

natd is running with switches -dynamic and -t 192.168.0.254.

ppp is running with just -auto, and its config file doesn't enable
aliasing.

The gateway machine has local address 192.168.0.1, external address
variable of course, but of the form 213.x.x.x.

For testing purposes, from windows m/c 192.168.0.2, I run
"telnet 195.8.69.79 119", and wait for the news-server response.

With the following ipfw config fragment, culled from various sources,

    # divert packets through the tunnel interface
    $fwcmd add divert natd all from any to any via tun0
    ...
    # allow anything I start up (THIS FAILS!)
    # allow connections to continue once made
    $fwcmd add check-state
    $fwcmd add deny log tcp from any to any established
    $fwcmd add allow log tcp from any to any out via tun0 setup keep-state

I get the following typical failures happening (please excuse awkward
line-wrapping):

    data# ipfw zero
    Accounting cleared.

(Check counts are indeed zero, no dynamic rules in place. Then try telnet
session.)

    data# ipfw show
    00100    15     882 divert 8668 ip from any to any via tun0
    00200     0       0 allow ip from any to any via lo0
    00300   405  102963 allow ip from any to any via ed0
    00400     0       0 unreach port log logamount 100 tcp from any to any 113 in recv tun0
    00500     0       0 check-state
    00600     8     344 deny log logamount 100 tcp from any to any established
    00700     4     192 allow log logamount 100 tcp from any to any keep-state out xmit tun0 setup
    00800     1     210 allow udp from any 53 to any in recv tun0
    00900     1      60 allow udp from any to any 53 out xmit tun0
    01000     1      76 allow udp from any 123 to any 123 via tun0
    65435     0       0 allow icmp from any to any
    65435     0       0 deny log logamount 100 ip from any to any
    65535     0       0 deny ip from any to any
    ## Dynamic rules:
    00700     3     144 (T 5, # 86) ty 0 tcp, 213.104.70.121 1041 <-> 195.8.69.73 119

(Note that the dynamic rule shows the external IP address, where I would
have expected the internal address.)

The security log contains:

    Jul 25 08:26:00 data /kernel: ipfw: Accounting cleared.
    Jul 25 08:26:39 data /kernel: ipfw: 700 Accept TCP 213.104.70.121:1041 195.8.69.73:119 out via tun0
                                                      ^^^^ Note the external address
    Jul 25 08:26:39 data /kernel: ipfw: 600 Deny TCP 195.8.69.73:119 192.168.0.2:1041 in via tun0
                                                                     ^^^^ Note the internal address
    Jul 25 08:26:39 data /kernel: ipfw: 700 Accept TCP 213.104.70.121:1041 195.8.69.73:119 out via tun0
    Jul 25 08:26:39 data /kernel: ipfw: 600 Deny TCP 195.8.69.73:119 192.168.0.2:1041 in via tun0
    (and so on...)

The connection of course hangs.

It looks as though the firewall takes note of the natted address for
inbound traffic, but the dial-up address outbound, so the dynamic rule
won't work.

I hope I'm missing something obvious, and would be very grateful for any
pointers.

Thanks in advance!

-- 
various incoming sites blocked because of spam: see
www.mikescott.clara.net for a list
mikescott@clara.net        Mike Scott        aka mikeascott@ntlworld.com
Harlow Essex England

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
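The behaviour in the post follows from rule order: the divert rule at 100 runs before the keep-state rule, so the outbound SYN is already translated to the tun0 address when the dynamic rule is created, while the inbound SYN/ACK is translated back to 192.168.0.2 by the same divert before check-state looks at it, and the two keys never match. Below is an added example (not code from the post, from natd or from ipfw) that imitates ipfw's rule walk just enough to replay the two packets against the posted order and against a reordered set built the way the FreeBSD Handbook's ipfw/natd example is laid out: inbound divert ahead of check-state, outbound divert placed after the keep-state rules via skipto. The addresses are those in the post; the rule numbers 101, 150, 450, 500 and 510 in the reordered set, and natd keeping the source port unchanged, are assumptions made for the model.

```python
# Miniature model of ipfw rule processing with a natd divert, keep-state and
# check-state. Constructed example: it is not ipfw's or natd's code.

EXT_ADDR = "213.104.70.121"   # address ppp obtained on tun0 (from the post)
LAN_HOST = "192.168.0.2"      # the Windows box behind the gateway
NEWS = "195.8.69.73"          # the news server seen in the ipfw log


def natd(pkt, aliases):
    """Imitate natd on tun0: outbound LAN sources take the tun0 address,
    inbound packets to an aliased port are mapped back to the LAN host.
    Assumption: the source port is kept unchanged by the alias."""
    if pkt["dir"] == "out" and pkt["src"] != EXT_ADDR:
        aliases[pkt["sport"]] = (pkt["src"], pkt["sport"])
        pkt["src"] = EXT_ADDR
    elif pkt["dir"] == "in" and pkt["dst"] == EXT_ADDR and pkt["dport"] in aliases:
        pkt["dst"], pkt["dport"] = aliases[pkt["dport"]]


def flow_key(pkt):
    """A dynamic rule matches either direction of the same two endpoints."""
    return frozenset({(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])})


def matches(rule, pkt):
    """Static match on direction and the TCP 'setup'/'established' options."""
    if rule.get("dir") not in (None, pkt["dir"]):
        return False
    if rule.get("tcp") == "setup" and pkt["flags"] != {"SYN"}:
        return False
    if rule.get("tcp") == "established" and not (pkt["flags"] & {"ACK", "RST"}):
        return False
    return True


def evaluate(rules, pkt, dyn, aliases):
    """Walk the rule list for one packet: a divert hands the packet to natd and
    resumes at the next rule, check-state consults the dynamic table,
    keep-state adds to it. Returns (rule number, verdict)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if r["action"] == "check-state":
            if flow_key(pkt) in dyn:
                return (r["num"], "allow")   # parent rule was an allow
            i += 1
            continue
        if not matches(r, pkt):
            i += 1
            continue
        if r["action"] == "divert":
            natd(pkt, aliases)               # packet is reinjected after this rule
            i += 1
            continue
        if r.get("keep_state"):
            dyn.add(flow_key(pkt))           # keyed on the addresses seen here
        if r["action"] == "skipto":
            i = next(j for j, x in enumerate(rules) if x["num"] >= r["target"])
            continue
        return (r["num"], r["action"])
    return (65535, "deny")


# The order from the post: one divert for both directions ahead of everything.
POSTED = [
    {"num": 100, "action": "divert"},
    {"num": 500, "action": "check-state"},
    {"num": 600, "action": "deny", "tcp": "established"},
    {"num": 700, "action": "allow", "dir": "out", "tcp": "setup", "keep_state": True},
    {"num": 65535, "action": "deny"},
]

# Reordered in the style of the Handbook's ipfw/natd example (rule numbers are
# assumed): inbound divert before check-state, outbound divert after keep-state.
REORDERED = [
    {"num": 100, "action": "divert", "dir": "in"},
    {"num": 101, "action": "check-state"},
    {"num": 150, "action": "skipto", "target": 500, "dir": "out", "tcp": "setup", "keep_state": True},
    {"num": 450, "action": "deny"},
    {"num": 500, "action": "divert", "dir": "out"},
    {"num": 510, "action": "allow"},
    {"num": 65535, "action": "deny"},
]


def telnet_to_news(rules):
    """Replay the first two packets of the post's test: SYN out from the LAN box,
    SYN/ACK back from the news server. Returns both verdicts and the addresses
    the dynamic rule ended up keyed on."""
    dyn, aliases = set(), {}
    syn = {"src": LAN_HOST, "sport": 1041, "dst": NEWS, "dport": 119,
           "dir": "out", "flags": {"SYN"}}
    out_verdict = evaluate(rules, syn, dyn, aliases)
    synack = {"src": NEWS, "sport": 119, "dst": EXT_ADDR, "dport": 1041,
              "dir": "in", "flags": {"SYN", "ACK"}}
    in_verdict = evaluate(rules, synack, dyn, aliases)
    keyed_on = sorted(addr for addr, _port in next(iter(dyn)))
    return out_verdict, in_verdict, keyed_on


if __name__ == "__main__":
    for name, rules in (("posted order", POSTED), ("reordered", REORDERED)):
        print(name, telnet_to_news(rules))
```

With the posted order the model reproduces the log exactly: rule 700 accepts the SYN and keys the dynamic rule on 213.104.70.121, then rule 600 denies the returning SYN/ACK because check-state at 500 saw 192.168.0.2. With the reordered set both directions are keyed on the LAN address and the SYN/ACK is admitted by check-state.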