Date:      Mon, 13 Jan 2020 21:09:25 -0500
From:      Paul Procacci <pprocacci@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Stateful NAT w/ record-state
Message-ID:  <CAFbbPug7s8%2BhS2UfudAytpo4sirFXYGREiHKH2Qiu=qiCbsMUQ@mail.gmail.com>
In-Reply-To: <CAFbbPuhGBEMCyexxQiareD6txd4Ehoq2WQWxw%2BO5hio_Out92g@mail.gmail.com>
References:  <CAFbbPuhGBEMCyexxQiareD6txd4Ehoq2WQWxw%2BO5hio_Out92g@mail.gmail.com>

Welp,

I ended up using an intermediary (nginx) to proxy the request.
I would have liked to avoid passing packets to userland though.
If anyone finds this, and knows anything about the record-state keyword and
knows how to use it "properly", I'd love to hear about it.

Take care

On Mon, Jan 13, 2020 at 1:47 AM Paul Procacci <pprocacci@gmail.com> wrote:

> In an attempt to set up stateful NAT with a new (to me) feature
> (record-state), I'm running into difficulties with return packets getting
> denied when attempting to leave my primary interface.
>
> My bad ascii diagram:
>
>                       In Kernel Nat/Firewall
>                         /---------------------\
> +--------+     +-------+    +-----+    +-------+    +-------+
> | Client | --- |  igb0 | --- | Nat | --- | igb1 | --- | Host |
> +--------+     +-------+    +-----+    +-------+    +-------+
>
> Requests originate from "client", come in via "igb0", get passed to "nat",
> leave "igb1" reaching host .... no problem.
> The response leaving "host", come in via "igb1", get passed to "nat", and
> get clobbered by ipfw's deny rule (see below).
>
> # sysctl net.inet.ip.fw.one_pass
> net.inet.ip.fw.one_pass: 0
>
> I've separated my ruleset (below) into chunks to hopefully make it easier on
> the eyes.
> Note: this is only the pertinent parts of my ruleset.
>
> Rules 91-99 : Dispatch table
> Rules 3000-3499 : ip_output
> Rules 50099-* : ip_input
>
> #####################################################
> 00001 reass
> 00092 skipto 50000 not layer2 in
> 00093 skipto 3000 not layer2 out recv *
> 00094 skipto 3500 not layer2 out // not recv *
> 00099 deny // first-stage dispatch problem
>
> 03000 nat 1 ip from any to any out via igb0
> 03001 check-state :outside
> 03499 deny log ip from any to any // ip_output -- forwarded
>
> 50099 allow tcp from any to me 8765 recv igb0 setup record-state :outside defer-immediate-action
> 50100 nat 1 ip from any to me in via igb0
> 50101 allow tcp from any to 192.168.70.2 8765 in via igb0 setup keep-state :outside
> 59999 deny log ip from any to any // ip_input -- DENY remaining
> #####################################################
>
> ** I expect rule 50099 to record the state of "client -> igb0" in the
> state table (ip_input)
> ** I expect rule 3001 to validate the state entered in rule 50099 however
> it is getting caught by rule 3499
>
> Pertinent dynamic rules:
>
> 50101      3      156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
> 50099      6      613 (1s) STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside
>
>
> It would seem to me I have everything where it needs to be to get this
> working, but for some reason, it simply isn't.
>
> Thanks for the help in advance.
>
> __________________
>
> :(){ :|:& };:
>


-- 
__________________

:(){ :|:& };:
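The dynamic-rule listing quoted in the post shows two state entries for the same client socket, one keyed on the pre-NAT address 192.168.1.31 (rule 50099) and one on the post-NAT address 192.168.70.2 (rule 50101). The following added example (not the poster's code, and not part of ipfw) parses lines in the `ipfw -d list` format exactly as they appear in the post and reports any flow name in which one remote endpoint is tracked against more than one local address. The two sample lines are the post's own entries, re-joined after mail wrapping; the column layout and the left-endpoint-first reading of each entry are assumptions taken from that output, not from ipfw documentation.

```python
import re
from collections import defaultdict

# Constructed sample input: the two dynamic-rule lines from the post, re-joined
# after mail-client wrapping. Layout assumed from that output as quoted.
SAMPLE_DYN = """\
50101      3      156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
50099      6      613 (1s) STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside
"""

# rule pkts bytes (lifetime s) STATE proto addr port <-> addr port [:flowname]
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<life>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<left>\S+)\s+(?P<lport>\d+)\s+<->\s+(?P<right>\S+)\s+(?P<rport>\d+)"
    r"(?:\s+(?P<flow>:\S+))?\s*$"
)


def parse_dyn(text):
    """Parse dynamic-rule lines; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "rule": int(d["rule"]),
            "pkts": int(d["pkts"]),
            "bytes": int(d["bytes"]),
            "life": int(d["life"]),          # remaining lifetime in seconds
            "proto": d["proto"],
            "left": (d["left"], int(d["lport"])),    # endpoint printed first
            "right": (d["right"], int(d["rport"])),  # endpoint printed second
            "flow": d["flow"] or ":default",          # assumed label when none printed
        })
    return entries


def find_split_states(entries):
    """Group entries by (flow, proto, left endpoint, right port) and return the
    groups whose right-hand address differs between entries, i.e. one peer
    socket tracked against more than one local address in the same flow."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["flow"], e["proto"], e["left"], e["right"][1])].append(e)
    split = []
    for key, es in groups.items():
        right_addrs = sorted({e["right"][0] for e in es})
        if len(right_addrs) > 1:
            split.append((key, right_addrs, sorted(e["rule"] for e in es)))
    return split


if __name__ == "__main__":
    found = find_split_states(parse_dyn(SAMPLE_DYN))
    for (flow, proto, left, rport), addrs, rules in found:
        print(f"{flow} {proto} {left[0]}:{left[1]} -> port {rport} "
              f"tracked against {addrs} by rules {rules}")
```

Running it on the sample prints a single line for flow `:outside`, naming 192.168.1.31 and 192.168.70.2 from rules 50099 and 50101. To use it on a live box, feed it the output of `ipfw -d list` instead of the constructed string.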