From: Jim Hatfield
To: freebsd-questions@freebsd.org
Date: Thu, 16 Mar 2006 17:27:00 +0000
Subject: Interaction between mpd and ipfilter/ipnat
Message-ID: <44199FE4.6060705@insignia.com>

I have a FreeBSD firewall which does packet filtering and NAT.
The internal address range is 172.16.64.0/24. The only filtering is incoming on the external NIC, fxp0. The machine also runs mpd for remote access.

By pure chance I was tailing ipf.log when I connected an XP laptop to the mpd service, and immediately I saw these:

> Mar 16 16:57:41 inchgower ipmon[61]: 16:57:40.923619 fxp0 @0:2 b 172.16.64.168,137 -> 172.16.64.200,137 PR udp len 20 96 IN
> Mar 16 16:57:42 inchgower ipmon[61]: 16:57:42.425811 fxp0 @0:2 b 172.16.64.168,137 -> 172.16.64.200,137 PR udp len 20 96 IN

172.16.64.168 is the address given out by mpd to the laptop. 172.16.64.200 is the Active Directory Domain Controller.

I'm confused as to why ipf is seeing these packets coming in on fxp0. Surely what comes in is the GRE packet to the external NIC's address; this is then decapsulated and the embedded packet routed on. Why does ipf even see it, let alone block it? I would expect the source interface to be ng0, not fxp0.

From the laptop I can ping and connect to internal machines, so most packets are not being blocked in this way.

tcpdump also sees the packets coming in on fxp0, but I'm not convinced they are. I guess I can only really tell if I get the switch to copy packets to another port and monitor from there.