From owner-freebsd-ipfw@FreeBSD.ORG Wed Feb 4 22:16:09 2015 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 38DF3502; Wed, 4 Feb 2015 22:16:09 +0000 (UTC) Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [IPv6:2a01:4f8:131:60a2::2]) by mx1.freebsd.org (Postfix) with ESMTP id F1792E74; Wed, 4 Feb 2015 22:16:08 +0000 (UTC) Received: from [IPv6:2001:470:923f:2:c806:d810:44dc:8c6f] (unknown [IPv6:2001:470:923f:2:c806:d810:44dc:8c6f]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPSA id 7F6D25C002; Thu, 5 Feb 2015 01:15:56 +0300 (MSK) Message-ID: <54D29A21.2080006@FreeBSD.org> Date: Thu, 05 Feb 2015 01:16:01 +0300 From: Lev Serebryakov Reply-To: lev@FreeBSD.org Organization: FreeBSD User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org Subject: does "nat redirect_port tcp" works for you on -CURRENT? Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Feb 2015 22:16:09 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I have such rules in my firewall: nat 9 config redirect_port tcp 192.168.134.2:16881 16881 redirect_port udp 192.158.134.2:16881 16881 redirect_port tcp 192.168.134.2:22 22222 nat 1 config ip $EXT_IP same_ports ... // Packets from outer world 11040 nat 9 // Redirection? 11050 nat 1 dst-ip $EXT_IP // De-NAT what should be de-NATed (not redirected by previous) 11060 check-state 11070 skipto 30000 // Allowed local services - common block ... ... 30030 allow proto tcp dst-ip 192.168.134.2 dst-port 22 setup keep-state 30040 allow proto tcp dst-ip 192.168.134.2 dst-port 16881 setup keep-state 30050 allow proto udp dst-ip 192.168.134.2 dst-port 16881 keep-state ... And looks like TCP redirection doesn't work. Counters on rules 30030 and 30040 is strictly zero and "ssh -p 22222 $EXT_IP" (from external host) doesn't work. Rule 30050 (udp one) HAS counters increased, but what is REALLY strange, is that 11040 and 11050 (two NAT actions) always have SAME counters, as if 11040 never change destination address. Nut 30050 sees some packets! Is "nat redirect_port tcp" broken in -CURRENT or do I do something wrong? - -- // Lev Serebryakov AKA Black Lion -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQJ8BAEBCgBmBQJU0pohXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePjNkP/3msSEuRm6RWuGGVqIddHzki k2oh5YfbjfXC6hP4XumouqHojbHoHfNqv6yOet31xFwscnX71Q7LVSTF95jhbu9J jJrF2PDkPh+d6XagtuLaAHBvG3PRS61vgW9kl00/IiiemPfA/r10vcXz1TixdLgB bI/N0OFQyz9YXwWWEwZNywAOLaUTYD1FM2F5FtbwGvedlhBcmC08h1D5M1Vk2mF5 P/2ZocAECUeRPW5/JRg6kcnA3nJ8CVJr08I1IqQEsaQifRAOFfYcVSdb9DbK5Hms z6nVaJSwi6D1QtxR4x3BNoqGD8o3oc5YWW8obsV6uYzxfZcew2OoyiRgTMDuoBho 73q6WmUlvlvFB1PCOCGr8YxzHPpQZ7KP8NMKoSM8CiAT0/n5qY9CJGOxcf2Q4EEv tErw/TkjAXmzxGDj0ZZBjjvWE7kIhSk9HgXfzF3XL3FasmcV5Iu+JeSswlPtpHyD RCfB84rUcjmldpGZVs9OXD3+jJpY2JaXNrDmdM7elVr9d/CvM1IDkm62N9b9Pqjr uE4VKyipVrbsb06INchz9Gg5D1LhTbBCWoB6mo/5F1dYBkpSqezVUMsibcKvLbeR 9cBkL+iQif1Q8TmfIMYBwbqcfIx6MhbOxhtAiHR3QECc1IJ6Vn3/hrcVzB/PXc4Y SQU7uy3TpJH320nN1BDV =aAlm -----END PGP SIGNATURE-----