Date:      Thu, 15 Jul 2010 19:12:40 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Mamontov Roman <mr.xanto@gmail.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Problem with ipfw nat and packet to local services
Message-ID:  <20100715183743.S86988@sola.nimnet.asn.au>
In-Reply-To: <1931583025.20100715114512@gmail.com>
References:  <1931583025.20100715114512@gmail.com>

On Thu, 15 Jul 2010, Mamontov Roman wrote:
 > Hello, freebsd-ipfw.
 > 
 > I am trying to use ipfw nat with these rules:
 > 
 > 00035  138  10242 nat 1 log ip from any to any via ext_if1
 > 65000 6823 689594 allow ip from any to any
 > 65535  170  13629 deny ip from any to any
 > 
 > ipfw nat 1 config ip xxx.xxx.xxx.xxx deny_in same_ports unreg_only
 > redirect_port udp 192.168.54.50:417 417 redirect_port tcp 192.168.54.50:417 417
 > redirect_port tcp 192.168.2.19:3233 3233 redirect_port udp 192.168.2.19:416 416
 > redirect_port tcp 192.168.2.19:416 416 redirect_port udp 192.168.2.18:415 415
 > redirect_port tcp 192.168.2.18:415 415 redirect_port udp 192.168.2.17:414 414
 > redirect_port tcp 192.168.2.17:414 414 redirect_port udp 192.168.2.16:413 413
 > redirect_port tcp 192.168.2.16:413 413 redirect_port tcp 192.168.2.15:3232 3232
 > redirect_port udp 192.168.2.15:412 412 redirect_port tcp 192.168.2.15:412 412
 > 
 > Packets from the local network and from this box to the outside network pass correctly.
 > But packets from the outside network to services (udp, icmp, tcp) on this box do not pass.
 > 
 > In /var/log/security:
 > Jul 15 11:34:12 kernel: ipfw: 35 Nat UDP yyy.yyy.yyy.yyy:36129 xxx.xxx.xxx.xxx:33564 in via ext_if1
 > 
 > In tcpdump output:
 > 11:34:17.239509 IP yyy.yyy.yyy.yyy.36129 > xxx.xxx.xxx.xxx.33565: UDP, length 12

UDP port 33564 on this box (xxx.xxx.xxx.xxx) is not redirected to any 
other address:port, and you have specified deny_in (-deny_incoming in 
natd-speak) so, well, you got what you asked for ..

See the description under -deny_incoming and the explanation of what 
happens to incoming packets under -alias_address in natd(8) .. the nat 
description in ipfw(8) is still a bit thin, so natd(8) is still useful.

Without deny_in, new inbound packets should be passed to the local 
machine - so you will then need firewall rules to restrict which local 
ports are to be accessible for connections from the outside.

cheers, Ian

 > solution# kldstat
 > Id Refs Address    Size     Name
 >  1   20 0xc0400000 7ad380   kernel
 >  2    1 0xc0bae000 19654    geom_mirror.ko
 >  3    1 0xc0bc8000 3148     alias_ftp.ko
 >  4    1 0xc2d1b000 4000     ng_mppc.ko
 >  5    1 0xc2d1f000 2000     rc4.ko
 >  6    1 0xc303a000 5000     ng_ksocket.ko
 >  7    1 0xc303f000 3000     ng_tee.ko
 >  8    1 0xc3042000 7000     ng_ppp.ko
 > 
 > solution# uname -r
 > 8.1-PRERELEASE
 > 
 > solution# sysctl net.inet.ip.forwarding
 > net.inet.ip.forwarding: 1
 > 
 > Do I have some mistake in my firewall rules? Any ideas?
 > 
 > -- 
 > Best regards,
 >  Mamontov Roman                          mailto:mr.xanto@gmail.com