From: Ian Smith <smithi@nimnet.asn.au>
To: Mamontov Roman
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 15 Jul 2010 19:12:40 +1000 (EST)
Subject: Re: Problem with ipfw nat and packet to local services
Message-ID: <20100715183743.S86988@sola.nimnet.asn.au>
In-Reply-To: <1931583025.20100715114512@gmail.com>

On Thu, 15 Jul 2010, Mamontov Roman wrote:

> Hello, freebsd-ipfw.
>
> I try to use ipfw nat with these rules:
>
> 00035 138 10242 nat 1 log ip from any to any via ext_if1
> 65000 6823 689594 allow ip from any to any
> 65535 170 13629 deny ip from any to any
>
> ipfw nat 1 config ip xxx.xxx.xxx.xxx deny_in same_ports unreg_only
> redirect_port udp 192.168.54.50:417 417 redirect_port tcp 192.168.54.50:417 417
> redirect_port tcp 192.168.2.19:3233 3233 redirect_port udp 192.168.2.19:416 416
> redirect_port tcp 192.168.2.19:416 416 redirect_port udp 192.168.2.18:415 415
> redirect_port tcp 192.168.2.18:415 415 redirect_port udp 192.168.2.17:414 414
> redirect_port tcp 192.168.2.17:414 414 redirect_port udp 192.168.2.16:413 413
> redirect_port tcp 192.168.2.16:413 413 redirect_port tcp 192.168.2.15:3232 3232
> redirect_port udp 192.168.2.15:412 412 redirect_port tcp 192.168.2.15:412 412
>
> Packets from the local network and from this box to the outside network go through correctly.
> But packets from the outside network to services (udp, icmp, tcp) on this box do not pass.
>
> In /var/log/security:
> Jul 15 11:34:12 kernel: ipfw: 35 Nat UDP yyy.yyy.yyy.yyy:36129 xxx.xxx.xxx.xxx:33564 in
> via ext_if1
>
> In tcpdump output:
> 11:34:17.239509 IP yyy.yyy.yyy.yyy.36129 > xxx.xxx.xxx.xxx.33565: UDP, length 12

UDP port 33564 on this box (xxx.xxx.xxx.xxx) is not redirected to any other
address:port, and you have specified deny_in (-deny_incoming in natd-speak)
so, well, you got what you asked for ..

See the description under -deny_incoming and the explanation of what happens
to incoming packets under -alias_address in natd(8) .. the nat description in
ipfw(8) is still a bit thin, so natd(8) is still useful.

Without deny_in, new inbound packets should be passed to the local machine -
so you will then need firewall rules to restrict which local ports are to be
accessible for connections from the outside.

cheers, Ian

> solution# kldstat
> Id Refs Address Size Name
> 1 20 0xc0400000 7ad380 kernel
> 2 1 0xc0bae000 19654 geom_mirror.ko
> 3 1 0xc0bc8000 3148 alias_ftp.ko
> 4 1 0xc2d1b000 4000 ng_mppc.ko
> 5 1 0xc2d1f000 2000 rc4.ko
> 6 1 0xc303a000 5000 ng_ksocket.ko
> 7 1 0xc303f000 3000 ng_tee.ko
> 8 1 0xc3042000 7000 ng_ppp.ko
>
> solution# uname -r
> 8.1-PRERELEASE
>
> solution# sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding: 1
>
> Do I have some mistake in my firewall rules? Any idea?
>
> --
> Best regards,
> Mamontov Roman mailto:mr.xanto@gmail.com
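The approach Ian describes (drop deny_in, then restrict which local ports the outside may reach with explicit rules) as an added rc.firewall-style script; this is not code from the thread or from FreeBSD itself. It keeps the poster's ext_if1, the xxx.xxx.xxx.xxx placeholder and the 192.168.54.50:417 redirects; exposing only ssh (port 22), the DNS-reply rule and all rule numbers other than 35 and 65000 are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): nat without deny_in, followed by rules
# that decide which local services the outside may reach.
# Assumptions: ext_if1 is the outside interface, xxx.xxx.xxx.xxx stands for
# the real public address, and ssh (22) is the only local service we expose.
# Needs net.inet.ip.fw.one_pass=0: with the default of 1 a packet is accepted
# straight after the nat action and the filtering rules below never see it.

ext_if="${EXT_IF:-ext_if1}"
pub_ip="${PUB_IP:-xxx.xxx.xxx.xxx}"   # placeholder, replace with the real address

# Run every rule through $1: /sbin/ipfw to apply, "echo" to preview.
build_ruleset() {
    fwcmd="$1"
    $fwcmd -f flush
    # No deny_in: inbound packets that match no redirect or translation are
    # handed to the local host (natd(8) -alias_address behaviour), so they
    # must be filtered by the rules after the nat action.
    $fwcmd nat 1 config ip "$pub_ip" same_ports unreg_only \
        redirect_port udp 192.168.54.50:417 417 \
        redirect_port tcp 192.168.54.50:417 417
    $fwcmd add 35 nat 1 ip from any to any via "$ext_if"
    # Outbound traffic (already translated) leaves freely.
    $fwcmd add 100 allow ip from any to any out via "$ext_if"
    # Inbound, after translation: replies to our own sessions (stateless,
    # rc.firewall style), the redirected LAN services, and the one local
    # service we expose. Everything else from outside is logged and dropped
    # before it can reach a listening local socket such as UDP 33564.
    $fwcmd add 200 allow tcp from any to any in via "$ext_if" established
    $fwcmd add 205 allow udp from any 53 to any in via "$ext_if"
    $fwcmd add 210 allow tcp from any to "$pub_ip" 22 in via "$ext_if" setup
    $fwcmd add 220 allow icmp from any to any in via "$ext_if" icmptypes 0,3,8,11
    $fwcmd add 230 allow udp from any to 192.168.54.50 417 in via "$ext_if"
    $fwcmd add 240 allow tcp from any to 192.168.54.50 417 in via "$ext_if"
    $fwcmd add 400 deny log ip from any to any in via "$ext_if"
    # LAN-side and loopback traffic, as in the poster's rule 65000.
    $fwcmd add 65000 allow ip from any to any
}

# "sh nat_rules.sh" prints the rules; "sh nat_rules.sh apply" loads them
# (as root, on the FreeBSD box).
case "${1:-preview}" in
    apply) build_ruleset /sbin/ipfw ;;
    *)     build_ruleset echo ;;
esac
```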