Date: Mon, 13 Jan 2020 01:47:55 -0500
From: Paul Procacci <pprocacci@gmail.com>
To: freebsd-ipfw@freebsd.org
Subject: Stateful NAT w/ record-state
Message-ID: <CAFbbPuhGBEMCyexxQiareD6txd4Ehoq2WQWxw%2BO5hio_Out92g@mail.gmail.com>
In an attempt to set up stateful NAT with a new (to me) feature (record-state), I'm running into difficulties with return packets getting denied when attempting to leave my primary interface.

My bad ascii diagram:

                      In Kernel Nat/Firewall
                /---------------------------------\
+--------+    +-------+    +-----+    +-------+    +-------+
| Client | -- | igb0  | -- | Nat | -- | igb1  | -- | Host  |
+--------+    +-------+    +-----+    +-------+    +-------+

Requests originate from "client", come in via "igb0", get passed to "nat", leave "igb1" reaching host .... no problem.

The responses leaving "host" come in via "igb1", get passed to "nat", and get clobbered by ipfw's deny rule (see below).

# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

I've separated my ruleset (below) in chunks to hopefully make it easier on the eyes.
Note: this is only the pertinent parts of my ruleset.

Rules 91-99     : Dispatch table
Rules 3000-3499 : ip_output
Rules 50099-*   : ip_input

#####################################################
00001 reass
00092 skipto 50000 not layer2 in
00093 skipto 3000 not layer2 out recv *
00094 skipto 3500 not layer2 out // not recv *
00099 deny // first-stage dispatch problem

03000 nat 1 ip from any to any out via igb0
03001 check-state :outside
03499 deny log ip from any to any // ip_output -- forwarded

50099 allow tcp from any to me 8765 recv igb0 setup record-state :outside defer-immediate-action
50100 nat 1 ip from any to me in via igb0
50101 allow tcp from any to 192.168.70.2 8765 in via igb0 setup keep-state :outside
59999 deny log ip from any to any // ip_input -- DENY remaining
#####################################################

** I expect rule 50099 to record the state of "client -> igb0" in the state table (ip_input)
** I expect rule 3001 to validate the state entered in rule 50099; however, it is getting caught by rule 3499

Pertinent dynamic rules:

50101 3 156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
50099 6 613 (1s) STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside

It would seem to me I have everything where it needs to be to get this working, but for some reason, it simply isn't.

Thanks for the help in advance.

__________________
:(){ :|:& };:
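An added helper for checking a ruleset like the one above (example code, not from the post or from ipfw itself): it parses dynamic-rule lines in the format `ipfw -d show` prints and does the bidirectional 5-tuple match, filtered by state name, that a `check-state :name` lookup is based on, so the reply can be checked against the state table both before and after `nat 1` rewrites it. The sample lines are the two entries quoted in the post; the function names and the `any` name wildcard are assumptions of this helper.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two dynamic-rule lines quoted in the post,
# in the format `ipfw -d show` prints them.
DYN_SAMPLE = """\
50101 3 156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
50099 6 613 (1s) STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside
"""

DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+\d+\s+\d+\s+\((?P<ttl>\d+)s\)\s+STATE\s+(?P<proto>\w+)\s+"
    r"(?P<a>\S+)\s+(?P<ap>\d+)\s+<->\s+(?P<b>\S+)\s+(?P<bp>\d+)\s+:(?P<name>\S+)$"
)


@dataclass
class DynRule:
    rule: int    # parent rule that created the state (50099 / 50101 in the post)
    proto: str
    a: str       # address/port that was the source when the state was created
    ap: int
    b: str       # address/port that was the destination at creation
    bp: int
    name: str    # state name ("outside" in the post)
    ttl: int     # seconds until the entry expires


def parse_dyn(text: str) -> List[DynRule]:
    """Parse STATE lines; static rules and headers in the same output are skipped."""
    out = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            out.append(DynRule(int(m["rule"]), m["proto"], m["a"], int(m["ap"]),
                               m["b"], int(m["bp"]), m["name"], int(m["ttl"])))
    return out


def lookup(rules: List[DynRule], proto: str, src: str, sport: int,
           dst: str, dport: int, name: str = "outside") -> Optional[int]:
    """Parent rule of the first state whose name matches (`any` = no name filter)
    and whose 5-tuple matches in either direction; None if no such state exists."""
    for r in rules:
        if r.proto != proto or (name != "any" and r.name != name):
            continue
        if (r.a, r.ap, r.b, r.bp) in ((src, sport, dst, dport), (dst, dport, src, sport)):
            return r.rule
    return None


if __name__ == "__main__":
    states = parse_dyn(DYN_SAMPLE)
    # Host's reply as seen at ip_input, before nat 1 undoes the translation -> 50101
    print(lookup(states, "tcp", "192.168.70.2", 8765, "79.79.179.215", 54724))
    # Same reply at rule 3001, after nat 1 on the igb0 output path restored 192.168.1.31 -> 50099
    print(lookup(states, "tcp", "192.168.1.31", 8765, "79.79.179.215", 54724))
```

Feed it the real `ipfw -d show` output captured at the moment a reply is denied; if the post-NAT tuple finds no entry, the state was expired or never recorded, which separates that from a rule-ordering problem.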