Date:      Mon, 13 Jan 2020 01:47:55 -0500
From:      Paul Procacci <pprocacci@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Stateful NAT w/ record-state
Message-ID:  <CAFbbPuhGBEMCyexxQiareD6txd4Ehoq2WQWxw%2BO5hio_Out92g@mail.gmail.com>

In an attempt to set up stateful nat with a new (to me) feature
(record-state), I'm running into difficulties with return packets getting
denied when attempting to leave my primary interface.

My bad ascii diagram:

                      In Kernel Nat/Firewall
                        /---------------------\
+--------+     +-------+    +-----+    +-------+    +-------+
| Client | --- |  igb0 | --- | Nat | --- | igb1 | --- | Host |
+--------+     +-------+    +-----+    +-------+    +-------+

Requests originate from "client", come in via "igb0", get passed to "nat",
leave "igb1" reaching host .... no problem.
The response leaving "host" comes in via "igb1", gets passed to "nat", and
gets clobbered by ipfw's deny rule (see below).

# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

I've separated my ruleset (below) into chunks to hopefully make it easier on
the eyes.
Note: these are only the pertinent parts of my ruleset.

Rules 91-99 : Dispatch table
Rules 3000-3499 : ip_output
Rules 50099-* : ip_input

#####################################################
00001 reass
00092 skipto 50000 not layer2 in
00093 skipto 3000 not layer2 out recv *
00094 skipto 3500 not layer2 out // not recv *
00099 deny // first-stage dispatch problem

03000 nat 1 ip from any to any out via igb0
03001 check-state :outside
03499 deny log ip from any to any // ip_output -- forwarded

50099 allow tcp from any to me 8765 recv igb0 setup record-state :outside defer-immediate-action
50100 nat 1 ip from any to me in via igb0
50101 allow tcp from any to 192.168.70.2 8765 in via igb0 setup keep-state :outside
59999 deny log ip from any to any // ip_input -- DENY remaining
#####################################################

** I expect rule 50099 to record the state of "client -> igb0" in the state
table (ip_input)
** I expect rule 3001 to validate the state entered in rule 50099; however,
it is getting caught by rule 3499

Pertinent dynamic rules:

50101      3      156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
50099      6      613 (1s) STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside


It would seem to me that I have everything where it needs to be to get this
working, but for some reason, it simply isn't.

Thanks for the help in advance.

__________________

:(){ :|:& };:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFbbPuhGBEMCyexxQiareD6txd4Ehoq2WQWxw%2BO5hio_Out92g>