From: Berkes Gábor <gberkes@freemail.hu>
To: freebsd-pf@freebsd.org
Date: Wed, 20 Feb 2008 14:07:09 +0100 (CET)
Subject: NAT bug?

Hi!

There is a strange NAT behaviour in our cfg.

OS: amd64 7.0-RC1, kernel recompiled with IPSEC and IPSEC_FILTERTUNNEL.

We are using isakmp-tools, and we have a dozen IPsec tunnels working fine. The internal users can do practically anything through NAT. Except one. There is one user who has an IPsec client sw on Windoze. The user wants a connection to a remote customer through our fw, NAT. If I tcpdump on the external interface I see that all of the user's traffic is NAT-ed, except UDP 500. It was sent out with the private address, without NAT.
In this case there is no trace of the traffic in pflog (every rule has the 'log' directive in pf.conf). If I use stricter rules that do not allow private addresses to go out, the traffic appears in pflog, but instead of NAT and allow out (like everything else) I see that pf blocks the outgoing ISAKMP traffic on the external interface with the private address of the PC. The pf.conf has the recommended order of rules: first nat, then filter. I tried nat proxy as well (and this is the current cfg), but it did not help (I didn't really hope it would). So how can it be that everything is NAT-ed except UDP ISAKMP? Everything is working very well, except this one.

Thanks in advance,
Gabor
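The check Gabor did by eye (looking at tcpdump on the external interface for packets that still carry an RFC 1918 source) can be scripted so it runs over a live capture or a saved one. This is an added example, not code from the original post or from pf; the capture lines are constructed and the interface name `em0` is an assumption:

```shell
#!/bin/sh
# Added example (not from the original post): scan tcpdump-style output taken on the
# external interface for packets whose source is still an RFC 1918 address, i.e. traffic
# that left the box without being rewritten by pf's nat rule (as the UDP/500 packets did).
# Interface "em0" is an assumption; the capture below is constructed for this example.

# Constructed sample of what `tcpdump -lni em0` might print: one un-NATed ISAKMP packet
# (private source, port 500) next to its correctly translated sibling, plus a DNS leak.
SAMPLE_CAPTURE='14:07:09.100001 IP 203.0.113.10.51234 > 198.51.100.5.443: Flags [S], seq 1, win 65535
14:07:09.100002 IP 192.168.1.23.500 > 198.51.100.77.500: isakmp: phase 1 I ident
14:07:09.100003 IP 203.0.113.10.500 > 198.51.100.77.500: isakmp: phase 1 I ident
14:07:09.100004 IP 10.0.5.9.33000 > 198.51.100.5.53: 1234+ A? example.com.'

# Reads tcpdump lines on stdin; prints "src_ip src_port dst_ip dst_port" for each packet
# whose source address is in 10/8, 172.16/12 or 192.168/16. Usable live as:
#   tcpdump -lni em0 | find_untranslated
find_untranslated() {
    awk '
        {
            src = ""; dst = ""
            # locate the "src > dst:" part regardless of whether a timestamp precedes "IP"
            for (i = 2; i < NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1); break }
            if (src == "") next
            sub(/:$/, "", dst)
            # tcpdump writes a.b.c.d.port: the last dotted field is the port
            n = split(src, s, "."); sp = s[n]; sip = s[1] "." s[2] "." s[3] "." s[4]
            m = split(dst, d, "."); dp = d[m]; dip = d[1] "." d[2] "." d[3] "." d[4]
            if (sip ~ /^10\./ || sip ~ /^192\.168\./ ||
                (sip ~ /^172\./ && s[2] + 0 >= 16 && s[2] + 0 <= 31))
                print sip, sp, dip, dp
        }'
}

# Number of packets in the constructed sample that escaped translation.
leak_count() {
    printf '%s\n' "$SAMPLE_CAPTURE" | find_untranslated | wc -l | tr -d ' '
}

# Convenience wrapper for the sample: the first leaked packet found.
first_leak() {
    printf '%s\n' "$SAMPLE_CAPTURE" | find_untranslated | head -n 1
}
```

Any line the function prints is a packet that pf's nat rule did not rewrite; for the case in the post the ones with source port 500 are the ISAKMP packets.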