I'm trying to resolve an issue with my ipfw rules using NAT and the keep-state options.
When I do not use keep-state and use 'allow established' all works well.
When I remove 'allow established' and add keep-state to outbound connections
that are NAT'd, it stops working. I think this is because packets returning
from the Internet are translated, so the internal dest IP is swapped in. This
fails as there isn't a dynamic rule to match. The rule created with the
outbound connection would hold the aliased IP and dest IP. Returning packets
would be checked by the rules after the IP swap has happened.
Am I missing something here or is there a trick? Any help would be great.
Thanks much.
greg
Here is the output of ipfw -a list.
222.222.222.222 is the external interface that faces the Internet.
333.333.333.333 is the ftp server I'm trying to reach (or web; both act the same).
192.168.50.50 is the internal proxy server where all connections heading out
to the Internet originate from.
I've changed the IPs.
00500 391 30606 deny udp from any 137 to any
00502 289 69180 deny udp from any 138 to any
01040 0 0 allow ip from any to any via lo0
01050 0 0 deny ip from any to 127.0.0.0/8
01060 2969 3314153 divert 8668 tcp from any to any via fxp0
02055 456 18248 allow tcp from 222.222.222.222 1025-65000 to any 1025-65000 keep-state setup
02060 118 5192 allow tcp from any to any 20-21 keep-state setup
02070 2 88 allow tcp from 192.168.50.50 to any in recv xl0 setup
03030 149 8276 deny log logamount 100 ip from any to any in recv fxp0
03040 0 0 deny log logamount 100 ip from any to any in recv fxp1
03050 1250 155979 deny log logamount 100 ip from any to any in recv xl0
09000 72 2888 deny log logamount 100 ip from any to any
65535 0 0 deny ip from any to any
## Dynamic rules:
02055 3 120 (T 0, # 28) ty 0 tcp, 222.222.222.222 2018 <-> 333.333.333.333 51962
02060 12 606 (T 7, # 50) ty 0 tcp, 222.222.222.222 2083 <-> 333.333.333.333 21
02060 12 606 (T 11, # 52) ty 0 tcp, 222.222.222.222 2085 <-> 333.333.333.333 21
02060 1 40 (T 17, # 54) ty 0 tcp, 222.222.222.222 2087 <-> 333.333.333.333 21
02055 3 120 (T 0, # 62) ty 0 tcp, 222.222.222.222 2036 <-> 333.333.333.333 33998
02055 3 120 (T 0, # 74) ty 0 tcp, 222.222.222.222 2039 <-> 333.333.333.333 46521
02055 3 120 (T 0, # 116) ty 0 tcp, 222.222.222.222 2041 <-> 333.333.333.333 49033
02055 2 88 (T 20, # 117) ty 0 tcp, 222.222.222.222 2086 <-> 333.333.333.333 52311
02055 2 88 (T 16, # 125) ty 0 tcp, 222.222.222.222 2084 <-> 333.333.333.333 48733
02060 38 5690 (T 291, # 152) ty 0 tcp, 192.168.50.50 2085 <-> 333.333.333.333 21
02060 5 364 (T 300, # 154) ty 0 tcp, 192.168.50.50 2087 <-> 333.333.333.333 21
02060 38 5690 (T 287, # 158) ty 0 tcp, 192.168.50.50 2083 <-> 333.333.333.333 21
02055 1007 40280 (T 0, # 204) ty 0 tcp, 222.222.222.222 2038 <-> 333.333.333.333 11582
02055 255 10200 (T 0, # 205) ty 0 tcp, 222.222.222.222 2068 <-> 333.333.333.333 42717
thanks so much for your time.
greg
To Unsubscribe: send mail to majo...@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
> When I do not use keep-state and use 'allow established' all works well.
> When I remove 'allow established' and add keep-state to outbound connections
> that are NAT'd, it stops working. I think this is because packets returning
> from the Internet are translated, so the internal dest IP is swapped in.
> This fails as there isn't a dynamic rule to match. The rule created with
> the outbound connection would hold the aliased IP and dest IP.
> Returning packets would be checked by the rules after the IP swap has
> happened.
> Am I missing something here or is there a trick? Any help would be great.
> Thanks much.
I may be going blind, but I can't see where you're doing a "check-state"...
Without that you'll never check the dynamic rules.
Cheers,
Tony
--
Tony Landells <a...@austclear.com.au>
Senior Network Engineer Ph: +61 3 9677 9319
Australian Clearing Services Pty Ltd Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
OK, what you're seeing there is the rule set *after* I had removed the
check-state rule in an effort to problem solve. 3 minutes before I
sent that letter this rule existed:
1055 check-state (before the divert rule)
As a note, I also tried moving it to the next rule after the divert (1065).
xl0 is the internal NIC.
fxp0 and fxp1 face the Internet.
Thanks for taking the time to look at this Tony.
Greg
>Please keep your lines a bit shorter--a couple of them were, um, quite
long...
>
>I may be going blind, but I can't see where you're doing a "check-state"...
>Without that you'll never check the dynamic rules.
>Cheers,
>Tony
I think I read somewhere that if there is not a 'check-state' rule,
the dynamic rules would be checked at the first instance of "keep-state".
Is this your understanding too?
take care,
greg
Yes, but the problem is that if the natd on fxp0 is hiding internal
addresses as 222.222.222.222, you need to do a check-state on the
incoming packets before they hit natd again and are translated back
to the internal addresses.
Perhaps you should provide the arguments to natd, and some example of
the logging you're getting from ipfw?
Tony
--
Tony Landells <a...@austclear.com.au>
Senior Network Engineer Ph: +61 3 9677 9319
Australian Clearing Services Pty Ltd Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
On Wed, Feb 21, 2001 at 03:04:44PM -0500, gr...@nova.fqdn.com wrote:
> Hi,
>
> I'm trying to resolve an issue with my ipfw rules using NAT and the keep-state options.
>
> When I do not use keep-state and use 'allow established' all works well.
> When I remove 'allow established' and add keep-state to outbound connections
> that are NAT'd, it stops working. I think this is because packets returning
> from the Internet are translated, so the internal dest IP is swapped in. This
> fails as there isn't a dynamic rule to match. The rule created with the
> outbound connection would hold the aliased IP and dest IP. Returning packets
> would be checked by the rules after the IP swap has happened.
>
>
> Am I missing something here or is there a trick? Any help would be great.
[snip]
> ## Dynamic rules:
> 02060 12 606 (T 7, # 50) ty 0 tcp, 222.222.222.222 2083 <-> 333.333.333.333 21
> 02060 12 606 (T 11, # 52) ty 0 tcp, 222.222.222.222 2085 <-> 333.333.333.333 21
> 02060 1 40 (T 17, # 54) ty 0 tcp, 222.222.222.222 2087 <-> 333.333.333.333 21
[snip]
> 02060 38 5690 (T 291, # 152) ty 0 tcp, 192.168.50.50 2085 <-> 333.333.333.333 21
> 02060 5 364 (T 300, # 154) ty 0 tcp, 192.168.50.50 2087 <-> 333.333.333.333 21
> 02060 38 5690 (T 287, # 158) ty 0 tcp, 192.168.50.50 2083 <-> 333.333.333.333 21
I see both the untranslated and translated address having dynamic
rules.
Now what exactly is not working? You can't connect at all? Are any
packets relevant to this being logged by your deny rules?
--
Crist J. Clark cjc...@alum.mit.edu
Later,
Mike Turner
Yes, it would. Fortunately, it is not the case.
> also the dynamic rules factory. Anyhow the only way I think I can solve
> the problem is to move to ipnat and ipf.
My natd(8) and dynamic rules work fine.
Excerpts from the firewall rules,
10000 divert 8668 ip from any to any via ${oif}
10100 check-state
10200 allow tcp from ${oip} to any keep-state out xmit ${oif}
20000 deny udp from any 137-138 to ${obc} 137-138 in recv ${oif}
20100 allow udp from ${oip} to any keep-state out xmit ${oif}
20200 allow icmp from ${oip} to any keep-state out xmit ${oif}
20300 allow ip from ${oip} to any keep-state out xmit ${oif}
20400 allow icmp from any to any icmptype 0,3,11
20500 allow ip from ${inet} to ${iip} in recv ${iif}
20600 allow ip from ${iip} to ${inet} out xmit ${iif}
20700 allow ip from ${inet} to any keep-state in recv ${iif}
For example, I just pinged freebsd.org from a machine on the internal net,
## Dynamic rules:
20700 9 756 (T 56, # 12) ty 0 icmp, 192.168.AAA.30 0 <-> 216.136.204.18 0
20200 3 252 (T 56, # 186) ty 0 icmp, BBB.CCC.DDD.EEE 0 <-> 216.136.204.18 0
--
Crist J. Clark cjc...@alum.mit.edu
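To make the point of this exchange concrete, here is a small model of the ipfw + natd packet path (an added example written for this page; it is not code from the thread, from ipfw or from natd). It walks one outbound connection from the proxy and the server's returning SYN/ACK through three rule layouts: Greg's set with check-state at 1055 ahead of the divert, the same set with check-state at 1065 after the divert, and the shape of Crist's excerpt (keep-state on the translated packet as it leaves fxp0 and on the untranslated packet as it arrives on xl0). The addresses and interface names come from the thread; the alias port 40000, the simplified natd, and the rule numbers of the Crist-style set are assumptions. The ipfw(8) behaviour modelled is limited to what matters here: one pass on input and one on output, natd re-injecting the packet after the divert rule, check-state, and the implicit dynamic check at the first keep-state rule when no check-state precedes it.

```python
"""Toy model of the ipfw + natd packet path discussed in this thread: where check-state
sits relative to the divert rule decides whether a returning packet is matched before
or after natd rewrites its destination. Example code written for this page, not ipfw,
natd or any poster's code; it models only the ipfw(8) behaviour relevant here (one pass
on input and one on output, natd re-injecting after the divert rule, check-state, and
the implicit check at the first keep-state rule when no check-state precedes it)."""
from collections import namedtuple
from dataclasses import dataclass

EXT_IP, EXT_IF, INT_IF = "222.222.222.222", "fxp0", "xl0"   # names from the thread
INT_HOST, SERVER = "192.168.50.50", "333.333.333.333"

Pkt = namedtuple("Pkt", "src sport dst dport syn")

def flow(p):                        # a dynamic rule matches both directions
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class Natd:                         # minimal natd: alias src going out, restore dst coming back
    def __init__(self):
        self.table, self.next_port = {}, 40000   # (EXT_IP, aport) -> (real src, sport); assumed port

    def translate(self, p, direction):
        if direction == "out" and p.src != EXT_IP:
            aport, self.next_port = self.next_port, self.next_port + 1
            self.table[(EXT_IP, aport)] = (p.src, p.sport)
            return p._replace(src=EXT_IP, sport=aport)
        if direction == "in" and (p.dst, p.dport) in self.table:
            real_src, real_port = self.table[(p.dst, p.dport)]
            return p._replace(dst=real_src, dport=real_port)
        return p

@dataclass
class Rule:
    num: int
    action: str                 # "divert" | "check-state" | "allow" | "deny"
    src: str = "any"
    direction: str = None       # "in" (recv) / "out" (xmit) / None for either
    iface: str = None           # interface name, or None for any
    setup: bool = False         # match only the SYN that opens a connection
    keep_state: bool = False

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.nat, self.dyn = Natd(), {}          # dyn: flow -> rule that created it

    def _matches(self, r, p, direction, iface):
        return (r.src in ("any", p.src) and r.direction in (None, direction)
                and r.iface in (None, iface) and (p.syn or not r.setup))

    def one_pass(self, p, direction, iface):
        """One walk of the chain; ipfw does this once on input and once on output."""
        checked = False
        for r in self.rules:
            if r.action == "divert":
                if iface == EXT_IF:              # natd hands the packet back here
                    p = self.nat.translate(p, direction)
                continue
            # check-state, or the first keep-state rule when no check-state preceded it
            if r.action == "check-state" or (r.keep_state and not checked):
                checked = True
                if flow(p) in self.dyn:
                    return "allow", p, self.dyn[flow(p)]
                if r.action == "check-state":
                    continue
            if not self._matches(r, p, direction, iface):
                continue
            if r.action == "allow" and r.keep_state:
                self.dyn.setdefault(flow(p), r.num)
            return r.action, p, r.num
        return "deny", p, 65535

    def forward(self, p, in_if, out_if):     # input pass, then output pass if accepted
        verdict, p, _ = self.one_pass(p, "in", in_if)
        if verdict == "allow":
            verdict, p, _ = self.one_pass(p, "out", out_if)
        return verdict, p

def round_trip(rules):
    """Open a TCP connection from the proxy to the server, then forward the reply."""
    fw = Firewall(rules)
    verdict, out = fw.forward(Pkt(INT_HOST, 2083, SERVER, 21, True), INT_IF, EXT_IF)
    assert verdict == "allow" and out.src == EXT_IP, "outbound SYN should leave translated"
    reply = Pkt(SERVER, 21, out.src, out.sport, False)       # SYN/ACK sent to the alias
    return fw.forward(reply, EXT_IF, INT_IF)

# Greg's shape with check-state at 1055, ahead of the divert rule
GREG_BEFORE = [Rule(1055, "check-state"), Rule(1060, "divert"),
               Rule(2055, "allow", src=EXT_IP, setup=True, keep_state=True),
               Rule(2070, "allow", src=INT_HOST, direction="in", iface=INT_IF, setup=True),
               Rule(3030, "deny", direction="in", iface=EXT_IF), Rule(9000, "deny")]
# the same set with check-state moved to 1065, right after the divert
GREG_AFTER = [Rule(1065, "check-state") if r.num == 1055 else r for r in GREG_BEFORE]
# Crist's shape: divert, check-state, keep-state on the translated outbound packet AND on the
# untranslated packet as it arrives on the inside interface (rule numbers assumed)
CRIST = [Rule(10000, "divert"), Rule(10100, "check-state"),
         Rule(10200, "allow", src=EXT_IP, direction="out", iface=EXT_IF, keep_state=True),
         Rule(20700, "allow", direction="in", iface=INT_IF, keep_state=True),
         Rule(65000, "deny")]

if __name__ == "__main__":
    for name, rules in [("before divert", GREG_BEFORE), ("after divert", GREG_AFTER), ("Crist", CRIST)]:
        print(name, *round_trip(rules))
```

Running it shows the three outcomes the thread describes. With check-state ahead of the divert, the reply matches the dynamic rule and is accepted before natd ever sees it, so its destination is still 222.222.222.222 and it never reaches the proxy. With check-state after the divert, natd has already rewritten the destination to 192.168.50.50, the only dynamic rule holds the aliased source, and the reply falls through to the deny on fxp0, which is exactly the failure Greg predicted. Crist's layout works because the keep-state rule on the inside interface records the untranslated flow as the SYN enters on xl0, so the check-state that follows the divert finds a match for the translated reply; that is why his listing, and Greg's for port 21, show both an aliased and an internal dynamic rule for the same connection.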