Strange natd problem.

danny at dannysplace.net
Fri May 23 00:48:12 PDT 2003


Hello all,

I have a strange problem.
At home I have a standard lan adsl setup.

LAN
192.168.10.x  ---- FreeBSD 4.8 with ipfw and natd ---- ADSL modem ---- Internet.

The natd setup here is what you would expect, 1 IP address and several clients. 
A few specific port redirects for web/mail etc...

Now, this week I setup quake on a box sitting at a hosted location.
It's running on FreeBSD 4.8 as well.  But there is another firewall before it. 
It looks like this:

           (4.3.2.1 to 4.3.2.10)
Internet --- FreeBSD 4.4 with ipfw and natd --- FreeBSD 4.8 (192.168.1.1)
                             (192.168.1.250)

The natd setup here is simple, there are 10 public IP addresses (4.3.2.1 to
4.3.2.10) and a natd config forwarding these to similar internal IPs (4.3.2.1
= 192.168.1.1 and so on...)

natd.conf is:
interface xl0
same_ports yes
punch_fw 1000:500
log_denied yes
log_facility security
redirect_address 192.168.1.10 4.3.2.10
redirect_address 192.168.1.1 4.3.2.1
redirect_address 192.168.1.2 4.3.2.2
redirect_address 192.168.1.3 4.3.2.3
redirect_address 192.168.1.4 4.3.2.4
redirect_address 192.168.1.5 4.3.2.5
redirect_address 192.168.1.6 4.3.2.6
redirect_address 192.168.1.7 4.3.2.7
redirect_address 192.168.1.8 4.3.2.8

Now, the firewall for the quake server has the following pertinent rules.
These are not the real rules, just an example.

100 divert 8668 ip from any to any via xl0
200 allow udp from any to 4.3.2.1 27960
200 allow udp from 4.3.2.1 27960 to any
300 allow ip from any to 4.3.2.1 27960
300 allow ip from 4.3.2.1 27960 to any
65435 allow icmp from any to any
65535 deny ip from any to any


Here is the strange bit...
rule 100 matches and (re-inserts)
rules 200 never match
rules 300 match and allow the quake packets through.

I've tried the following protocols specifically.  tcp,udp,icmp
But it will ONLY match when I say "ip"

So could it be that the firewall on my home lan does something with natd, then
the firewall on the quake servers lan does something *else* to the packets,
thereby screwing them up?

Or does quake just use some strange ip protocol?
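As an added illustration (not code from the post, and not FreeBSD's own ipfw or natd), the following Python model of the divert behaviour documented in ipfw(8) and natd(8) shows what the rules placed after a `divert` rule actually see: a diverted packet is rewritten by natd and then re-enters the ruleset at the next rule, so an inbound packet arriving for the public address 4.3.2.1 reaches rule 200 with destination 192.168.1.1. A rule after the divert that names the public address on the inbound side therefore cannot match, while the outbound rule keyed on the public source does, because natd has already substituted it. The rule subset, the 4.3.2.1/192.168.1.1 mapping and the client address 198.51.100.7 are constructed for the demo; the model says nothing about why an `ip` rule with a port would match where a `udp` one does not, which is the separate question the post raises.

```python
"""Model of how ipfw rules interact with a natd divert rule.

Added illustration, not code from the post or from FreeBSD.  It implements
the behaviour documented in ipfw(8)/natd(8): a packet matching a `divert`
rule is handed to natd, rewritten for its direction, and re-enters the
ruleset at the rule after the divert, so later rules see translated
addresses.  Only a small subset of ipfw's rule syntax is modelled.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "udp", "tcp", "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str        # "in" or "out" relative to the NAT interface


@dataclass
class Rule:
    num: int
    action: str           # "allow", "deny", "divert"
    proto: str            # "ip" matches any protocol
    src: str              # "any" or an address
    sport: Optional[int]
    dst: str
    dport: Optional[int]


# Static 1:1 mapping, as natd's redirect_address would set up (constructed).
NAT_MAP = {"4.3.2.1": "192.168.1.1"}           # public -> private
NAT_RMAP = {v: k for k, v in NAT_MAP.items()}  # private -> public


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule match the packet as ipfw currently sees it?"""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def natd(pkt: Packet) -> Packet:
    """What natd does with a diverted packet under a static redirect_address."""
    if pkt.direction == "in" and pkt.dst in NAT_MAP:
        return replace(pkt, dst=NAT_MAP[pkt.dst])
    if pkt.direction == "out" and pkt.src in NAT_RMAP:
        return replace(pkt, src=NAT_RMAP[pkt.src])
    return pkt


def run(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Walk the ruleset in number order; return (verdict, deciding rule)."""
    ordered = sorted(rules, key=lambda r: r.num)   # stable: keeps 200/200 order
    i = 0
    while i < len(ordered):
        r = ordered[i]
        if matches(r, pkt):
            if r.action == "divert":
                pkt = natd(pkt)      # translated packet re-enters after the divert
                i += 1
                continue
            return r.action, r.num
        i += 1
    return "deny", 65535             # implicit default deny


def post_ruleset() -> List[Rule]:
    """Rules in the post's shape: inbound rule keyed on the public address."""
    return [
        Rule(100, "divert", "ip", "any", None, "any", None),
        Rule(200, "allow", "udp", "any", None, "4.3.2.1", 27960),
        Rule(200, "allow", "udp", "4.3.2.1", 27960, "any", None),
        Rule(65535, "deny", "ip", "any", None, "any", None),
    ]


def fixed_ruleset() -> List[Rule]:
    """Same intent, but the inbound rule names the private address that natd
    has substituted by the time the packet reaches rule 200."""
    return [
        Rule(100, "divert", "ip", "any", None, "any", None),
        Rule(200, "allow", "udp", "any", None, "192.168.1.1", 27960),
        Rule(200, "allow", "udp", "4.3.2.1", 27960, "any", None),
        Rule(65535, "deny", "ip", "any", None, "any", None),
    ]


# Constructed sample traffic: a client at 198.51.100.7 talking to the server.
INBOUND = Packet("udp", "198.51.100.7", 40000, "4.3.2.1", 27960, "in")
OUTBOUND = Packet("udp", "192.168.1.1", 27960, "198.51.100.7", 40000, "out")

if __name__ == "__main__":
    print("post ruleset, inbound :", run(post_ruleset(), INBOUND))
    print("post ruleset, outbound:", run(post_ruleset(), OUTBOUND))
    print("fixed ruleset, inbound:", run(fixed_ruleset(), INBOUND))
```

The outbound side works in both rulesets because natd rewrites the source to 4.3.2.1 before rule 200 is consulted; the inbound side only works once the rule names 192.168.1.1. The same reasoning applies to the post's `punch_fw` range and to any rule placed after the divert, so when a post-divert rule keyed on a public address never matches, the first thing to check is which address the packet carries at that point (`ipfw show` counters, or `log` on the rule, make this visible on a real box).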
