Stateful NAT w/ record-state

Paul Procacci pprocacci at
Mon Jan 13 06:48:10 UTC 2020

In an attempt to set up stateful nat with a new (to me) feature
(record-state), I'm running into difficulties with return packets getting
denied when attempting to leave my primary interface.

My bad ascii diagram:

                      In Kernel Nat/Firewall
+--------+     +-------+    +-----+    +-------+    +-------+
| Client | --- |  igb0 | --- | Nat | --- | igb1 | --- | Host |
+--------+     +-------+    +-----+    +-------+    +-------+

Requests originate from "client", come in via "igb0", get passed to "nat",
leave "igb1" reaching host .... no problem.
The response leaving "host" comes in via "igb1", gets passed to "nat", and
gets clobbered by ipfw's deny rule (see below).

# sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

I've separated my ruleset (below) into chunks to hopefully make it easier on
the eyes.
Note: this is only the pertinent parts of my ruleset.

Rules 91-99 : Dispatch table
Rules 3000-3499 : ip_output
Rules 50099-* : ip_input

00001 reass
00092 skipto 50000 not layer2 in
00093 skipto 3000 not layer2 out recv *
00094 skipto 3500 not layer2 out // not recv *
00099 deny // first-stage dispatch problem

03000 nat 1 ip from any to any out via igb0
03001 check-state :outside
03499 deny log ip from any to any // ip_output -- forwarded

50099 allow tcp from any to me 8765 recv igb0 setup record-state :outside
50100 nat 1 ip from any to me in via igb0
50101 allow tcp from any to 8765 in via igb0 setup keep-state
59999 deny log ip from any to any // ip_input -- DENY remaining

** I expect rule 50099 to record the state of "client -> igb0" in the state
table (ip_input)
** I expect rule 3001 to validate the state entered in rule 50099 however
it is getting caught by rule 3499

Pertinent dynamic rules:

50101      3      156 (20s) STATE tcp 54724 <-> 8765 :outside
50099      6      613 (1s) STATE tcp 54724 <-> 8765 :outside

It would seem to me I have everything where it needs to be to get this
working, but for some reason, it simply isn't.

Thanks for the help in advance.


:(){ :|:& };:
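The post quotes two entries from the dynamic-rule table and asks which of them check-state should be matching. A small parser for that `ipfw -d list` output makes it easy to answer the question "which parent rule's state covers this 5-tuple, in this flow name?" for both the pre-NAT and post-NAT form of the reply. This is an added example, not code from the post or from FreeBSD; the line layout is assumed from the two entries quoted above (addresses are elided there, so the 10.0.0.50, 192.168.1.10 and 203.0.113.1 values below are constructed placeholders for client, host and the igb0 address), and the `find_states` helper is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the two dynamic rules quoted in the post.
# Column layout assumed: parent-rule pkts bytes (ttl) STATE proto src sport <-> dst dport :flow
# Addresses are placeholders; the post does not show them.
SAMPLE_STATE_DUMP = """\
50101      3      156 (20s) STATE tcp 10.0.0.50 54724 <-> 192.168.1.10 8765 :outside
50099      6      613 (1s) STATE tcp 10.0.0.50 54724 <-> 203.0.113.1 8765 :outside
"""

STATE_RE = re.compile(
    r"^\s*(?P<parent>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\((?P<ttl>\d+)s\)\s+STATE\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
    r"(?:\s+:(?P<flow>\S+))?\s*$"
)


@dataclass(frozen=True)
class DynRule:
    parent: int      # rule number whose keep-state/record-state created the entry
    pkts: int
    bytes: int
    ttl: int         # seconds left before the entry expires
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flow: str        # named flow (":outside" in the post); "default" when absent


def parse_state_dump(text: str) -> List[DynRule]:
    """Parse `ipfw -d list` dynamic-rule lines; non-matching lines are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        states.append(DynRule(
            parent=int(m["parent"]), pkts=int(m["pkts"]), bytes=int(m["bytes"]),
            ttl=int(m["ttl"]), proto=m["proto"],
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            flow=m["flow"] or "default",
        ))
    return states


def find_states(states: List[DynRule], proto: str,
                addr_a: str, port_a: int, addr_b: str, port_b: int,
                flow: Optional[str] = None) -> List[DynRule]:
    """Return entries covering the 5-tuple in either direction.

    Dynamic rules are bidirectional, so a reply (b -> a) matches the same entry
    as the request (a -> b). When `flow` is given, only entries with that flow
    name count, mirroring what `check-state :name` consults.
    """
    hits = []
    for s in states:
        if s.proto != proto:
            continue
        if flow is not None and s.flow != flow:
            continue
        forward = (s.src, s.sport, s.dst, s.dport) == (addr_a, port_a, addr_b, port_b)
        reverse = (s.src, s.sport, s.dst, s.dport) == (addr_b, port_b, addr_a, port_a)
        if forward or reverse:
            hits.append(s)
    return hits


def parents_covering(states: List[DynRule], proto: str,
                     addr_a: str, port_a: int, addr_b: str, port_b: int,
                     flow: Optional[str] = None) -> List[int]:
    """Parent rule numbers whose state covers the tuple, in dump order."""
    return [s.parent for s in find_states(states, proto, addr_a, port_a, addr_b, port_b, flow)]


if __name__ == "__main__":
    states = parse_state_dump(SAMPLE_STATE_DUMP)
    # Reply as it looks after rule 3000 has translated the source back to igb0's address.
    print("post-NAT reply covered by:", parents_covering(states, "tcp", "203.0.113.1", 8765, "10.0.0.50", 54724, "outside"))
    # Reply as it looks before translation, i.e. as it arrived from host on igb1.
    print("pre-NAT reply covered by:", parents_covering(states, "tcp", "192.168.1.10", 8765, "10.0.0.50", 54724, "outside"))
    for s in states:
        if s.ttl <= 5:
            print(f"entry from rule {s.parent} expires in {s.ttl}s")
```

Running this against a real `ipfw -d list` dump (with the placeholders replaced by the actual addresses) shows, for each form of the reply packet, which rule's state would be consulted; an empty result for the flow name that check-state names, or an entry whose ttl is close to zero, is the first thing to look at before changing the ruleset.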
