Stateful NAT w/ record-state

Paul Procacci pprocacci at gmail.com
Tue Jan 14 02:09:40 UTC 2020


Welp,

I ended up using an intermediary (nginx) to proxy the request.
I would have liked to avoid passing packets to userland though.
If anyone finds this, and knows anything about the record-state keyword and
knows how to use it "properly", I'd love to hear about it.

Take care

On Mon, Jan 13, 2020 at 1:47 AM Paul Procacci <pprocacci at gmail.com> wrote:

> In an attempt to setup stateful nat with a new (to me) feature
> (record-state), I'm running into difficulties with return packets getting
> denied when attempting to leave my primary interface.
>
> My bad ascii diagram:
>
>                       In Kernel Nat/Firewall
>                         /---------------------\
> +--------+     +-------+    +-----+    +-------+    +-------+
> | Client | --- |  igb0 | --- | Nat | --- | igb1 | --- | Host |
> +--------+     +-------+    +-----+    +-------+    +-------+
>
> Requests originate from "client", come in via "igb0", get passed to "nat",
> leave "igb1" reaching host .... no problem.
> The response leaving "host" comes in via "igb1", gets passed to "nat", and
> gets clobbered by ipfw's deny rule (see below).
>
> # sysctl net.inet.ip.fw.one_pass
> net.inet.ip.fw.one_pass: 0
>
> I've separated my ruleset (below) into chunks to hopefully make it easier on
> the eyes.
> Note: this is only the pertinent parts of my ruleset.
>
> Rules 91-99 : Dispatch table
> Rules 3000-3499 : ip_output
> Rules 50099-* : ip_input
>
> #####################################################
> 00001 reass
> 00092 skipto 50000 not layer2 in
> 00093 skipto 3000 not layer2 out recv *
> 00094 skipto 3500 not layer2 out // not recv *
> 00099 deny // first-stage dispatch problem
>
> 03000 nat 1 ip from any to any out via igb0
> 03001 check-state :outside
> 03499 deny log ip from any to any // ip_output -- forwarded
>
> 50099 allow tcp from any to me 8765 recv igb0 setup record-state :outside defer-immediate-action
> 50100 nat 1 ip from any to me in via igb0
> 50101 allow tcp from any to 192.168.70.2 8765 in via igb0 setup keep-state :outside
> 59999 deny log ip from any to any // ip_input -- DENY remaining
> #####################################################
>
> ** I expect rule 50099 to record the state of "client -> igb0" in the
> state table (ip_input)
> ** I expect rule 3001 to validate the state entered in rule 50099 however
> it is getting caught by rule 3499
>
> Pertinent dynamic rules:
>
> 50101      3      156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
> 50099      6      613 (1s) STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside
>
>
> It would seem to me I have everything where it needs to be to get this
> working, but for some reason, it simply isn't.
>
> Thanks for the help in advance.
>
> __________________
>
> :(){ :|:& };:
>


-- 
__________________

:(){ :|:& };:
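An added diagnostic helper, not part of Paul's mail and not ipfw code: it parses dynamic-rule lines in the format that `ipfw -d list` printed in the mail above and reports which states a `check-state :outside` would consider for a given packet, plus which states are about to expire. The sample listing is copied from the mail; the assumptions are that a dynamic rule matches a packet in either direction of its recorded 4-tuple, that `check-state :name` only considers states carrying that name, and that unnamed states are `:default` (all per ipfw(8)). Running it for the post-NAT return packet (192.168.1.31 8765 -> 79.79.179.215 54724) shows that only the record-state entry from rule 50099 is a candidate, and that it has one second left to live.

```python
import re
from dataclasses import dataclass

# Dynamic-rule line as printed by "ipfw -d list" (format taken from the
# listing quoted in the mail): parent rule, packets, bytes, remaining
# lifetime, "STATE", proto, src ip/port, "<->", dst ip/port, optional name.
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<nbytes>\d+)\s+\((?P<ttl>\d+)s\)\s+STATE\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)(?:\s+(?P<name>:\S+))?\s*$"
)

# Sample input: the two dynamic rules quoted in the mail (constructed from it).
SAMPLE_LISTING = """\
50101      3      156 (20s) STATE tcp 79.79.179.215 54724 <-> 192.168.70.2 8765 :outside
50099      6      613 (1s) STATE tcp 79.79.179.215 54724 <-> 192.168.1.31 8765 :outside
"""


@dataclass(frozen=True)
class DynState:
    rule: int
    pkts: int
    nbytes: int
    ttl: int      # seconds left before ipfw expires the state
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    name: str     # state name, ":default" when none was printed (assumption)


def parse_dyn_rules(text):
    """Parse 'ipfw -d list' output; static rules and blank lines are skipped."""
    states = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        states.append(DynState(
            rule=int(m["rule"]), pkts=int(m["pkts"]), nbytes=int(m["nbytes"]),
            ttl=int(m["ttl"]), proto=m["proto"].lower(),
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            name=m["name"] or ":default",
        ))
    return states


def matching_states(states, proto, src, sport, dst, dport, name=":default"):
    """States that a 'check-state <name>' would consider for this packet.

    Assumption (ipfw(8)): a dynamic rule matches both directions of its
    4-tuple, and a named check-state only looks at states with that name.
    """
    fwd = (src, sport, dst, dport)
    rev = (dst, dport, src, sport)
    return [s for s in states
            if s.proto == proto.lower() and s.name == name
            and (s.src, s.sport, s.dst, s.dport) in (fwd, rev)]


def expiring(states, within=5):
    """States with at most `within` seconds of lifetime left."""
    return [s for s in states if s.ttl <= within]


if __name__ == "__main__":
    states = parse_dyn_rules(SAMPLE_LISTING)
    # The return packet as rule 3001 sees it, after nat 1 rewrote the source.
    for s in matching_states(states, "tcp", "192.168.1.31", 8765,
                             "79.79.179.215", 54724, name=":outside"):
        print(f"rule {s.rule} state matches, {s.ttl}s left")
    for s in expiring(states):
        print(f"rule {s.rule} state expires in {s.ttl}s")
```

To use it against a live box, feed it the output of `ipfw -d list` (add `-e` to include already expired states) instead of `SAMPLE_LISTING`; the state name given to `matching_states` must be the one used on the `check-state` rule being debugged.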