ipf / ipnat bad nat
John Fitzgerald
jjfitzgerald at gmail.com
Mon Nov 3 08:19:02 PST 2008
Hey all,
I manage a pretty busy website and I've been perplexed by this problem
for some time. ipnat -s shows something like this:
mapped in 837904779 out 1055985985
added 79997334 expired 0
no memory 0 bad nat 500334
inuse 11764
rules 5
wilds 0
What troubles me is the "bad nat" that you see there. It goes up
pretty quickly (hundreds per minute), especially during high traffic
times. My ipnat.rules is pretty simple:
#outgoing
map bce0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map bce0 192.168.1.0/24 -> 0.0.0.0/32
#incoming
rdr bce0 0.0.0.0/0 port 80 -> 192.168.1.100 port 80 tcp age 30
rdr bce0 0.0.0.0/0 port 443 -> 192.168.1.100 port 443 tcp age 30
And my ipf.rules is simple enough:
# localhost
pass in quick on lo0 all
pass out quick on lo0 all
#internal interface
pass in quick on bce3 all
pass out quick on bce3 all
#web traffic
pass in quick on bce0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on bce0 proto tcp from any to any port = 443 flags S/SA keep state
#all outgoing
pass out quick proto tcp from any to any flags S/SA keep state
pass out quick proto icmp from any to any keep state
pass out quick proto udp from any to any keep state
#block the rest
block in quick on bce0 all
My internal interface is bce3 and external is bce0. Any thoughts on what
could be causing the bad nat?
Thanks --
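The post quotes raw `ipnat -s` counters and describes the "bad nat" figure growing by "hundreds per minute" at peak. A small monitor that parses those counters and turns the cumulative value into a per-minute rate makes that observation reproducible and lets you correlate it with traffic peaks or rule reloads. The following is an added example written for this page, not code from the poster or from the ipfilter project; it assumes only the `ipnat -s` counter layout exactly as quoted above (the regex, the helper names and the second, constructed snapshot are this example's own assumptions).

```python
import re
import subprocess
import time

# Counter names as they appear in the `ipnat -s` block quoted in the post.
COUNTER_RE = re.compile(
    r"\b(mapped in|out|added|expired|no memory|bad nat|inuse|rules|wilds)\b\s+(\d+)"
)

# Snapshot A is the output quoted in the post; snapshot B is constructed for
# this example (same values one minute later, bad nat advanced by 300).
SNAPSHOT_A = """mapped in 837904779 out 1055985985
added 79997334 expired 0
no memory 0 bad nat 500334
inuse 11764
rules 5
wilds 0
"""
SNAPSHOT_B = SNAPSHOT_A.replace("bad nat 500334", "bad nat 500634")


def parse_ipnat_stats(text):
    """Turn the counter block of `ipnat -s` into {counter_name: int}."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def bad_nat_rate(prev, cur, seconds):
    """Increments of 'bad nat' per minute between two parsed snapshots.

    Returns None when the counter went backwards, i.e. the NAT table was
    flushed or the box rebooted between samples, so no rate can be derived.
    """
    delta = cur["bad nat"] - prev["bad nat"]
    if delta < 0:
        return None
    return delta * 60.0 / seconds


def bad_nat_share(stats):
    """'bad nat' as a fraction of all mapped packets (in + out).

    A rough health indicator only: the cumulative counters are not per-flow,
    so this says how rare the condition is overall, not which flows cause it.
    """
    total = stats["mapped in"] + stats["out"]
    return stats["bad nat"] / total if total else 0.0


def assess(prev, cur, seconds, threshold_per_min=100.0):
    """Return (rate_per_min, above_threshold) for the interval between snapshots."""
    rate = bad_nat_rate(prev, cur, seconds)
    return rate, (rate is not None and rate >= threshold_per_min)


def watch(interval=60, threshold_per_min=100.0):
    """Sample `ipnat -s` forever and print the bad-nat rate of each interval."""
    prev = parse_ipnat_stats(subprocess.check_output(["ipnat", "-s"], text=True))
    while True:
        time.sleep(interval)
        cur = parse_ipnat_stats(subprocess.check_output(["ipnat", "-s"], text=True))
        rate, alarm = assess(prev, cur, interval, threshold_per_min)
        shown = "reset" if rate is None else f"{rate:.1f}/min"
        print(f"bad nat {cur['bad nat']} ({shown}, inuse {cur['inuse']})"
              + ("  <-- above threshold" if alarm else ""))
        prev = cur


if __name__ == "__main__":
    # Offline demonstration on the embedded snapshots; run watch() on the router itself.
    a, b = parse_ipnat_stats(SNAPSHOT_A), parse_ipnat_stats(SNAPSHOT_B)
    print(assess(a, b, 60))          # (300.0, True)
    print(round(bad_nat_share(a), 6))
```

Run `watch()` on the NAT box with an interval matching how often you want a data point; a rate that tracks the `inuse` count and the request rate of the web server behind the `rdr` rules points at load-related behaviour, while a rate that stays flat regardless of traffic points elsewhere. The counter-reset check matters in practice because `ipnat -C` or `ipnat -F` zero the table and would otherwise produce a large negative delta.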
More information about the freebsd-net mailing list