ipfw NAT, keepalive from wrong source

Pawel Worach pawel.worach at gmail.com
Sun Mar 3 15:20:53 UTC 2013


Hi,

In the scenario below ipfw seems to be sending the keep-alive packets 
from the wrong source address if the traffic is NATed: on the external 
interface the packet is sent to the server with the original source. Did 
I configure my ipfw rules incorrectly? I'm using in-kernel NAT on 
FreeBSD 9-STABLE r247666 with r247626 merged from head (that patch did 
not change the behavior).

Internal client (172.16.0.31) connects to an external ssh server 
(192.0.2.100) with hide-nat behind a.b.c.d.

tcpdump on outside interface (the second packet is likely the keepalive 
ACK the client sent as a result of the keepalive the ipfw gateway sent on 
the inside, which got forwarded on to the server; is that intentional?):
15:36:28.075529 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 2804620200, win 0, length 0
15:36:28.076823 IP a.b.c.d.41731 > 192.0.2.100.22: Flags [.], ack 2625, win 1040, options [nop,nop,TS val 151519866 ecr 3275697134], length 0
15:36:33.075499 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0
15:36:38.075497 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0
15:36:43.075519 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0

tcpdump on inside interface:
15:36:28.078015 IP 192.0.2.100.22 > 172.16.0.31.41731: Flags [.], ack 517940233, win 0, length 0
15:36:28.078040 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 1040, options [nop,nop,TS val 151519866 ecr 3275697134], length 0

State table (the keepalives were sent at about 20-19 seconds before 
expiration):
03600     27      7867 (22s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600     27      7867 (21s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600     27      7867 (20s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600     27      7867 (19s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600     28      7919 (18s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600     28      7919 (17s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600     28      7919 (16s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600     28      7919 (15s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
03600     28      7919 (14s) STATE tcp 172.16.0.31 41731 <-> 192.0.2.100 22
.. continues to 1 and disappears ..

Rules (em0 is the external interface):
${fwcmd} nat 10 config if em0 log same_ports unreg_only
${fwcmd} add nat 10 all from 172.16.0.0/12 to any via em0
# inbound traffic to the external address (the posted line had a stray
# "any" between the source address and "to", which ipfw does not accept)
${fwcmd} add nat 10 all from not 172.16.0.0/12 to me via em0
${fwcmd} add allow tcp from 172.16.0.0/12 to any established
${fwcmd} add allow tcp from 172.16.0.0/12 to any setup keep-state  # this is rule 03600

Regards
Pawel
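As an added example (not part of Pawel's mail, nor code from ipfw or FreeBSD), the following Python script audits a tcpdump capture taken on a NAT gateway's outside interface and flags packets whose source address is still inside the hide-NAT range, which is exactly the symptom reported above. The sample capture is the outside-interface output quoted in the mail with its wrapped lines joined; the RFC 5737 documentation address 198.51.100.1 is a constructed stand-in for the mail's "a.b.c.d" placeholder, and the keepalive heuristic (bare ACK, zero window, no payload, no timestamp option) is an assumption drawn from the packets shown, not from ipfw's source.

```python
"""Audit a tcpdump capture from a NAT gateway's outside interface for
packets whose source address was never translated (for example the
ipfw keepalive probes described in the mail above)."""
import ipaddress
import re

# Default tcpdump TCP summary line, e.g.
# 15:36:28.075529 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0
_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], (?P<rest>.*)$"
)
_WIN = re.compile(r"\bwin (\d+)")
_LEN = re.compile(r"\blength (\d+)")

# Constructed sample: the outside-interface capture quoted in the mail, with
# the wrapped lines joined and the documentation address 198.51.100.1
# standing in for the mail's "a.b.c.d" placeholder.
OUTSIDE_CAPTURE = """\
15:36:28.075529 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 2804620200, win 0, length 0
15:36:28.076823 IP 198.51.100.1.41731 > 192.0.2.100.22: Flags [.], ack 2625, win 1040, options [nop,nop,TS val 151519866 ecr 3275697134], length 0
15:36:33.075499 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0
15:36:38.075497 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0
15:36:43.075519 IP 172.16.0.31.41731 > 192.0.2.100.22: Flags [.], ack 1, win 0, length 0
"""

# Networks that must never appear as a source on the outside interface
# (the hide-NAT range from the ipfw rules in the mail).
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/12")]


def parse_tcpdump_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    win = _WIN.search(rest)
    length = _LEN.search(rest)
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "flags": m.group("flags"),
        "win": int(win.group(1)) if win else None,
        "length": int(length.group(1)) if length else None,
        "has_ts_opt": "TS val" in rest,
    }


def is_keepalive_probe(pkt):
    """Assumed heuristic for a gateway-generated keepalive: bare ACK, zero
    window, no payload and no TCP timestamp option. The real client ACK in
    the capture carries TS options and a non-zero window."""
    return (pkt["flags"] == "." and pkt["win"] == 0
            and pkt["length"] == 0 and not pkt["has_ts_opt"])


def is_internal(addr, nets):
    """True if addr parses as an IP address inside one of the internal nets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname or placeholder; cannot be an internal address
    return any(ip in net for net in nets)


def audit_outside_capture(text, nets=INTERNAL_NETS):
    """Flag every packet in an outside-interface capture whose source is
    still an internal address, i.e. it left the gateway without being
    translated. Each hit records whether it looks like a keepalive probe."""
    hits = []
    for line in text.splitlines():
        pkt = parse_tcpdump_line(line)
        if pkt is None or not is_internal(pkt["src"], nets):
            continue
        hits.append({
            "ts": pkt["ts"],
            "src": f"{pkt['src']}:{pkt['sport']}",
            "dst": f"{pkt['dst']}:{pkt['dport']}",
            "keepalive": is_keepalive_probe(pkt),
        })
    return hits


if __name__ == "__main__":
    for hit in audit_outside_capture(OUTSIDE_CAPTURE):
        kind = "keepalive probe" if hit["keepalive"] else "data/ack"
        print(f"{hit['ts']} untranslated {kind}: {hit['src']} -> {hit['dst']}")
```

Run against a live capture with `tcpdump -n -i em0 tcp | python3 audit.py` style piping (reading stdin instead of the embedded sample) to confirm whether any traffic, keepalives or otherwise, is leaving the external interface with an untranslated source; on the sample above all four hits are the gateway's keepalive probes and the one genuine client ACK is correctly translated.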

