From: "Bas v.d. Wiel" <bas@area536.com>
To: freebsd-net@freebsd.org
Date: Sat, 7 Oct 2023 10:30:45 +0000
Subject: In-kernel ipfw NAT and port ranges
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Hello all,

After an hour of googling I turned up empty, so I decided to post here. I'm running a server with a single IPv4 address and a number of VNET jails. The jails all have RFC1918 addresses and are connected to a bridge. Pretty standard stuff and everything works, including individual port redirection.

The problem now: passive FTP. I would like to NAT a range of high ports to an FTP jail on the inside. The jail lives at 10.20.0.17 and runs a low-traffic anonymous FTP server for public use. Configuring the NAT to redirect ports 20 and 21 there individually works just fine. In order to also forward ports 63000-65000 there (the passive high-port range as configured on the FTP server), I run into errors when trying to use redirect_port with a range.

So this part of the NAT config works fine:

    redirect_port tcp 10.20.0.17:21 21

While this bit runs into errors:

    redirect_port tcp 10.20.0.17:63000-65000 63000-65000

I looked at the source code and it seems that the in-kernel NAT indeed doesn't permit passing in port ranges for redirection. Is this true? And if so, what would my options be? I'm trying to run as few services as possible on the host itself, so I'd prefer to not run FTP proxies on there unless that really is the best way forward. My other option seems to be natd.

Any help or insights would be much appreciated!

Bas
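As an added example, not code from the original post or from FreeBSD itself, a small sh script that emits the ipfw nat redirect_port entries for a passive-FTP range in two shapes: the range form the post tried, and a per-port expansion to fall back on if a kernel rejects the range form. The jail address and port range are the ones from the post; the interface name em0, nat instance number 1 and the same_ports/reset options are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD: emit the
# ipfw nat redirect_port entries for a passive-FTP port range. Two shapes:
# the range form the post tried, and one redirect_port entry per port as a
# fallback for a kernel that rejects the range form.

# check_range LO HI: succeed only if both are TCP port numbers and LO <= HI.
check_range() {
    for p in "$1" "$2"; do
        case $p in
            ''|*[!0-9]*) echo "not a port number: '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    [ "$1" -le "$2" ] || { echo "reversed range: $1-$2" >&2; return 1; }
}

# redirect_range PROTO TARGET_IP LO HI: one entry in range syntax.
redirect_range() {
    check_range "$3" "$4" || return 1
    printf 'redirect_port %s %s:%s-%s %s-%s\n' "$1" "$2" "$3" "$4" "$3" "$4"
}

# redirect_each PROTO TARGET_IP LO HI: one entry per port (fallback form).
redirect_each() {
    check_range "$3" "$4" || return 1
    p=$3
    while [ "$p" -le "$4" ]; do
        printf 'redirect_port %s %s:%s %s\n' "$1" "$2" "$p" "$p"
        p=$((p + 1))
    done
}

# nat_config IFACE PROTO TARGET_IP LO HI MODE: a complete "ipfw nat 1 config"
# command; MODE is "range" or "each". Instance number 1, the interface name
# and the same_ports/reset options are assumptions, not taken from the post.
nat_config() {
    if [ "$6" = range ]; then entries=$(redirect_range "$2" "$3" "$4" "$5") || return 1
    else entries=$(redirect_each "$2" "$3" "$4" "$5") || return 1
    fi
    printf 'ipfw nat 1 config if %s same_ports reset \\\n' "$1"
    printf '%s\n' "$entries" | sed 's/^/    /; $!s/$/ \\/'
}

# Demo with the post's jail address. A narrower passive range than 63000-65000
# means fewer ports reachable from outside; three ports keep the output short.
nat_config em0 tcp 10.20.0.17 63000 63002 each
```

Run the script to print the command, review it, then paste it into a root shell; the per-port form grows by one entry per passive port, which is another reason to keep the FTP server's passive range narrow.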