PF with routable internal addresses

Tony Martino crumb at msnomer.com
Fri Jun 10 03:06:34 GMT 2005 

Hi,

My internal network is 209.167.184.32/27, connected to the firewall on fxp0.
The firewall machine is connected to the Internet through a PPPOE connection
on fxp1/tun0, at 66.48.11.93.  There are no NAT rules configured.  This is
on a 5.4-release system.  I noticed a lot of bittorrent traffic getting
blocked by the default deny rule, rather than getting passed by rules set up
to let it through:

 pass in on $ext_if inet proto tcp from any to $azureus_users port 6882
 pass in on $ext_if inet proto udp from any to $azureus_users port 6882

Then I noticed the IP that the bittorrent peers were trying to connect to
was the tun0's address, rather than the address of the windows box the
bittorrent client is running on.  From this output, it appears that
something is rewriting the source address on outgoing packets:

 carriertone# tcpdump -i tun0 | grep whatis
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
 16:25:27.006924 IP 209.167.184.39.4029 > mail.whatismyip.com.http: P
4256462602:4256463003(401) ack 2685840180 win 65535
 16:25:27.070236 IP mail.whatismyip.com.http > 209.167.184.39.4029: .
1:1293(1292) ack 401 win 64000
 16:25:27.070568 IP mail.whatismyip.com > 209.167.184.39: tcp
 16:25:27.073661 IP mail.whatismyip.com.http > 209.167.184.39.4029: P
1441:2739(1298) ack 401 win 64000
 16:25:27.074116 IP 209.167.184.39.4029 > mail.whatismyip.com.http: . ack
2739 win 65535
 16:25:27.194978 IP mail.whatismyip.com.http > 209.167.184.39.4029: . ack
401 win 64000


 carriertone# tcpdump -i fxp1 | grep whatis
 tcpdump: WARNING: fxp1: no IPv4 address assigned
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on fxp1, link-type EN10MB (Ethernet), capture size 96 bytes
 16:25:27.007091 PPPoE  [ses 0x1a7b] IP 66.48.11.93.4029 >
mail.whatismyip.com.http: P 4256462602:4256463003(401) ack 2685840180 win
65535
 16:25:27.070045 PPPoE  [ses 0x1a7b] IP mail.whatismyip.com.http >
66.48.11.93.4029: . 1:1293(1292) ack 401 win 64000
 16:25:27.070446 PPPoE  [ses 0x1a7b] IP mail.whatismyip.com > 66.48.11.93:
tcp
 16:25:27.073515 PPPoE  [ses 0x1a7b] IP mail.whatismyip.com.http >
66.48.11.93.4029: P 1441:2739(1298) ack 401 win 64000
 16:25:27.074262 PPPoE  [ses 0x1a7b] IP 66.48.11.93.4029 >
mail.whatismyip.com.http: . ack 2739 win 65535
 16:25:27.194848 PPPoE  [ses 0x1a7b] IP mail.whatismyip.com.http >
66.48.11.93.4029: . ack 401 win 64000


Isn't this NAT?  Why is this happening when there is no NAT configured
anywhere on this system?


Thanks,
Tony

More information about the freebsd-pf mailing list