NAT bug?

Berkes Gábor gberkes at freemail.hu
Wed Feb 20 13:33:54 UTC 2008


Hi!

There is a strange NAT behaviour in our cfg.
OS: amd64 7.0-RC1
kernel recompiled with IPSEC and IPSEC_FILTERTUNNEL
We are using isakmp-tools, and we have a dozen ipsec tunnels working fine.
The internal users can do practically anything through NAT.
Except one.

There is one user who has an ipsec client sw on Windoze. The user wants a connection to a remote
customer, through our fw, nat.

If I tcpdump on the external interface I see that all of the user's traffic is nat-ed, except udp 500. It was sent
out with the private address, without nat.
In this case there is no trace of the traffic in pflog (every rule has the 'log' directive in pf.conf).

If I use stricter rules that do not allow private addresses to go out, the traffic appears in pflog, but
instead of being nat-ed and allowed out (like everything else) I see that pf blocks the outgoing isakmp traffic
on the external if with the private address of the PC.

The pf.conf has the recommended order of rules: first nat, then filter.

I tried nat proxy as well (and this is the current cfg), but it did not help (I didn't really hope it would).

So how can it be, that everything is nat-ed except udp-isakmp?
Everything is working very well, except this one.

Thanks in advance
Gabor
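A pf.conf sketch of the setup the post describes, added here as an illustration for readers following the thread; it is not the poster's configuration. The interface names, the internal network and the client's address are assumptions. It follows the FreeBSD 7 pf.conf section order (translation before filtering), puts 'log' on every rule, and includes the stricter variant that refuses untranslated private source addresses on the external interface.

```conf
# Added illustration of the setup described in the post; not the poster's pf.conf.
# Interface names and addresses below are assumptions.
ext_if   = "em0"
int_if   = "em1"
int_net  = "192.168.1.0/24"
ipsec_pc = "192.168.1.50"          # assumed address of the Windows IPsec client
priv_nets = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Translation section: must precede the filter rules in pf.conf.
# Every packet from the internal net leaving $ext_if gets the external address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Filter section: default deny, every rule logs to pflog0.
block log all

# Stricter variant from the post: if a packet with a private source address
# ever reaches $ext_if untranslated, block and log it. With NAT working as
# intended these rules should never match.
block out log quick on $ext_if from $priv_nets to any

# Internal clients may start anything; state keeps the replies flowing.
pass in log on $int_if from $int_net to any keep state

# Outbound after translation: ISAKMP (udp/500) and ESP for the client's
# tunnel, then everything else. udp/4500 is only needed if the client
# uses NAT-T, which the post does not say.
pass out log on $ext_if proto udp from ($ext_if) to any port 500 keep state
pass out log on $ext_if proto esp from ($ext_if) to any
pass out log on $ext_if from ($ext_if) to any keep state
```

The checks that go with this configuration are `pfctl -sn` to confirm the nat rule loaded as written, `pfctl -ss` to see whether a state exists for the client's udp/500 flow and which address it was translated to, `tcpdump -n -e -ttt -i pflog0` to read the logged decisions, and `tcpdump -ni em0 udp port 500` on the external interface to see the source address the packet actually leaves with. Because the kernel was built with IPSEC, `setkey -DP` shows the security policies the gateway itself applies; listing them is a useful way to see which flows the kernel's own IPsec handles before pf gets the packet.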