Matthias Apitz guru at Sisis.de
Tue Aug 2 09:43:37 GMT 2005


I have the following problem (or perhaps some misunderstanding) with IPFILTER
and NAT for NTP in FreeBSD 6.0-BETA1:

The NAT rule is:

map em1 xxx.xxx.xxx.32/27 -> A.B.C.D/32

and the IPF rule is:

pass out log first quick on em1 proto udp from any to any port = 123 keep state

If now some host of the xxx.xxx.xxx.32/27 network asks for NTP with

/usr/sbin/ntpdate -v NTP-SERVER-ADDR

it works fine; the UDP packet goes out, UDP comes back, and 'ipnat -l'
shows the entry in the NAT table on the firewall like this:

# ipnat -l | fgrep 123
MAP xxx.xxx.xxx.xxx    123   <- -> A.B.C.D   123   [NTP-SERVER-ADDR 123]

The problem is now: if I'm using the same 'ntpdate' query while
sitting on the firewall A.B.C.D itself, the UDP goes out as well,
but of course without passing through NAT, and the UDP packet which
comes back from the same NTP-SERVER-ADDR finds the tuple in the
NAT table:

A.B.C.D   123   [NTP-SERVER-ADDR 123]

and tries to deliver it via NAT to xxx.xxx.xxx.xxx, but of course
the state in IPFILTER is invalid, which makes ipf
block the packet and log:

10:22:16.895810 em1 @0:30 b NTP-SERVER-ADDR,123 -> xxx.xxx.xxx.xxx,123 PR udp len 20 76 IN NAT

What can I do? And it seems that the (first) entry in the NAT table
sits there for 10 minutes; why?
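A toy reconstruction of the collision described above (an added example, not code from the thread): IPFilter filters outbound packets before NAT and applies NAT to inbound packets before the filter, so the reply to the firewall's own ntpdate query is matched against the still-lingering map entry for the inside host before the firewall's own state entry is ever consulted. The RFC 5737 addresses, the 600 s NAT lifetime and the 120 s UDP state lifetime are constructed assumptions, not values from the post.

```python
import ipaddress
from collections import namedtuple

# Constructed addresses standing in for those in the post (RFC 5737 ranges).
INSIDE_NET = ipaddress.ip_network("192.0.2.32/27")   # xxx.xxx.xxx.32/27
INSIDE_HOST = "192.0.2.40"                           # a host behind the map rule
FIREWALL = "203.0.113.1"                             # A.B.C.D, the em1 / NAT address
NTP_SERVER = "198.51.100.7"                          # NTP-SERVER-ADDR
NTP = 123                                            # ntpdate uses 123 as source port too

Pkt = namedtuple("Pkt", "src sport dst dport")

class IpfNatModel:
    """Toy model of 'map em1 <inside>/27 -> A.B.C.D/32' plus 'pass out ... keep state'.
    Order follows IPFilter: out = filter then NAT, in = NAT then filter.
    Entry lifetimes are assumptions, not measured ipf/ipnat defaults."""
    def __init__(self, nat_ttl: int, state_ttl: int):
        self.nat_ttl, self.state_ttl = nat_ttl, state_ttl
        self.nat = {}    # (nat_addr, port, remote, rport) -> (inside_addr, expires)
        self.state = {}  # (src, sport, dst, dport) -> expires

    def send(self, p: Pkt, now: int) -> Pkt:
        # 'keep state' records the tuple as the outbound filter sees it: pre-NAT
        self.state[(p.src, p.sport, p.dst, p.dport)] = now + self.state_ttl
        if ipaddress.ip_address(p.src) in INSIDE_NET:        # map rule applies
            key = (FIREWALL, p.sport, p.dst, p.dport)       # port kept, as 'ipnat -l' shows
            self.nat[key] = (p.src, now + self.nat_ttl)
            return Pkt(FIREWALL, p.sport, p.dst, p.dport)
        return p                                            # firewall's own traffic: no NAT

    def receive(self, p: Pkt, now: int) -> tuple:
        """Return (verdict, delivered_to). NAT is consulted before the inbound filter."""
        hit = self.nat.get((p.dst, p.dport, p.src, p.sport))
        if hit and hit[1] > now:
            p = Pkt(p.src, p.sport, hit[0], p.dport)        # rewritten to the inside host
        expires = self.state.get((p.dst, p.dport, p.src, p.sport))
        return ("pass" if expires and expires > now else "block"), p.dst

def reproduce(nat_ttl: int = 600, state_ttl: int = 120) -> tuple:
    """Inside host queries at t=0; the firewall itself queries at t=300."""
    box = IpfNatModel(nat_ttl, state_ttl)
    box.send(Pkt(INSIDE_HOST, NTP, NTP_SERVER, NTP), now=0)
    first = box.receive(Pkt(NTP_SERVER, NTP, FIREWALL, NTP), now=1)    # inside host: fine
    box.send(Pkt(FIREWALL, NTP, NTP_SERVER, NTP), now=300)             # ntpdate on the firewall
    second = box.receive(Pkt(NTP_SERVER, NTP, FIREWALL, NTP), now=301) # hijacked by the map entry
    return first, second
```

The second result is the logged line in the post: the reply is rewritten to the inside host, whose state has already gone, so ipf blocks it "IN NAT" while the firewall's own ntpdate never sees an answer.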


