Subject: Possible NAT problem
To: None <tech-kern@netbsd.org>
From: Olaf Seibert <rhialto@polder.ubc.kun.nl>
List: current-users
Date: 05/01/1999 02:50:17
I am having a problem with NAT mappings on 1.3.3 and I'm not sure it's
fixed in -current/1.4 Beta (another problem I had was). Perhaps somebody
knows or can try.

I have a router setup with NAT, and apart from using the ftp proxy for
outgoing ftp connections, I am redirecting incoming FTP traffic to a
machine inside the private part of the network.  This is in
/etc/ipnat.conf, among other things:

# Connects to the outside:
map ep0 polder.intern.polderland.nl/24 -> polder.ubc.kun.nl/32 proxy port ftp ftp/tcp
# Incoming connects:
map ep0 polder.ubc.kun.nl/32 -> ftp.intern.polderland.nl/32 proxy port ftp ftp/tcp

ep0 is the outside interface, polder.ubc.kun.nl/32 its address, and
ftp.intern.polderland.nl/32 a machine on the internal network.

Now if I ftp from this box to the outside, say ftp.nl.netbsd.org, I
get this from ipnat -slv:

List of active sessions:
MAP 131.174.21.32   4788  <- -> 131.174.238.10  4788  [146.50.3.49 21]
        age 117 use 0 sumd d8ea bkt 98 flags 1 bytes 120 pkts 2
        proxy ftp/6 use 2 flags 0
                6 131.174.238.10 -> 146.50.3.49 [0 120 2 0x0[0]]
                46098 -> 5376 state[0,0], sel[0,0]
                seq: off 0/0 min 0/0
                ack: off 0/0 min 0/0

131.174.238.10 is ftp.intern.polderland.nl
146.50.3.49 is ftp.nl.netbsd.org
4788 is the local port the ftp client is using.

In the mean time, the ftp connection remains in SYN_SENT state. The
pkts count (2 above) grows.  Eventually, "ftp: connect: Connection timed
out".

If I remove the second map rule, this problem does not occur. Note that
I thought, and the code seems to confirm that, that the address and port
in the map refer to the destination, but somehow a mapping seems to be
set up based on the source port or address.

I have stared at the source code for a long while (mostly assuming that
the problem starts when the first packet comes back from
ftp.nl.netbsd.org) but I can't see where it goes wrong.

It's probably not the first outgoing packet that triggers the map, for
if it were sent to 131.174.238.10 port 4788, there would be "connection
refused", right?

Note that ftps through this box work ok, and ftps from this box to the
"inside". It's just ftps to the outside that fail.

Like I said, other NAT bugs in the ftp proxy are fixed in -current.
Anybody know about this one?

-Olaf.
--
___ Olaf 'Rhialto' Seibert - rhialto@polder.ubc. ---- Unauthorized duplication,
\X/ .kun.nl ---- while sometimes necessary, is never as good as the real thing.