Subject: ipf / ipnat statements without effect
To: None <netbsd-help@netbsd.org>
From: Patrick Leslie Polzer <leslie.polzer@gmx.net>
List: netbsd-help
Date: 04/15/2004 21:36:19
Hello there,
I have a serious problem I couldn't find any answer to in the howto, the FAQ
or the archives: my simple rules don't work.
My network setup is:
            Internet
               |
             ppp0
               |
Net A <-tlp0-> BOX <-ex0-> Net B
ipfilter setup:
# cat /etc/ipf.conf
block in quick on ppp0 proto tcp/udp from any to any port = 53
pass in from any to any
pass out from any to any
# cat /etc/ipnat.conf
rdr ppp0 213.54.234.158/32 port 80 -> 192.168.35.191 port 80 tcpudp
map ppp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 192.168.1.0/24 -> 0/32
map ex0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ex0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ex0 192.168.1.0/24 -> 0/32
Problem: the mappings on ex0/ppp0 do work; the redirect and the block quick on 53 tcp/udp
don't. Why? These are simple statements that are supposed to work :(
Can you help me?
Leslie
--- sysinfo ---
# uname -a
NetBSD stronghold 1.6.1 NetBSD 1.6.1 (GENERIC) #0: Tue Apr 8 12:05:52 UTC 2003 autobuild@tgm.daemon.org:/autobuild/netbsd-1-6/i386/OBJ/autobuild/netbsd-1-6/src/sys/arch/i386/compile/GENERIC i386
# ifconfig -a
tlp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:00:e8:3c:74:ab
media: Ethernet autoselect (10baseT)
status: active
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::200:e8ff:fe3c:74ab%tlp0 prefixlen 64 scopeid 0x1
ex0: flags=8a63<UP,BROADCAST,NOTRAILERS,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
address: 00:60:97:8f:15:34
media: Ethernet 10baseT
status: active
inet 192.168.34.184 netmask 0xfffffe00 broadcast 192.168.35.255
inet6 fe80::260:97ff:fe8f:1534%ex0 prefixlen 64 scopeid 0x2
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33220
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
inet 213.54.234.158 -> 62.26.136.17 netmask 0xffffff00
inet6 fe80::200:e8ff:fe3c:74ab%ppp0 -> :: prefixlen 64 scopeid 0x4
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
strip0: flags=0<> mtu 1100
strip1: flags=0<> mtu 1100
# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 62.26.136.17 UGS 10 1992961 - ppp0
62.26.136.17 213.54.234.158 UH 1 0 - ppp0
127 127.0.0.1 UGRS 0 0 33220 lo0
127.0.0.1 127.0.0.1 UH 2 0 33220 lo0
192.168.1 link#1 UC 1 0 - tlp0
192.168.1.2 00:48:54:66:c6:a5 UHLc 4 3753208 - tlp0
192.168.32/23 192.168.34.251 UGS 1 9106 - ex0
192.168.34/23 link#2 UC 3 0 - ex0
192.168.34.41 00:02:e3:22:6c:9b UHLc 1 621833 - ex0
192.168.34.184 127.0.0.1 UGHS 0 0 33220 lo0
192.168.34.251 00:0d:29:c3:c6:80 UHLc 1 0 - ex0
192.168.35.191 00:00:1c:d1:e3:84 UHLc 2 1833951 - ex0
XNS:
Destination Gateway Flags Refs Use Mtu Interface
ISO:
Destination Gateway Flags Refs Use Mtu Interface
X.25:
Destination Gateway Flags Refs Use Mtu Interface
AppleTalk:
Destination Gateway Flags Refs Use Mtu Interface
Internet6:
Destination Gateway Flags Refs Use Mtu Interface
::/104 ::1 UGRS 0 0 33220 lo0 =>
::/96 ::1 UGRS 0 0 33220 lo0
::1 ::1 UH 12 0 33220 lo0
::127.0.0.0/104 ::1 UGRS 0 0 33220 lo0
::224.0.0.0/100 ::1 UGRS 0 0 33220 lo0
::255.0.0.0/104 ::1 UGRS 0 0 33220 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 33220 lo0
2002::/24 ::1 UGRS 0 0 33220 lo0
2002:7f00::/24 ::1 UGRS 0 0 33220 lo0
2002:e000::/20 ::1 UGRS 0 0 33220 lo0
2002:ff00::/24 ::1 UGRS 0 0 33220 lo0
fe80::/10 ::1 UGRS 0 0 33220 lo0
fe80::%tlp0/64 link#1 UC 0 0 - tlp0
fe80::%ex0/64 link#2 UC 0 0 - ex0
fe80::%lo0/64 fe80::1%lo0 U 0 0 33220 lo0
fe80::%ppp0/64 fe80::200:e8ff:fe3c:74ab%ppp0 UC 0 0 - ppp0
fe80::200:e8ff:fe3c:74ab%ppp0 ::1 UH 0 0 33220 lo0
fec0::/10 ::1 UGRS 0 0 33220 lo0
ff01::/32 ::1 U 0 0 33220 lo0
ff02::%tlp0/32 link#1 UC 0 0 - tlp0
ff02::%ex0/32 link#2 UC 0 0 - ex0
ff02::%lo0/32 fe80::1%lo0 UC 0 0 33220 lo0
ff02::%ppp0/32 fe80::200:e8ff:fe3c:74ab%ppp0 UC 0 0 - ppp0
# netstat -i
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Colls
tlp0 1500 <Link> 00:00:e8:3c:74:ab 5973875 0 5751732 0 1136183
tlp0 1500 192.168.1 192.168.1.1 5973875 0 5751732 0 1136183
tlp0 1500 fe80:: fe80::200:e8ff:fe 5973875 0 5751732 0 1136183
ex0 1500 <Link> 00:60:97:8f:15:34 4327619 0 2465070 0 533508
ex0 1500 fe80:: fe80::260:97ff:fe 4327619 0 2465070 0 533508
ex0 1500 192.168.34/23 192.168.34.184 4327619 0 2465070 0 533508
lo0 33220 <Link> 0 0 0 0 0
lo0 33220 fe80:: fe80::1 0 0 0 0 0
lo0 33220 localhost ::1 0 0 0 0 0
lo0 33220 loopback localhost 0 0 0 0 0
ppp0 1492 <Link> 1530955 0 1997729 0 0
ppp0 1492 213.54.234 p213.54.234.158.t 1530955 0 1997729 0 0
ppp0 1492 fe80:: fe80::200:e8ff:fe 1530955 0 1997729 0 0
ppp1* 1500 <Link> 0 0 0 0 0
sl0* 296 <Link> 0 0 0 0 0
sl1* 296 <Link> 0 0 0 0 0
strip 1100 <Link> 0 0 0 0 0
strip 1100 <Link> 0 0 0 0 0
# ipf -V
ipf: IP Filter: v3.4.29 (336)
Kernel: IP Filter: v3.4.29
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
# ipfstat
IPv6 packets: in 10 out 5
input packets: blocked 27 passed 8976167 nomatch 10 counted 0 short 0
output packets: blocked 0 passed 8215794 nomatch 5 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 522876 (out): 84606
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
none
# ipfstat -io
pass out from any to any
block in log quick on ppp0 proto tcp/udp from any to 213.54.234.158/32 port = domain
pass in from any to any
# ipnat -slv|grep -i RDR
rdr ppp0 213.54.234.158/32 port 80 -> 192.168.35.191 port 80 tcp/udp
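Two checks a practitioner would want here, as an added example that is not part of the post above and not IPFilter's own code: a small simulator of ipf rule evaluation (last matching rule wins unless it is marked `quick`; the box reports `Default: pass all`), fed the three lines of /etc/ipf.conf quoted above, and a normalised comparison of the on-disk rules against what `ipfstat -io` prints. In the post the kernel's block rule carries `log` and a destination of 213.54.234.158/32 while the file says `from any to any`, so the loaded rule set is textually not the one in the file. The parser covers only the ipf syntax subset used in this message (action, direction, `log`, `quick`, `on`, `proto`, `from`/`to`, `port =`); the service-name table and the sample packets are constructed for the example.

```python
"""Simulate IPFilter rule evaluation and diff on-disk vs loaded rules (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Minimal /etc/services subset so "port = domain" and "port = 53" compare equal (constructed).
SERVICES = {"domain": 53, "http": 80, "ftp": 21}

# Subset of ipf rule syntax seen in the post; anything else is rejected rather than guessed.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\S+))?\s*$"
)


@dataclass
class Rule:
    action: str
    direction: str
    log: bool
    quick: bool
    iface: Optional[str]            # None = any interface
    protos: Optional[frozenset]     # None = any protocol; "tcp/udp" expands to both
    dst: str                        # "any" or an address/prefix
    dst_port: Optional[int]


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dst: str
    dst_port: Optional[int] = None


def _port(tok: Optional[str]) -> Optional[int]:
    if tok is None:
        return None
    return int(tok) if tok.isdigit() else SERVICES[tok]


def parse_rules(text: str) -> list[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        proto = m.group("proto")
        rules.append(Rule(
            action=m.group("action"), direction=m.group("dir"),
            log=m.group("log") is not None, quick=m.group("quick") is not None,
            iface=m.group("iface"),
            protos=None if proto is None else frozenset(proto.split("/")),
            dst=m.group("dst"), dst_port=_port(m.group("port")),
        ))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.protos is not None and pkt.proto not in rule.protos:
        return False
    if rule.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (verdict, index of deciding rule). Last match wins; 'quick' stops the walk."""
    verdict, decided_by = "pass", None   # "Default: pass all" as reported by ipf -V
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict, decided_by = rule.action, i
            if rule.quick:
                break
    return verdict, decided_by


def normalize(line: str) -> str:
    """Collapse whitespace and resolve service names after 'port =' so text can be compared."""
    toks = line.split()
    for i, t in enumerate(toks):
        if i >= 1 and toks[i - 1] == "=" and t in SERVICES:
            toks[i] = str(SERVICES[t])
    return " ".join(toks)


def compare_rulesets(file_text: str, loaded_text: str) -> tuple[list[str], list[str]]:
    """Rules present only in the file, and rules present only in the kernel (order ignored)."""
    on_disk = {normalize(l) for l in file_text.splitlines() if l.strip()}
    in_kernel = {normalize(l) for l in loaded_text.splitlines() if l.strip()}
    return sorted(on_disk - in_kernel), sorted(in_kernel - on_disk)


# The three rules from the quoted /etc/ipf.conf and the rules ipfstat -io printed.
FILE_RULES = """block in quick on ppp0 proto tcp/udp from any to any port = 53
pass in from any to any
pass out from any to any"""
LOADED_RULES = """pass out from any to any
block in log quick on ppp0 proto tcp/udp from any to 213.54.234.158/32 port = domain
pass in from any to any"""

if __name__ == "__main__":
    rules = parse_rules(FILE_RULES)
    dns_in = Packet("in", "ppp0", "udp", "213.54.234.158", 53)   # constructed sample packet
    print("with quick:   ", evaluate(rules, dns_in))
    print("without quick:", evaluate(parse_rules(FILE_RULES.replace(" quick", "")), dns_in))
    print("file-only / kernel-only:", compare_rulesets(FILE_RULES, LOADED_RULES))
```

Running it shows why `quick` matters for a block placed before a catch-all `pass in`: without it the later `pass in from any to any` is the last match and wins. The diff function is the check to run before looking further: if the rule set the kernel holds is not the one in the file, the file is not what needs debugging.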