Subject: RE: ipf / ipnat statements without effect
To: Patrick Leslie Polzer <leslie.polzer@gmx.net>
From: Conrad T. Pino <NetBSD-Current@Pino.com>
List: netbsd-help
Date: 04/15/2004 17:17:15
Hi Leslie,

> Hello there,
> 
> I have a serious problem I couldn't find any answer to in the howto, the faq
> or the archives: my simple rules don't work.
> 
> My network setup is:
> 
>              Internet
>              <-ppp0->
>                 |
> Net A <-tlp0-> BOX <-ex0-> Net B
> 
> 
> ipfilter setup:
> 
> # cat /etc/ipf.conf
> block in quick on ppp0 proto tcp/udp from any to any port = 53 

This can't be tested from Net A or Net B, only from the Internet.

> pass in from any to any
> pass out from any to any
> 
> 
> # cat /etc/ipnat.conf
> rdr ppp0 213.54.234.158/32 port 80 -> 192.168.35.191 port 80 tcp/udp

This has a problem.  The HTTP protocol (port 80) uses tcp, not udp.
The udp doesn't hurt, but neither does it help at all for HTTP.
This can't be tested from Net A or Net B, only from the Internet.

To access from Net A, add this:
rdr tlp0 213.54.234.158/32 port 80 -> 192.168.35.191 port 80 tcp

To access from Net B, add this:
rdr ex0 213.54.234.158/32 port 80 -> 192.168.35.191 port 80 tcp

The single-statement option is to use no interface:
rdr 213.54.234.158/32 port 80 -> 192.168.35.191 port 80 tcp

"rdr" rewrites the destination IP address when received on the interface.

> map ppp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
> map ppp0 192.168.1.0/24 -> 0/32

These are fine.  "map" commands rewrite the source IP address when
transmitted on the "ppp0" interface.

> map ex0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> map ex0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
> map ex0 192.168.1.0/24 -> 0/32

These are a problem.  They should be deleted altogether.

The inverse IP mapping for returning packets is set up by the
first set of map statements when connections are opened.

> Problem: mapping on ex0/ppp0 does work, redirect and block quick on 53 tcp/udp
> don't. Why? These are simple statements supposed to work :(

See comments above.  Great problem report.  The information below is very helpful.

I assume you know your netmask on ex0 is /23 instead of the usual /24 value.
With /23, 192.168.34.x and 192.168.35.x are on the same subnet.  With /24 they
are on different subnets.

> Can you help me?

I've tried.  Best of luck.

> Leslie

Conrad
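The ruleset below collects the reply's suggestions into one place. It is an added example, not part of the original thread: it reuses the public address, the inside host and the interface names from the post, uses the per-interface rdr form the reply shows, and keeps the post's 192.168.1.0/24 as the inside source network for the map rules (that prefix is the post's own value and has to match the networks actually behind tlp0 and ex0).

```conf
# /etc/ipf.conf  (added example)
# Inbound DNS is dropped only on the Internet-facing interface; everything
# else is allowed, as in the post. Note that "block in ... on ppp0" can only
# be observed from the Internet side, not from Net A or Net B.
block in quick on ppp0 proto tcp/udp from any to any port = 53
pass in from any to any
pass out from any to any

# /etc/ipnat.conf  (added example)
# rdr matches packets on the interface they ARRIVE on, so a rule on ppp0
# alone only serves clients on the Internet. One rule per interface lets
# Net A (tlp0) and Net B (ex0) reach the public address as well.
# HTTP is TCP only, so "tcp/udp" is replaced by "tcp".
rdr ppp0 213.54.234.158/32 port 80 -> 192.168.35.191 port 80 tcp
rdr tlp0 213.54.234.158/32 port 80 -> 192.168.35.191 port 80 tcp
rdr ex0  213.54.234.158/32 port 80 -> 192.168.35.191 port 80 tcp

# map rewrites the source address of packets LEAVING ppp0. Return traffic
# is untranslated from the state created here, so no map rules belong on
# the inside interfaces; the "map ex0" lines from the post are dropped.
map ppp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 192.168.1.0/24 -> 0/32
```

Load the filter rules with `ipf -Fa -f /etc/ipf.conf` and the NAT rules with `ipnat -CF -f /etc/ipnat.conf`; `ipnat -l` then lists the active NAT rules and mappings, and `ipfstat -io` shows the loaded filter rules. Two things to check that the post does not mention: the `rdr` on each inside interface must be loaded after every `map` line that could also match those packets, otherwise a `map` rule that matches first wins; and when a client on Net B talks to 192.168.35.191 through BOX, the server can answer the client directly on the shared /23 segment, so the client sees a reply from 192.168.35.191 instead of 213.54.234.158 and the connection is refused. Test the redirect from the Internet side first, as the reply says, before debugging the inside paths.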