netbsd-help: Re: ipf / ipnat statements without effect

Subject: Re: ipf / ipnat statements without effect
To: None <netbsd-help@netbsd.org>
From: Patrick Leslie Polzer <leslie.polzer@gmx.net>
List: netbsd-help
Date: 04/16/2004 09:58:34

On Thu, 15 Apr 2004 17:17:15 -0700
"Conrad T. Pino" <NetBSD-Current@Pino.com> wrote:

> Hi Leslie,
> 
> > Hello there,
> > 
> > I have some serious problem I couldn't find any answer in the howto, the faq
> > or the archives: my simple rules don't work.
> > 
> > My network setup is:
> > 
> >              Internet
> >              <-ppp0->
> >                 |
> > Net A <-tlp0-> BOX <-ex0-> Net B
> > 
> > 
> > ipfilter setup:
> > 
> > # cat /etc/ipf.conf
> > block in quick on ppp0 proto tcp/udp from any to any port = 53 
> 
> This can't be tested from Net A, nor Net B, only from Internet.
Yes, I am well aware of this and always discern the three networks
when portscanning.

> > # cat /etc/ipnat.conf
> > rdr ppp0 213.54.234.158/32 port 80 -> 192.168.35.191 port 80 tcp/udp
> 
> This has a problem. HTTP protocol (port 80) uses tcp, not udp.
> The udp doesn't hurt but neither does it help at all for HTTP.
Well yes, thanks, that'd be a minor correction, but more important
for me  is to get the whole thing running at all.

> This can't be tested from Net A, nor Net B, only from Internet.
Same as above...

> > map ppp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> > map ppp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
> > map ppp0 192.168.1.0/24 -> 0/32
> 
> These are fine.  "map" commands requires source IP address when
> transmitted on "ppp0" interface.
> 
> > map ex0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> > map ex0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
> > map ex0 192.168.1.0/24 -> 0/32
> 
> These are a problem.  They should be deleted altogether.
Why that? Packets from tlp0 (192.168.1.0/24) that go out via ex0
(that'll be, for example, 192.168.34.0/23) will be rewritten.
That's working fine and I don't think I'll have to change it
- or should I correct it somehow?
 
> The inverse IP mapping for returning packets is setup by
> first set of map statement when connections are opened.

> With /23 192.168.34.x & 192.168.35.x are on same subnet.  With /24 they
> are different subnets.
Yes, that's alright.
 
> > Can you help me?
> 
> I've tried.  Best of luck.
I think we're getting to it ;)

Leslie