Subject: IPfilter blocking on the wrong interface?
To: None <netbsd-users@netbsd.org>
From: Wouter Schoot <wouter@schoot.org>
List: netbsd-users
Date: 09/27/2004 14:06:02
Hello all listreaders,

I'm using ipfilter on my NetBSD machine to take some control over the flows,
and I stumbled into a weird problem lately.

Here's the situation:

---       ---
|A| ===== |B| ==> Internet
---       ---

Computer A is on an internal, local subnet. It has IP address 10.0.0.33.
Computer B has two NICs: one is ex1, with IP 10.0.0.1, and the other is ex0
with (internet) IP address 130.89.162.142 (yes, the same IP that hosts the
NetBSD 2.0 beta ISOs: http://netbsd.student.utwente.nl/NetBSD-2.0_RC1-iso/).

This is your average NAT setup, I figured:
map ex0 10.0.0.33/32 -> 0/32 proxy port ftp ftp/tcp
map ex0 10.0.0.33/32 -> 0/32 portmap tcp/udp 40000:60000
map ex0 10.0.0.33/32 -> 0/32

Take the following line:
block in quick on ex0 from any to 10.0.0.0/8

I put it there to keep packets destined for internal networks away from the
outer network card (the one connected to the internet). I figured they should
not end up at my external interface.

But here's the catch. When I have that block rule enabled, machine A can't
connect to the internet anymore. Connecting to 10.0.0.1 goes fine, but no
internet anymore.

When I run 'ipfstat -hi' with the rule enabled and ping something on the
internet from A, those requests do match the rule:

8 block in quick on ex0 from any to 10.0.0.0/8

According to http://www.phildev.net/ipf/IPFques.html#11, the rules should
apply in this order: "interface --> NAT --> filter --> OS --> filter --> NAT
--> interface"

I've been snooping on ex0 for 10/8 traffic using the following tcpdump rule:
tcpdump -n -i ex0 'net 10.0.0.0/8'.

It didn't show any rules when I pinged from A to the internet.

So the interface shouldn't even be seeing any of the 10.0.0.0/8 traffic. 

ipf.conf is on http://ascent.student.utwente.nl/~ascent/ipf.conf
ipnat.conf is on http://ascent.student.utwente.nl/~ascent/ipnat.conf

I use NetBSD 1.6.2_STABLE, 
ipf: IP Filter: v4.1.3 (396)
Kernel: IP Filter: v4.1.3
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10a

So my question is, why is the traffic blocked when I use that rule?
Any help is greatly appreciated!

Wouter

-- 
Once upon a time there was a farmer. He had 3 cows, 2 white ones and 1 white one.
But that didn't matter, because the cow didn't either. The farmer found a
watch; the cow thought not. Ra-ra camel police cap.
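The following is an added worked example, not part of the post above or of IPFilter itself. It models the processing order the quoted FAQ describes (inbound: interface -> NAT -> filter; outbound: filter -> NAT -> interface) with the poster's addresses and NAT map, and runs one ping from A and its reply through it. The remote address 198.51.100.10, the rule and packet classes, and the one-entry state table are constructed for the illustration; real ipf state handling is richer than this. What the model shows is that tcpdump attached to ex0 sees the pre-NAT inbound reply (destination 130.89.162.142), while the filter on ex0 sees the reply after the inbound un-NAT step (destination 10.0.0.33), which is why the block rule counts hits that tcpdump never displays. It also shows the two usual ways to keep an anti-spoofing rule on the external interface without swallowing un-NATed replies: match the internal range as the source rather than the destination, or let a stateful outbound pass rule create state that the reply matches before the rule list is consulted.

```python
"""Model of IPFilter's documented packet processing order.

Added illustration only, not IPFilter code. Addresses and NAT map follow
the post; 198.51.100.10 is a constructed remote host.
"""
import ipaddress
from dataclasses import dataclass, replace

EXTERNAL = "130.89.162.142"      # ex0, public side (from the post)
INTERNAL_HOST = "10.0.0.33"      # machine A (from the post)
PRIVATE_NET = "10.0.0.0/8"
REMOTE = "198.51.100.10"         # constructed internet host (TEST-NET-2)


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str               # "in" or "out"
    src: str
    dst: str
    proto: str = "icmp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str
    iface: str
    src: str                     # "any", a host or a CIDR
    dst: str
    quick: bool = False
    keep_state: bool = False


def in_net(addr, net):
    """Match an address against an ipf-style address spec."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule, pkt):
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst))


def nat_out(pkt):
    """map ex0 10.0.0.33/32 -> 0/32: rewrite the source on the way out."""
    if pkt.iface == "ex0" and pkt.src == INTERNAL_HOST:
        return replace(pkt, src=EXTERNAL)
    return pkt


def nat_in(pkt):
    """Reverse of the map for replies arriving on ex0."""
    if pkt.iface == "ex0" and pkt.dst == EXTERNAL:
        return replace(pkt, dst=INTERNAL_HOST)
    return pkt


def filter_(rules, state, pkt):
    """ipf semantics in miniature: state table first, then the rule list,
    last match wins unless a matching rule is 'quick'; default is pass."""
    if (pkt.proto, pkt.src, pkt.dst) in state:
        return "pass (state)"
    verdict = "pass (default)"
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            if r.keep_state and r.action == "pass":
                state.add((pkt.proto, pkt.dst, pkt.src))   # key of the reply
            if r.quick:
                break
    return verdict


def process(rules, state, pkt, wire):
    """Run one packet through the FAQ's order; 'wire' is what tcpdump on
    the interface sees. Returns (verdict, packet as the filter saw it)."""
    if pkt.direction == "in":
        wire.append(pkt)                 # tcpdump sees it before inbound NAT
        pkt = nat_in(pkt)
        return filter_(rules, state, pkt), pkt
    verdict = filter_(rules, state, pkt)  # outbound filter runs before NAT
    pkt = nat_out(pkt)
    wire.append(pkt)                     # tcpdump sees the post-NAT packet
    return verdict, pkt


def scenario(rules):
    """One echo request from A out through ex0 and its reply back in.
    Returns (out verdict, in verdict, dst the filter saw on the reply,
    whether tcpdump on ex0 ever saw a 10/8 address)."""
    state, wire = set(), []
    v_out, _ = process(rules, state, Packet("ex0", "out", INTERNAL_HOST, REMOTE), wire)
    v_in, seen = process(rules, state, Packet("ex0", "in", REMOTE, EXTERNAL), wire)
    saw_10 = any(in_net(p.src, PRIVATE_NET) or in_net(p.dst, PRIVATE_NET) for p in wire)
    return v_out, v_in, seen.dst, saw_10


# The rule from the post: destination-based block on the external interface.
POSTED_RULES = [Rule("block", "in", "ex0", "any", PRIVATE_NET, quick=True)]
# A stateful outbound pass; replies then match state before any rule is read.
STATEFUL_OUT = [Rule("pass", "out", "ex0", INTERNAL_HOST, "any", quick=True, keep_state=True)]
# Anti-spoofing done on the source address instead, plus the stateful pass.
HARDENED_RULES = [Rule("block", "in", "ex0", PRIVATE_NET, "any", quick=True)] + STATEFUL_OUT

if __name__ == "__main__":
    for name, rules in [("posted", POSTED_RULES),
                        ("posted + keep state", POSTED_RULES + STATEFUL_OUT),
                        ("hardened", HARDENED_RULES)]:
        print(name, scenario(rules))
```

Run as-is: the "posted" ruleset passes the request out but blocks the un-NATed reply, with tcpdump on ex0 never seeing a 10/8 address, which is the symptom in the post. Adding keep state to the outbound pass, or rewriting the block as a source-address check, lets the reply through while still dropping anything arriving on ex0 that claims to come from 10/8.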