Subject: Anyone else seeing this NAT weirdness? (2.0_BETA)
To: None <current-users@netbsd.org>
From: Jeff Rizzo <riz@redcrowgroup.com>
List: current-users
Date: 06/18/2004 12:56:46
Perhaps I'm doing something wrong, but I don't see what.  Suggestions
welcome.

My firewall system is running 2.0_BETA, just upgraded to yesterday's code
yesterday.  (This problem may have been occurring before; I have no way
of telling, but before that it was running 2.0_BETA from a few weeks ago.)

In my ipnat.conf, I have the following bimap:

bimap tlp1 10.0.0.14/32 -> 66.124.71.66/32 #desktop


tlp1 is my external interface, and 66.124.71.66 is one of its addresses -
I want it to NAT to an internal host (10.0.0.14).  Things seem to be
working OK for outgoing traffic from the 10.0.0.14 host (the NAT is
functioning more or less correctly).

In troubleshooting another problem, I tried telnetting to port 1720
on 66.124.71.66 from a host outside, and it wouldn't connect.  So,
I tried again while watching my ipmon logs, and saw this:

Jun 18 12:51:07 boogers ipmon[349]: 12:51:07.153829 tlp1 @0:45 b random.tastylime.net[199.233.217.6],61198 -> lineaAQ14.velocom.com.ar[200.59.48.14],1720 PR tcp len 20 60 -S IN NAT 

I have *no* idea where the 200.59.48.14 IP came from, and looking through
my logs, I see that it's apparently mapped to different IP addresses
sometimes:

Jun 18 12:37:58 boogers ipmon[349]: 12:37:58.788250 tlp1 @0:45 b random.tastylime.net[199.233.217.6],61203 -> 200.63.200.14,1720 PR tcp len 20 60 -S IN NAT 
Jun 18 12:42:33 boogers ipmon[349]: 12:42:33.271743 tlp1 @0:45 b random.tastylime.net[199.233.217.6],61201 -> 200.62.88.14,1720 PR tcp len 20 60 -S IN NAT 


The interesting thing I notice is that all three of these weird IP addresses
(200.63.200.14, 200.62.88.14 and 200.59.48.14) have "14" as the last
octet, which is the same as what the actual mapping is supposed to be
(10.0.0.14).

Has anyone else seen this?  Have I fatfingered something somewhere?

Incidentally, I have the following two lines in ipf.conf at the moment:

pass in quick proto tcp from any to 10.0.0.14/32
pass in quick proto tcp from any to 66.124.71.66/32

...in case it matters.

Thanks,
+j


-- 
Jeff Rizzo                                         http://www.redcrowgroup.com/
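As an added example (not part of the original post, and not ipfilter's or NetBSD's own code), here is a small Python checker that parses the three ipmon lines quoted above and tests whether each inbound NAT-tagged packet's logged destination is an address the bimap can actually produce. ipfilter translates inbound packets before the filter rules see them, so the destination ipmon prints for an IN NAT packet is the post-translation one; for this bimap it should be 10.0.0.14, and a destination of 200.x.y.14 explains why neither `pass in quick` rule matches and rule @0:45 blocks the connection. The regex, the record field names and the finding format are this example's own assumptions, not an ipmon interface; the sample lines are copied from the post.

```python
import re

# ipmon(8) lines copied from the post above; used here as constructed sample input.
SAMPLE_LOG = """\
Jun 18 12:37:58 boogers ipmon[349]: 12:37:58.788250 tlp1 @0:45 b random.tastylime.net[199.233.217.6],61203 -> 200.63.200.14,1720 PR tcp len 20 60 -S IN NAT
Jun 18 12:42:33 boogers ipmon[349]: 12:42:33.271743 tlp1 @0:45 b random.tastylime.net[199.233.217.6],61201 -> 200.62.88.14,1720 PR tcp len 20 60 -S IN NAT
Jun 18 12:51:07 boogers ipmon[349]: 12:51:07.153829 tlp1 @0:45 b random.tastylime.net[199.233.217.6],61198 -> lineaAQ14.velocom.com.ar[200.59.48.14],1720 PR tcp len 20 60 -S IN NAT
"""

# The bimap from the post's ipnat.conf: external address -> internal host.
BIMAP = {"66.124.71.66": "10.0.0.14"}

# Assumed layout of an ipmon line (syslog prefix, then ipmon's own fields).
LOG_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipmon\[(?P<pid>\d+)\]: "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$"
)


def endpoint_ip(field: str) -> str:
    """ipmon prints 'name[ip]' when it can resolve the address, else just 'ip'."""
    m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]$", field)
    return m.group(1) if m else field


def parse_ipmon(text: str) -> list:
    """Parse ipmon lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["src_ip"] = endpoint_ip(d.pop("src"))
        d["dst_ip"] = endpoint_ip(d.pop("dst"))
        tail = d.pop("rest").split()          # e.g. ['-S', 'IN', 'NAT']
        d["flags"] = [t for t in tail if t.startswith("-")]
        d["direction"] = "IN" if "IN" in tail else ("OUT" if "OUT" in tail else None)
        d["natted"] = "NAT" in tail           # packet passed through a NAT rule
        records.append(d)
    return records


def check_inbound_bimap(records: list, bimap: dict) -> list:
    """Flag inbound NAT-translated packets whose destination is neither an
    internal nor an external address of the bimap.  Inbound NAT runs before
    the filter, so the logged destination should already be the internal host."""
    internal = set(bimap.values())
    external = set(bimap)
    findings = []
    for r in records:
        if r["direction"] != "IN" or not r["natted"]:
            continue
        dst = r["dst_ip"]
        if dst in internal or dst in external:
            continue
        findings.append({
            "time": r["ts"],
            "rule": f"@{r['group']}:{r['rule']}",
            "action": r["action"],
            "src": r["src_ip"],
            "dst": dst,
            "dport": int(r["dport"]),
            # The post notices every bad address ends in .14 like 10.0.0.14.
            "last_octet_matches": any(
                dst.rsplit(".", 1)[1] == h.rsplit(".", 1)[1] for h in internal
            ),
        })
    return findings


def unexpected_destinations(findings: list) -> list:
    """Distinct bogus post-NAT destinations, sorted for reporting."""
    return sorted({f["dst"] for f in findings})


if __name__ == "__main__":
    recs = parse_ipmon(SAMPLE_LOG)
    for f in check_inbound_bimap(recs, BIMAP):
        print(f"{f['time']} {f['rule']} {f['action']} {f['src']} -> {f['dst']}:{f['dport']}"
              f" (last octet matches internal host: {f['last_octet_matches']})")
    print("unexpected destinations:", unexpected_destinations(check_inbound_bimap(recs, BIMAP)))
```

Run it against a live `ipmon -o N` or syslog file instead of `SAMPLE_LOG` to see whether the bogus addresses vary per connection or cluster around one value; a new finding for every connection attempt, all sharing the internal host's last octet, is the pattern the post describes.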