Subject: Re: IPfilter blocking on the wrong interface?
To: Wouter Schoot <wouter@schoot.org>
From: roberto <roberto@redix.it>
List: netbsd-help
Date: 09/27/2004 14:15:01
> Hello all listreaders,
>
> I'm using ipfilter on my netbsd machine to take some control over the
> flows, and I stumbled into a weird problem lately.
>
> Here's the situation:
>
> ---       ---
> |A| ===== |B| ==> Internet
> ---       ---
>
> Computer A is on an internal, local subnet. It has IP address 10.0.0.33.
> Computer B has two nics, one is ex1, with IP 10.0.0.1, and the other is
> ex0 with (internet) IP address 130.89.162.142 (Yes, the same IP that hosts
> the NetBSD 2.0 beta ISOs:
> http://netbsd.student.utwente.nl/NetBSD-2.0_RC1-iso/).
>
> This is your average NAT setup, I figured:
> map ex0 10.0.0.33/32 -> 0/32 proxy port ftp ftp/tcp
> map ex0 10.0.0.33/32 -> 0/32 portmap tcp/udp 40000:60000
> map ex0 10.0.0.33/32 -> 0/32
>
> Take the following line:
> block in quick on ex0 from any to 10.0.0.0/8
>
> I put it there to prevent the outer network card (connected to the
> internet) from packets destined for internal networks. I figured, they
> should not end up at my external interface.
>
> But here's the catch. When I have that block rule enabled, machine A can't
> connect to the internet anymore. Connecting to 10.0.0.1 goes fine, but no
> internet anymore.
>
> When I 'ipfstat -hi' with the rule enabled, and ping something from A to
> the internet, those requests do match the rule:
>
> 8 block in quick on ex0 from any to 10.0.0.0/8
>
> According to http://www.phildev.net/ipf/IPFques.html#11, the rules should
> apply in this order: "interface --> NAT --> filter --> OS --> filter -->
> NAT --> interface"
>
> I've been snooping on ex0 for 10/8 traffic using tcpdump's rule:
> tcpdump -n -i ex0 'net 10.0.0.0/8'.
>
> It didn't show any rules when I pinged from A to the internet.
>
> So the interface shouldn't even be seeing any of the 10.0.0.0/8 traffic.
>
Wrong: if you have a NAT server, your internal traffic is "masqueraded" by
the external IP of the NAT server, so look for 130.89.162.142 on ex0! The
translation into 10.0.0.0/8 should occur after tcpdump has captured the
packet.

> ipf.conf is on http://ascent.student.utwente.nl/~ascent/ipf.conf
> ipnat.conf is on http://ascent.student.utwente.nl/~ascent/ipnat.conf
OK, it is quite a long setup: I can't check all the rules together, so
basically all you should have is (with stateful ipf):

ipf.conf:
block in log all
block out log all
pass in quick on <internal_interface> from 10.0.0.0/8 to any keep state

ipnat.conf:
map <external_interface> 10.0.0.0/8 -> 0/0

This should work on IP Filter: v3.4.29.
I suggest that you:
  - use "log" on every block rule;
  - start with a small set of rules;
  - use ipmon and start testing... and look at tcpdump!

[snip]
>
> So my question is, why is the traffic blocked when I use that rule ?
> Any help is greatly appreciated!
>
> Wouter

Hope this will be useful
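To make the ordering argument in this thread concrete, here is an added toy model (not ipf code and not part of the original mail) of IP Filter's inbound path: the packet as tcpdump sees it on the wire, then NAT, then the state table, then the rule list. Addresses are the ones from the thread; the port numbers, the remote server 198.51.100.7 and the session entries are constructed assumptions.

```python
# Toy model of IP Filter's inbound path: wire (tcpdump) -> NAT -> state -> rules.
# Constructed for this thread; it is not ipf source. Addresses are from the thread.
import ipaddress

EXT_IP, INT_HOST = "130.89.162.142", "10.0.0.33"

# NAT session left by A's outbound TCP flow (what 'map ex0 ... portmap' creates):
# a reply to EXT_IP:40001 is rewritten back to 10.0.0.33:3456. Constructed values.
NAT_SESSIONS = {("ex0", EXT_IP, 40001): (INT_HOST, 3456)}

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(rule, iface, pkt):
    return (rule["on"] in ("any", iface) and in_net(pkt["src"], rule["from"])
            and in_net(pkt["dst"], rule["to"]))

def nat_inbound(iface, pkt):
    """Translate the destination of an inbound reply on the external interface."""
    key = (iface, pkt["dst"], pkt["dport"])
    if key in NAT_SESSIONS:
        pkt = dict(pkt, dst=NAT_SESSIONS[key][0], dport=NAT_SESSIONS[key][1])
    return pkt

def inbound_verdict(iface, wire_pkt, rules, state):
    """Return (dst tcpdump shows, dst the filter sees, verdict).
    Order follows the FAQ cited in the thread: interface -> NAT -> filter.
    State entries (from 'keep state') are consulted before the rule list, as in
    ipf; with no match at all ipf's default is pass, hence 'block in log all'."""
    pkt = nat_inbound(iface, wire_pkt)
    if (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in state:
        return wire_pkt["dst"], pkt["dst"], "pass (state)"
    verdict = "pass"
    for rule in rules:  # last match wins unless the rule is 'quick'
        if rule_matches(rule, iface, pkt):
            verdict = rule["action"]
            if rule.get("quick"):
                break
    return wire_pkt["dst"], pkt["dst"], verdict

# Reply from an Internet web server to A's NATed connection (constructed).
REPLY = {"src": "198.51.100.7", "sport": 80, "dst": EXT_IP, "dport": 40001}
# The rule from the thread: after NAT the reply's dst is 10.0.0.33, so it matches.
WOUTER_RULE = [{"action": "block", "quick": True, "on": "ex0",
                "from": "any", "to": "10.0.0.0/8"}]
# The suggested layout: block everything, rely on the state A's outbound packet left.
ROBERTO_RULES = [{"action": "block", "on": "any", "from": "any", "to": "any"}]
STATE_FROM_A = {(INT_HOST, 3456, "198.51.100.7", 80)}
```

The first verdict is why A loses Internet access with the rule enabled even though tcpdump on ex0 never shows a 10/8 destination; the second shows the stateful layout letting the same reply through.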