NetBSD-Users archive


NPF NAT port range behaviour



I've been using NPF as a gateway router for my homelab for a number of weeks
now, after a positive experience using it plus fail2ban on my home server.

What I've run into, however, is some (to me) unexpected NAT behaviour. I
wanted to expose a homelab server entirely to my home LAN. I assigned an
aliased IP onto the homelab gateway's external IP and wanted to set up NAT
forwarding to redirect all ports to the server (in this case 10.1.0.0/24 is
my homelab network segment, 192.168.0.0/24 is my home LAN network segment):

map $ext_if dynamic 10.1.0.74 <- 192.168.0.124

When I tried SSHing to 192.168.0.124 from my home lan, I ended up getting:

ssh: connect to host 192.168.0.124 port 22: Connection refused

However, explicitly forwarding *just* port 22 works:

map $ext_if dynamic 10.1.0.74 port 22 <- 192.168.0.124 port 22

I set up a firewall on the destination box and decided to monitor what was
happening to the packets, and realized that the destination port for the
packets was being selected randomly when the port wasn't explicitly set.
This behaviour also applies when a specific port is set, or when a range of
ports is set:

# maps port 22 to a random dest port:
map $ext_if dynamic 10.1.0.74 <- 192.168.0.124 port 22
# maps ports 22, 80, 6667 all to random dest ports
$port_range = { ssh, http, irc }
map $ext_if dynamic 10.1.0.74 <- 192.168.0.124 port $port_range
# map all ports to dest port 22 -- this one actually makes sense
# syntactically (to me)
map $ext_if dynamic 10.1.0.74 port 22 <- 192.168.0.124

Is all this expected behaviour? If so, what is the correct way to map all or
a range of ports? I would really like to do DNAT this way, rather than
resorting to BINAT (which seems to work for exposing all ports, as needed).
To me, what would seem to make the most sense would be implicit port ranges:
the forwarded ports go to their identical dest port unless specified
otherwise. This is the kind of behaviour I've noticed when working with
iptables, where I've been able to set a range of incoming ports and also the
corresponding range of destination ports.

Regards,
-brkt


--
View this message in context: http://netbsd.2816.n7.nabble.com/NPF-NAT-port-range-behaviour-tp350056.html
Sent from the netbsd-users mailing list archive at Nabble.com.
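As an added example (not from the original post and not the NPF project's own configuration), here is a minimal npf.conf fragment that writes out the two forms the post reports as working: per-port DNAT with the port stated on both sides of the map, and the bi-directional `<->` map form (BINAT) for exposing every port. The addresses are the ones from the post; the interface name, the group name and the pass rules are assumptions, and the rest of the ruleset is omitted.

```conf
# Added example, not from the original post. Assumed: the external interface
# is wm0, and the pass rules below; the addresses are the ones in the post.
$ext_if = "wm0"

# Ports the homelab host should be reachable on (ssh, http, irc).
$lab_ports = { 22, 80, 6667 }

# Form 1: per-port DNAT. The port appears on BOTH sides of the map and each
# service gets its own line; this is the form the post observed working for
# port 22. Omitting the left-hand port is what produced a random port.
map $ext_if dynamic 10.1.0.74 port 22   <- 192.168.0.124 port 22
map $ext_if dynamic 10.1.0.74 port 80   <- 192.168.0.124 port 80
map $ext_if dynamic 10.1.0.74 port 6667 <- 192.168.0.124 port 6667

# Form 2 (alternative to Form 1; use one or the other for this address pair):
# bi-directional NAT, which the post reports exposes all ports at once.
# map $ext_if dynamic 10.1.0.74 <-> 192.168.0.124

group "external" on $ext_if {
    # Assumption, following the port-forward example in npf.conf(5): the
    # inbound pass rule names the untranslated (LAN-side) destination.
    # With Form 1, only the forwarded ports are allowed in:
    pass stateful in final proto tcp to 192.168.0.124 port $lab_ports
    # With Form 2, drop the port clause so every port can reach the host:
    # pass stateful in final proto tcp to 192.168.0.124
    pass stateful out final all
}
```

Load the file with `npfctl reload` and inspect the active ruleset with `npfctl show`; if a mapped port still ends up somewhere random, compare the line printed for that map against the per-port form above, where both `port` clauses are present.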

