[Bug 201448] [IPFW] keep-state and in-kernel NAT exposes local ip on external interface
bugzilla-noreply at freebsd.org
Fri Jul 10 00:19:47 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201448
Bug ID: 201448
Summary: [IPFW] keep-state and in-kernel NAT exposes local ip on external interface
Product: Documentation
Version: Latest
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Documentation
Assignee: freebsd-doc at FreeBSD.org
Reporter: g_amanakis at yahoo.com
According to the example of the handbook regarding NAT
(https://www.freebsd.org/doc/handbook/firewalls-ipfw.html), the inbound NAT
rule should be placed first (below 0400), followed by the outbound NAT rule
(below 24000).
-------8<--------
ipfw nat 123 config ip xxx.xxx.xxx.xxx same_ports reset
00100 reass ip from any to any in
00200 allow ip from any to any via lo0
00300 allow ip from any to any via em1
00400 nat 123 ip from any to any in recv em0
00500 check-state
00600 skipto 24000 ip from any to me dst-port 80,443,22,500,4500,1194,993,8112 in recv em0 keep-state
00700 skipto 24000 ip from any to any out xmit em0 keep-state
00800 deny log ip from any to any
24000 nat 123 ip from any to any out xmit em0
24100 allow ip from any to any
-------8<--------
However, this allows some packets to escape NAT (why?), and IPs on the LAN
(behind NAT) are exposed on the external interface (where NAT is performed).
When one places the NAT rules in the opposite order (i.e. the outbound rule first
and then the inbound rule), the problem disappears.
-------8<--------
ipfw nat 123 config ip xxx.xxx.xxx.xxx same_ports reset
00100 reass ip from any to any in
00200 allow ip from any to any via lo0
00300 allow ip from any to any via em1
00400 nat 123 ip from any to any out xmit em0
00500 check-state
00600 skipto 24000 ip from any to me dst-port 80,443,22,500,4500,1194,993,8112 in recv em0 keep-state
00700 skipto 24000 ip from any to any out xmit em0 keep-state
00800 deny log ip from any to any
24000 nat 123 ip from any to any in recv em0
24100 allow ip from any to any
-------8<--------
See https://forums.freebsd.org/threads/ipfw-keep-state-and-in-kernel-nat-exposes-local-ip-on-external-interface.52134/
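A check for the leak described above, usable both to confirm it with the first ruleset and to verify that the reordered one fixes it: capture on the external interface with `tcpdump -nni em0` and flag every packet whose source is a LAN (RFC 1918 / non-global) address, since after NAT no such source should ever appear on em0 in either direction. This script is an added example, not part of the bug report or of FreeBSD; the tcpdump lines and the addresses 11.22.33.44 (router WAN) and 192.168.1.10 (LAN host) are constructed.

```python
import ipaddress
import re
from collections import Counter

# Matches the "IP a.b.c.d[.port] > e.f.g.h[.port]:" part of a tcpdump -n line
# (IPv6 "IP6" lines deliberately do not match).
TCPDUMP_IPV4 = re.compile(
    r"\bIP (\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))? > "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?[:,]"
)

def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port); ports are None for ICMP.
    Returns None for lines that are not IPv4 packets."""
    m = TCPDUMP_IPV4.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport) if sport else None, dst, int(dport) if dport else None

def find_leaks(lines):
    """Packets seen on the external interface whose source is a private address.
    bpf on the output side sees packets after ipfw, so a LAN source here means
    the packet bypassed the outbound nat rule."""
    leaks = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and ipaddress.ip_address(parsed[0]).is_private:
            leaks.append(parsed)
    return leaks

def leak_summary(lines):
    """Count leaked packets per LAN source address."""
    return Counter(src for src, _, _, _ in find_leaks(lines))

# Constructed capture: one properly NATed flow, then three leaked packets.
SAMPLE_TCPDUMP = [
    "10:00:01.000001 IP 11.22.33.44.51234 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0",
    "10:00:01.000002 IP 93.184.216.34.443 > 11.22.33.44.51234: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "10:00:01.000003 IP 192.168.1.10.51235 > 93.184.216.34.443: Flags [S], seq 3, win 65535, length 0",
    "10:00:01.000004 IP 192.168.1.10 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64",
    "10:00:01.000005 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56",
    "10:00:01.000006 IP 192.168.1.10.51236 > 93.184.216.34.80: Flags [S], seq 4, win 65535, length 0",
]

if __name__ == "__main__":
    for src, count in leak_summary(SAMPLE_TCPDUMP).items():
        print(f"LEAK: {count} packet(s) left the external interface with LAN source {src}")
```

On the router itself, pipe a live capture in instead of the sample: `tcpdump -nni em0 -l | python3 leakcheck.py` with the script reading `sys.stdin`.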