keep-state and in-kernel NAT exposes local ip on external interface

Lev Serebryakov lev at
Tue Jul 28 19:43:18 UTC 2015


On 28.07.2015 08:30, Ian Smith wrote:

 I have had a global lack of any spare time (and all my FreeBSD activity is
only a hobby) for the last ~2 months. I see the end of this unfortunate
state of affairs in the near future, and I remember these examples.

> Way back on Wed, 1 Jul 2015 22:02:53 +0300, Lev Serebryakov wrote:
>> On 30.06.2015 22:20, Georgios Amanakis via freebsd-ipfw wrote:
>> It is a good example for my changes :) All this "skipto /
>> keep-state" magic is not understandable.
> Indeed.  So all we're waiting for, Lev, is some simple usage
> examples of how things should be done with your new stateful
> operators, especially when combining stateful rules with NAT.
> Please see what you can do ..
> I know it's clear to you, but I for one cannot get my head around
> these without a couple of examples, roughly suitable for inclusion
> in ipfw(8) EXAMPLES section.  Rough illustrations would do fine at
> first.
> In the problems shown lately, including the one below (harder to
> read with the quoting wrapped like that!) it seems the problem of
> keepalives being issued using the internal address would not occur
> if keep-state was only applied _after_ NAT, only on the
> already-translated source address, but like you and apparently many
> others, I find these rulesets very difficult to follow in terms of
> different possible flows.
> cheers, Ian
>>> On FreeBSD 10.1p13 with two interfaces em0 (internet) and
>>> em1 (lan) I can fish (tcpdump) packets on em0 which have escaped
>>> the in-kernel NAT and have as source address an IP on the LAN.
>>> This should not happen and I can confirm that with pf this is
>>> not the case. I have the following ipfw rules:
>>>
>>> nat:  ipfw nat 123 config ip same_ports reset
>>>
>>> 00100 reass ip from any to any in
>>> 00200 allow ip from any to any via lo0
>>> 00300 allow ip from any to any via em1
>>> 00400 nat 123 ip from any to any in recv em0
>>> 00500 check-state
>>> 00600 skipto 24000 ip from any to me dst-port 80,443,22,500,4500,1194,993,8112 in recv em0 keep-state
>>> 00700 skipto 24000 ip from any to any out xmit em0 keep-state
>>> 00800 deny log ip from any to any
>>> 24000 nat 123 ip from any to any out xmit em0
>>> 24100 allow ip from any to any
>>>
>>> Contrary to many online tutorials, including the example of the
>>> handbook regarding NAT ( 
>>> when one places the NAT rules in the opposite order (i.e.
>>> outbound rule first and then the inbound rule) the problem
>>> disappears, i.e.:
>>>
>>> ...
>>> 00400 nat 123 ip from any to any out xmit em0
>>> ...
>>> 24000 nat 123 ip from any to any in recv em0
>>> ...
>>>
>>> Why is this happening? Any objections to reversing the order of
>>> the NAT rules?

-- 
// Lev Serebryakov
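To make the ordering question in the quoted ruleset concrete, here is an added toy simulation, written for this archive page and not ipfw's own code or anything posted in the thread: it walks one outbound packet and its reply through rules 400..24100 (100..300 and 600 never fire on this flow) in each NAT order and reports which addresses the dynamic rule ends up holding, which are the addresses a keepalive for that state would carry. The three IP addresses are constructed, and `nat 123` is reduced to a plain source/destination rewrite.

```python
# Toy model of ipfw rule traversal, constructed for this thread (not ipfw's
# code): it tracks only direction, interface and the addresses in a flow.
EXT_IP, LAN_IP, REMOTE = "203.0.113.5", "192.168.1.10", "198.51.100.9"  # constructed

def flow(pkt):                      # state key, same for both directions
    return tuple(sorted((pkt["src"], pkt["dst"])))

def walk(rules, pkt, dyn):
    """Run pkt through rules; dyn maps a flow key to its parent's skipto target."""
    jump = {num: i for i, (num, _, _) in enumerate(rules)}
    pkt, i = dict(pkt), 0
    while i < len(rules):
        _, action, match = rules[i]
        if action == "check-state":
            if flow(pkt) in dyn:        # known flow: jump as the parent rule did
                i = jump[dyn[flow(pkt)]]
                continue
        elif match(pkt):
            if action == "nat 123":     # same_ports NAT: masquerade out, undo in
                if pkt["dir"] == "out":
                    pkt["src"] = EXT_IP
                else:
                    pkt["dst"] = LAN_IP
            elif action.startswith("skipto"):
                target = int(action.split()[1])
                if action.endswith("keep-state"):
                    dyn[flow(pkt)] = target  # addresses are captured at THIS point
                i = jump[target]
                continue
            else:
                return action           # allow / deny
        i += 1
    return "deny"

out_em0 = lambda p: p["dir"] == "out" and p["iface"] == "em0"
in_em0 = lambda p: p["dir"] == "in" and p["iface"] == "em0"
always = lambda p: True

def ruleset(nat_in_first):          # rules 400..24100 of the posted set, em0 pass only
    r400, r24000 = (in_em0, out_em0) if nat_in_first else (out_em0, in_em0)
    return [(400, "nat 123", r400), (500, "check-state", always),
            (700, "skipto 24000 keep-state", out_em0), (800, "deny", always),
            (24000, "nat 123", r24000), (24100, "allow", always)]

def state_after_session(nat_in_first):
    """Verdicts for the outbound packet and its reply, plus the state's addresses."""
    dyn, rules = {}, ruleset(nat_in_first)
    out = walk(rules, {"dir": "out", "iface": "em0", "src": LAN_IP, "dst": REMOTE}, dyn)
    back = walk(rules, {"dir": "in", "iface": "em0", "src": REMOTE, "dst": EXT_IP}, dyn)
    return out, back, next(iter(dyn))
```

Both orders pass the session, but only with the inbound NAT rule first does the dynamic rule hold the LAN address, which is what Ian's remark about keep-state running before translation points at.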