Re: DNAT in freebsd

2013-07-01 Thread Sami Halabi
Hi,

I've tried the following:

em1 - ip 10.0.1.1/24
em2 - ip 11.0.3.1/24
route add 11.0.4.0/24 11.0.3.2

ipfw flush
ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1

ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1


ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2

What I see in tcpdump and logs is that rule 1000 converts the IP
correctly:
10.0.1.2->10.0.1.1  ==>  11.0.3.1->10.0.1.1
while the 2000 rule does nothing...

Thanks in advance,
Sami



On Sun, Jun 30, 2013 at 11:27 PM, Sami Halabi  wrote:

> Hi Eugene,
>
> It simply doesn't work for me; the reverse option doesn't work properly
> for me, it keeps translating the source instead of the destination...
>
>
> On Sun, Jun 30, 2013 at 6:32 PM, Eugene Grosbein wrote:
>
>> On 30.06.2013 18:48, Sami Halabi wrote:
>> > Hi,
>> > I don't understand how reverse mode works exactly, and didn't find a
>> > good example.
>> >
>> >
>> > can you try and help on the configuration?
>>
>> Well, that's pretty simple. Generally, NAT translates the source IP address
>> of the packet, keeping the destination IP intact. You need both source and
>> destination addresses to get translated. Reverse NAT does, well, the
>> reverse thing: it translates the destination IP, keeping the source IP
>> intact.
>> So, you just need to set up two ipfw nat instances, one "general" and one
>> "reverse", and pass your packets through both instances.
>>
>> Eugene Grosbein
>>
>>
>>
>
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert
> FreeBSD SysAdmin Expert
>



-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


Re: DNAT in freebsd

2013-07-01 Thread Eugene Grosbein
On 01.07.2013 14:30, Sami Halabi wrote:
> Hi,
> 
> I've tried the following:
> 
> em1 - ip 10.0.1.1/24 
> em2 - ip 11.0.3.1/24 
> route add 11.0.4.0/24  11.0.3.2
> 
> ipfw flush
> ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
> ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
> 
> ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
> 
> 
> ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
> ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2
> 
> What I see in tcpdump and logs is that rule 1000 converts the IP correctly:
> 10.0.1.2->10.0.1.1  ==>  11.0.3.1->10.0.1.1
> while the 2000 rule does nothing...

man ipfw says:

 To let the packet continue after being (de)aliased, set the sysctl variable
 net.inet.ip.fw.one_pass to 0.

By default, rule 1000 "consumes" aliased packets and they do not hit rule 2000
at all.
So, you need to set sysctl net.inet.ip.fw.one_pass=0.
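As an added illustration (not from the thread and not ipfw's own code) of the two points Eugene makes, that a normal instance rewrites the source while a reverse instance rewrites the destination, and that one_pass decides whether a packet continues past a nat rule, here is a small Python model of the forward path of the ruleset above. It assumes nat instance 2 is the one configured with reverse and ip 11.0.4.2, models only address rewriting (no state table, no return path), and inserts a count rule 1500 of the kind Eugene suggests for checking intermediate results.

```python
# Added toy model of ipfw rule traversal for this thread's ruleset (constructed; not ipfw code).
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass
class NatInstance:          # stands in for 'ipfw nat N config [reverse] ip <alias_ip>'
    alias_ip: str
    reverse: bool = False
    def translate(self, pkt):
        # A normal instance rewrites the source and keeps the destination;
        # a 'reverse' instance rewrites the destination and keeps the source.
        return replace(pkt, dst=self.alias_ip) if self.reverse else replace(pkt, src=self.alias_ip)

@dataclass
class Rule:
    number: int
    action: str             # 'nat' or 'count'
    src: str                # address or 'any'
    dst: str
    nat_id: int = 0
    def matches(self, pkt):
        return self.src in ('any', pkt.src) and self.dst in ('any', pkt.dst)

def run_ruleset(pkt, rules, nats, one_pass, log):
    """Walk rules in order; 'count' logs the packet as seen there, 'nat' translates it."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.action == 'count':
            log.append(f"{rule.number}: {pkt.src} -> {pkt.dst}")
        elif rule.action == 'nat':
            pkt = nats[rule.nat_id].translate(pkt)
            if one_pass:        # net.inet.ip.fw.one_pass=1: later rules are never reached
                return pkt
    return pkt

# Forward path of the thread's ruleset, plus a 'count log' rule between the two nat rules.
RULES = [Rule(1000, 'nat', '10.0.1.2', '10.0.1.1', nat_id=1),
         Rule(1500, 'count', 'any', 'any'),
         Rule(2000, 'nat', '11.0.3.1', '10.0.1.1', nat_id=2)]
NATS = {1: NatInstance('11.0.3.1'),                # ipfw nat 1 config ... ip 11.0.3.1
        2: NatInstance('11.0.4.2', reverse=True)}  # assumed: ipfw nat 2 config reverse ... ip 11.0.4.2

def forward_path(one_pass):
    # Returns (final packet, count-rule log) for a 10.0.1.2 -> 10.0.1.1 packet.
    log = []
    return run_ruleset(Packet('10.0.1.2', '10.0.1.1'), RULES, NATS, one_pass, log), log
```

With one_pass=1 the packet leaves the ruleset as 11.0.3.1->10.0.1.1 and the count rule sees nothing; with one_pass=0 the count rule records 11.0.3.1->10.0.1.1 and rule 2000 then rewrites the destination to 11.0.4.2.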


Re: DNAT in freebsd

2013-07-01 Thread Sami Halabi
Hi,
Forgot to mention that, but this sysctl is already set to 0.
I see in the logs that packets pass rule 1000.

Sami


On Mon, Jul 1, 2013 at 12:17 PM, Eugene Grosbein  wrote:

> On 01.07.2013 14:30, Sami Halabi wrote:
> > Hi,
> >
> > I've tried the following:
> >
> > em1 - ip 10.0.1.1/24 
> > em2 - ip 11.0.3.1/24 
> > route add 11.0.4.0/24  11.0.3.2
> >
> > ipfw flush
> > ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
> > ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
> >
> > ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> > ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
> >
> >
> > ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
> > ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2
> >
> > What I see in tcpdump and logs is that rule 1000 converts the IP
> > correctly:
> > 10.0.1.2->10.0.1.1  ==>  11.0.3.1->10.0.1.1
> > while the 2000 rule does nothing...
>
> man ipfw says:
>
>  To let the packet continue after being (de)aliased, set the sysctl
>  variable net.inet.ip.fw.one_pass to 0.
>
> By default, rule 1000 "consumes" aliased packets and they do not hit rule
> 2000 at all.
> So, you need to set sysctl net.inet.ip.fw.one_pass=0
>



-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert


Re: DNAT in freebsd

2013-07-01 Thread Eugene Grosbein
On 01.07.2013 17:05, Sami Halabi wrote:
> Hi,
> Forgot to mention that, but this sysctl is already set to 0.
> I see in the logs that packets pass rule 1000.

Use rules like 'ipfw add 1500 count log ip from any to any' to check
intermediate results of translation.

___


Current problem reports assigned to freebsd-ipfw@FreeBSD.org

2013-07-01 Thread FreeBSD bugmaster
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker  Resp.  Description

o kern/178482  ipfw   [ipfw] logging problem from vnet jail
o kern/178480  ipfw   [ipfw] dynamically loaded ipfw with a vimage kernel do
o kern/178317  ipfw   [ipfw] ipfw options need to specifed in specific order
o kern/177948  ipfw   [ipfw] ipfw fails to parse port ranges (p1-p2) for udp
o kern/176503  ipfw   [ipfw] ipfw layer2 problem
o kern/169206  ipfw   [ipfw] ipfw does not flush entries in table
o conf/167822  ipfw   [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw   [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw   [ipfw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw   [ipfw] [lo] [patch] loopback interface is not marking 
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call 
o kern/153161  ipfw   [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
f kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to 
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

43 problems total.



Re: DNAT in freebsd

2013-07-01 Thread Sami Halabi
Hi,
I did ping 10.0.1.1 from 10.0.1.2, so the packet is 10.0.1.2->10.0.1.1.
> ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
If I have 10.0.1.1 on em1, no translation is done!
If I delete it (and add a static ARP entry on 10.0.1.2 for the MAC of 10.0.1.1),
rule 1000 translates well and I get a packet 11.0.3.1->10.0.1.1.

> ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
No translation is done at all!

Sami

> ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
>
>
> ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
> ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2



On Mon, Jul 1, 2013 at 1:42 PM, Eugene Grosbein  wrote:

> On 01.07.2013 17:05, Sami Halabi wrote:
> > Hi,
> > Forgot to mention that, but this sysctl is already set to 0.
> > I see in the logs that packets pass rule 1000.
>
> Use rules like 'ipfw add 1500 count log ip from any to any' to check
> intermediate results of translation.
>
>


-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert