[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freebsd-ipfw
Subject:    Ipfw + Natd + multiple instance
From:       Jean-Baptiste COUPIAC <jeanbaptiste.coupiac () nfrance ! com>
Date:       2016-09-14 15:25:03
Message-ID: CAH22wMWDFHY-6807zDUrc+1DK5DK8xNAsWcgPV2wKk8_RY=ztw () mail ! gmail ! com
[Download RAW message or body]

Hello IPFWers,

I'm trying to use IPfw, with several natd instances

==== igb0 (192.31.3.253/22)
tun1 (10.69.0.0/24)   ====          FreeBSD router
==== em0 (192.168.1.2/24)

Above, my pretty simple configuration. (but I've re-write in this mail some
networks/interfaces for sec reason )

My trafic comes by tun1 (an openvpn tunnel), and depending the destination,
I need to NAT it via igb0 or em0.

Below my natd.conf
_________________
*instance default*
*interface em0*
*port 8668*
*use_sockets yes*
*same_ports yes*

*instance mgmt*
*interface igb0*
*port 8669*
*use_sockets yes*
*same_ports yes*
_________________


Below my rc.firewall
_________________
*cmd="ipfw add"*
*lans="10.0.0.0/8 <http://10.0.0.0/8>"*
*vpn_lans="10.69.0.0/24,10.70.0.0/24 <http://10.69.0.0/24,10.70.0.0/24>"*
*mgmt="192.31.0.0/21 <http://192.31.0.0/21>"*

*ipfw -q -f flush*

*$cmd 00010 divert 8668 log ip from $lans to any in  via em0*
*$cmd 00011 divert 8669 log ip from $mgmt to any in via igb0*

*$cmd 00100 check-state*

*$cmd 00110 skipto 2000 log ip from $vpn_lans to $lans out via em0
keep-state*
*$cmd 00111 skipto 2200 log ip from $vpn_lans to $mgmt out via igb0
keep-state*

*$cmd 01010 deny all from 'table(1)' to any dst-port 22 in*
*$cmd 01011 allow log ip from any to any*

*$cmd 02000 divert 8668 log ip from any to any out via em0*
*$cmd 02001 allow log ip from any to $lans*

*$cmd 02200 divert 8669 log ip from any to any out via igb0*
*$cmd 02201 allow log ip from any to $mgmt*

*$cmd 03000 deny log  logamount 500 ip from any to any*
*s*
*same_ports yes*
_________________


I use default instance to nat to LANS
I use mgmt instance to nat to MGMT


NAT for LANS is working good (icmp from *10.69.0.10* to *10.54.255.254*) ,
but NAT for MGMT does not work (icmp from* 10.69.0.10* to *192.31.0.99*):

*Sep 13 17:55:18 <security.info <http://security.info>> kimberley kernel:
ipfw: 2201 Accept ICMP:8.0 10.69.0.10 192.31.0.99 in via tun1*
*Sep 13 17:55:18 <security.info <http://security.info>> kimberley kernel:
ipfw: 2200 Divert 8669 ICMP:8.0 10.69.0.10 192.31.0.99 out via igb0*
*Sep 13 17:55:18 <security.info <http://security.info>> kimberley kernel:
ipfw: 2201 Accept ICMP:8.0 192.31.3.253 192.31.0.99 out via igb0*
*Sep 13 17:55:18 <security.notice> kimberley kernel: ipfw: limit 5 reached
on entry 2201*
*Sep 13 17:55:18 <security.info <http://security.info>> kimberley kernel:
ipfw: 11 Divert 8669 ICMP:0.0 192.31.0.99 192.31.3.253 in via igb0*
*Sep 13 17:55:18 <security.info <http://security.info>> kimberley kernel:
ipfw: 3000 Deny ICMP:0.0 192.31.0.99 10.69.0.10 in via igb0*

NAT for LAN working show:

*Sep 13 17:45:01 <security.info <http://security.info>> kimberley kernel:
ipfw: 110 SkipTo 2000 ICMP:8.0 10.69.0.10 10.54.255.254 in via tun1*
*Sep 13 17:45:01 <security.info <http://security.info>> kimberley kernel:
ipfw: 2001 Accept ICMP:8.0 10.69.0.10 10.54.255.254 in via tun1*
*Sep 13 17:45:01 <security.info <http://security.info>> kimberley kernel:
ipfw: 110 SkipTo 2000 ICMP:8.0 10.69.0.10 10.54.255.254 out via em0*
*Sep 13 17:45:01 <security.notice> kimberley kernel: ipfw: limit 5 reached
on entry 110*
*Sep 13 17:45:01 <security.info <http://security.info>> kimberley kernel:
ipfw: 2000 Divert 8668 ICMP:8.0 10.69.0.10 10.54.255.254 out via em0*
*Sep 13 17:45:01 <security.info <http://security.info>> kimberley kernel:
ipfw: 2001 Accept ICMP:8.0 192.168.1.2 10.54.255.254 out via em0*


I'm pretty stuck, can you help me please ?



__

[image: NFrance Conseil] <http://www.nfrance.com/>

*Jean-Baptiste COUPIAC*
Tél. : +33 5 34 45 55 00 <%20+33534455500>
4 rue Kennedy 31000 Toulouse - France | www.nfrance.com
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic