
Problem w/ NAT source-hash in OBSD 3.4



Dmesg output:


OpenBSD 3.4 (GENERIC) #18: Wed Sep 17 03:34:47 MDT 2003
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (Coppermine) ("GenuineIntel" 686-class, 128KB L2 cache) 1.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SIMD
real mem  = 536195072 (523628K)
avail mem = 491302912 (479788K)
using 4278 buffers containing 26910720 bytes (26280K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 02/02/01, BIOS32 rev. 0 @ 0xfda74
apm0 at bios0: Power Management spec V1.2 (BIOS mgmt disabled)
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev. 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xf2bb0/144 (7 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB PCI-ISA" rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1800 0xc9800/0x1800 0xdc000/0x4000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX" rev 0x03
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <ST340016A>
wd0: 16-sector PIO, LBA, 38166MB, 16383 cyl, 16 head, 63 sec, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <TEAC, CD-224E, 1.7A> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x02 at pci0 dev 7 function 3 not configured
fxp0 at pci0 dev 12 function 0 "Intel 82557" rev 0x08: irq 10, address 00:02:b3:2f:94:b6
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 4
fxp1 at pci0 dev 13 function 0 "Intel 82557" rev 0x08: irq 10, address 00:02:b3:2f:94:b7
inphy1 at fxp1 phy 1: i82555 10/100 media interface, rev. 4
vga1 at pci0 dev 14 function 0 "ATI Mach64 GT" rev 0x41
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask c840 netmask cc40 ttymask dc42
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302



/etc/pf.conf contents:


# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="fxp0"   # replace with actual external interface name i.e., dc0
int_if="fxp1"   # replace with actual internal interface name i.e., dc1
internal_net="10.1.96.1/27"
external_addr="192.168.1.1"

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
set loginterface fxp0
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

rdr on fxp1 from any to 192.168.5.5 -> 167.210.197.68
rdr on fxp1 from any to 192.168.5.47 -> 172.30.1.47
rdr on fxp1 from any to 192.168.5.45 -> 172.30.1.45
rdr on fxp1 from any to 192.168.5.75 -> 172.30.1.75
rdr on fxp1 from any to 192.168.5.30 -> 172.30.1.30
rdr on fxp1 from any to 192.168.5.40 -> 192.168.0.40
nat on fxp0 inet from any to any -> 190.120.188.1/26 source-hash


rdr on fxp0 from any to 190.120.188.127 -> 10.1.99.115
# nat on fxp0 inet from 10.1.97.232 to any -> 190.120.188.125

# rdr on fxp0 from any to 190.120.188.126 -> 10.1.99.103
nat on fxp1 inet from 172.30.1.30 to any -> 192.168.5.30
# nat on fxp1 inet from 192.168.7.3 to any -> 192.168.5.3

# rdr outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

#no rdr on { lo0, lo1 } from any to any

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log all
# pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
pass  in on $int_if proto { tcp, udp } all keep state
pass  out on $ext_if proto { tcp, udp } all keep state

# FTP rules
pass in on $ext_if proto tcp from any to $ext_if port ftp keep state allow-opts
pass in on $ext_if proto tcp from any to 10.1.99.103 port ftp keep state allow-opts
pass out on $int_if proto tcp from any to 10.1.99.103 port ftp keep state allow-opts
pass in on $ext_if proto tcp from any to 10.1.97.232 port ftp keep state allow-opts
pass out on $int_if proto tcp from any to 10.1.97.232 port ftp keep state allow-opts


# pass incoming ports for ftp-proxy
pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

#pass ICMP echo requests (PING) outbound and inbound
pass in on $int_if inet proto icmp all icmp-type echoreq keep state
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
pass in on $ext_if inet proto icmp all icmp-type echoreq keep state
pass out on $int_if inet proto icmp all icmp-type echoreq keep state



The problem is when internal IP address 10.1.98.97 tries to contact
192.168.5.40.  The destination IP is translated to 172.30.1.45 as it should
be, but the source address is translated to 190.120.188.0 - which obviously
doesn't work.  The problem is repeatable - any internal machine with the
10.1.98.97 address gets translated incorrectly.
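An added illustration (not part of the original mail) of why a source-hash pool spanning a whole /26 can hand out 190.120.188.0: pf keeps the network bits from the pool and takes the host bits from a hash of the source address, so every host value in the block, including the network address .0 and the broadcast address .63, is a possible result. The hash below is a stand-in keyed hash, not pf's own pf_hash(); only the masking step mirrors pf's pool-mask behaviour, and the key and source ranges are constructed for the demo.

```python
import hashlib
import ipaddress
import struct
from collections import Counter

POOL = "190.120.188.1/26"   # pool from the posted nat rule; pf masks it to 190.120.188.0/26


def keyed_hash(src: int, key: bytes) -> int:
    """Stand-in for pf_hash(): any 32-bit keyed hash of the source address will do here."""
    digest = hashlib.md5(key + struct.pack("!I", src)).digest()
    return struct.unpack("!I", digest[:4])[0]


def select_pool_addr(src: str, pool: str, key: bytes, hash_fn=keyed_hash) -> str:
    """Pool-mask step: network bits come from the pool, host bits from the hash."""
    net = ipaddress.ip_network(pool, strict=False)
    mask = int(net.netmask)
    host_mask = ~mask & 0xFFFFFFFF                      # 0x3f for a /26
    h = hash_fn(int(ipaddress.ip_address(src)), key)
    chosen = (int(net.network_address) & mask) | (h & host_mask)
    return str(ipaddress.ip_address(chosen))


def unusable_addrs(pool: str) -> set:
    """Network and broadcast addresses of the block: both are reachable by the hash."""
    net = ipaddress.ip_network(pool, strict=False)
    return {str(net.network_address), str(net.broadcast_address)}


def is_unusable(addr: str, pool: str) -> bool:
    return addr in unusable_addrs(pool)


def in_pool(addr: str, pool: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pool, strict=False)


def survey(src_net: str, pool: str, key: bytes) -> Counter:
    """Translate every host of src_net and count usable vs unusable results."""
    counts = Counter()
    for host in ipaddress.ip_network(src_net).hosts():
        chosen = select_pool_addr(str(host), pool, key)
        counts["unusable" if is_unusable(chosen, pool) else "ok"] += 1
    return counts


if __name__ == "__main__":
    key = b"\x00" * 16   # constructed; pf generates a random key at ruleset load
    print("pool block:", ipaddress.ip_network(POOL, strict=False))
    print("10.1.98.97 ->", select_pool_addr("10.1.98.97", POOL, key))
    print("sources in 10.1.96.0/22:", dict(survey("10.1.96.0/22", POOL, key)))
```

Roughly 2 of every 64 sources land on an address that cannot be used on the wire, and which sources those are changes whenever the key does.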


Please let me know if you have further questions.

Best Regards,

Arlen Fletcher


