Hello!
I need help understanding how redirect_port works in kernel NAT on FreeBSD 12.3.
I have ipfw rules like this:
Code:
#!/bin/sh -
fwcmd="/sbin/ipfw"
lanout="ng0"
ipout="A.B.C.D"    # public address on ${lanout}; placeholder, the post does not give the value
netin="192.168.1.0"
netmask="24"
${fwcmd} -f flush
# in-kernel NAT instance 100: inbound tcp/udp to ${ipout}:16451 is redirected to 192.168.1.57:16451
${fwcmd} nat 100 config log ip ${ipout} reset same_ports \
    redirect_port udp 192.168.1.57:16451 16451 \
    redirect_port tcp 192.168.1.57:16451 16451
${fwcmd} add deny icmp from any to any frag
${fwcmd} add pass all from any to any via lo0
${fwcmd} add pass all from any to any via br0
${fwcmd} add skipto 10000 all from any to any in recv ${lanout}
${fwcmd} add skipto 20000 all from any to any out xmit ${lanout}
${fwcmd} add deny log logamount 100 ip from any to any
############################################## any to any in recv ${lanout}
${fwcmd} add 10000 count all from any to any
${fwcmd} add deny ip from any to 10.0.0.0/8
${fwcmd} add deny ip from any to 172.16.0.0/12
${fwcmd} add deny ip from any to 192.168.0.0/16
${fwcmd} add deny ip from any to 0.0.0.0/8
${fwcmd} add deny ip from any to 169.254.0.0/16
${fwcmd} add deny ip from any to 240.0.0.0/4
# counters before NAT: packets addressed to this host on port 16451
${fwcmd} add count tcp from any to me 16451
${fwcmd} add count udp from any to me 16451
${fwcmd} add nat 100 all from any to any in
# counters after NAT: packets whose destination is still this host on port 16451
${fwcmd} add count tcp from any to me 16451
${fwcmd} add count udp from any to me 16451
${fwcmd} add allow ip from any to any established
${fwcmd} add allow ip from any to ${netin}/${netmask}
${fwcmd} add deny log logamount 10000 all from any to any
############################################## any to any out xmit ${lanout}
${fwcmd} add 20000 count all from any to any
${fwcmd} add nat 100 all from ${netin}/${netmask} to any out
${fwcmd} add allow tcp from me to any
${fwcmd} add allow udp from me to any
${fwcmd} add allow icmp from me to any icmptypes 0,3,4,8,11,12
${fwcmd} add deny log logamount 10000 ip from any to any
While NAT is working, some TCP and UDP packets are still not redirected.
Code:
>ipfw show
00100 0 0 deny icmp from any to any frag offset
00200 0 0 check-state :default
00300 8214 3071966 allow ip from any to any via lo0
00800 2050165 1573806088 allow ip from any to any via br0
00900 0 0 deny ip from any to 127.0.0.0/8
01000 0 0 deny ip from 127.0.0.0/8 to any
01100 1295067 1266330049 skipto 10000 ip from any to any in recv ng0
01200 738901 292538839 skipto 20000 ip from any to any out xmit ng0
01300 3 120 deny log logamount 100 ip from any to any
10000 1295062 1266323749 count ip from any to any
10100 0 0 deny ip from any to 10.0.0.0/8
10200 0 0 deny ip from any to 172.16.0.0/12
10300 0 0 deny ip from any to 192.168.0.0/16
10400 0 0 deny ip from any to 0.0.0.0/8
10500 0 0 deny ip from any to 169.254.0.0/16
10600 0 0 deny ip from any to 240.0.0.0/4
10700 200233 12651885 count tcp from any to me 16451
10800 11824 1391077 count udp from any to me 16451
10900 1295057 1266323325 nat 100 ip from any to any in
11000 1 40 count tcp from any to me 16451
11100 17 2137 count udp from any to me 16451
11200 374093 167231079 allow ip from any to any established
11300 920792 1099074330 allow ip from any to 192.168.1.0/24
11400 167 11616 deny log logamount 10000 ip from any to any
20000 738876 292532631 count ip from any to any
20100 736146 292124427 nat 100 ip from 192.168.1.0/24 to any out
20200 590155 275644023 allow tcp from me to any
20300 148719 16888348 allow udp from me to any
20400 2 260 allow icmp from me to any icmptypes 0,3,4,8,11,12
20500 0 0 deny log logamount 10000 ip from any to any
Counters on rules 11000 and 11100 must be 0, but they are not.
Why?
How does it work?
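The pair of count rules on each side of the nat rule in the post is the standard way to watch what in-kernel NAT does to a packet: a packet arriving for the public address on port 16451 is counted at 10700/10800, the nat rule rewrites its destination to 192.168.1.57, and since it is then no longer "to me" it skips 11000/11100 and is allowed at 11300. Whatever does reach 11000/11100 is exactly the traffic libalias left untranslated. The script below, an added example that is not from the post, makes that trace explicit by diffing two `ipfw show` snapshots and printing only the rules whose packet counters changed. Both snapshots are constructed: the "before" one is the relevant part of the output in the post, the "after" one is what the same rules would show after a single redirected inbound TCP SYN (60 bytes, assumed). It relies on `net.inet.ip.fw.one_pass` being 0 so that packets continue past the nat rule, which the non-zero counters on 11200 and 11300 in the post already imply.

```shell
#!/bin/sh
# Added example (not the forum poster's code): trace one packet through an ipfw
# ruleset by diffing two `ipfw show` snapshots. On a live system:
#   ipfw show > before; <send one test packet>; ipfw show > after
#   snapshot_diff before after
# The two snapshots below are constructed so the script runs offline.

TMP=$(mktemp -d)
BEFORE="$TMP/before"
AFTER="$TMP/after"

# BEFORE: inbound-path counters as shown in the post.
cat > "$BEFORE" <<'EOF'
01100 1295067 1266330049 skipto 10000 ip from any to any in recv ng0
10000 1295062 1266323749 count ip from any to any
10700 200233 12651885 count tcp from any to me 16451
10800 11824 1391077 count udp from any to me 16451
10900 1295057 1266323325 nat 100 ip from any to any in
11000 1 40 count tcp from any to me 16451
11100 17 2137 count udp from any to me 16451
11200 374093 167231079 allow ip from any to any established
11300 920792 1099074330 allow ip from any to 192.168.1.0/24
EOF

# AFTER: the same rules after one 60-byte TCP SYN to the public IP, port 16451,
# that nat 100 redirected to 192.168.1.57. Note 11000 does not move: after the
# nat rule the destination is the inside host, so "to me 16451" no longer matches.
cat > "$AFTER" <<'EOF'
01100 1295068 1266330109 skipto 10000 ip from any to any in recv ng0
10000 1295063 1266323809 count ip from any to any
10700 200234 12651945 count tcp from any to me 16451
10800 11824 1391077 count udp from any to me 16451
10900 1295058 1266323385 nat 100 ip from any to any in
11000 1 40 count tcp from any to me 16451
11100 17 2137 count udp from any to me 16451
11200 374093 167231079 allow ip from any to any established
11300 920793 1099074390 allow ip from any to 192.168.1.0/24
EOF

# snapshot_diff BEFORE AFTER
# Prints "rule packet_delta rule_body" for every rule whose packet counter
# differs between the two snapshots. `ipfw show` lines are
# "<rule> <packets> <bytes> <body>", so field 1 keys the rule and field 2 is
# the packet counter.
snapshot_diff() {
    awk 'NR == FNR { before[$1] = $2; next }
         ($1 in before) && $2 != before[$1] {
             body = $0
             sub(/^[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+/, "", body)
             print $1, $2 - before[$1], body
         }' "$1" "$2"
}

# changed_rules BEFORE AFTER
# Same information reduced to one space-separated line of rule numbers,
# i.e. the path the packet took through the ruleset.
changed_rules() {
    snapshot_diff "$1" "$2" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 } END { print "" }'
}

snapshot_diff "$BEFORE" "$AFTER"
```

Run against real snapshots taken around one deliberately sent packet, the list of changed rules shows immediately whether nat 100 translated it (10700 or 10800 moves, 11000 or 11100 does not) or passed it through untouched (both move).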