Message-Id: <200809090731.m897VC4F043710@www.freebsd.org>
Date: Tue, 9 Sep 2008 07:31:12 GMT
From: Keith Waters <keith@waters.co.za>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipnat + ipfilter source routing not handling ftp properly
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         127233
>Category:       kern
>Synopsis:       [ipfilter]: ipnat + ipfilter source routing not handling ftp properly
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    cy
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 09 07:40:01 UTC 2008
>Closed-Date:    
>Last-Modified:  Wed Jul 03 05:20:34 UTC 2013
>Originator:     Keith Waters
>Release:        7.0-RELEASE
>Organization:
Keith Waters Consulting
>Environment:
7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
Firewall has three NICs: sk0 (internal), sk1 (external ISP #1) and sk2 (external ISP #2). Default route is on sk1. Certain IPs on the internal network are NATted through to the second ISP (sk2)

When doing a passive FTP, tcpdump shows the packets correctly going out sk2 with the correct source IP, but on doing a directory listing (in ftp), some packets incorrectly go out sk1 (and not NATted)

This worked fine in FreeBSD 5.x but not since upgrading to 7.x (at two different sites)
>How-To-Repeat:
ipf.rules:
pass out quick on sk1 to sk2:196.211.30.193  from 10.67.21.120/29  to any

ipnat.rules:
map sk2 from 10.67.21.120/29 to any -> 196.211.30.194/32 proxy port ftp ftp/tcp
map sk2 from 10.67.21.120/29 to any -> 196.211.30.194/32 portmap tcp/udp 1024:65000
map sk2 from 10.67.21.120/29 to any -> 196.211.30.194/32

now do a passive ftp from one of the 10.67.21.120/29 PCs
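One way to confirm the symptom described above (internal 10.67.21.120/29 sources leaving the default-route interface sk1 without being NATted) is to run a capture on sk1 and flag any packet whose source still lies in that /29. The script below is an added example, not part of the PR; the /29 is the one from the ipnat rules, while the capture lines are constructed and the 192.0.2.x / 198.51.100.x addresses are assumed placeholders.

```shell
#!/bin/sh
# Flag tcpdump lines on the default-route interface whose source address is
# still an internal 10.67.21.120/29 host: after the ipf route-to rule and the
# ipnat map, none of these should ever be seen on sk1.

INTERNAL_PREFIX="10.67.21."   # 10.67.21.120/29 covers hosts .120 to .127
INTERNAL_LOW=120
INTERNAL_HIGH=127

# Read "tcpdump -n" style lines on stdin, print only the leaked ones.
# Field layout assumed: <time> IP <src.port> > <dst.port>: ...
leak_lines() {
  awk -v pfx="$INTERNAL_PREFIX" -v lo="$INTERNAL_LOW" -v hi="$INTERNAL_HIGH" '
    $2 == "IP" {
      n = split($3, o, ".")               # $3 is src.port, e.g. 10.67.21.122.49153
      if (n >= 5 && o[1] "." o[2] "." o[3] "." == pfx \
          && o[4] + 0 >= lo + 0 && o[4] + 0 <= hi + 0)
        print
    }'
}

# Constructed sample of what "tcpdump -n -i sk1" might show: line 1 is a
# legitimate ISP #1 flow, lines 2 and 4 are un-NATted leaks from the /29
# (typical of the PASV data connection), line 3 is an internal host outside
# the /29 and so is not covered by the rules in this PR.
SAMPLE_SK1='07:31:12.000001 IP 192.0.2.10.1025 > 198.51.100.5.21: Flags [S], seq 1, win 65535, length 0
07:31:12.000002 IP 10.67.21.122.49153 > 198.51.100.5.52100: Flags [S], seq 2, win 65535, length 0
07:31:12.000003 IP 10.67.21.130.49154 > 198.51.100.5.80: Flags [S], seq 3, win 65535, length 0
07:31:12.000004 IP 10.67.21.127.49155 > 198.51.100.5.52101: Flags [P.], seq 1:40, ack 1, length 39'

# Number of leaked packets in the constructed sample.
count_sample_leaks() {
  printf '%s\n' "$SAMPLE_SK1" | leak_lines | wc -l | tr -d ' '
}

count_sample_leaks
```

On the firewall itself the same filter is fed live with `tcpdump -n -l -i sk1 | leak_lines` while a passive ftp directory listing is run from one of the /29 hosts; any output is a packet that bypassed both the route-to and the NAT.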
>Fix:
No known fix.


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: remko 
Responsible-Changed-When: Tue Sep 9 08:25:33 UTC 2008 
Responsible-Changed-Why:  
Darren, please have a look at this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127233 
State-Changed-From-To: open->open 
State-Changed-By: linimon 
State-Changed-When: Wed Jul 3 00:50:32 UTC 2013 
State-Changed-Why:  
commit bit has been taken in for safekeeping. 


Responsible-Changed-From-To: darrenr->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jul 3 00:50:32 UTC 2013 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=127233 
Responsible-Changed-From-To: freebsd-net->cy 
Responsible-Changed-By: cy 
Responsible-Changed-When: Wed Jul 3 05:20:22 UTC 2013 
Responsible-Changed-Why:  
Mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=127233 
>Unformatted:
