From nobody@FreeBSD.org  Mon Apr  8 12:37:49 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 0521E37B41A
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  8 Apr 2002 12:37:49 -0700 (PDT)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g38JbmH21424;
	Mon, 8 Apr 2002 12:37:48 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200204081937.g38JbmH21424@freefall.freebsd.org>
Date: Mon, 8 Apr 2002 12:37:48 -0700 (PDT)
From: Joe Barbish <barbish@a1poweruser.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: natd does not function correctly when ipfw rules use check-state/keep-state
X-Send-Pr-Version: www-1.0

>Number:         36895
>Category:       kern
>Synopsis:       natd does not function correctly when ipfw rules use check-state/keep-state
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 08 12:40:01 PDT 2002
>Closed-Date:    Wed Apr 10 21:58:13 PDT 2002
>Last-Modified:  Wed Apr 10 21:58:13 PDT 2002
>Originator:     Joe Barbish
>Release:        4.4 Release
>Organization:
n/a
>Environment:
>Description:
I have an ipfw firewall rule set that exclusively uses the advanced
stateful keep-state option. The rule set functions correctly (i.e. dynamic
rules get built) when I use the nat feature of user ppp.

When I compile the ipdivert option into the kernel, enable the divert
options in rc.conf, and add the divert rule to the ipfw rules, my ipfw
firewall stops working. All the packets get rejected by the default
deny-everything rule at the end of the rule set. If I use stateless and
simple stateful rules instead of advanced stateful rules then the divert
rule works ok.

Acts like the divert function packet handoff to natd has a problem when
the new keep-state option is used.
>How-To-Repeat:
      Build your own keep-state rule set and test.
>Fix:
      
>Release-Note:
>Audit-Trail:

From: "Crist J. Clark" <cjc@FreeBSD.org>
To: Joe Barbish <barbish@a1poweruser.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/36895: natd does not function correctly when ipfw rules use check-state/keep-state
Date: Mon, 8 Apr 2002 23:59:16 -0700

 On Mon, Apr 08, 2002 at 12:37:48PM -0700, Joe Barbish wrote:
 [snip]
 > I have an ipfw firewall rule set that exclusively uses the advanced
 > stateful keep-state option. The rule set functions correctly (i.e. dynamic
 > rules get built) when I use the nat feature of user ppp.
 > 
 > When I compile the ipdivert option into the kernel, enable the divert
 > options in rc.conf, and add the divert rule to the ipfw rules, my ipfw
 > firewall stops working. All the packets get rejected by the default
 > deny-everything rule at the end of the rule set. If I use stateless and
 > simple stateful rules instead of advanced stateful rules then the divert
 > rule works ok.
 > 
 > Acts like the divert function packet handoff to natd has a problem when
 > the new keep-state option is used.
 > >How-To-Repeat:
 >       Build your own keep-state rule set and test.
 
 They work fine for me. Your ruleset, rc.conf(5), ifconfig(8), and
 'grep -i ipfw /var/run/dmesg.boot' please?
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
State-Changed-From-To: open->closed
State-Changed-By: cjc
State-Changed-When: Wed Apr 10 21:57:54 PDT 2002
State-Changed-Why:
After reviewing the submitter's rules, the problem is that states are
only established for packets crossing the external interface after
natd(8) gets the packets. Therefore, outgoing packets have had their
source address translated to the address of the external interface and
incoming packets have had the destination translated back to the
private number when they hit the dynamic rules. They will not match
up.

This is not a bug. This is just how things work. There are ways to set
up your rules so that this will work. People do this all of the time.

http://www.freebsd.org/cgi/query-pr.cgi?pr=36895 
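The closing note explains the failure as an ordering problem: the dynamic rule is created from the packet natd has already rewritten, so the translated reply never matches it. The following Python model is an added illustration and is not part of this PR, of cjc's reply, or of ipfw itself. It walks packets through a toy rule table that supports divert (modelled as an address-only, one-address natd), check-state, keep-state and skipto, and compares the submitter-style ordering (divert before the stateful rules) with one reordering in which inbound packets are un-NATed before check-state and outbound packets build state on the private address and then skipto the outbound divert rule. The addresses, the simplified natd and both rule tables are constructed for the example; the reordering is one arrangement of the kind the note refers to, not one taken from the PR.

```python
"""Toy model of ipfw rule evaluation with divert/natd and dynamic rules.

Constructed for illustration only: it models addresses, not ports or
protocols, and natd is reduced to a one-address translator.
"""
from dataclasses import dataclass
from typing import Optional

PRIVATE = "192.168.1.10"   # LAN host behind natd (constructed sample addresses)
PUBLIC = "203.0.113.1"     # address of the external interface
REMOTE = "198.51.100.7"    # server the LAN host talks to


@dataclass
class Packet:
    src: str
    dst: str
    direction: str                    # "in" or "out" on the external interface


@dataclass
class Rule:
    number: int
    action: str                       # allow, deny, divert, check-state, skipto
    direction: Optional[str] = None   # None matches both in and out
    keep_state: bool = False          # create a dynamic rule when matched
    target: int = 0                   # skipto destination rule number


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = set()          # (src, dst) pairs created by keep-state
        self.nat_table = {}           # remote -> private, kept by the toy natd

    def natd(self, pkt):
        """Toy natd: rewrite the source going out, the destination coming in."""
        if pkt.direction == "out":
            self.nat_table[pkt.dst] = pkt.src
            pkt.src = PUBLIC
        elif pkt.dst == PUBLIC and pkt.src in self.nat_table:
            pkt.dst = self.nat_table[pkt.src]

    def has_state(self, pkt):
        # A dynamic rule matches traffic in either direction of the flow.
        return (pkt.src, pkt.dst) in self.dynamic or (pkt.dst, pkt.src) in self.dynamic

    def process(self, pkt):
        i = 0
        while i < len(self.rules):
            rule = self.rules[i]
            i += 1
            if rule.direction and rule.direction != pkt.direction:
                continue
            if rule.action == "divert":
                self.natd(pkt)            # natd reinjects at the next rule
            elif rule.action == "check-state":
                if self.has_state(pkt):
                    return "allow"
            elif rule.action in ("allow", "skipto"):
                if rule.keep_state:
                    self.dynamic.add((pkt.src, pkt.dst))
                if rule.action == "allow":
                    return "allow"
                # skipto: continue at the first rule numbered >= target
                i = next(n for n, r in enumerate(self.rules) if r.number >= rule.target)
            elif rule.action == "deny":
                return "deny"
        return "deny"                     # implicit default deny


# Submitter-style ordering: divert both directions, then the stateful rules.
# State is created after natd has rewritten the outbound source address.
SUBMITTER_RULES = [
    Rule(100, "divert"),
    Rule(200, "check-state"),
    Rule(300, "allow", direction="out", keep_state=True),
    Rule(65535, "deny"),
]

# Reordered (constructed): un-NAT inbound first so check-state sees the
# private destination; create outbound state on the private source, then
# skipto the outbound divert so the packet is still translated on its way out.
REORDERED_RULES = [
    Rule(100, "divert", direction="in"),
    Rule(200, "check-state"),
    Rule(300, "skipto", direction="out", keep_state=True, target=800),
    Rule(700, "deny"),
    Rule(800, "divert", direction="out"),
    Rule(810, "allow"),
]


def run_session(rules):
    """Send one outbound packet and its reply; return both verdicts and the state table."""
    fw = Firewall(rules)
    out_verdict = fw.process(Packet(PRIVATE, REMOTE, "out"))
    reply_verdict = fw.process(Packet(REMOTE, PUBLIC, "in"))
    return out_verdict, reply_verdict, sorted(fw.dynamic)


def unsolicited_inbound(rules):
    """An inbound packet with no matching flow must still hit the default deny."""
    return Firewall(rules).process(Packet("192.0.2.9", PUBLIC, "in"))


if __name__ == "__main__":
    for name, rules in (("submitter", SUBMITTER_RULES), ("reordered", REORDERED_RULES)):
        print(name, run_session(rules), unsolicited_inbound(rules))
```

With the submitter-style table the outbound packet is allowed and a dynamic rule for (PUBLIC, REMOTE) is created, but the reply reaches check-state as REMOTE to PRIVATE and falls through to the deny at the end, which is the symptom reported in the PR. With the reordered table the state is keyed on the private address, the reply is un-NATed before check-state and matches, and an unsolicited inbound packet is still denied by both tables.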
>Unformatted:
