Subject: Re: ipnat and netmask
To: Patrick Welche <tech-net@netbsd.org>
From: Chris Dionissopoulos <dionch@freemail.gr>
List: tech-net
Date: 08/29/2005 17:09:55
> On Mon, Aug 29, 2005 at 03:24:13PM +0200, Quentin Garnier wrote:
>> On Mon, Aug 29, 2005 at 02:21:37PM +0100, Patrick Welche wrote:
>> > From ipnat -l, I have
>> >
>> > map ex1 192.168.0.0/24 -> x.y.z.1/32 proxy port ftp ftp/tcp
>> > map ex1 192.168.0.0/24 -> x.y.z.1/32 portmap tcp/udp 10000:65000
>> > map ex1 192.168.0.0/24 -> x.y.z.1/32
>> > bimap ex1 192.168.0.180/32 -> x.y.z.180/32 proxy port ftp ftp/tcp
>> >
>> > yet, when I ssh out from 192.168.200.180, finger prlw1 tells me I am
>> > connecting from x.y.z.1 rather than x.y.z.180.
>> >
>> > According to the rules /32 should take precedence over /24, so what is
>> > wrong?
>>
>> Nothing. ipnat works in a "first-match" way, contrary to ipf.
>
> That's what I thought, but I had the bimap in first position and saw that
> finger claimed I was coming from the mapped rather than the bimapped
> address, so I found some documentation:
>
> http://www.phildev.net/ipf/IPFprob.html#prob16
>
> 16. I'm having problems with ipnat (e.g. can't get proxies to work
> with bimap, or some other problem).
>
> When troubleshooting problems with ipnat remember that rules are
> processed by network size. So a /32 rule will always be applied
> before a /24 rule, etc. Therefore a ruleset like:
> ...
>
> which then leads to the above question...
A "bimap" rule applies to IP-to-IP translations and not to a particular protocol/port, although
the ipnat config file syntax permits it.
In other words, it seems that your "bimap" rule never matches a flow due to the "proxy" option.
Try something like:
map ex1 192.168.0.0/24 -> x.y.z.1/32 proxy port ftp ftp/tcp
map ex1 192.168.0.0/24 -> x.y.z.1/32 portmap tcp/udp 10000:65000
map ex1 192.168.0.0/24 -> x.y.z.1/32
bimap ex1 192.168.0.180/32 -> x.y.z.180/32
Chris.
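To make the two explanations in this thread concrete, here is a small Python model of the rule matching (added for illustration; it is not ipnat's code and simplifies its behaviour). It parses the two rulesets above, treats a "proxy port ftp ftp/tcp" clause as restricting the rule to tcp/21 (Chris's reading of why the bimap never sees the ssh flow), ignores the trailing portmap options, and evaluates a flow under both orderings mentioned: plain first-match and most-specific-netmask-first as the phildev FAQ describes. The public addresses 203.0.113.x stand in for the redacted x.y.z.x and are constructed placeholders.

```python
"""Toy model of ipnat map/bimap selection (added example, not ipnat source).

Simplifications, all assumptions of this example:
  * 'proxy port ftp ftp/tcp' restricts a rule to tcp destination port 21
  * 'portmap ...' options are ignored (they only affect source ports)
  * two candidate orderings are modelled: the rule file order ("first-match")
    and longest source prefix first ("by-netmask"), as discussed in the thread
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Only the proxy named in the thread is modelled.
PROXY_PORTS = {"ftp": 21}

RULE_RE = re.compile(
    r"^(map|bimap)\s+(\S+)\s+(\S+)\s+->\s+(\S+)"
    r"(?:\s+proxy\s+port\s+(\S+)\s+\S+/(tcp|udp))?"
)


@dataclass
class Rule:
    kind: str                      # "map" or "bimap"
    iface: str
    src: ipaddress.IPv4Network     # inside addresses the rule covers
    dst: ipaddress.IPv4Network     # outside address(es) to translate to
    proto: Optional[str] = None    # None = any protocol
    dport: Optional[int] = None    # None = any destination port
    text: str = ""


def parse_rule(line: str) -> Rule:
    """Parse one map/bimap line into a Rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    kind, iface, src, dst, proxy, pproto = m.groups()
    proto = dport = None
    if proxy is not None:           # proxy clause narrows the rule to one service
        proto, dport = pproto, PROXY_PORTS[proxy]
    return Rule(kind, iface, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), proto, dport, line.strip())


def matches(rule: Rule, src_ip: str, proto: str, dport: int) -> bool:
    if ipaddress.ip_address(src_ip) not in rule.src:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    return rule.dport is None or rule.dport == dport


def select(rules: List[Rule], src_ip: str, proto: str, dport: int,
           order: str = "first-match") -> Optional[Rule]:
    """Return the rule that wins for this flow under the given ordering."""
    if order == "by-netmask":   # longest prefix first; stable sort keeps file order for ties
        rules = sorted(rules, key=lambda r: r.src.prefixlen, reverse=True)
    for r in rules:
        if matches(r, src_ip, proto, dport):
            return r
    return None


def nat_source(rules: List[Rule], src_ip: str, proto: str, dport: int,
               order: str = "first-match") -> str:
    """Source address the remote host would see after translation."""
    rule = select(rules, src_ip, proto, dport, order)
    if rule is None:
        return src_ip                       # no NAT applied
    if rule.kind == "bimap":                # 1:1 mapping into the dst block
        offset = int(ipaddress.ip_address(src_ip)) - int(rule.src.network_address)
        return str(rule.dst.network_address + offset)
    return str(rule.dst.network_address)    # map: single outside address


# Patrick's original ruleset, with 203.0.113.x substituted for x.y.z.x (constructed).
ORIGINAL_RULES = [parse_rule(l) for l in """
map ex1 192.168.0.0/24 -> 203.0.113.1/32 proxy port ftp ftp/tcp
map ex1 192.168.0.0/24 -> 203.0.113.1/32 portmap tcp/udp 10000:65000
map ex1 192.168.0.0/24 -> 203.0.113.1/32
bimap ex1 192.168.0.180/32 -> 203.0.113.180/32 proxy port ftp ftp/tcp
""".strip().splitlines()]

# Chris's suggested ruleset: the proxy clause dropped from the bimap.
FIXED_RULES = [parse_rule(l) for l in """
map ex1 192.168.0.0/24 -> 203.0.113.1/32 proxy port ftp ftp/tcp
map ex1 192.168.0.0/24 -> 203.0.113.1/32 portmap tcp/udp 10000:65000
map ex1 192.168.0.0/24 -> 203.0.113.1/32
bimap ex1 192.168.0.180/32 -> 203.0.113.180/32
""".strip().splitlines()]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for order in ("first-match", "by-netmask"):
            seen = nat_source(rules, "192.168.0.180", "tcp", 22, order)
            print(f"{name:8s} {order:11s} ssh from 192.168.0.180 appears as {seen}")
```

Under this model the original ruleset yields 203.0.113.1 for ssh regardless of ordering, because the proxy clause keeps the bimap from matching anything but tcp/21. With the proxy clause removed, the bimap wins only if /32 rules are tried before /24 rules; under strict file-order matching the /24 map still catches the flow first, so placing the bimap above the maps would be the safe arrangement either way.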