FreeBSD 10.1-RELEASE-p9 amd64
ipf: IP Filter: v5.1.2 (608)
LARGE_NAT is used
This machine is a gateway between the local net 192.168.120.0/22 and other RFC 1918 private nets.
I have test rules:
List of active MAP/Redirect filters:
map ext0 from 192.168.120.103/32 to 192.168.0.0/16 -> 192.168.20.103/32
map ext0 from 192.168.120.103/32 to 172.16.0.0/12 -> 192.168.20.103/32
map ext0 from 192.168.120.103/32 to 10.0.0.0/8 -> 192.168.20.103/32
map ext0 from 192.168.120.103/32 to 0/0 -> 62.231.189.62/32
Run nmap -sP 192.168.0.0/16 to create many connections via the gateway.
Sometimes the first, more specific rules are skipped and we get a wrong translation:
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.94 443]
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.87 443]
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.86 443]
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.85 443]
MAP 192.168.120.103 49090 <- -> 62.231.189.62 49090 [192.168.1.84 443]
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.83 443]
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.82 443]
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.81 443]
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.80 443]
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.79 443]
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.78 443]
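
An added example, not part of the original report: a Python check that replays the rule list against session lines in the format shown above and flags every session whose translated address differs from what the first matching rule would give. It assumes rules are evaluated in listed order with the first match winning; the function names are illustrative, and the embedded sample is copied from the report.

```python
import ipaddress
import re

# Rules and a few session lines copied from the report above.
RULES = """\
map ext0 from 192.168.120.103/32 to 192.168.0.0/16 -> 192.168.20.103/32
map ext0 from 192.168.120.103/32 to 172.16.0.0/12 -> 192.168.20.103/32
map ext0 from 192.168.120.103/32 to 10.0.0.0/8 -> 192.168.20.103/32
map ext0 from 192.168.120.103/32 to 0/0 -> 62.231.189.62/32
"""
SESSIONS = """\
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.85 443]
MAP 192.168.120.103 49090 <- -> 62.231.189.62 49090 [192.168.1.84 443]
MAP 192.168.120.103 49090 <- -> 192.168.20.103 49090 [192.168.1.83 443]
"""

RULE_RE = re.compile(r"map\s+\S+\s+from\s+(\S+)\s+to\s+(\S+)\s+->\s+(\S+)")
SESS_RE = re.compile(r"MAP\s+(\S+)\s+\d+\s+<-\s+->\s+(\S+)\s+\d+\s+\[(\S+)\s+\d+\]")

def _net(text):
    # The listing prints the default network as "0/0", which ipaddress rejects.
    return ipaddress.ip_network("0.0.0.0/0" if text == "0/0" else text)

def parse_rules(text):
    """Return (source net, destination net, NAT address) in listed order."""
    return [(_net(m[1]), _net(m[2]), _net(m[3]).network_address)
            for m in RULE_RE.finditer(text)]

def expected_nat(rules, src, dst):
    """NAT address of the first rule matching src and dst (assumed first match wins)."""
    for src_net, dst_net, nat_ip in rules:
        if src in src_net and dst in dst_net:
            return nat_ip
    return None

def find_mismatches(rules_text, sessions_text):
    """List (destination, actual NAT address, expected NAT address) for bad sessions."""
    rules = parse_rules(rules_text)
    bad = []
    for m in SESS_RE.finditer(sessions_text):
        src, nat, dst = (ipaddress.ip_address(m[i]) for i in (1, 2, 3))
        want = expected_nat(rules, src, dst)
        if want is not None and nat != want:
            bad.append((str(dst), str(nat), str(want)))
    return bad

if __name__ == "__main__":
    for dst, got, want in find_mismatches(RULES, SESSIONS):
        print(f"dst {dst}: translated to {got}, expected {want}")
```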