I'm trying to get a bimap working on a FreeBSD-STABLE machine, with no luck.
I have bimaps working well in other places, but for the life of me, I can't
figure out what's going on in this case.

There are three interfaces I need to work with on this machine:

    rl0: external, 216.16.237.106
    tun0: external, 64.7.136.167
    rl2: internal, 192.168.3.1/24

The host I'm trying to bimap to is 216.16.239.13, which (AFAIK) should be an
aliased interface on the ipf machine -- we've used lo0 by convention. Its
internal address is 192.168.30.24:

    bimap tun0 216.16.239.13/32 -> 192.168.30.24/32
    bimap rl0 216.16.239.13/32 -> 192.168.30.24/32
    map tun0 192.168.30.24/32 -> 216.16.239.13/32 proxy port ftp ftp/tcp
    map tun0 192.168.30.24/32 -> 216.16.239.13/32
    map rl0 192.168.30.24/32 -> 216.16.239.13/32 proxy port ftp ftp/tcp
    map rl0 192.168.30.24/32 -> 216.16.239.13/32

Now the weirdness...
If I /don't/ have 216.16.239.13 aliased on the loopback interface, then an
ICMP_HOST_UNREACH is sent in response to the SYN. If it /is/ aliased, an
RST is the response to the SYN. I'm guessing that it's the ipf machine
itself that is responding with these, but I don't know for sure.
I'm running 3.4.31 (again, on -STABLE):

    ipf: IP Filter: v3.4.31 (336)
    Kernel: IP Filter: v3.4.31
    Running: yes
    Log Flags: 0 = none set
    Default: block all, Logging: available
    Active list: 1

And I'm pretty sure it's not ipf that's getting in the way -- I've added
eight rules at the top of /etc/ipf.rules, allowing all traffic in and out on
all interfaces (tcp keep state) for the two addresses above (192.168.30.24
and 216.16.239.13).
- Damian