Old 3rd November 2008
pinstripe
New User
Join Date: Nov 2008
Posts: 2
ipfilter / ipnat bad nat

Hey all,

I manage a pretty busy website and I've been perplexed by this problem for some time. ipnat -s shows something like this:
mapped in 837904779 out 1055985985
added 79997334 expired 0
no memory 0 bad nat 500334
inuse 11764
rules 5
wilds 0

What troubles me is the "bad nat" that you see there. It goes up pretty quickly (hundreds per minute), especially during high traffic times. My ipnat.rules is pretty simple:
#outgoing
map bce0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map bce0 192.168.1.0/24 -> 0.0.0.0/32

#incoming
rdr bce0 0.0.0.0/0 port 80 -> 192.168.1.100 port 80 tcp age 30
rdr bce0 0.0.0.0/0 port 443 -> 192.168.1.100 port 443 tcp age 30

And my ipf.rules is simple enough:
# localhost
pass in quick on lo0 all
pass out quick on lo0 all

#internal interface
pass in quick on bce3 all
pass out quick on bce3 all

#web traffic
pass in quick on bce0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on bce0 proto tcp from any to any port = 443 flags S/SA keep state

#all outgoing
pass out quick proto tcp from any to any flags S/SA keep state
pass out quick proto icmp from any to any keep state
pass out quick proto udp from any to any keep state

#block the rest
block in quick on bce0 all

My internal interface is bce3 and external is bce0. Any thoughts on what could be causing the bad nat?

Thanks --
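Added example, not code from the post or from ipfilter itself: a small Python script that parses two `ipnat -s` snapshots in the format quoted above and reports how quickly the "bad nat" counter is growing, which is the symptom the post describes. The two snapshots, their numbers and the 60-second interval between them are constructed for the example; the counter labels are taken from the post's output and nothing else about ipnat's output format is assumed.

```python
import re
from typing import Dict

# Two constructed `ipnat -s` snapshots, assumed to be taken 60 seconds apart.
# The layout follows the output quoted in the post; the numbers are invented.
SNAPSHOT_T0 = """\
mapped in 837904779 out 1055985985
added 79997334 expired 0
no memory 0 bad nat 500334
inuse 11764
rules 5
wilds 0
"""

SNAPSHOT_T1 = """\
mapped in 837960102 out 1056051880
added 80002110 expired 0
no memory 0 bad nat 500781
inuse 11802
rules 5
wilds 0
"""

# A counter is a label followed by an integer. Labels may contain a space
# ("no memory", "bad nat") and more than one counter may share a line, so we
# scan for every label/value pair instead of splitting on whitespace. The
# "mapped in ... out ..." line yields two counters.
_LABELS = {
    "mapped in": "mapped_in",
    "out": "mapped_out",
    "added": "added",
    "expired": "expired",
    "no memory": "no_memory",
    "bad nat": "bad_nat",
    "inuse": "inuse",
    "rules": "rules",
    "wilds": "wilds",
}
_COUNTER_RE = re.compile(
    r"\b(" + "|".join(re.escape(k) for k in _LABELS) + r")\s+(\d+)"
)


def parse_ipnat_stats(text: str) -> Dict[str, int]:
    """Parse `ipnat -s` output (format as quoted in the post) into a dict of ints."""
    stats: Dict[str, int] = {}
    for label, value in _COUNTER_RE.findall(text):
        stats[_LABELS[label]] = int(value)
    return stats


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Per-counter change between two snapshots (gauges such as inuse included)."""
    return {k: after[k] - before[k] for k in before if k in after}


def bad_nat_per_minute(before: Dict[str, int], after: Dict[str, int],
                       interval_s: float) -> float:
    """Rate at which the 'bad nat' counter grew between the two snapshots."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    return counter_deltas(before, after)["bad_nat"] * 60.0 / interval_s


def assess(before: Dict[str, int], after: Dict[str, int], interval_s: float,
           threshold_per_min: float = 100.0) -> Dict[str, float]:
    """Summarise 'bad nat' growth and flag it when it exceeds a per-minute threshold."""
    d = counter_deltas(before, after)
    rate = bad_nat_per_minute(before, after, interval_s)
    # "bad nat" increments per mapping added in the same window: easier to
    # compare across busy and quiet periods than the raw count. Guard against a
    # window in which no mappings were added at all.
    ratio = d["bad_nat"] / d["added"] if d["added"] else float("inf")
    return {
        "bad_nat_delta": d["bad_nat"],
        "added_delta": d["added"],
        "bad_nat_per_min": rate,
        "bad_nat_per_added": round(ratio, 4),
        "alert": rate > threshold_per_min,
    }


if __name__ == "__main__":
    before = parse_ipnat_stats(SNAPSHOT_T0)
    after = parse_ipnat_stats(SNAPSHOT_T1)
    for key, val in assess(before, after, 60).items():
        print(f"{key}: {val}")
```

In practice you would feed the script the text of two real `ipnat -s` runs a known number of seconds apart; the threshold of 100 per minute is only a starting point chosen to match the "hundreds per minute" the post reports, and the per-added ratio lets you tell whether "bad nat" is merely scaling with traffic or rising on its own.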