DaemonForums > FreeBSD > FreeBSD General
ipfilter / ipnat bad nat
Posted by pinstripe (New User, joined Nov 2008) on 3rd November 2008

Hey all,

I manage a pretty busy website and I've been perplexed by this problem for some time. ipnat -s shows something like this:

    mapped in 837904779 out 1055985985
    added 79997334 expired 0
    no memory 0 bad nat 500334
    inuse 11764
    rules 5
    wilds 0

What troubles me is the "bad nat" that you see there. It goes up pretty quickly (hundreds per minute), especially during high traffic times. My ipnat.rules is pretty simple:

    #outgoing
    map bce0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
    map bce0 192.168.1.0/24 -> 0.0.0.0/32

    #incoming
    rdr bce0 0.0.0.0/0 port 80 -> 192.168.1.100 port 80 tcp age 30
    rdr bce0 0.0.0.0/0 port 443 -> 192.168.1.100 port 443 tcp age 30

And my ipf.rules is simple enough:

    # localhost
    pass in quick on lo0 all
    pass out quick on lo0 all

    #internal interface
    pass in quick on bce3 all
    pass out quick on bce3 all

    #web traffic
    pass in quick on bce0 proto tcp from any to any port = 80 flags S/SA keep state
    pass in quick on bce0 proto tcp from any to any port = 443 flags S/SA keep state

    #all outgoing
    pass out quick proto tcp from any to any flags S/SA keep state
    pass out quick proto icmp from any to any keep state
    pass out quick proto udp from any to any keep state

    #block the rest
    block in quick on bce0 all

My internal interface is bce3 and external is bce0. Any thoughts on what could be causing the bad nat?

Thanks --
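As an added example (not code from the original post or from the ipfilter project), the following POSIX shell script parses ipnat -s output in the format shown above and turns the raw "bad nat" counter into something comparable across time: the increase per sampling interval, the increase per minute, and the increase as a percentage of packets NAT'd in the same interval. That is the figure the poster is actually watching ("hundreds per minute"), and relating it to mapped traffic shows whether it scales with load or stays flat. The two snapshots embedded in the script are constructed to look like the posted output so it runs offline; a "live" mode runs ipnat -s for real, which needs root on the FreeBSD box. The script only measures the counter; it does not diagnose why it increments.

```shell
#!/bin/sh
# Added example, not code from the original post: sample "ipnat -s" twice
# and express the growth of the "bad nat" counter as a per-minute rate and
# as a fraction of packets NAT'd in the same interval. The two snapshots
# below are constructed to resemble the output quoted in the post.

# Extract one counter from an ipnat -s snapshot.
#   $1 = snapshot text, $2 = label as printed ("bad nat", "mapped in", "out")
# Prints 0 if the label is absent so arithmetic on the result stays valid.
ipnat_counter() {
    printf '%s\n' "$1" | awk -v label="$2" '
        {
            i = index($0, label)
            if (i > 0) {
                # the number is the first token after the label
                rest = substr($0, i + length(label))
                split(rest, f, " ")
                print f[1]
                found = 1
                exit
            }
        }
        END { if (!found) print 0 }'
}

# Compare two snapshots taken $3 seconds apart and print three fields:
#   badnat_delta  badnat_per_minute  badnat_as_pct_of_packets_mapped
# Exits non-zero if a counter went backwards (wrap or ipnat restart),
# since a negative delta would otherwise produce a nonsense rate.
badnat_rate() {
    b1=$(ipnat_counter "$1" "bad nat")
    b2=$(ipnat_counter "$2" "bad nat")
    m1=$(( $(ipnat_counter "$1" "mapped in") + $(ipnat_counter "$1" "out") ))
    m2=$(( $(ipnat_counter "$2" "mapped in") + $(ipnat_counter "$2" "out") ))
    awk -v b1="$b1" -v b2="$b2" -v m1="$m1" -v m2="$m2" -v s="$3" 'BEGIN {
        db = b2 - b1
        dm = m2 - m1
        if (db < 0 || dm < 0) {
            print "counter went backwards (wrap or restart); discard this sample"
            exit 1
        }
        pct = (dm > 0) ? 100 * db / dm : 0
        printf "%d %.1f %.3f\n", db, db * 60 / s, pct
    }'
}

# Constructed snapshot pair, 60 seconds apart: 300 more "bad nat",
# 140000 more packets mapped (60000 in, 80000 out).
SNAP1='mapped in 837904779 out 1055985985
added 79997334 expired 0
no memory 0 bad nat 500334
inuse 11764
rules 5
wilds 0'
SNAP2='mapped in 837964779 out 1056065985
added 79998334 expired 0
no memory 0 bad nat 500634
inuse 11800
rules 5
wilds 0'

if [ "${1:-}" = "live" ]; then
    # Real sampling: ipnat -s needs root. Interval is $2 seconds (default 60).
    secs=${2:-60}
    s1=$(ipnat -s); sleep "$secs"; s2=$(ipnat -s)
    badnat_rate "$s1" "$s2" "$secs"
else
    echo "bad_nat_delta per_minute pct_of_mapped"
    badnat_rate "$SNAP1" "$SNAP2" 60
fi
```

Run it as `sh badnat.sh` to see the constructed pair evaluated (300 bad nat per minute, about 0.21% of mapped packets), or `sh badnat.sh live 300` on the firewall to sample a five-minute window. Taking the ratio rather than the raw count is the useful part: a percentage that stays roughly constant across quiet and busy periods points at something proportional to traffic, while a rate that climbs only at peak times is worth lining up against the "inuse" session count and the 30-second age on the rdr rules.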