This is a discussion on IPNat Stops routing within the IPFilter forums, part of the System Security and Security Related category.
I submitted this problem a few months ago and have worked down to more of what the problem is, and would like to see if anyone else is having the problem. This is the original email with all the details. Notes to add as of now: I changed from ipnat to natd with all firewalls open and the problem went away. I switched back to ipnat and the problem happened within 30 minutes.

----- Original Email ---

I am running FreeBSD 4.8 with IPFilter's latest version. This box is running as a firewall/NAT box. There are a couple of PCs behind the firewall. I have a few more servers that are connected to the ISP router; they are parallel to the firewall. The current setup looks like this. I do have two blocks of IPs on my network from my ISP.

```
                            INET
                              |
                              |
                <Cisco router | 10-Half Duplex>
                              |
                              |
     ------<Managed Switch> or <10/100 Switch non-managed>--
         |               |               |               |
   208.1.223.242   208.1.223.243   63.165.219.162   63.165.219.171
     Server 1         Server2         Server3      Server4 (firewall)
     Windows          Windows           BSD              BSD
                                                    192.168.1.1
                                                         |
                                                         |
                                                      <Switch>
                                                         |
                                                         |
                                                 192.168.1.x TO PC's
```

Problem: Randomly we can not route from the PCs behind the firewall to Server 1. It will stop routing to Server 1 for 5-15 minutes. I can still reach Server 3, which is our DNS server, and sometimes Server 2. Then it will start working. At this time, while we can not reach Server 1, we can still browse to websites beyond our network. This can happen 6 times an hour some days and sometimes twice a day. If I set our firewall, Server 4, to IP 208.x.x.246, we will have problems randomly reaching Server 3. The problems do not happen as often as in the first setup. I have IPF and IPNAT enabled on the firewall. I have disabled IPF completely and it still had problems. I have included as much as possible. I am getting this error message in my /var/log/messages right when the firewall stops routing to the local network:

```
May 2 01:01:40 vormund /kernel: Connection attempt to TCP 63.x.x.171:8634 (server4) from 208.x.x.242:80 (server1)
```

Thanks
Travis McQuinn

Server info

----------
$uname -a
```
FreeBSD vormund.cfmonster.com 4.8-STABLE FreeBSD 4.8-STABLE #0: Thu Apr 17 14:32:08 EDT 2003     root@vormund.cfmonster.com:/usr/obj/usr/src/sys/VORMUND  i386
```

----------
$ifconfig -a
```
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 63.165.219.171 netmask 0xffffffe0 broadcast 63.165.219.191
        inet6 fe80::204:5aff:fe7a:53c6%dc0 prefixlen 64 scopeid 0x1
        inet 208.1.223.246 netmask 0xffffffff broadcast 208.1.223.246
        ether 00:04:5a:7a:53:c6
        media: Ethernet autoselect (10baseT/UTP)
        status: active
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::204:5aff:fe7a:53ca%dc1 prefixlen 64 scopeid 0x2
        ether 00:04:5a:7a:53:ca
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
```

----------
$netstat -rn
```
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            63.165.219.161     UGSc        2     7216    dc0
63.165.219.160/27  link#1             UC          3        0    dc0
63.165.219.161     00:07:0e:00:4f:e2  UHLW        2        0    dc0   1172
63.165.219.162     00:04:5a:67:5e:46  UHLW        0    13434    dc0   1155
63.165.219.163     00:04:5a:67:5e:46  UHLW        0        7    dc0    938
63.165.219.169/32  link#1             UC          0        0    dc0
63.165.219.170/32  link#1             UC          0        0    dc0
127.0.0.1          127.0.0.1          UH          1     1008    lo0
192.168.1          link#2             UC          4        0    dc1
192.168.1.4        00:04:5a:67:5b:00  UHLW        0      725    dc1   1101
192.168.1.11       00:04:5a:7a:53:e1  UHLW        0        1    dc1    888
192.168.1.33       00:04:5a:54:d4:42  UHLW        0     1236    dc1    698
192.168.1.40       00:50:8d:fd:a3:c1  UHLW        0      837    dc1    693
208.1.223.240/29   link#1             UC          3        0    dc0
208.1.223.241      00:07:0e:00:4f:e2  UHLW        0       54    dc0    796
208.1.223.242      00:50:8d:a0:25:d5  UHLW        0      463    dc0    633
208.1.223.243      00:50:8d:a0:14:6f  UHLW        0      870    dc0   1048
208.1.223.246/32   link#1             UC          0        0    dc0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
fe80::%dc0/64                     link#1                        UC          dc0
fe80::204:5aff:fe7a:53c6%dc0      00:04:5a:7a:53:c6             UHL         lo0
fe80::%dc1/64                     link#2                        UC          dc1
fe80::204:5aff:fe7a:53ca%dc1      00:04:5a:7a:53:ca             UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   Uc          lo0
fe80::1%lo0                       link#3                        UHL         lo0
ff01::/32                         ::1                           U           lo0
ff02::%dc0/32                     link#1                        UC          dc0
ff02::%dc1/32                     link#2                        UC          dc1
ff02::%lo0/32                     ::1                           UC          lo0
```

----------
$netstat -i
```
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
dc0   1500  <Link#1>      00:04:5a:7a:53:c6  22376     0    26176     0   394
dc0   1500  63.165.219.16 63.165.219.171.    19225     -     7458     -     -
dc0   1500  fe80:1::204   fe80:1::204:5aff:      0     -        0     -     -
dc0   1500  63.165.219.17 63.165.219.170.        1     -        0     -     -
dc0   1500  63.165.219.16 63.165.219.169.        1     -        0     -     -
dc0   1500  208.1.223.240 208.1.223.244.b      183     -      732     -     -
dc0   1500  208.1.223.246 208.1.223.246.b        0     -        0     -     -
dc1   1500  <Link#2>      00:04:5a:7a:53:ca   8253     0     2876     0     0
dc1   1500  192.168.1     192.168.1.1          225     -       54     -     -
dc1   1500  fe80:2::204   fe80:2::204:5aff:      0     -        0     -     -
lo0   16384 <Link#3>                          1080     0     1080     0     0
lo0   16384 localhost     ::1                   72     -       72     -     -
lo0   16384 fe80:3::1     fe80:3::1              0     -        0     -     -
lo0   16384 your-net      localhost           1008     -     1008     -     -
ppp0* 1500  <Link#4>                             0     0        0     0     0
sl0*  552   <Link#5>                             0     0        0     0     0
faith 1500  <Link#6>                             0     0        0     0     0
```

----------
$ipf -V
```
ipf: IP Filter: v3.4.31 (336)
Kernel: IP Filter: v3.4.31
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
```

----------
$ipfstat
```
IPv6 packets:           in 74 out 82
input packets:          blocked 56 passed 33724 nomatch 74 counted 0 short 0
output packets:         blocked 0 passed 32327 nomatch 3209 counted 0 short 0
input packets logged:   blocked 56 passed 5954
output packets logged:  blocked 0 passed 4152
packets logged:         input 0 output 0
log failures:           input 400 output 452
fragment state(in):     kept 0  lost 0
fragment state(out):    kept 0  lost 0
packet state(in):       kept 3  lost 0
packet state(out):      kept 14420  lost 23
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  2315    (out):  2236
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  0       failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
Packet log flags set: (0)
        none
```

----------
$ipfstat -io
```
pass out quick on dc1 from any to any
pass out quick on lo0 from any to any
pass out quick on dc0 proto tcp from any to any flags S/SA keep state keep frags
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state
pass out quick proto udp from any to any port 33436 >< 33480
block in log on dc0 from any to any
pass in quick on dc1 from any to any
pass in quick on dc0 from 208.1.223.240/29 to any
pass in quick on dc0 from 63.165.219.160/27 to any
pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
pass in quick on lo0 from any to any
block in quick on dc0 from 0.0.0.0/32 to any
block in quick on dc0 from 255.255.255.255/32 to any
block in quick on dc0 from any to 0.0.0.0/32
block in quick on dc0 from any to 255.255.255.255/32
block return-rst in log on dc1 proto tcp from any to any flags S/SA
block return-icmp-as-dest(port-unr) in log on dc1 proto udp from any to any
block return-icmp-as-dest(port-unr) in log on dc1 proto icmp from any to any
block in quick on dc0 from 0.0.0.0/8 to any
block in quick on dc0 from 10.0.0.0/8 to any
block in quick on dc0 from 127.0.0.0/8 to any
block in quick on dc0 from 172.16.0.0/12 to any
block in quick on dc0 from 192.168.0.0/16 to any
block in quick on dc0 from 169.254.0.0/16 to any
block in quick on dc0 from 192.0.2.0/24 to any
block in quick on dc0 from 204.152.64.0/23 to any
block in quick on dc0 from 224.0.0.0/3 to any
block in log quick from any to any with short
block in log quick from any to any with ipopt
block in log quick from any to any with opt lsrr
block in log quick from any to any with opt ssrr
block in on dc0 proto udp from any to any port = 137
block in on dc0 proto udp from any to any port = 138
block in on dc0 proto udp from any to any port = 139
block in on dc0 proto udp from any to any port = 520
pass in quick on dc0 proto icmp from any to any icmp-type echorep
pass in quick on dc0 proto icmp from any to any icmp-type unreach
pass in quick on dc0 proto icmp from any to any icmp-type squench
pass in quick on dc0 proto icmp from any to any icmp-type redir
pass in quick on dc0 proto icmp from any to any icmp-type echo
pass in quick on dc0 proto icmp from any to any icmp-type timex
pass in quick on dc0 proto icmp from any to any icmp-type paramprob
block in log quick on dc0 proto icmp from any to any
pass in quick proto udp from any to any port 33436 >< 33480
pass in log quick on dc1 proto tcp from 192.168.1.0/24 to any port = 22 flags S/SA keep state
pass in log quick on dc0 proto tcp from 205.158.72.5/32 to any port = 22 flags S/SA keep state
pass in log quick on dc0 proto tcp from 66.89.55.81/32 to any port = 22 flags S/SA keep state
pass in log quick on dc0 proto tcp from 63.165.219.160/27 to any port = 22 flags S/SA keep state
pass in log quick on dc0 proto tcp from 208.1.223.240/29 to any port = 22 flags S/SA keep state
pass in log quick on dc0 proto tcp from 66.188.12.26/32 to any port = 22 flags S/SA keep state
pass in log quick on dc1 proto tcp from 192.168.1.0/24 to 63.165.219.171/32 port = 80 flags S/SA keep state
pass in log quick on dc0 proto tcp from 205.158.72.5/32 to 63.165.219.171/32 port = 80 flags S/SA keep state
pass in log quick on dc0 proto tcp from 66.89.55.81/32 to 63.165.219.171/32 port = 80 flags S/SA keep state
pass in log quick on dc0 proto tcp from 63.165.219.160/27 to 63.165.219.171/32 port = 80 flags S/SA keep state
pass in log quick on dc0 proto tcp from 208.1.223.240/29 to 63.165.219.171/32 port = 80 flags S/SA keep state
pass in log quick on dc0 proto tcp from 66.188.12.26/32 to 63.165.219.171/32 port = 80 flags S/SA keep state
pass in quick on dc1 proto tcp/udp from 192.168.1.0/24 port = domain to any port > 1024
pass in quick on dc0 proto tcp/udp from 65.106.1.196/32 port = domain to any port > 1024
pass in quick on dc0 proto tcp/udp from 65.106.7.196/32 port = domain to any port > 1024
pass in quick on dc0 proto tcp/udp from 63.165.219.162/32 port = domain to any port > 1024
pass in quick on dc0 proto tcp/udp from 63.165.219.163/32 port = domain to any port > 1024
pass in on dc0 proto tcp/udp from any to 192.168.1.4/32
```

----------
$ipnat -slv
```
mapped  in      2820    out     3064
added   190     expired 168
no memory       0       bad nat 0
inuse   22
rules   7
wilds   0
table 0xbfbffbc4 list 0xc0c38400
List of active MAP/Redirect filters:
map dc0 192.168.1.0/24 -> 63.165.219.171/32 portmap tcp/udp auto
map dc0 192.168.1.0/24 -> 63.165.219.171/32
rdr dc0 208.1.223.244/32 port 25 -> 192.168.1.4 port 25 tcp
rdr dc0 208.1.223.244/32 port 110 -> 192.168.1.4 port 110 tcp
rdr dc0 208.1.223.244/32 port 5800 -> 192.168.1.4 port 5800 tcp
rdr dc0 208.1.223.244/32 port 5900 -> 192.168.1.4 port 5900 tcp
rdr dc0 208.1.223.244/32 port 32000 -> 192.168.1.4 port 32000 tcp

List of active sessions:
MAP 192.168.1.4 2948 <- -> 63.165.219.171 2208 [203.15.67.212 25]
	age 287 use 0 sumd 0x56c0/0x56c0 pr 6 bkt 47/67 flags 1 drop 0/0 ifp dc0
	bytes 264 pkts 6
MAP 192.168.1.4 2947 <- -> 63.165.219.171 2207 [203.15.67.212 25]
	age 285 use 0 sumd 0x56c0/0x56c0 pr 6 bkt 45/65 flags 1 drop 0/0 ifp dc0
	bytes 264 pkts 6
MAP 192.168.1.4 2946 <- -> 63.165.219.171 2206 [203.15.67.212 25]
	age 282 use 0 sumd 0x56c0/0x56c0 pr 6 bkt 43/63 flags 1 drop 0/0 ifp dc0
	bytes 264 pkts 6
MAP 192.168.1.4 2945 <- -> 63.165.219.171 2205 [203.15.67.212 25]
	age 280 use 0 sumd 0x56c0/0x56c0 pr 6 bkt 41/61 flags 1 drop 0/0 ifp dc0
	bytes 264 pkts 6
MAP 192.168.1.4 2944 <- -> 63.165.219.171 2204 [63.165.219.162 53]
	age 998 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 35/55 flags 2 drop 0/0 ifp dc0
	bytes 216 pkts 2
MAP 192.168.1.4 2943 <- -> 63.165.219.171 2203 [63.165.219.162 53]
	age 998 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 33/53 flags 2 drop 0/0 ifp dc0
	bytes 167 pkts 2
MAP 192.168.1.4 2942 <- -> 63.165.219.171 2202 [205.205.236.232 25]
	age 158 use 0 sumd 0x56c0/0x56c0 pr 6 bkt 37/57 flags 1 drop 0/0 ifp dc0
	bytes 144 pkts 3
MAP 192.168.1.4 2941 <- -> 63.165.219.171 2201 [63.165.219.162 53]
	age 878 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 29/49 flags 2 drop 0/0 ifp dc0
	bytes 187 pkts 2
MAP 192.168.1.33 1459 <- -> 63.165.219.171 9539 [63.165.219.162 53]
	age 187 use 0 sumd 0x7917/0x7917 pr 17 bkt 21/33 flags 2 drop 0/0 ifp dc0
	bytes 220 pkts 2
MAP 192.168.1.4 2936 <- -> 63.165.219.171 2196 [63.165.219.162 53]
	age 38 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 19/39 flags 2 drop 0/0 ifp dc0
	bytes 208 pkts 2
MAP 192.168.1.4 2935 <- -> 63.165.219.171 2195 [63.165.219.162 53]
	age 200 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 17/37 flags 2 drop 0/0 ifp dc0
	bytes 513 pkts 4
MAP 192.168.1.4 2925 <- -> 63.165.219.171 2185 [63.165.219.162 53]
	age 190 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 124/17 flags 2 drop 0/0 ifp dc0
	bytes 499 pkts 4
MAP 192.168.1.4 2922 <- -> 63.165.219.171 2182 [63.165.219.162 53]
	age 180 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 118/11 flags 2 drop 0/0 ifp dc0
	bytes 531 pkts 4
MAP 192.168.1.4 2919 <- -> 63.165.219.171 2179 [63.165.219.162 53]
	age 170 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 112/5 flags 2 drop 0/0 ifp dc0
	bytes 497 pkts 4
MAP 192.168.1.4 2917 <- -> 63.165.219.171 2177 [63.165.219.162 53]
	age 160 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 108/1 flags 2 drop 0/0 ifp dc0
	bytes 544 pkts 4
MAP 192.168.1.4 2915 <- -> 63.165.219.171 2175 [63.165.219.162 53]
	age 150 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 104/124 flags 2 drop 0/0 ifp dc0
	bytes 468 pkts 4
MAP 192.168.1.4 2909 <- -> 63.165.219.171 2169 [63.165.219.162 53]
	age 140 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 92/112 flags 2 drop 0/0 ifp dc0
	bytes 485 pkts 4
MAP 192.168.1.40 3011 <- -> 63.165.219.171 11343 [64.12.24.113 5190]
	age 863935 use 0 sumd 0x7a0c/0x7a0c pr 6 bkt 60/39 flags 1 drop 0/0 ifp dc0
	bytes 20748 pkts 395
MAP 192.168.1.40 3005 <- -> 63.165.219.171 11337 [64.12.30.160 5190]
	age 863972 use 0 sumd 0x7a0c/0x7a0c pr 6 bkt 16/122 flags 1 drop 0/0 ifp dc0
	bytes 83343 pkts 1145
MAP 192.168.1.33 1364 <- -> 63.165.219.171 9444 [64.12.30.220 5190]
	age 863972 use 0 sumd 0x7917/0x7917 pr 6 bkt 15/30 flags 1 drop 0/0 ifp dc0
	bytes 71878 pkts 1049
MAP 192.168.1.33 1361 <- -> 63.165.219.171 9441 [207.46.106.47 1863]
	age 863626 use 0 sumd 0x7917/0x7917 pr 6 bkt 18/49 flags 1 drop 0/0 ifp dc0
	bytes 7592 pkts 127
MAP 192.168.1.33 1360 <- -> 63.165.219.171 9440 [64.12.26.83 5190]
	age 863897 use 0 sumd 0x7917/0x7917 pr 6 bkt 35/66 flags 1 drop 0/0 ifp dc0
	bytes 15134 pkts 275

List of active host mappings:
192.168.1.33 -> 63.165.219.171 (use = 4 hv = 34)
192.168.1.4 -> 63.165.219.171 (use = 16 hv = 56)
192.168.1.40 -> 63.165.219.171 (use = 2 hv = 90)
```
----------
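The kernel line quoted in the post is the message FreeBSD writes when `net.inet.tcp.log_in_vain` is set and a TCP segment arrives for a port on which the box has no listener. On a NAT gateway, a segment from Server 1's port 80 to a high port on the firewall's public address is exactly what the return half of a translated LAN connection looks like once no MAP entry is applied to it, so the check worth making during an outage is whether the ipnat session table still held an entry for that 4-tuple. The script below is an added example, not the poster's code and not part of IPFilter: it parses `ipnat -l` session records in the layout shown above (joining the indented verbose lines to the `MAP` line), parses the `Connection attempt` messages, and reports, for each hit on the NAT address, whether a matching TCP session existed. The function names, the `NAT_IP` constant and both sample inputs are constructed for this example; the sample log reuses the firewall and Server 1 addresses from the post's netstat output instead of the masked `x.x` form in the quoted line, and its other addresses are made up.

```python
import re
from dataclasses import dataclass

# Public address the post's map rules translate 192.168.1.0/24 to (from the post).
NAT_IP = "63.165.219.171"

# One `ipnat -l` session record once its verbose continuation lines are joined:
# MAP 192.168.1.4 2948 <- -> 63.165.219.171 2208 [203.15.67.212 25] age 287 ... pr 6 ...
SESSION_RE = re.compile(
    r"^MAP\s+(?P<lan_ip>[\d.]+)\s+(?P<lan_port>\d+)\s+<-\s+->\s+"
    r"(?P<nat_ip>[\d.]+)\s+(?P<nat_port>\d+)\s+"
    r"\[(?P<remote_ip>[\d.]+)\s+(?P<remote_port>\d+)\]"
    r".*?\bage\s+(?P<age>\d+).*?\bpr\s+(?P<proto>\d+)"
)

# Kernel message produced with net.inet.tcp.log_in_vain set when a TCP segment
# reaches a port that has no listening socket (format as quoted in the post).
LOG_RE = re.compile(
    r"Connection attempt to TCP (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"from (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
)


@dataclass(frozen=True)
class Session:
    lan_ip: str
    lan_port: int
    nat_ip: str
    nat_port: int
    remote_ip: str
    remote_port: int
    proto: int   # 6 = TCP, 17 = UDP, as printed after "pr"
    age: int     # seconds, as printed after "age"


def _records(ipnat_output):
    """Yield each MAP record as one string, joining its indented verbose lines."""
    cur = None
    for line in ipnat_output.splitlines():
        if line.startswith("MAP "):
            if cur:
                yield cur
            cur = line.strip()
        elif cur is not None and line[:1] in (" ", "\t"):
            cur += " " + line.strip()
        else:
            if cur:
                yield cur
            cur = None
    if cur:
        yield cur


def parse_sessions(ipnat_output):
    """Index sessions by the 4-tuple a return packet from the remote host carries:
    (nat_ip, nat_port, remote_ip, remote_port)."""
    table = {}
    for rec in _records(ipnat_output):
        m = SESSION_RE.match(rec)
        if not m:
            continue
        s = Session(m["lan_ip"], int(m["lan_port"]), m["nat_ip"], int(m["nat_port"]),
                    m["remote_ip"], int(m["remote_port"]), int(m["proto"]), int(m["age"]))
        table[(s.nat_ip, s.nat_port, s.remote_ip, s.remote_port)] = s
    return table


def parse_log_in_vain(messages):
    """Return (dst_ip, dst_port, src_ip, src_port) for every log_in_vain line."""
    hits = []
    for line in messages.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits.append((m["dst_ip"], int(m["dst_port"]), m["src_ip"], int(m["src_port"])))
    return hits


def correlate(sessions, hits, nat_ip=NAT_IP):
    """Classify each hit aimed at the NAT address.
    no_session  : no TCP MAP entry matches the 4-tuple; the mapping had already expired
                  or been lost, so the kernel treated the packet as local traffic.
    stale_entry : a TCP MAP entry still matches, yet the packet was not translated;
                  the session table and the packet path disagree.
    Hits on the box's other addresses are genuine attempts to reach it and are skipped."""
    report = []
    for dst_ip, dst_port, src_ip, src_port in hits:
        if dst_ip != nat_ip:
            continue
        key = (dst_ip, dst_port, src_ip, src_port)
        s = sessions.get(key)
        if s is None or s.proto != 6:
            report.append(("no_session", key, None))
        else:
            report.append(("stale_entry", key, s))
    return report


# Constructed sample in the layout of the post's `ipnat -slv` output (three of its sessions).
SAMPLE_IPNAT = """\
List of active sessions:
MAP 192.168.1.4 2948 <- -> 63.165.219.171 2208 [203.15.67.212 25]
\tage 287 use 0 sumd 0x56c0/0x56c0 pr 6 bkt 47/67 flags 1 drop 0/0 ifp dc0
\tbytes 264 pkts 6
MAP 192.168.1.4 2944 <- -> 63.165.219.171 2204 [63.165.219.162 53]
\tage 998 use 0 sumd 0x56c0/0x56c0 pr 17 bkt 35/55 flags 2 drop 0/0 ifp dc0
\tbytes 216 pkts 2
MAP 192.168.1.33 1364 <- -> 63.165.219.171 9444 [64.12.30.220 5190]
\tage 863972 use 0 sumd 0x7917/0x7917 pr 6 bkt 15/30 flags 1 drop 0/0 ifp dc0
\tbytes 71878 pkts 1049
List of active host mappings:
192.168.1.33 -> 63.165.219.171 (use = 4 hv = 34)
"""

# Constructed sample log: a line shaped like the post's (firewall and Server 1 addresses
# from its netstat output), one hit whose MAP entry is still present, and one probe of the
# firewall's second address (made-up source) that must be left alone.
SAMPLE_MESSAGES = """\
May  2 01:01:40 vormund /kernel: Connection attempt to TCP 63.165.219.171:8634 from 208.1.223.242:80
May  2 01:01:41 vormund /kernel: Connection attempt to TCP 63.165.219.171:2208 from 203.15.67.212:25
May  2 01:01:45 vormund /kernel: Connection attempt to TCP 208.1.223.246:23 from 198.51.100.7:4444
"""

if __name__ == "__main__":
    for kind, key, sess in correlate(parse_sessions(SAMPLE_IPNAT), parse_log_in_vain(SAMPLE_MESSAGES)):
        print(kind, key, sess)
```

Feed it a saved `ipnat -l` snapshot and the slice of /var/log/messages taken during an outage. A run of `no_session` results for flows that were active seconds earlier says entries are being expired or dropped from the NAT table; `stale_entry` results say packets are reaching the local stack untranslated even though the table is intact, which is a different fault and worth separating before changing rules.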