ipnat stops working under heavy traffic (IPFilter forums, System Security and Security Related category)
Hi,
I have installed ipfilter on a Solaris 8 box with a DNS server installed too. I just want to redirect all DNS queries on standard port 53 to another port (54). There is a small program listening on this port which at this moment only redirects queries to port 53 again, to the DNS server. The machine has 3 interfaces and my ipnat.conf defines a rule for each interface in this way:

    rdr <interface> A.B.C.D/32 port 53 -> A.B.C.D port 54 udp

Testing in a closed environment it works perfectly, and doing some tests with nslookup, packets are received on port 54 and forwarded to the DNS server. But in a real environment, with heavy DNS traffic, I have realized that some traffic is reaching the DNS server directly, not from the dummy program on port 54. Although at the first moment it seems that traffic is being received on port 54 and redirected to 53 again, later I can check it's not happening the same, and traffic is not passing through the program on port 54. To confirm my suspicions, if I stop the program on port 54 but leave ipnat running, DNS still receives traffic, and it shouldn't, as long as all DNS traffic should be redirected to port 54 and nothing is listening on this port.

So, looking at some posts on the list, by the moment my first suspect is that the NAT table is overloaded and I suppose in this case traffic goes directly to port 53 ignoring ipfilter. I'm not sure if I'm right with this assumption. I'm running ipfilter with default values, on a machine with 2Gb RAM and two processors (so I think it's not a hardware limitation problem).

Any idea is welcomed.

Kind regards,
Alvaro

Jeet wrote:
> Jim,
> Thanks a lot for your reply.
> Right now I have enabled ip_forwarding and first trying to get the ipnat working. My ipf.conf is empty and default is to pass all.
>
> My external interface qfe0 connects to a cisco 3548 switch and the switch goes to a router. qfe0 is 10.10.10.1. If I try an ipnat map with qfe0 it works fine. However if I try a map with the second ip 10.10.10.2 I can see that the ipnat has translated the ip but there is no response back. Same is the problem with rdr, there is no response. Then I thought maybe I have to do a proxy arp for the second ip so that the switch and the router would know that packets for 10.10.10.2 should go to qfe0, so I did a
>
>     arp -s 10.10.10.2 <mac-address qfe0>
>
> however that did not work too.
>
> Any ideas would surely help.
>
> -Jeet
>
> --- Jim Sandoz <sandoz@lucent.com> wrote:
>
>> jeet,
>>
>> ipfilter consists of two subsystems, "ipf" and "ipnat".
>>
>> ipf's task is to filter packets by using criteria which you define in /etc/opt/ipf/ipf.conf.
>>
>> ipnat's task is to rewrite packets using criteria which you define in /etc/opt/ipf/ipnat.conf
>>
>> you can use ipf and ipnat individually (by leaving the config file nulled you effectively disable that function), or you can use them in tandem. most folks use both. there are some interactions between the two which i will note in a moment.
>>
>> you will be interested in using ipnat to rewrite the IP addresses of specific packets coming into your external interface. this will cause some packets to be routed by your sparc into the private address space behind it.
>>
>> keep in mind that you need kernel routing enabled to do this. if your sparc has two interfaces configured at boot time it should do this automatically; otherwise you can force it to do kernel routing via
>>
>>     # /usr/sbin/ndd -set /dev/ip ip_forwarding 1
>>
>> but the direct answer to your question is "no", you don't configure any additional IP addresses on your external interface. however, you do need to add some rules to ipnat's config file to rewrite specific address/port pairs; one such example would be
>>
>>     rdr qfe0 10.10.10.1/32 port 80 -> 172.16.1.2 port 8080 tcp
>>
>> this says "any packets arriving on interface qfe0 with the destination of 10.10.10.1:80 should be rewritten to have a destination address of 172.16.1.2:8080, then given to ipf for filtering, and if not blocked by ipf subsequently passed to the kernel for routing"
>>
>> substitute your "external" interface (hme1?) for the qfe0 above.
>>
>> the above statement implies that ipf is configured to accept (i.e. "pass") packets that have a destination address of 172.16.1.2:8080 -- this little tidbit causes trouble for everyone. keep this in mind when writing ipf rules; ipf has to deal with packets AFTER ipnat has rewritten them.
>>
>> you may be asking, "what happens to the reply packet coming back out of the network from 172.16.1.2:8080"? well, ipnat keeps a table of its translations, just like ipf keeps a table of its states. hence, on the return journey, ipnat rewrites the IP address back to the original. as far as the remote machine is concerned, it is talking to your sparc and has no knowledge that your sparc is actually frontending the real physical webserver.
>>
>> you will want to read
>> http://www.phildev.net/ipf/
>> and
>> http://www.obfuscation.org/ipf/
>>
>> also see
>> http://marc.theaimsgroup.com/?l=ipfi...9861622589&w=2
>> and
>> http://marc.theaimsgroup.com/?l=ipfi...8074705794&w=2
>> and
>> http://marc.theaimsgroup.com/?l=ipfi...1495100723&w=2
>>
>> jim
>>
>> Jeet wrote:
>>
>>> Hi Everyone,
>>> I have started using ipfilters on solaris 9 sparc Ultra 10.
>>>
>>> However I have a small newbie question: the external interface is e.g. 10.10.10.1, internal 172.16.1.1.
>>>
>>> In order to set up something like this
>>>
>>>     10.10.10.2:80 - 172.16.1.2:8080
>>>     10.10.10.3:80 - 172.16.1.3:8080
>>>
>>> Do I have to configure the external interfaces with the external ip's or is there some way to get it working without that.
>>>
>>> Thanks a lot.
>>> -Jeet
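An added example, not code from the thread, that applies Jim's point (ipf filters packets only after ipnat has rewritten them) to rdr rules like Alvaro's: it parses the subset of ipnat.conf rdr syntax quoted above, derives the ipf pass rule each redirect needs, and flags a same-host redirect whose original port ipf also passes, which is exactly where a query that misses the NAT rewrite would reach the daemon unnoticed. The interface name hme0, the address 192.0.2.10 and both sample configs are constructed for the example.

```python
import re

# Subset of ipnat.conf rdr grammar from the thread: rdr <if> <a>/<m> port <p> -> <a> port <q> <proto>
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<eport>\d+)\s*->\s*"
    r"(?P<dst>\S+)\s+port\s+(?P<dport>\d+)\s+(?P<proto>tcp|udp)\s*$")
def parse_rdr(line):
    """Parse one rdr line; None for blanks, comments and map rules."""
    m = RDR_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    r["eport"], r["dport"] = int(r["eport"]), int(r["dport"])
    r["ext"], r["dst"] = r["ext"].split("/")[0], r["dst"].split("/")[0]
    return r
def ipf_rule_for(r):
    """The pass rule ipf needs: ipf sees the packet AFTER ipnat rewrote the
    destination, so it must name dst:dport, not the public addr:eport."""
    return ("pass in quick on %s proto %s from any to %s port = %d keep state"
            % (r["iface"], r["proto"], r["dst"], r["dport"]))
def _passes(ipf_rules, proto, addr, port):
    """Does ipf.conf pass inbound proto traffic to addr:port? An empty
    ipf.conf passes everything (the default Jeet relies on)."""
    pat = re.compile(r"^pass\s+in\b.*\bproto\s+%s\b.*\bto\s+%s\s+port\s*=\s*%d\b"
                     % (proto, re.escape(addr), port))
    return not ipf_rules or any(pat.match(x) for x in ipf_rules)
def audit(ipnat_text, ipf_text):
    """Per rdr rule: (rdr line, ipf rule needed, rewritten dst passed, hairpin_open).
    hairpin_open: same-host rdr (the 53 -> 54 case) where ipf also passes the original
    port, so a query that misses the NAT rewrite reaches the daemon directly."""
    rules = [l.strip() for l in ipf_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    out = []
    for line in ipnat_text.splitlines():
        r = parse_rdr(line)
        if r:
            out.append((line.strip(), ipf_rule_for(r),
                        _passes(rules, r["proto"], r["dst"], r["dport"]),
                        r["ext"] == r["dst"] and _passes(rules, r["proto"], r["ext"], r["eport"])))
    return out
# Constructed sample configs, modelled on the rules quoted in the thread
SAMPLE_IPNAT = """\
rdr hme0 192.0.2.10/32 port 53 -> 192.0.2.10 port 54 udp
rdr qfe0 10.10.10.1/32 port 80 -> 172.16.1.2 port 8080 tcp
"""
SAMPLE_IPF = """\
pass in quick on qfe0 proto tcp from any to 10.10.10.1 port = 80 keep state
pass in quick on hme0 proto udp from any to 192.0.2.10 port = 54 keep state
pass in quick on hme0 proto udp from any to 192.0.2.10 port = 53 keep state
"""
```

Running audit(SAMPLE_IPNAT, SAMPLE_IPF) reports that the web rdr is not passed by ipf (the rule names the pre-rewrite 10.10.10.1:80) and that the DNS rdr leaves port 53 directly reachable.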