Outbound NAT weirdness with 127.0.0.0/8 addresses.



  • It seems that the automatic outbound NAT generates a rule for NATing traffic with 127.0.0.0/8 net as its source address. Is this really necessary? I've always thought that the way FreeBSD's routing code selects the source address for outgoing connections guarantees that the localnet addresses are never visible outside the host.

    This is on version 2.1.2-RELEASE i386.


  • Rebel Alliance Developer Netgate

    If a daemon binds specifically to only 127.0.0.1 then that NAT is necessary to get a packet out.



  • I have trouble picturing a scenario where that would happen. If a service is listening only on localhost and it's reachable from outside, there has to be an RDR that redirects the traffic to localhost and the correct port. Wouldn't the RDR translation cause the return traffic to appear not from the localhost but from the interface where the incoming connection came from?


  • Rebel Alliance Developer Netgate

    For that specific scenario, yes, but that's reply traffic – not traffic initiated by that daemon.

    Consider something like Squid or the DNS Forwarder where the client contacts the daemon and then the daemon makes another query to a remote service.



  • Well yes, you're right. If the daemon doesn't allow you to specify the outgoing interfaces separately from the listening interfaces and you have to bind the daemon only to localhost, then there's no other option. I was able to replicate this scenario using Unbound by specifying localhost as both listening and outbound interfaces, and without the outbound NAT rule for 127.0.0.0/8 the daemon couldn't send queries to the internet.


  • Rebel Alliance Developer Netgate

    Yep. And for reasons like that, it's easier to keep the 127.0.0.0/8 NAT rule in place by default.
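
The Unbound case from the thread can be checked mechanically. The script below is an added example, not from the thread or from pfSense: it reads an unbound.conf and a saved listing of pf NAT rules and reports whether a resolver that sources queries from loopback has a matching translation rule. The function names, the interface `em0`, the addresses and both sample inputs are constructed assumptions.

```shell
#!/bin/sh
# Added example. Both sample inputs are constructed, not captured from a real firewall.

# Constructed unbound.conf: listens and sends queries on loopback only.
sample_unbound_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    outgoing-interface: 127.0.0.1
EOF
}

# Constructed NAT rules in the style of a `pfctl -sn` listing (em0 and addresses assumed).
sample_nat_rules() {
    cat <<'EOF'
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 127.0.0.0/8 to any -> 203.0.113.10 port 1024:65535
EOF
}

# Succeeds if the NAT rules on stdin translate traffic sourced from 127.0.0.0/8.
has_loopback_nat() {
    grep -Eq '^nat .* from 127\.0\.0\.0/8 to '
}

# Prints every loopback address used as outgoing-interface in the config on stdin.
loopback_outgoing() {
    sed -n 's/^[[:space:]]*outgoing-interface:[[:space:]]*\(127\.[0-9.]*\).*/\1/p'
}

# $1 = unbound.conf path, $2 = file holding NAT rules. Returns 1 when queries
# would leave with a loopback source address and nothing rewrites it.
check_resolver_egress() {
    src=$(loopback_outgoing < "$1")
    if [ -z "$src" ]; then
        echo "ok: resolver does not source queries from loopback"
    elif has_loopback_nat < "$2"; then
        echo "ok: queries sourced from $src are translated on egress"
    else
        echo "broken: queries sourced from $src have no outbound NAT rule"
        return 1
    fi
}

# Demo: same config, with and without the 127.0.0.0/8 rule.
tmp=$(mktemp -d)
sample_unbound_conf > "$tmp/unbound.conf"
sample_nat_rules > "$tmp/nat.rules"
grep -v '127\.0\.0\.0/8' "$tmp/nat.rules" > "$tmp/nat.noloop"
check_resolver_egress "$tmp/unbound.conf" "$tmp/nat.rules"
check_resolver_egress "$tmp/unbound.conf" "$tmp/nat.noloop" || true
rm -rf "$tmp"
```

On a live system the second argument would be a file produced by saving the output of `pfctl -sn`.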