Nat reflection and udp
-
thats how i thought it would work i was wondering where the config was for the streams the at least i could get it right and test udp and see if it works.
i use udp streams using inetd like ideas in linux and it works fine.what file are the streams stored in i guess a netstat will tell me what is running???
-
i know there have been some conversations about this in the last while i just hope someone can conclude it for me.
on rc2 box when nat reflection is enabled it sends lan to 127.0.0.1 udp 8001
the other half though 127.0.0.1 tcp 8001 to opt1 serverI just cant find exactly where this commit was made to cvs.
lok forward to the reply
well it seems to be physically possible to do this with udp as well. would you like me to bug track this or will u just remove udp support.
sorry the code is a little hard for me to flow through php is not really a strong suit of mine.tested streaming udp through inetd seems to be ok though.
-
Please try the latest snapshot.
-
scott there has been no changes made since the 07/09/06 snapthat i used where is the code change in relation to this.
unless i have missed something in the cvstrac -
Yes, you have missed some items in cvstrac. Please test the latest version.
-
ok i will check the cvstrac for the items u mention and test it then thanks
-
ok upgraded to snapshot 07-09
rdr on lan on protocol udp from any to xxx.xxx.xxx.xxx/32 to 127.0.0.1:19006 this line looks fine
pass in on lan on protocol tcp from any to 127.0.0.1:19006 this line is the problemthese rules are not 100% as they are from memory but the problem is correct.
where does the 127.0.0.1:19006 got to i would guess it is a stream of some sort. but i cannot seem to find it.
i guess this is also wrong as i have added a rule to my user defined rules like so with no success.pass in on lan on protocol udp from any to 127.0.0.1:19006
I can try to put some better logging on this maybe i can get a test up on it tomorrow to give further information.
can someone answer me about what happens in the loopback and how does it get to the dmz server that i am aiming for.the dmz server is working externally and there is nothing hitting it. please believe me i have been attempting to get this working right for
some time in my own world. but with little sucess as i am lost in the loopback address routing.regards
alan
-
Grmbl. At this point we should just disable UDP and add this to the FAQ. Reflection was a mistake from the git-go. Since the sponsor of the feature decided to eat and run then its really left us in a awkward position to be happy about fixing this pile of crap.
-
i empathise with you anyway scott give me a few tips and i can look at it i just need to know how the inetd is called i am presently guessing it is being called at command line for each reflection as i can't find a .conf for it anywhere
-
Look in /var/etc/inetd.conf
-
gotyou
/etc/inc/filter.inc
ok line 844 has a case for udp that is empty
there is another one a little lower than that.i am still looking for the rest of it.
how much was the bounty for this scott can we afford to pay it was it a big one
-
gotyou
/etc/inc/filter.inc
ok line 844 has a case for udp that is empty
there is another one a little lower than that.The same code handles tcp and udp. This is normal for case type statements.
i am still looking for the rest of it.
how much was the bounty for this scott can we afford to pay it was it a big one
$1500
-
aldo, please check out http://cvstrac.pfsense.com/chngview?cn=14258
-
ok one last question how do i reload the /tmp/rules.debug will come back to you tomorrow
-
sorted it looks impossible with the nc bit on the end.
-
think i have it scott
19000 stream udp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.200.200 161
this nc needs a -u option to get udp
as per
http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1&manpath=OpenBSD+3.9
the only other error that i saw was to do with this line which you seem to be working on. this line always shows up tcp not udp
pass in quick on $lan inet proto tcp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
-
line 919 fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 {$target} {$loc_pt}\n");
change this to
fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 -u {$target} {$loc_pt}\n");the problem with this seems to be that this line even though the case is udpsets both tcp and udp streams???? i am sure you might know what this means
line 1891 $ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
change this to
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";hope it helps alan
-
Please issue these commands to test:
fetch -o /etc/inc/ http://www.pfsense.com/~sullrich/filter.inc
/etc/rc.filter_configure -
switch($rule['protocol']) {
case "tcp/udp":
$protocol = "{ tcp udp }";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break;
case "tcp":
case "udp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break;
default:
break;
}**You need to add the case for tcp otherwise tcp get udp case set
the stream looks good but the local host rule needs the tcp case filled in i tested this and it worked fine
case "tcp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break**; -
There is no break, it automatically hits the next case.