Nat reflection and udp
-
Look in /var/etc/inetd.conf
-
gotyou
/etc/inc/filter.inc
ok line 844 has a case for udp that is empty
there is another one a little lower than that.i am still looking for the rest of it.
how much was the bounty for this scott can we afford to pay it was it a big one
-
gotyou
/etc/inc/filter.inc
ok line 844 has a case for udp that is empty
there is another one a little lower than that.The same code handles tcp and udp. This is normal for case type statements.
i am still looking for the rest of it.
how much was the bounty for this scott can we afford to pay it was it a big one
$1500
-
aldo, please check out http://cvstrac.pfsense.com/chngview?cn=14258
-
ok one last question how do i reload the /tmp/rules.debug will come back to you tomorrow
-
sorted it looks impossible with the nc bit on the end.
-
think i have it scott
19000 stream udp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.200.200 161
this nc needs a -u option to get udp
as per
http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1&manpath=OpenBSD+3.9
the only other error that i saw was to do with this line which you seem to be working on. this line always shows up tcp not udp
pass in quick on $lan inet proto tcp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
-
line 919 fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 {$target} {$loc_pt}\n");
change this to
fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 -u {$target} {$loc_pt}\n");the problem with this seems to be that this line even though the case is udpsets both tcp and udp streams???? i am sure you might know what this means
line 1891 $ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
change this to
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";hope it helps alan
-
Please issue these commands to test:
fetch -o /etc/inc/ http://www.pfsense.com/~sullrich/filter.inc
/etc/rc.filter_configure -
switch($rule['protocol']) {
case "tcp/udp":
$protocol = "{ tcp udp }";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break;
case "tcp":
case "udp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break;
default:
break;
}**You need to add the case for tcp otherwise tcp get udp case set
the stream looks good but the local host rule needs the tcp case filled in i tested this and it worked fine
case "tcp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break**; -
There is no break, it automatically hits the next case.
-
ok sorry i just stripped you code when pasting not mine
-
one last thing you have an extra white space on the udp stream now.
i did them both in clean cases before and all worked wellfor the inetd i added info the the tcp case and the upd case as i did in the localhost allow rule your
solution was definatly neater but there is a whitespace issue -
Please test the file that I posted. It really should be working now.
-
one last thing you have an extra white space on the udp stream now.
i did them both in clean cases before and all worked wellfor the inetd i added info the the tcp case and the upd case as i did in the localhost allow rule your
solution was definatly neater but there is a whitespace issueNot sure what you mean. Please show me either the generated rules from rules.debug or the netcat entries from inetd.conf
-
19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 192.168.200.200 161
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.200.200 8000 -
Yeah it doesn't look "good" but it should work..
-
-
/* $Id: filter.inc,v 1.575.2.248 2006/09/09 22:53:48 sullrich Exp $ */
-
this definatly works correctly here
switch($rule['protocol']) {
case "tcp/udp":
$protocol = "{ tcp udp }";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break;
case "tcp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break;
case "udp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break;
default:
break;
}NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state
label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state
label "NAT REFLECT: Allow traffic to localhost"