Nat reflection and udp
-
ok upgraded to snapshot 07-09
rdr on lan on protocol udp from any to xxx.xxx.xxx.xxx/32 to 127.0.0.1:19006 this line looks fine
pass in on lan on protocol tcp from any to 127.0.0.1:19006 this line is the problem. these rules are not 100% as they are from memory but the problem is correct.
where does the 127.0.0.1:19006 go to? i would guess it is a stream of some sort, but i cannot seem to find it.
i guess this is also wrong as i have added a rule to my user defined rules like so with no success:
pass in on lan on protocol udp from any to 127.0.0.1:19006
I can try to put some better logging on this. maybe i can get a test up on it tomorrow to give further information.
can someone answer me about what happens in the loopback and how does it get to the dmz server that i am aiming for. the dmz server is working externally and there is nothing hitting it. please believe me i have been attempting to get this working right for some time in my own world, but with little success as i am lost in the loopback address routing.
regards
alan
-
Grmbl. At this point we should just disable UDP and add this to the FAQ. Reflection was a mistake from the get-go. Since the sponsor of the feature decided to eat and run, it's really left us in an awkward position to be happy about fixing this pile of crap.
-
i empathise with you anyway scott. give me a few tips and i can look at it. i just need to know how the inetd is called. i am presently guessing it is being called at command line for each reflection as i can't find a .conf for it anywhere
-
Look in /var/etc/inetd.conf
-
got you
/etc/inc/filter.inc
ok line 844 has a case for udp that is empty
there is another one a little lower than that. i am still looking for the rest of it.
how much was the bounty for this scott? can we afford to pay it? was it a big one?
-
there is another one a little lower than that.
The same code handles tcp and udp. This is normal for case type statements.
how much was the bounty for this scott? can we afford to pay it? was it a big one?
$1500
-
alan, please check out http://cvstrac.pfsense.com/chngview?cn=14258
-
ok one last question: how do i reload the /tmp/rules.debug? will come back to you tomorrow
-
sorted. it looks impossible with the nc bit on the end.
-
think i have it scott
19000 stream udp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.200.200 161
this nc needs a -u option to get udp
as per
http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1&manpath=OpenBSD+3.9
the only other error that i saw was to do with this line, which you seem to be working on. this line always shows up tcp not udp
pass in quick on $lan inet proto tcp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
-
line 919 fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 {$target} {$loc_pt}\n");
change this to
fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 -u {$target} {$loc_pt}\n");
the problem with this seems to be that this line, even though the case is udp, sets both tcp and udp streams???? i am sure you might know what this means
line 1891 $ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
change this to
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
hope it helps
alan
-
Please issue these commands to test:
fetch -o /etc/inc/ http://www.pfsense.com/~sullrich/filter.inc
/etc/rc.filter_configure
-
switch($rule['protocol']) {
case "tcp/udp":
$protocol = "{ tcp udp }";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
case "tcp":
case "udp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
default:
break;
}
You need to add the case for tcp, otherwise tcp gets the udp case set.
the stream looks good but the localhost rule needs the tcp case filled in. i tested this and it worked fine
case "tcp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
-
There is no break, it automatically hits the next case.
-
ok sorry i just stripped your code when pasting, not mine
-
one last thing: you have an extra white space on the udp stream now.
i did them both in clean cases before and all worked well. for the inetd i added info to the tcp case and the udp case as i did in the localhost allow rule. your solution was definitely neater but there is a whitespace issue
-
Please test the file that I posted. It really should be working now.
-
Not sure what you mean. Please show me either the generated rules from rules.debug or the netcat entries from inetd.conf
-
19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 192.168.200.200 161
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.200.200 8000
-
Yeah it doesn't look "good" but it should work..
-
/* $Id: filter.inc,v 1.575.2.248 2006/09/09 22:53:48 sullrich Exp $ */
-
this definitely works correctly here
switch($rule['protocol']) {
case "tcp/udp":
$protocol = "{ tcp udp }";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
case "tcp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
case "udp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
default:
break;
}
NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
-
You're not making any sense. Are you saying what is committed does not work? There is no difference, the udp case gets hit for tcp OR udp since there is no break.
Watch this example program:
<?php
$protocol = "tcp";
switch($protocol) {
case "tcp":
case "udp":
echo "case met";
}
?>
php -f test.php
case met#
As you can see since there is no break, the case "udp" gets processed for either.
Now consider this:
<?php
$protocol = "udp";
switch($protocol) {
case "tcp":
case "udp":
echo "case met";
}
?>
php -f test.php
case met#
As you can see you do not need to do it your way.
-
i agree but that was the result
-
Rerun the commands that I mentioned earlier. I have updated the file to cover the tcp case either way.
I know for a fact that if other devs catch wind of this they are not going to like it. I would have to agree with them, this should not be necessary.
-
i see the issue scott
make the udp case empty above the tcp case
and fill in the tcp case, but then look at your working cases in the rdr sections. there is the issue
i reran the commands but there is an error in the filter.inc on 389 or thereabouts now as well. i fixed an if that was missing an I. rolled it back scott. i will work on it tomorrow. i understand what you are trying to achieve now and how you should do it using your method.
i will have better resources tomorrow. i am at home at moment and it is 1am. i will send you the diffs tomorrow for your review
-
ok i think you will be happy with the localhost rules but not so pleased with the nc inetd bits
have a look and let me know. it works perfectly and that was my goal
-
Looks like you started with a dated filter.inc.
Can you:
#1 update your filter.inc and make the changes again
#2 send a diff -u patch? I need to also make these changes in -HEAD which this will assist with
-
will do it tomorrow for you. got it working on a 7-9-06 box.
so will diff for you when i can
-
You need to include the most latest and greatest filter.inc.
http://pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?only_with_tag=RELENG_1
-
synced my dev build just now and rebuilt diff attached
-
Thanks, I've committed a slightly different version.
$rule['protocol'] should be used instead of the hard coded udp value since that case can trip for tcp or udp.
-
ok will test this case for you
thanks for wasting all that time scott i know what to do next time
-
THE BAD NEWS ON REFLECTION
##########################
TEST WITH SCOTT'S COMMITTED FILTER.INC
#################################
TEST1
udp rule
########
NAT Inbound Redirects
rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 161
##########
TEST 2
tcp rules
##########
NAT Inbound Redirects
rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 80
############
TEST3
tcp - udp rule
############
NAT Inbound Redirects
rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
NAT Reflection rules
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19004 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 123
#############################
TEST WITH ALAN'S FILTER.INC using the variable in the udp case
############################
#######
TEST1
udp rule
########
NAT Inbound Redirects
rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 161
##########
TEST 2
tcp rules
##########
NAT Inbound Redirects
rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
NAT Reflection rules
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 80
############
TEST3
tcp - udp rule
############
NAT Inbound Redirects
rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
NAT Reflection rules
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19004 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 123
conclusion: it just does not work the way you want it to.
ports are not lining up right. tcp/udp should use two nc ports and not one.
i think you should remove the feature or really look hard at it.
-
I will just remove. I am really tired of reflection.
-
I just committed a change to install both tcp and udp entries for reflection. I am guessing this was the only bug that you are experiencing but it's rather hard to tell from re-reading your text.
-
will check it out again. i am getting a little tired of this one now, but if you want me to work on it i will let you know soon
-
OK i made three rules: 1 udp only, 1 tcp only and one tcp/udp
19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 80
19004 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 123
NAT Inbound Redirects
rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005
the rdr rules and the streams reconcile fine, but the localhost rules are messed up
NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
as you can see there is nothing on 19001, and on 19002 there should only be tcp, and there is nothing on 19003 or 4
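The thread's recurring failure is that the three things reflection generates per rule (the rdr to 127.0.0.1, the inetd/nc listener, and the pass rule on $loopback) are numbered by separate code paths and drift apart, so a tcp/udp rule ends up with listeners on ports that no pass rule covers. The added Python below (an example model written for this page, not pfSense's filter.inc) draws all three from one port counter, gives a tcp/udp rule one port per protocol with -u only on the udp nc, and includes a reconciliation check that reports any (port, proto) pair missing from one of the three lists. It assumes consecutive loopback ports from 19000, the interface name $lan, and uses the thread's three test rules as constructed input.

```python
"""Model of pfSense 1.x NAT reflection generation, with a cross-check of the
three artifacts that must agree on each loopback port (constructed example)."""
import re
from dataclasses import dataclass

LABEL = 'label "NAT REFLECT: Allow traffic to localhost"'

@dataclass
class RdrRule:
    proto: str      # "tcp", "udp" or "tcp/udp", as written in the pfSense rule
    ext_addr: str   # external address the original inbound rdr matches
    port: int       # destination port
    target: str     # internal (DMZ) host the traffic is forwarded to

def reflection_artifacts(rules, start=19000):
    """Emit reflection rdr rules, loopback pass rules and inetd entries.
    One loopback port per protocol, taken from a single counter: a tcp/udp rule
    gets two ports, because an inetd 'stream' entry is either tcp or udp."""
    rdr, passes, inetd = [], [], []
    port = start
    for r in rules:
        for p in (["tcp", "udp"] if r.proto == "tcp/udp" else [r.proto]):
            rdr.append(f"rdr on $lan proto {p} from any to {r.ext_addr} "
                       f"port {{ {r.port} }} -> 127.0.0.1 port {port}")
            passes.append(f"pass in quick on $lan inet proto {p} from any to "
                          f"$loopback port {port} keep state {LABEL}")
            flags = "-u -w 20" if p == "udp" else "-w 20"  # nc needs -u for udp
            inetd.append(f"{port}\tstream\t{p}\tnowait/0\tnobody\t"
                         f"/usr/bin/nc nc {flags} {r.target} {r.port}")
            port += 1
    return rdr, passes, inetd

RDR_RE = r"proto (?P<proto>\S+) .*-> 127\.0\.0\.1 port (?P<port>\d+)"
PASS_RE = r"proto (?P<proto>\S+) from any to \$loopback port (?P<port>\d+)"
INETD_RE = r"^(?P<port>\d+)\s+stream\s+(?P<proto>\S+)"

def _keys(lines, pattern):
    """Set of (port, proto) pairs found in a list of generated lines."""
    found = (re.search(pattern, line) for line in lines)
    return {(int(m["port"]), m["proto"]) for m in found if m}

def misaligned(rdr, passes, inetd):
    """(port, proto) pairs that are not present in all three artifacts."""
    sets = [_keys(rdr, RDR_RE), _keys(passes, PASS_RE), _keys(inetd, INETD_RE)]
    return sorted(k for k in set().union(*sets) if not all(k in s for s in sets))

# Constructed input: the three rules tested in the thread (udp 161, tcp 80, tcp/udp 123).
RULES = [RdrRule("udp", "192.168.50.254", 161, "10.250.100.129"),
         RdrRule("tcp", "192.168.50.254", 80, "10.250.100.129"),
         RdrRule("tcp/udp", "192.168.50.254", 123, "10.250.100.129")]
```

Running misaligned() over the rdr, pass and inetd lines from an actual rules.debug and inetd.conf is the quickest way to see the kind of gap reported above (a pass rule on 19001 with no listener, listeners on 19004/19005 with no pass rule).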
-
Alrighty, thanks. I just committed a fix for this.