Nat reflection and udp

sullrich

Rerun the commands that I mentioned earlier.  I have updated the file to cover the tcp case either way.

I know for a fact that if other devs catch wind of this they are not going to like it.  I would have to agree with them, this should not be necessary.

aldo

i see the issue scott

make the udp case empty above the tcp case
and fill in the tcp case but then look at your working cases in the rdr sections there is the issue
i reran the commands but there is an error in the filter.inc on 389 or thereabouts now as well i fixed an if that was missing an I

role it back scott i will work on it tomorrow i understand what youa re trying to achieve now and how you should do it using your method.
i will have better resourses tomorrow i am at home at moment and is 1am

i will send you the diffs tomorrow for your review

aldo

ok i think you will be happy with the localhost rules but not so pleased with the nc inetd bits
have a look and let me know

it works perfectly and that was my goal

filter.inc.txt

sullrich

Looks like you started with a dated filter.inc.

Can you:

#1 update your filter.inc and make the changes again
#2 send a diff -u patch?  I need to also make these changes in -HEAD which this will assist with

aldo

will do it tomorrow for you got it working on a 7-9-06 box.

so will diff for you when i can

sullrich

You need to include the most latest and greatest filter.inc.

http://pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?only_with_tag=RELENG_1

aldo

synced my dev build just now and rebuilt diff attached

diff2-filter.inc.txt

sullrich

Thanks, I've commited a slightly different version.

$rule['protocol'] should be used instead of the hard coded udp value since that case can trip for tcp or udp.

aldo

ok will test this case for you
thanks for wasting all that time scott i know what to do next time

aldo

THE BAD NEWS ON REFLECTION

##########################
TEST WITH SCOTTS COMMITED  FILTER.INC
##########################

#######
TEST1
udp rule
########

NAT Inbound Redirects

rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161

##########
TEST 2
tcp rules
##########

NAT Inbound Redirects

rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80

############
TEST3
tcp - udp rule
############

NAT Inbound Redirects

rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004

NAT Reflection rules

pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

#############################

TEST WITH ALANS  FILTER.INC using the variable in the udp case

############################

#######
TEST1
udp rule
########

NAT Inbound Redirects

rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161

##########

TEST 2
tcp rules
##########

NAT Inbound Redirects

rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

NAT Reflection rules

pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80

############
TEST3
tcp - udp rule
############

NAT Inbound Redirects

rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004

NAT Reflection rules

pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

conculsion it just does not work the way you want it to.
ports are not lining up right tcp/udp should use two nc ports and not one.
i think you should remove the feature or really look hard at it.

sullrich

I will just remove.  I am really tired of reflection.

sullrich

I just commited a change to install both tcp and udp entries for reflection.  I am guessing this was the only bug that you are experiencing but its rather hard to tell from re-reading your text.

aldo

will check it out again i am getting a little tired of this one now but if you want me to work on it i will
let you knwo soon

aldo

OK i made three rules 1 udp only 1 tcp only and one tcp/udp

19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

NAT Inbound Redirects

rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

the rdr rules and the streams reconcile fine. but the localhost rules are messed up

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

as you can see there is nothing on 19001 and on 19002 there should only be tcp and there is nothing on 19003 or 4

sullrich

Alrighty, thanks.  I just commited a fix for this.

aldo

ok will test this now. thanks scott your a hard worker. ::)

aldo

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"

the below is same for rdrs and inetd streams

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

sullrich

Please test http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.260;content-type=text%2Fplain;only_with_tag=RELENG_1

aldo

less /var/etc/inetd.conf

18999  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19000  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19001  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19002  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

NAT Inbound Redirects

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 18999
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19001
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19002

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state  label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state  label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state  label "NAT REFLECT: Allow traffic to localhost"

very close now

sullrich

Commited.  Either search filter.inc for 18999 and change to 19000 or update to the latest RELENG_1 file.