Nat reflection and udp

aldo

synced my dev build just now and rebuilt diff attached

diff2-filter.inc.txt

sullrich

Thanks, I've commited a slightly different version.

$rule['protocol'] should be used instead of the hard coded udp value since that case can trip for tcp or udp.

aldo

ok will test this case for you
thanks for wasting all that time scott i know what to do next time

aldo

THE BAD NEWS ON REFLECTION

##########################
TEST WITH SCOTTS COMMITED  FILTER.INC
##########################

#######
TEST1
udp rule
########

NAT Inbound Redirects

rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161

##########
TEST 2
tcp rules
##########

NAT Inbound Redirects

rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80

############
TEST3
tcp - udp rule
############

NAT Inbound Redirects

rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004

NAT Reflection rules

pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

#############################

TEST WITH ALANS  FILTER.INC using the variable in the udp case

############################

#######
TEST1
udp rule
########

NAT Inbound Redirects

rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161

##########

TEST 2
tcp rules
##########

NAT Inbound Redirects

rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

NAT Reflection rules

pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80

############
TEST3
tcp - udp rule
############

NAT Inbound Redirects

rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004

NAT Reflection rules

pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

conculsion it just does not work the way you want it to.
ports are not lining up right tcp/udp should use two nc ports and not one.
i think you should remove the feature or really look hard at it.

sullrich

I will just remove.  I am really tired of reflection.

sullrich

I just commited a change to install both tcp and udp entries for reflection.  I am guessing this was the only bug that you are experiencing but its rather hard to tell from re-reading your text.

aldo

will check it out again i am getting a little tired of this one now but if you want me to work on it i will
let you knwo soon

aldo

OK i made three rules 1 udp only 1 tcp only and one tcp/udp

19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

NAT Inbound Redirects

rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

the rdr rules and the streams reconcile fine. but the localhost rules are messed up

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

as you can see there is nothing on 19001 and on 19002 there should only be tcp and there is nothing on 19003 or 4

sullrich

Alrighty, thanks.  I just commited a fix for this.

aldo

ok will test this now. thanks scott your a hard worker. ::)

aldo

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"

the below is same for rdrs and inetd streams

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

sullrich

Please test http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.260;content-type=text%2Fplain;only_with_tag=RELENG_1

aldo

less /var/etc/inetd.conf

18999  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19000  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19001  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19002  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

NAT Inbound Redirects

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 18999
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19001
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19002

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state  label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state  label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state  label "NAT REFLECT: Allow traffic to localhost"

very close now

sullrich

Commited.  Either search filter.inc for 18999 and change to 19000 or update to the latest RELENG_1 file.

aldo

ok works but only change the first instance to 19000 leave the second one at 18999

sullrich

Woops.  Please test my latest filter.inc:

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.262;content-type=text%2Fplain;only_with_tag=RELENG_1