Nat reflection and udp
-
Synced my dev build just now and rebuilt; diff attached.
-
Thanks, I've committed a slightly different version.
$rule['protocol'] should be used instead of the hard coded udp value since that case can trip for tcp or udp.
-
OK, will test this case for you.
Thanks for wasting all that time Scott, I know what to do next time.
-
THE BAD NEWS ON REFLECTION

TEST WITH SCOTT'S COMMITTED FILTER.INC

TEST1
udp rule

NAT Inbound Redirects
rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 161

TEST 2
tcp rules

NAT Inbound Redirects
rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 80

TEST3
tcp - udp rule

NAT Inbound Redirects
rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
NAT Reflection rules
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19004 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 123
TEST WITH ALAN'S FILTER.INC using the variable in the udp case

TEST1
udp rule

NAT Inbound Redirects
rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 161

TEST 2
tcp rules

NAT Inbound Redirects
rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
NAT Reflection rules
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 80

TEST3
tcp - udp rule

NAT Inbound Redirects
rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
NAT Reflection rules
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
Inetd conf
19004 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 123

Conclusion: it just does not work the way you want it to.
Ports are not lining up right; tcp/udp should use two nc ports and not one.
I think you should remove the feature or really look hard at it.
-
I will just remove. I am really tired of reflection.
-
I just committed a change to install both tcp and udp entries for reflection. I am guessing this was the only bug that you are experiencing, but it's rather hard to tell from re-reading your text.
-
Will check it out again. I am getting a little tired of this one now, but if you want me to work on it I will let you know soon.
-
OK, I made three rules: 1 udp only, 1 tcp only and one tcp/udp.

19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 80
19004 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 123

NAT Inbound Redirects
rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129
Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

The rdr rules and the streams reconcile fine, but the localhost rules are messed up:

NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

As you can see there is nothing on 19001, on 19002 there should only be tcp, and there is nothing on 19003 or 4.
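The mismatch in the post above is easy to miss by eye, so here is an added consistency checker (example code written for this page, not part of pfSense or the thread). It parses the three generated pieces, the inetd.conf streams, the reflection rdr rules and the loopback pass rules, and reports every (proto, port) pair where they disagree; the sample strings are constructed from the posted output, with the pf labels dropped for brevity.

```python
import re
# Constructed sample modelled on the posted output: rdr targets and inetd streams agree,
# but the loopback pass rules are shifted by one port.
INETD_CONF = """\
19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 80
19004 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 123"""
RDR_RULES = """\
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005"""
PASS_RULES = """\
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state"""

RDR_RE = re.compile(r"^rdr .*proto (\{[^}]*\}|\S+) .*-> 127\.0\.0\.1 port (\d+)")
PASS_RE = re.compile(r"^pass .*proto (\{[^}]*\}|\S+) .*\$loopback port (\d+)")

def parse_inetd(text):
    """Map listener port -> protocols; 'tcp/udp' as pasted is taken to mean both."""
    streams = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) > 2 and fields[1] == "stream":
            streams[int(fields[0])] = set(fields[2].split("/"))
    return streams

def parse_rules(text, rx):
    """Set of (proto, port) pairs; a '{ tcp udp }' proto list expands to both."""
    pairs = set()
    for m in filter(None, (rx.match(line) for line in text.splitlines())):
        for proto in m.group(1).strip("{}").split():
            pairs.add((proto, int(m.group(2))))
    return pairs

def reconcile(inetd, rdr, pf_pass):
    """Every place the three generated pieces disagree; an empty list means consistent."""
    streams, rdrs = parse_inetd(inetd), parse_rules(rdr, RDR_RE)
    passes = parse_rules(pf_pass, PASS_RE)
    problems = []
    for proto, port in sorted(rdrs):
        if proto not in streams.get(port, ()):
            problems.append(f"rdr {proto}/{port}: no inetd {proto} stream on {port}")
        if (proto, port) not in passes:
            problems.append(f"rdr {proto}/{port}: no loopback pass rule for it")
    for proto, port in sorted(passes - rdrs):
        problems.append(f"pass {proto}/{port}: no rdr sends {proto} to that port")
    return problems
```

Running `reconcile(INETD_CONF, RDR_RULES, PASS_RULES)` on the sample lists the four discrepancies the post describes; the same function run over a real /var/etc/inetd.conf and the generated rules.debug gives an empty list once the port numbering lines up.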
-
Alrighty, thanks. I just committed a fix for this.
-
OK, will test this now. Thanks Scott, you're a hard worker. ::)
-
NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"

The below is the same for rdrs and inetd streams:
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005
19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 80
19004 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 123
-
Please test http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.260;content-type=text%2Fplain;only_with_tag=RELENG_1
-
less /var/etc/inetd.conf
18999 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 161
19000 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 80
19001 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -u -w 20 10.250.100.129 123
19002 stream tcp/udp nowait/0 nobody /usr/bin/nc nc -w 20 10.250.100.129 123

NAT Inbound Redirects
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 18999
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19001
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19002

NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"

Very close now.
-
Committed. Either search filter.inc for 18999 and change to 19000, or update to the latest RELENG_1 file.
-
OK, works, but only change the first instance to 19000; leave the second one at 18999.
-
Woops. Please test my latest filter.inc:
http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.262;content-type=text%2Fplain;only_with_tag=RELENG_1