Nat reflection and udp

sullrich

I will just remove.  I am really tired of reflection.

sullrich

I just commited a change to install both tcp and udp entries for reflection.  I am guessing this was the only bug that you are experiencing but its rather hard to tell from re-reading your text.

aldo

will check it out again i am getting a little tired of this one now but if you want me to work on it i will
let you knwo soon

aldo

OK i made three rules 1 udp only 1 tcp only and one tcp/udp

19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

NAT Inbound Redirects

rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

Reflection redirects

rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

the rdr rules and the streams reconcile fine. but the localhost rules are messed up

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

as you can see there is nothing on 19001 and on 19002 there should only be tcp and there is nothing on 19003 or 4

sullrich

Alrighty, thanks.  I just commited a fix for this.

aldo

ok will test this now. thanks scott your a hard worker. ::)

aldo

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"

the below is same for rdrs and inetd streams

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

sullrich

Please test http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.260;content-type=text%2Fplain;only_with_tag=RELENG_1

aldo

less /var/etc/inetd.conf

18999  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19000  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19001  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19002  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

NAT Inbound Redirects

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 18999
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19001
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19002

NAT Reflection rules

pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state  label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state  label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state  label "NAT REFLECT: Allow traffic to localhost"

very close now

sullrich

Commited.  Either search filter.inc for 18999 and change to 19000 or update to the latest RELENG_1 file.

aldo

ok works but only change the first instance to 19000 leave the second one at 18999

sullrich

Woops.  Please test my latest filter.inc:

http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.262;content-type=text%2Fplain;only_with_tag=RELENG_1