Excessive TCP: PA FA RA
-
Then you weren't capturing correctly or something else on your network is sending those packets from that IP address.
-
Maybe I missed it. can't predict when it happens, but will leave the capture tool running on 192.168.1.2. I have it filtered for incoming and outgoing port 19006.
Is the xinetd.conf I posted earlier correct? It shows 192.168.20.2 tied to port 19006. Why does it do this? -
Probably a package. What have you installed and why?
there was a time in the past where the LAN any-any rule would not work for some devices on the same LAN subnet unless I gave it a specific rule.
Poppycock. The firewall NEVER gets in the way there unless you are bridging interfaces or some other edge case.
-
Diagnostics > Command Prompt
Execute: cat /var/etc/xinetd.conf
-
how exactly would the firewall even see that traffic to loopback.. Your pc if wanting to talk to a 127.0.0.1 address wouldn't even put it on the wire, that is localhost. That traffic doesn't go out on the wire.
So that has to be coming from your firewall, or some sort of port forward that you send to loopback?
service 19006-tcp
{
type = unlisted
bind = 127.0.0.1
port = 19006
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/bin/nc
server_args = -w 2000 192.168.20.2 993
}Your running something with NC… netcat, not sure of what package or config settings would create those.. I sure and the hell do not have them that is for sure.
-
.. I sure and the hell do not have them that is for sure.
Hmmm, scary stuff for a firewall… 8)
Netcat is often referred to as a "Swiss Army knife" utility, and for a good reason. Just like the multi-function usefulness of the venerable Swiss Army pocket knife, netcat's functionality is as helpful. Some of its features include port scanning, transferring files, port listening and it can be used a backdoor.
[http://www.catonmat.net/blog/unix-utilities-netcat/]
imaps 993 udp imap4 protocol over TLS/SSL
-
yeah not sure what he is doing, or what would of done that..
Yeah NC is very powerful tool.. Why there would be stuff like that setup in his xinetd I have no idea.. The only thing that was in mine the tftp proxy, and I rem them out because not using it and was just causing log spam.
I am not a nc guru by any means, but looks like to me if sees traffic on loopback to port 19006 send it over to that 192.168.20.2 IP on port 993.
I do believe that if you setup nat reflection that pfsense starts with ports 19000, so you had prob setup some sort of nat reflection. Or if he has port forwards and has it using nat reflection these sorts of entries would be put in.
Maybe this is caused by having auto nat reflection enabled?? I personal see nat reflection as an abomination that should be killed with greek fire whenever possible.. Looking back at his firewall rules he does have some port forwards to that 20.2 IP.. But he has the ports all hidden in an alias. So he has some sort of nat reflection going on and then some weirdness is causing out of state..
Again going to state this for the record that nat reflection is an abomination… Turn it off and your problems will go away would be my guess..
-
…I rem them out because...
... Turn it off and your problems will go away would be my guess..To disable a service config, add "disable =yes", (then exec the usual 'killall HUP xinetd'), like in:
service 6969-udp { disable = yes type = unlisted bind = 127.0.0.1 port = 6969 socket_type = dgram protocol = udp wait = yes user = root server = /usr/libexec/tftp-proxy server_args = -v }
-
So I take it that these xinetd.conf entries are for NAT reflection?
I am using NAT reflection on all my port forwards NAT+Proxy. I did that so the LAN can communicate with other interfaces
So, if I should not be using NAT Reflection, should I setup rules instead?
I know for a fact if I turn off NR I cannot open my websites from 192.168.1.2 to the web server @ 192.168.20.2 or load my config page on the NAS @ 192.168.10.2. NR solved all the local communication.I want the LAN subnet to be able to connect to OPT1/2/3. NAT Reflection does this for me.
Here are my Port Forward rules. NAT Reflection Enabled (NAT+Proxy) on first three, system default (Pure NAT) on the last rule
-
…So, if I should not be using NAT Reflection, should I setup rules instead?
No.
Split DNS. Tell your DNS server to point to your local servers, case a LAN-host requests that global server address of yours. -
I use my ISP's DNS and DNS Resolver in PFsense. Do not have a local DNS Server setup.
Are you saying no to using NAT reflection altogether and find a different method. Or just to using rules.
So johnpoz, why the boo.. against NAT Reflection?
-
Have a look see at Services / DNS Forwarder / Host Overrides
-
I do not use DNS Forwarder, I use Resolver, but I do see the host override in there.
So if I put / Host-www / Domain-mydomain.com / IP-192.168.20.2 / in there, 192.168.1.0/24 and 192.168.3.0/24 and 192.168.10.0/24 will be able to get to www.mydomain.com on 192.168.20.2
I host a lot of domains, so I guess I would have to have a list of all of them including all the sub domains. NAT reflection seems easier to me.
-
I'm going to start a new thread on the DNS Resolver host override issue and lock this one. This thread has too many issues that are just compounding.