NAT Reflection issue



  • Hi everybody,

    I have a problem with nat reflection.

    It worked flawlessly till 1 month ago or so, then this message started appearing in the event viewer:

    php: : Not installing nat reflection rules. Maximum 1,000 reached.

    The problem is that this is not true  ;D

    I've got no more than 100, maybe 120, port forwards (considering also the ones with ranges; I mean in total I forward 120 ports).

    I checked inetd.conf and I can't understand why, but every single entry is repeated 5 or 6 times:

    19000 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
    19001 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
    19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
    19003 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
    19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
    19005 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
    19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
    19007 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
    19008 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
    19009 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
    19010 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
    19011 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
    19012 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
    19013 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443

    In this example there are two rules for a webserver, HTTP and HTTPS.

    I tried manually editing inetd.conf, but every time I create a NAT rule it is overwritten by the "buggy" one.

    What can I do? Maybe this happens because I have LAN, DMZ and 4 other VLANs? So it creates an entry for every interface?

    I'm running 1.2 release version installed on HDD.

    Any help would be appreciated!

    Thanks,
    Speck



  • So no one noticed this?

    Do you know if there is a way to enable port forwarding just for some rules?

    Can I do it manually?

    Thanks,
    Speck


  • Rebel Alliance Developer Netgate

    It is likely due to the multiple interfaces you have present. It appears as though it's trying to add one entry per interface that it thinks it should listen upon, but judging by what is in the inetd.conf you pasted, it really only needs one line per port, not per interface and per port.

    It's probably just a matter of fixing up the code that generates that part of the config. You may want to open a ticket and report this:

    http://cvstrac.pfsense.org/
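
    The duplication the reply describes (one inetd entry per interface instead of one per port) can be checked from a copy of inetd.conf before concluding that the 1,000-rule limit is genuinely reached. The script below is an added example, not code from the thread or from pfSense: it parses lines of the shape quoted above, groups them by forwarding target, and reports how many listener entries exist per unique target. The sample text is constructed from the lines quoted in the first post; the regular expression and the function names are assumptions about the format, not pfSense's generator.

```python
"""Count and group NAT-reflection entries from an inetd.conf-style listing.

Added example (not pfSense code). Assumes each entry has the shape quoted in
the thread:  '<lport> stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 <ip> <dport>'.
"""
import re
from collections import OrderedDict

# Constructed sample: the 14 lines quoted in the first post of the thread.
SAMPLE_INETD_CONF = """\
19000 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19001 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19003 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19005 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19007 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19008 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19009 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19010 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19011 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19012 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19013 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
"""

# Assumed line format (hypothetical pattern, written for the lines above).
ENTRY_RE = re.compile(
    r"^(?P<lport>\d+)\s+stream\s+tcp\s+nowait(?:/\d+)?\s+\S+\s+\S+\s+nc\s+"
    r"-w\s+\d+\s+(?P<target>\S+)\s+(?P<dport>\d+)\s*$"
)

# The limit named in the log message quoted in the thread.
REFLECTION_RULE_LIMIT = 1000


def parse_reflection_entries(text):
    """Return a list of (listener_port, target_ip, target_port) tuples.

    Lines that are blank, commented, or do not match the nc-reflector
    shape are ignored, so ordinary inetd services do not inflate the count.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["lport"]), m["target"], int(m["dport"])))
    return entries


def group_by_target(entries):
    """Map (target_ip, target_port) -> list of listener ports, in file order."""
    groups = OrderedDict()
    for lport, target, dport in entries:
        groups.setdefault((target, dport), []).append(lport)
    return groups


def reflection_report(text, limit=REFLECTION_RULE_LIMIT):
    """Summarise how many entries exist versus how many distinct targets.

    'factor' is entries per distinct target: a value above 1 means the
    generator emitted more than one listener for the same forward, which is
    the per-interface duplication discussed in the thread.
    """
    entries = parse_reflection_entries(text)
    groups = group_by_target(entries)
    total = len(entries)
    unique = len(groups)
    return {
        "total_entries": total,
        "unique_targets": unique,
        "factor": (total // unique) if unique else 0,
        "duplicated": {k: v for k, v in groups.items() if len(v) > 1},
        "over_limit": total > limit,
        "unique_over_limit": unique > limit,
    }


if __name__ == "__main__":
    rep = reflection_report(SAMPLE_INETD_CONF)
    print(f"{rep['total_entries']} entries for {rep['unique_targets']} targets "
          f"(x{rep['factor']}); over limit: {rep['over_limit']}")
    for (ip, port), lports in rep["duplicated"].items():
        print(f"  {ip}:{port} <- listener ports {lports[0]}..{lports[-1]} ({len(lports)} copies)")
```

    Run against a real inetd.conf (`reflection_report(open('/etc/inetd.conf').read())`), a factor close to the number of interfaces confirms the explanation above, and `unique_over_limit` shows whether the configuration would still hit the limit once the generator emits one line per port.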



  • Ok, thanks.

    I'll open a ticket.

    In the meantime, do you know how I can manually edit inetd.conf?

    Thanks,
    Speck


  • Rebel Alliance Developer Netgate

    Sorry for the late reply on this one.

    You can't edit inetd.conf, you'd have to edit the code that creates it. The relevant portion is in /etc/inc/filter.inc around lines 1135-1233 or so.



  • :o I think I'll wait until someone fixes this  ;D

    I'm not skilled enough to put my hands on configuration files  ;)

    Thanks,

    Speck

