NAT Reflection issue

Speck · May 18, 2009, 4:37 PM

Hi everybody,

I have a problem with nat reflection.

It worked flawlessy till 1 mont ago or so, then in the event viewer started appearing this message:

php: : Not installing nat reflection rules. Maximum 1,000 reached.

The problem is that this in not true ;D

I've got no more than 100 maybe 120 port forward (considergin also the one with range, i mean in total i forward 120 ports)

I checked inetd.conf and i can't understand why but every single entry is repeater 5 or 6 times:

19000 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19001 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19003 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19005 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19007 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19008 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19009 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19010 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19011 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19012 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19013 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443

in this example there are two rules for a webserver HTTP and HTTPS.

I tried manually edit inetd.conf but everytime a create a nat rule it is overwrited bye the "buggy" one.

What can I Do? maybe this appens because I have LAN, DMZ and other 4 VLANS ? so it creates an entry for every interface?

I'm running 1.2 release version installed on HDD.

Any help would be appreciated!

Thanks,
Speck

Speck · May 25, 2009, 5:48 AM

So no one notice this?

Do you know if there is a way to enable port forwarding just for some rules?

can I do it manually?

Thanks,
Speck

jimp · May 25, 2009, 3:05 PM

It is likely due to the multiple interfaces you have present. It appears as though it's trying to add one entry per interface that it thinks it should listen upon, but judging by what is in the inetd.conf you pasted, it really only needs one line per port, not per interface and per port.

It's probably just a matter of fixing up the code that generates that part of the config. You may want to open a ticket and report this:

http://cvstrac.pfsense.org/

Speck · May 26, 2009, 8:40 AM

Ok, thanks.

I'll open a ticket.

In the meantime do you know how i can manually edit inetd.conf?

Thanks,
Speck

jimp · May 29, 2009, 9:00 PM

Sorry for the late reply on this one.

You can't edit inetd.conf, you'd have to edit the code that creates it. The relevant portion is in /etc/inc/filter.inc around lines 1135-1233 or so.

Speck · Jun 4, 2009, 4:07 PM

:o i think i'll wait until someone fix this ;D

i'm not enough skilled to put hands on configuration files ;)

Thanks,

Speck