Source address not NATed during OpenVPN startup?
-
@stephenw10 said in Source address not NATed during OpenVPN startup?:
Hmm, check the actual state as it appears in the state table. Try using
pfctl -vvss
If it creates a state it should be possible to add a rule that prevents it.
Steve
So after the bad packets have passed, pfctl -vvss gives many states of this form:
all tcp <website IP>:443 <- <LAN IP>:64970 CLOSED:SYN_SENT [0 + 16777216] [1164774331 + 33554432] age 00:01:20, expires in 00:00:40, 1:1 pkts, 52:80 bytes, rule 122 id: 4c80166200000000 creatorid: c79f1419 gateway: 0.0.0.0 origif: igb1
which presumably correspond to some of the bad packets.
However, there are also a few state pairs that appear to correspond to working, NATed packets. The first state of the pair is very similar to the bad state, above, so I don't see how I could filter on it:
all tcp <website IP>:443 <- <LAN IP>:64972 TIME_WAIT:TIME_WAIT [4088558557 + 132096] wscale 7 [1887699560 + 1282998272] wscale 8 age 00:01:20, expires in 00:01:13, 268:128 pkts, 27167:143271 bytes, rule 122 id: 4d80166200000000 creatorid: c79f1419 gateway: 0.0.0.0 origif: igb1
all tcp <WAN IP>:32245 (<LAN IP>:64972) -> <website IP>:443 ESTABLISHED:ESTABLISHED [3162374760 + 8323072] wscale 8 [4088558557 + 132096] wscale 7 age 00:01:20, expires in 23:59:24, 268:128 pkts, 27167:143271 bytes, rule 74 id: 4e80166200000000 creatorid: c79f1419 gateway: <WAN gateway> origif: igb0
This really seems like a bug.
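As an added example (not code from the thread), a small Python script that folds pfctl -vvss output into one record per state and reports LAN-side states that have no matching NATed WAN-side partner, which is exactly how the healthy pairs above differ from the lone bad state. The sample states are constructed from the shape shown in this post, with documentation addresses standing in for the redacted ones; the interface names igb1 (LAN) and igb0 (WAN) are taken from the post.

```python
import re

# Constructed sample in the shape shown in the post (documentation addresses
# replace the redacted ones): one un-NATed LAN-side state, then a healthy pair.
SAMPLE = """\
all tcp 203.0.113.10:443 <- 192.168.1.20:64970 CLOSED:SYN_SENT [0 + 16777216] [1164774331 + 33554432] age 00:01:20, expires in 00:00:40, 1:1 pkts, 52:80 bytes, rule 122 id: 4c80166200000000 creatorid: c79f1419 gateway: 0.0.0.0 origif: igb1
all tcp 203.0.113.10:443 <- 192.168.1.20:64972 TIME_WAIT:TIME_WAIT [4088558557 + 132096] wscale 7 [1887699560 + 1282998272] wscale 8 age 00:01:20, expires in 00:01:13, 268:128 pkts, 27167:143271 bytes, rule 122 id: 4d80166200000000 creatorid: c79f1419 gateway: 0.0.0.0 origif: igb1
all tcp 198.51.100.5:32245 (192.168.1.20:64972) -> 203.0.113.10:443 ESTABLISHED:ESTABLISHED [3162374760 + 8323072] wscale 8 [4088558557 + 132096] wscale 7 age 00:01:20, expires in 23:59:24, 268:128 pkts, 27167:143271 bytes, rule 74 id: 4e80166200000000 creatorid: c79f1419 gateway: 198.51.100.1 origif: igb0
"""

# "iface proto left [(pre-NAT src)] <-|-> right STATE ... rule N ... origif: X"
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<orig>[^)]+)\))?\s+(?P<dir><-|->)\s+(?P<right>\S+)\s+"
    r"(?P<state>\S+).*?\brule\s+(?P<rule>\d+)\b.*?\borigif:\s+(?P<origif>\S+)"
)


def join_state_lines(text):
    """Live pfctl -vvss prints one header line per state followed by indented
    detail lines; fold those into one record each (a forum paste is already folded)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.strip())
    return records


def parse_states(text):
    """Return a dict per state; records the regex does not recognise are skipped."""
    return [m.groupdict() for rec in join_state_lines(text)
            if (m := STATE_RE.match(rec))]


def find_unnated(states, lan_if):
    """A LAN-side state 'dst <- lan_src' on lan_if should have a WAN-side partner
    'wan_src (lan_src) -> dst'. Return the LAN-side states that have none."""
    translated = {(s["orig"], s["right"]) for s in states
                  if s["dir"] == "->" and s["orig"]}
    return [s for s in states
            if s["dir"] == "<-" and s["origif"] == lan_if
            and (s["right"], s["left"]) not in translated]


if __name__ == "__main__":
    for s in find_unnated(parse_states(SAMPLE), "igb1"):
        print(f"no NAT partner: {s['right']} -> {s['left']} rule {s['rule']} ({s['state']})")
```

Run it against a saved pfctl -vvss capture instead of SAMPLE to list every flow the box let out of the LAN without a matching outbound NAT state.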
-
It does. The only way I could possibly see anything sourced from the LAN IP itself would be some sort of proxy running. So Squid, HAProxy or NAT reflection in NAT+Proxy mode.
What is rule 122 in your ruleset?
Steve
-
@stephenw10 said in Source address not NATed during OpenVPN startup?:
It does.
The only way I could possibly see anything sourced from the LAN IP itself would be some sort of proxy running. So Squid, HAProxy or NAT reflection in NAT+Proxy mode.
Nope, nope, and nope. The setup is quite vanilla. I have one package: service_watchdog.
What is rule 122 in your ruleset?
The only rule having any such number in the output of
pfctl -vvsa
is
@122(0) block drop in log quick on igb0 inet6 proto udp from any to any port = nameserver label "USER_RULE: Ports to monitor" ridentifier 1628204890 [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: pid 61558 State Creations: 0 ]
which makes not the least bit of sense. This is an inbound WAN block/log rule I use to see how many attempts at common ports the bad guys are making. Am I reading the numbers wrong?
-
Mmm, indeed. Can you see what rule 122 is or was when the OpenVPN is up?
This starts to look like a stale state somehow.
-
@stephenw10 said in Source address not NATed during OpenVPN startup?:
Mmm, indeed. Can you see what rule 122 is or was when the OpenVPN is up?
That rule is from after OpenVPN came up. I don't know what the numbering was before it came up; it would be tricky to get; I'd probably need to write a script.
This starts to look like a stale state somehow.
Well, I did find that setting
Reset All States
in System/Advanced/Networking
reduces (but does not zero) the number of bad packets.