Netgate Discussion Forum

    Source address not NATed during OpenVPN startup?

    General pfSense Questions
      bPsdTZpW (in reply to @stephenw10), last edited by bPsdTZpW

      @stephenw10 said in Source address not NATed during OpenVPN startup?:

      Hmm, check the actual state as it appears in the state table. Try using pfctl -vvss

      If it creates a state it should be possible to add a rule that prevents it.

      Steve

      So after the bad packets have passed, pfctl -vvss gives many states of this form:

      all tcp <website IP>:443 <- <LAN IP>:64970       CLOSED:SYN_SENT
         [0 + 16777216]  [1164774331 + 33554432]
         age 00:01:20, expires in 00:00:40, 1:1 pkts, 52:80 bytes, rule 122
         id: 4c80166200000000 creatorid: c79f1419 gateway: 0.0.0.0
         origif: igb1
      

      which presumably correspond to some of the bad packets.

      However, there are also a few state pairs that appear to correspond to working, NATed packets. The first state of the pair is very similar to the bad state, above, so I don't see how I could filter on it:

      all tcp <website IP>:443 <- <LAN IP>:64972       TIME_WAIT:TIME_WAIT
         [4088558557 + 132096] wscale 7  [1887699560 + 1282998272] wscale 8
         age 00:01:20, expires in 00:01:13, 268:128 pkts, 27167:143271 bytes, rule 122
         id: 4d80166200000000 creatorid: c79f1419 gateway: 0.0.0.0
         origif: igb1
      
      all tcp <WAN IP>:32245 (<LAN IP>:64972) -> <website IP>:443       ESTABLISHED:ESTABLISHED
         [3162374760 + 8323072] wscale 8  [4088558557 + 132096] wscale 7
         age 00:01:20, expires in 23:59:24, 268:128 pkts, 27167:143271 bytes, rule 74
         id: 4e80166200000000 creatorid: c79f1419 gateway: <WAN gateway>
         origif: igb0
      

      This really seems like a bug.

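The state pairing described in the post above, as an added example that is not code from the thread or from pfSense: a Python script that parses `pfctl -vvss` output, pairs each inbound LAN state with the outbound WAN state whose parenthesised pre-NAT source matches it, and reports the inbound states that have no such partner (which is what separates the bad state from the working pair, even though the LAN-side entries look alike), plus any WAN state whose source is still a LAN address. In pf's notation an inbound state is printed as `dst <- src`, an outbound one as `src (pre-NAT src) -> dst`. The script assumes the interface names from the thread (igb1 LAN, igb0 WAN), a LAN subnet of 192.168.1.0/24, and a constructed sample table using RFC 5737 addresses.

```python
"""Pair pf states from `pfctl -vvss` to find LAN-to-Internet flows that
never got a NAT state on WAN.  Added example, not from the thread or
pfSense; assumes LAN = igb1 on 192.168.1.0/24 and WAN = igb0, and the
sample table below is constructed (RFC 5737 addresses)."""
import ipaddress
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# State header, e.g. "all tcp 203.0.113.10:443 <- 192.168.1.20:64970  CLOSED:SYN_SENT"
# or "all tcp 198.51.100.5:32245 (192.168.1.20:64972) -> 203.0.113.10:443  ESTABLISHED:ESTABLISHED";
# a parenthesised endpoint is the address before translation.
HEADER = re.compile(
    r"^(?P<pif>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>\S+)(?:\s+\((?P<a_orig>\S+)\))?\s+(?P<dir>->|<-)\s+"
    r"(?P<b>\S+)(?:\s+\((?P<b_orig>\S+)\))?\s+(?P<status>\S+)\s*$"
)


@dataclass
class State:
    proto: str
    direction: str           # "->" outbound, "<-" inbound
    src: str                 # source endpoint as it appears on the wire
    src_orig: Optional[str]  # pre-NAT source (outbound NAT states only)
    dst: str
    status: str
    rule: Optional[int] = None
    origif: Optional[str] = None


def parse_states(text: str) -> List[State]:
    """Parse `pfctl -vvss` output; the indented detail lines supply rule/origif."""
    states: List[State] = []
    cur: Optional[State] = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            d = m.groupdict()
            if d["dir"] == "->":          # printed "src (orig_src) -> dst"
                src, src_orig, dst = d["a"], d["a_orig"], d["b"]
            else:                         # printed "dst <- src"; a bracketed
                src, src_orig, dst = d["b"], None, d["a"]   # left side is a pre-rdr dst
            cur = State(d["proto"], d["dir"], src, src_orig, dst, d["status"])
            states.append(cur)
        elif cur is not None:
            rm = re.search(r"\brule (\d+)", line)
            if rm:
                cur.rule = int(rm.group(1))
            om = re.search(r"\borigif: (\S+)", line)
            if om:
                cur.origif = om.group(1)
    return states


def host(endpoint: str) -> str:
    return endpoint.rsplit(":", 1)[0].strip("[]")   # pf prints IPv6 as [addr]:port


def find_unnatted(states, lan_if="igb1", wan_if="igb0", lan_net="192.168.1.0/24"):
    """Return (reason, state) pairs.  'no-nat-state': inbound LAN state to a non-LAN
    destination with no WAN state carrying that host:port as its pre-NAT source.
    'untranslated-source': WAN state whose source is still a LAN address."""
    net = ipaddress.ip_network(lan_net)

    def in_lan(endpoint: str) -> bool:
        return ipaddress.ip_address(host(endpoint)) in net

    natted = {(s.src_orig, s.dst) for s in states
              if s.direction == "->" and s.origif == wan_if and s.src_orig}
    findings = []
    for s in states:
        if s.direction == "<-" and s.origif == lan_if:
            if in_lan(s.src) and not in_lan(s.dst) and (s.src, s.dst) not in natted:
                findings.append(("no-nat-state", s))
        elif s.direction == "->" and s.origif == wan_if:
            if s.src_orig is None and in_lan(s.src):
                findings.append(("untranslated-source", s))
    return findings


# Constructed sample: state 1 has no WAN partner, state 2 is paired with the
# NAT state 3, state 4 left WAN with its LAN source untouched.
SAMPLE = """\
all tcp 203.0.113.10:443 <- 192.168.1.20:64970       CLOSED:SYN_SENT
   [0 + 16777216]  [1164774331 + 33554432]
   age 00:01:20, expires in 00:00:40, 1:1 pkts, 52:80 bytes, rule 122
   origif: igb1
all tcp 203.0.113.10:443 <- 192.168.1.20:64972       TIME_WAIT:TIME_WAIT
   age 00:01:20, expires in 00:01:13, 268:128 pkts, 27167:143271 bytes, rule 122
   origif: igb1
all tcp 198.51.100.5:32245 (192.168.1.20:64972) -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
   age 00:01:20, expires in 23:59:24, 268:128 pkts, 27167:143271 bytes, rule 74
   origif: igb0
all tcp 192.168.1.20:64980 -> 203.0.113.10:443       CLOSED:SYN_SENT
   age 00:00:05, expires in 00:00:25, 1:0 pkts, 52:0 bytes, rule 74
   origif: igb0
"""

if __name__ == "__main__":
    # Live use on the firewall:  pfctl -vvss | python3 pair_states.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for reason, s in find_unnatted(parse_states(text)):
        print(f"{reason:20} {s.proto} {s.src} {s.direction} {s.dst} {s.status} "
              f"rule {s.rule} origif {s.origif}")
```

Pairing on the pre-NAT endpoint rather than filtering the LAN-side entry on its own is the point: the two inbound igb1 states in the post are indistinguishable by themselves, and only the presence or absence of the igb0 partner with `(LAN IP:port)` tells them apart. Unanswered `CLOSED:SYN_SENT` entries can also be transient, so a flow should be counted as bad only if it stays unpaired across a couple of runs.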
        stephenw10 (Netgate Administrator)

        It does. The only way I could possibly see anything sourced from the LAN IP itself would be some sort of proxy running. So Squid, HAProxy or NAT reflection in NAT+Proxy mode.

        What is rule 122 in your ruleset?

        Steve

          bPsdTZpW (in reply to @stephenw10), last edited by bPsdTZpW

          @stephenw10 said in Source address not NATed during OpenVPN startup?:

          It does.

          The only way I could possibly see anything sourced from the LAN IP itself would be some sort of proxy running. So Squid, HAProxy or NAT reflection in NAT+Proxy mode.

          Nope, nope, and nope. The setup is quite vanilla. I have one package: service_watchdog.

          What is rule 122 in your ruleset?

          The only rule having any such number in the output of pfctl -vvsa is

          @122(0) block drop in log quick on igb0 inet6 proto udp from any to any port = nameserver label "USER_RULE: Ports to monitor" ridentifier 1628204890
            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
            [ Inserted: pid 61558 State Creations: 0     ]
          

          which makes not the least bit of sense. This is an inbound WAN block/log rule I use to see how many attempts at common ports the bad guys are making. Am I reading the numbers wrong?

            stephenw10 (Netgate Administrator)

            Mmm, indeed. Can you see what rule 122 is or was when the OpenVPN is up?

            This starts to look like a stale state somehow.

              bPsdTZpW (in reply to @stephenw10)

              @stephenw10 said in Source address not NATed during OpenVPN startup?:

              Mmm, indeed. Can you see what rule 122 is or was when the OpenVPN is up?

              That rule is from after OpenVPN came up. I don't know what the numbering was before it came up; it would be tricky to get; I'd probably need to write a script.

              This starts to look like a stale state somehow.

              Well, I did find that setting Reset All States in System/Advanced/Networking reduces (but does not zero) the number of bad packets.

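The stale-state hypothesis and the remark that a script would be needed to see what rule 122 was before OpenVPN came up suggest a second added example, again Python and not code from the thread or from pfSense. The rule number a state reports is the position of the rule in the ruleset that was loaded when the state was created; once the filter reloads (pfSense reloads it when OpenVPN brings its interface up), the same number can point at an unrelated rule, which is consistent with 122 resolving to an inbound IPv6 block rule afterwards. The script saves `pfctl -vvsr` to a timestamped file and, given one snapshot from before the reload and one from after, matches rules by their pfSense ridentifier (falling back to the rule text) to translate "rule N" from a state into the rule that actually created it. The two snapshots embedded below are constructed: the ovpnc1 rules, the rule order and every ridentifier except the one quoted in the thread are made up.

```python
"""Map the "rule N" recorded in a pf state back to the ruleset that created it.
Added example, not from the thread or pfSense.  N is positional in the ruleset
loaded at state-creation time, so after a filter reload it can point at an
unrelated rule; snapshot `pfctl -vvsr` before and after, then match rules by
pfSense's ridentifier.  Both snapshots below are constructed."""
import re
import shutil
import subprocess
import time
from pathlib import Path
from typing import Dict, Optional, Tuple

RULE_LINE = re.compile(r"^@(\d+)\(\d+\)\s+(.*\S)\s*$")


def parse_ruleset(text: str) -> Dict[int, str]:
    """{rule number: rule text} from `pfctl -vvsr`; indented counter lines are skipped."""
    rules: Dict[int, str] = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules


def rule_key(rule_text: str) -> Tuple[str, str]:
    """Identity that survives renumbering: the ridentifier (pfSense's per-rule
    tracker id) if present, otherwise the whitespace-normalised rule text."""
    m = re.search(r"\bridentifier (\d+)\b", rule_text)
    if m:
        return ("rid", m.group(1))
    return ("text", " ".join(rule_text.split()))


def renumbering(old: Dict[int, str], new: Dict[int, str]) -> Dict[int, Optional[int]]:
    """Map each old rule number to its number in the new ruleset (None if gone)."""
    new_by_key = {rule_key(t): n for n, t in new.items()}
    return {n: new_by_key.get(rule_key(t)) for n, t in old.items()}


def trace_state_rule(old: Dict[int, str], new: Dict[int, str],
                     number: int) -> Optional[Tuple[str, Optional[int]]]:
    """For 'rule N' from a state created under `old`: (rule text, current number)."""
    if number not in old:
        return None
    return old[number], renumbering(old, new)[number]


def snapshot(directory: str = "/var/tmp/pf-rules") -> Path:
    """Save the live ruleset as <directory>/rules-<epoch>.txt (needs root on pfSense)."""
    out = subprocess.run(["pfctl", "-vvsr"], capture_output=True, text=True, check=True).stdout
    path = Path(directory) / f"rules-{int(time.time())}.txt"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(out)
    return path


# Constructed "before" snapshot: ridentifier values other than 1628204890 are made up.
OLD_SNAPSHOT = """\
@120(0) block drop in log quick on igb0 inet6 proto udp from any to any port = nameserver label "USER_RULE: Ports to monitor" ridentifier 1628204890
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 61558 State Creations: 0     ]
@121(0) pass out quick on igb0 inet all flags S/SA keep state label "let out anything from firewall host itself" ridentifier 1000000001
  [ Evaluations: 40        Packets: 900       Bytes: 120000      States: 2     ]
@122(0) pass in quick on igb1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" ridentifier 1000000002
  [ Evaluations: 300       Packets: 5000      Bytes: 4000000     States: 9     ]
"""

# Constructed "after" snapshot: two VPN-interface rules now sit in front,
# pushing every later rule down by two positions.
NEW_SNAPSHOT = """\
@120(0) pass in quick on ovpnc1 inet all flags S/SA keep state label "USER_RULE: VPN in" ridentifier 1000000003
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@121(0) pass out quick on ovpnc1 inet all flags S/SA keep state label "USER_RULE: VPN out" ridentifier 1000000004
@122(0) block drop in log quick on igb0 inet6 proto udp from any to any port = nameserver label "USER_RULE: Ports to monitor" ridentifier 1628204890
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@123(0) pass out quick on igb0 inet all flags S/SA keep state label "let out anything from firewall host itself" ridentifier 1000000001
@124(0) pass in quick on igb1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" ridentifier 1000000002
"""

if __name__ == "__main__":
    old, new = parse_ruleset(OLD_SNAPSHOT), parse_ruleset(NEW_SNAPSHOT)
    text, now = trace_state_rule(old, new, 122)
    print(f"rule 122 at state creation: {text}\n  now numbered: {now}")
    if shutil.which("pfctl"):      # on a pfSense box, also take a live snapshot
        print("saved", snapshot())
```

In practice one snapshot is taken while the bad states exist (before OpenVPN comes up, from a cron job or a console shell) and another afterwards; `trace_state_rule` with the number from the state then names the creating rule and where it now sits. Matching on the ridentifier matters because pfSense keeps that tracker id fixed for a rule across reloads while the positional `@N` shifts whenever rules are inserted ahead of it.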
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.