Nat reflection and udp
-
ok i will check the cvstrac for the items u mention and test it then thanks
-
ok upgraded to snapshot 07-09
rdr on lan on protocol udp from any to xxx.xxx.xxx.xxx/32 to 127.0.0.1:19006 this line looks fine
pass in on lan on protocol tcp from any to 127.0.0.1:19006 this line is the problemthese rules are not 100% as they are from memory but the problem is correct.
where does the 127.0.0.1:19006 got to i would guess it is a stream of some sort. but i cannot seem to find it.
i guess this is also wrong as i have added a rule to my user defined rules like so with no success.pass in on lan on protocol udp from any to 127.0.0.1:19006
I can try to put some better logging on this maybe i can get a test up on it tomorrow to give further information.
can someone answer me about what happens in the loopback and how does it get to the dmz server that i am aiming for.the dmz server is working externally and there is nothing hitting it. please believe me i have been attempting to get this working right for
some time in my own world. but with little sucess as i am lost in the loopback address routing.regards
alan
-
Grmbl. At this point we should just disable UDP and add this to the FAQ. Reflection was a mistake from the git-go. Since the sponsor of the feature decided to eat and run then its really left us in a awkward position to be happy about fixing this pile of crap.
-
i empathise with you anyway scott give me a few tips and i can look at it i just need to know how the inetd is called i am presently guessing it is being called at command line for each reflection as i can't find a .conf for it anywhere
-
Look in /var/etc/inetd.conf
-
gotyou
/etc/inc/filter.inc
ok line 844 has a case for udp that is empty
there is another one a little lower than that.i am still looking for the rest of it.
how much was the bounty for this scott can we afford to pay it was it a big one
-
gotyou
/etc/inc/filter.inc
ok line 844 has a case for udp that is empty
there is another one a little lower than that.The same code handles tcp and udp. This is normal for case type statements.
i am still looking for the rest of it.
how much was the bounty for this scott can we afford to pay it was it a big one
$1500
-
aldo, please check out http://cvstrac.pfsense.com/chngview?cn=14258
-
ok one last question how do i reload the /tmp/rules.debug will come back to you tomorrow
-
sorted it looks impossible with the nc bit on the end.
-
think i have it scott
19000 stream udp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.200.200 161
this nc needs a -u option to get udp
as per
http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1&manpath=OpenBSD+3.9
the only other error that i saw was to do with this line which you seem to be working on. this line always shows up tcp not udp
pass in quick on $lan inet proto tcp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
-
line 919 fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 {$target} {$loc_pt}\n");
change this to
fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 -u {$target} {$loc_pt}\n");the problem with this seems to be that this line even though the case is udpsets both tcp and udp streams???? i am sure you might know what this means
line 1891 $ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
change this to
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";hope it helps alan
-
Please issue these commands to test:
fetch -o /etc/inc/ http://www.pfsense.com/~sullrich/filter.inc
/etc/rc.filter_configure -
switch($rule['protocol']) {
case "tcp/udp":
$protocol = "{ tcp udp }";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break;
case "tcp":
case "udp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break;
default:
break;
}**You need to add the case for tcp otherwise tcp get udp case set
the stream looks good but the local host rule needs the tcp case filled in i tested this and it worked fine
case "tcp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label "NAT REFLECT: Allow traffic to localhost"\n";
break**; -
There is no break, it automatically hits the next case.
-
ok sorry i just stripped you code when pasting not mine
-
one last thing you have an extra white space on the udp stream now.
i did them both in clean cases before and all worked wellfor the inetd i added info the the tcp case and the upd case as i did in the localhost allow rule your
solution was definatly neater but there is a whitespace issue -
Please test the file that I posted. It really should be working now.
-
one last thing you have an extra white space on the udp stream now.
i did them both in clean cases before and all worked wellfor the inetd i added info the the tcp case and the upd case as i did in the localhost allow rule your
solution was definatly neater but there is a whitespace issueNot sure what you mean. Please show me either the generated rules from rules.debug or the netcat entries from inetd.conf
-
19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 192.168.200.200 161
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.200.200 8000