Nat reflection and udp
-
gotyou
/etc/inc/filter.inc
ok line 844 has a case for udp that is empty
there is another one a little lower than that.
The same code handles tcp and udp. This is normal for case type statements.
i am still looking for the rest of it.
how much was the bounty for this, scott? can we afford to pay it? was it a big one?
$1500
-
aldo, please check out http://cvstrac.pfsense.com/chngview?cn=14258
-
ok one last question: how do i reload /tmp/rules.debug? will come back to you tomorrow
-
sorted. it looks impossible with the nc bit on the end.
-
think i have it scott
19000 stream udp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.200.200 161
this nc needs a -u option to get udp
as per
http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1&manpath=OpenBSD+3.9
the only other error that i saw was to do with this line, which you seem to be working on. this line always shows up as tcp, not udp:
pass in quick on $lan inet proto tcp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
-
line 919:
fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 {$target} {$loc_pt}\n");
change this to
fwrite($inetd_fd, "{$starting_localhost_port}\tstream\t{$protocol}\tnowait/0\tnobody\t/usr/bin/nc nc -w 20 -u {$target} {$loc_pt}\n");
the problem with this seems to be that this line, even though the case is udp, sets both tcp and udp streams???? i am sure you might know what this means
line 1891:
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
change this to
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
hope it helps
alan
-
Please issue these commands to test:
fetch -o /etc/inc/ http://www.pfsense.com/~sullrich/filter.inc
/etc/rc.filter_configure
-
switch($rule['protocol']) {
case "tcp/udp":
$protocol = "{ tcp udp }";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
case "tcp":
case "udp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
default:
break;
}
You need to add the case for tcp, otherwise tcp gets the udp case set.
the stream looks good but the localhost rule needs the tcp case filled in. i tested this and it worked fine:
case "tcp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
-
There is no break, it automatically hits the next case.
-
ok sorry, i just stripped your code when pasting, not mine
-
one last thing: you have an extra white space on the udp stream now.
i did them both in clean cases before and all worked well. for the inetd i added info to the tcp case and the udp case, as i did in the localhost allow rule. your solution was definitely neater but there is a whitespace issue
-
Please test the file that I posted. It really should be working now.
-
Not sure what you mean. Please show me either the generated rules from rules.debug or the netcat entries from inetd.conf
-
19000 stream udp nowait/0 nobody /usr/bin/nc nc -u -w 20 192.168.200.200 161
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.200.200 8000
-
Yeah it doesn't look "good" but it should work..
-
/* $Id: filter.inc,v 1.575.2.248 2006/09/09 22:53:48 sullrich Exp $ */
-
this definitely works correctly here
switch($rule['protocol']) {
case "tcp/udp":
$protocol = "{ tcp udp }";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
case "tcp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto tcp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
case "udp":
$protocol = $rule['protocol'];
$ipfrules .= "pass in quick on ${$ifname_real} inet proto udp from any to $loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
break;
default:
break;
}
NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
-
You're not making any sense. Are you saying what is committed does not work? There is no difference, the udp case gets hit for tcp OR udp since there is no break.
Watch this example program:
<?php
$protocol = "tcp";
switch($protocol) {
case "tcp":
case "udp":
echo "case met";
}
?>
php -f test.php
case met#
As you can see since there is no break, the case "udp" gets processed for either.
Now consider this:
<?php
$protocol = "udp";
switch($protocol) {
case "tcp":
case "udp":
echo "case met";
}
?>
php -f test.php
case met#
As you can see you do not need to do it your way.
-
i agree but that was the result
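The disagreement in this thread is about what the shared tcp/udp case actually emits, not whether it is reached. The following is an added example, not code from pfSense's filter.inc: it builds the localhost rule and the inetd entry with the fall-through layout beside the per-protocol layout so the generated text can be compared directly. The helper names, the $iface argument and the sample ports are assumptions.

```php
<?php
// Added example (not pfSense's filter.inc). Helper names, $iface and
// the sample ports/target are assumed for illustration.

// One "pass in" rule for the reflected port on localhost.
function localhost_rule($iface, $proto, $port) {
    return "pass in quick on \${$iface} inet proto {$proto} from any to \$loopback "
         . "port {$port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
}

// inetd entry: only the udp relay gets "nc -u"; tcp must not have it.
function inetd_line($port, $proto, $target, $target_port) {
    $u = ($proto === 'udp') ? '-u ' : '';
    return "{$port}\tstream\t{$proto}\tnowait/0\tnobody\t/usr/bin/nc nc {$u}-w 20 {$target} {$target_port}\n";
}

// Layout discussed above: "tcp" has no body, so it falls through into the
// "udp" case and a tcp reflection rule is written with "proto udp".
function rules_fallthrough($iface, $proto, $port) {
    $out = '';
    switch ($proto) {
        case "tcp/udp":
            $out .= localhost_rule($iface, 'tcp', $port);
            $out .= localhost_rule($iface, 'udp', $port);
            break;
        case "tcp":
        case "udp":
            $out .= localhost_rule($iface, 'udp', $port);
            break;
    }
    return $out;
}

// Per-protocol version: each protocol in the rule gets its own pass rule.
function rules_fixed($iface, $proto, $port) {
    $out = '';
    foreach (($proto === 'tcp/udp') ? ['tcp', 'udp'] : [$proto] as $p) {
        $out .= localhost_rule($iface, $p, $port);
    }
    return $out;
}

echo "fall-through, tcp rule:\n", rules_fallthrough('lan', 'tcp', 19001);
echo "per-protocol, tcp rule:\n", rules_fixed('lan', 'tcp', 19001);
echo "inetd entries:\n",
     inetd_line(19000, 'udp', '192.168.200.200', 161),
     inetd_line(19002, 'tcp', '192.168.200.200', 8000);
```

Running it shows the fall-through layout printing "proto udp" for the tcp rule, while the per-protocol layout prints "proto tcp"; the inetd lines match the two entries quoted earlier in the thread.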