Netgate Discussion Forum
Nat reflection and udp

    aldo
    last edited by Sep 11, 2006, 9:11 PM

    Will check it out again. I am getting a little tired of this one now, but if you want me to work on it I will.
    Let you know soon.

      aldo
      last edited by Sep 11, 2006, 9:25 PM

      OK, I made three rules: 1 UDP only, 1 TCP only and one TCP/UDP.

      19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
      19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
      19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
      19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

      NAT Inbound Redirects

      rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

      Reflection redirects

      rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

      rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

      Reflection redirects

      rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

      rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

      Reflection redirects

      rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
      rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

      The rdr rules and the streams reconcile fine, but the localhost rules are messed up.

      NAT Reflection rules

      pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
      pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
      pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
      pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

      As you can see, there is nothing on 19001; on 19002 there should only be TCP; and there is nothing on 19003 or 4.

        sullrich
        last edited by Sep 11, 2006, 9:33 PM

        Alrighty, thanks. I just committed a fix for this.

          aldo
          last edited by Sep 12, 2006, 3:26 PM

          OK, will test this now. Thanks Scott, you're a hard worker. ::)

            aldo
            last edited by Sep 12, 2006, 6:26 PM

            NAT Reflection rules

            pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
            pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
            pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
            pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"

            The below is the same for rdrs and inetd streams.

            rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
            rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
            rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
            rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

            19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
            19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
            19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
            19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

              sullrich
              last edited by Sep 12, 2006, 6:54 PM

              Please test http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.260;content-type=text%2Fplain;only_with_tag=RELENG_1

                aldo
                last edited by Sep 12, 2006, 8:45 PM

                less /var/etc/inetd.conf

                18999  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
                19000  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
                19001  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
                19002  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

                NAT Inbound Redirects

                rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 18999
                rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19000
                rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19001
                rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19002

                NAT Reflection rules

                pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state  label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state  label "NAT REFLECT: Allow traffic to localhost"
                pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state  label "NAT REFLECT: Allow traffic to localhost"

                Very close now.

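As an added example (not code from this thread or from pfSense), a small Python checker that parses the three rule sets aldo pasted above and reports where the rdr target ports, the inetd nc streams and the NAT REFLECT pass rules disagree. The sample dumps are copied from that post; the parser assumes a stream really carries UDP only when nc is invoked with -u, regardless of the protocol column.

```python
import re

# Rule dumps copied from the post above: the three pieces pfSense 1.x generates for
# NAT reflection (rdr -> 127.0.0.1 port, inetd nc stream on that port, pf pass rule).
INETD = """\
18999  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19000  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19001  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19002  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123
"""
RDR = """\
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 18999
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19001
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19002
"""
PASS = """\
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"
"""
RDR_RE = re.compile(r"rdr on \S+ proto (\w+) .* port \{ (\d+) \} -> 127\.0\.0\.1 port (\d+)")
PASS_RE = re.compile(r"pass in quick on \S+ inet proto (\w+) .* \$loopback port (\d+)")

def parse_inetd(text):
    """localhost port -> (protocol nc really uses: udp only with -u, target port)."""
    rows = (l.split() for l in text.splitlines())
    return {int(f[0]): ("udp" if "-u" in f[6:] else "tcp", int(f[-1])) for f in rows if len(f) > 8}

def check_reflection(inetd_text, rdr_text, pass_text):
    """List every inconsistency between the rdr, inetd and pass rules (empty = consistent)."""
    inetd = parse_inetd(inetd_text)
    # (proto, external port, localhost port) per reflection rdr
    rdrs = [(m[1], int(m[2]), int(m[3])) for m in map(RDR_RE.search, rdr_text.splitlines()) if m]
    # (proto, localhost port) allowed by the NAT REFLECT pass rules
    passes = {(m[1], int(m[2])) for m in map(PASS_RE.search, pass_text.splitlines()) if m}
    problems = []
    for proto, ext, lport in rdrs:
        if (proto, lport) not in passes:
            problems.append(f"rdr {proto}/{ext} -> {lport}: no pass rule for {proto} to loopback port {lport}")
        if lport not in inetd:
            problems.append(f"rdr {proto}/{ext} -> {lport}: no inetd stream listening on {lport}")
        elif inetd[lport] != (proto, ext):
            problems.append(f"rdr {proto}/{ext} -> {lport}: inetd forwards {inetd[lport][0]} to port {inetd[lport][1]}")
    for proto, lport in sorted(passes):
        if not any(p == proto and l == lport for p, _, l in rdrs):
            problems.append(f"pass {proto} to loopback port {lport}: no rdr sends traffic there")
    return problems
```

Calling `check_reflection(INETD, RDR, PASS)` on the dump above returns eight problems, starting with the UDP rdr to port 18999 having no pass rule and including the 19001/19002 streams carrying the wrong protocol.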
                  sullrich
                  last edited by Sep 12, 2006, 8:48 PM

                  Committed. Either search filter.inc for 18999 and change to 19000 or update to the latest RELENG_1 file.

                    aldo
                    last edited by Sep 12, 2006, 8:55 PM

                    OK, works, but only change the first instance to 19000; leave the second one at 18999.

                      sullrich
                      last edited by Sep 12, 2006, 9:06 PM

                      Whoops. Please test my latest filter.inc:

                      http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.262;content-type=text%2Fplain;only_with_tag=RELENG_1

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.