Netgate Discussion Forum

Nat reflection and udp

NAT
    aldo
    last edited by Sep 10, 2006, 12:41 AM

    Will do it tomorrow for you; got it working on a 7-9-06 box.

    So will diff for you when I can.

      sullrich
      last edited by Sep 10, 2006, 12:51 AM

      You need to include the latest and greatest filter.inc.

      http://pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?only_with_tag=RELENG_1

        aldo
        last edited by Sep 10, 2006, 10:19 PM

        Synced my dev build just now and rebuilt; diff attached.

        diff2-filter.inc.txt

          sullrich
          last edited by Sep 10, 2006, 10:27 PM

          Thanks, I've committed a slightly different version.

          $rule['protocol'] should be used instead of the hard-coded udp value, since that case can trip for tcp or udp.

            aldo
            last edited by Sep 10, 2006, 10:37 PM

            OK, will test this case for you.
            Thanks for wasting all that time, Scott; I know what to do next time.

              aldo
              last edited by Sep 11, 2006, 1:30 PM

              THE BAD NEWS ON REFLECTION

              ##########################
              TEST WITH SCOTT'S COMMITTED FILTER.INC
              ##########################

              #######
              TEST1
              udp rule
              ########

              NAT Inbound Redirects

              rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

              Reflection redirects

              rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

              NAT Reflection rules

              pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"

              Inetd conf
              19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161

              ##########
              TEST 2
              tcp rules
              ##########

              NAT Inbound Redirects

              rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

              Reflection redirects

              rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

              NAT Reflection rules

              pass in quick on $lan inet proto udp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"

              Inetd conf
              19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80

              ############
              TEST3
              tcp - udp rule
              ############

              NAT Inbound Redirects

              rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

              Reflection redirects

              rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004

              NAT Reflection rules

              pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
              pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

              Inetd conf
              19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

              #############################

              TEST WITH ALAN'S FILTER.INC using the variable in the udp case

              ############################

              #######
              TEST1
              udp rule
              ########

              NAT Inbound Redirects

              rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

              Reflection redirects

              rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

              NAT Reflection rules

              pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"

              Inetd conf
              19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161

              ##########

              TEST 2
              tcp rules
              ##########

              NAT Inbound Redirects

              rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

              Reflection redirects

              rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

              NAT Reflection rules

              pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"

              Inetd conf
              19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80

              ############
              TEST3
              tcp - udp rule
              ############

              NAT Inbound Redirects

              rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

              Reflection redirects

              rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004

              NAT Reflection rules

              pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
              pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

              Inetd conf
              19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

              Conclusion: it just does not work the way you want it to.
              Ports are not lining up right; tcp/udp should use two nc ports and not one.
              I think you should remove the feature or really look hard at it.

                sullrich
                last edited by Sep 11, 2006, 7:16 PM

                I will just remove.  I am really tired of reflection.

                  sullrich
                  last edited by Sep 11, 2006, 8:11 PM

                  I just committed a change to install both tcp and udp entries for reflection.  I am guessing this was the only bug that you are experiencing, but it's rather hard to tell from re-reading your text.

                    aldo
                    last edited by Sep 11, 2006, 9:11 PM

                    Will check it out again. I am getting a little tired of this one now, but if you want me to work on it I will.
                    Let you know soon.

                      aldo
                      last edited by Sep 11, 2006, 9:25 PM

                      OK, I made three rules: 1 udp only, 1 tcp only and one tcp/udp.

                      19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
                      19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
                      19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
                      19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

                      NAT Inbound Redirects

                      rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129

                      Reflection redirects

                      rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

                      rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129

                      Reflection redirects

                      rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

                      rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129

                      Reflection redirects

                      rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
                      rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

                      The rdr rules and the streams reconcile fine, but the localhost rules are messed up.

                      NAT Reflection rules

                      pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
                      pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
                      pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
                      pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

                      As you can see there is nothing on 19001, on 19002 there should only be tcp, and there is nothing on 19003 or 4.

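The port drift aldo reports here, and in the earlier test post ("tcp/udp should use two nc ports and not one"), comes down to three artifacts that have to be generated from the same counter: the reflection rdr rules, the loopback pass rules and the inetd.conf listeners. The following is an added example, not pfSense's filter.inc and not code from anyone in the thread: a small Python generator that allocates one loopback port per (rule, protocol) pair, so a tcp/udp rule gets a tcp and a udp nc listener, plus a checker that reports rdr targets with no matching pass rule (and the reverse) or with no inetd listener. The line formats copy the thread's output; the class and function names are mine, and the "broken" sample set is quoted from the 9:25 PM post above.

```python
"""Added illustration (not pfSense's filter.inc): generate NAT-reflection
rdr rules, loopback pass rules and inetd.conf lines from one shared port
counter, and cross-check an existing set for ports that do not line up."""
from dataclasses import dataclass
import re


@dataclass
class NatRule:
    proto: str      # "tcp", "udp" or "tcp/udp"
    ext_addr: str   # address LAN clients connect to (the reflected address)
    ext_port: int
    target: str     # internal host the traffic is really destined for


START_PORT = 19000  # first loopback port, as in the thread


def expand_protocols(proto):
    """A tcp/udp rule needs one nc listener per protocol; nc cannot serve both."""
    return ["tcp", "udp"] if proto == "tcp/udp" else [proto]


def build_reflection(rules, start=START_PORT):
    """Return (rdr_rules, pass_rules, inetd_lines). Every (rule, protocol)
    pair draws its own loopback port from a single counter, so all three
    artifacts agree by construction. Formats follow the thread's examples."""
    port = start
    rdr, pas, inetd = [], [], []
    for r in rules:
        for p in expand_protocols(r.proto):
            rdr.append(f"rdr on $lan proto {p} from any to {r.ext_addr} "
                       f"port {{ {r.ext_port} }} -> 127.0.0.1 port {port}")
            pas.append(f"pass in quick on $lan inet proto {p} from any to $loopback "
                       f'port {port} keep state label "NAT REFLECT: Allow traffic to localhost"')
            nc_flags = "-u -w 20" if p == "udp" else "-w 20"
            inetd.append(f"{port}\tstream\t{p}\tnowait/0\tnobody\t"
                         f"/usr/bin/nc nc {nc_flags} {r.target} {r.ext_port}")
            port += 1
    return rdr, pas, inetd


RDR_RE = re.compile(r"rdr on \S+ proto (\w+) .*-> 127\.0\.0\.1 port (\d+)")
PASS_RE = re.compile(r"pass in quick on \S+ inet proto (\w+) from any to \$loopback port (\d+)")
INETD_RE = re.compile(r"^(\d+)\s+\S+\s+(\S+)\s")


def _pairs(regex, lines):
    """Collect (protocol, port) from every line the regex recognises."""
    out = set()
    for line in lines:
        m = regex.search(line)
        if m:
            out.add((m.group(1), int(m.group(2))))
    return out


def check_alignment(rdr, pas, inetd):
    """Return a list of (reason, protocol, port) tuples; empty when the three
    artifacts reference exactly the same (protocol, loopback port) pairs."""
    rdr_set = _pairs(RDR_RE, rdr)
    pass_set = _pairs(PASS_RE, pas)
    inetd_set = set()
    for line in inetd:
        m = INETD_RE.match(line.strip())
        if m:                       # a tcp/udp inetd entry covers both protocols
            for p in expand_protocols(m.group(2)):
                inetd_set.add((p, int(m.group(1))))
    problems = []
    problems += [("rdr without pass rule",) + k for k in sorted(rdr_set - pass_set)]
    problems += [("pass rule without rdr",) + k for k in sorted(pass_set - rdr_set)]
    problems += [("rdr without inetd listener",) + k for k in sorted(rdr_set - inetd_set)]
    return problems


# The three rules exercised in the thread.
THREAD_RULES = [
    NatRule("udp", "192.168.50.254", 161, "10.250.100.129"),
    NatRule("tcp", "192.168.50.254", 80, "10.250.100.129"),
    NatRule("tcp/udp", "192.168.50.254", 123, "10.250.100.129"),
]

# Misaligned output quoted from the thread (9:25 PM post): rdr targets and inetd
# listeners agree, but the pass rules were numbered from a different counter.
BROKEN_RDR = [
    "rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000",
    "rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002",
    "rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004",
    "rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005",
]
BROKEN_PASS = [
    'pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"',
    'pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"',
    'pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"',
    'pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"',
]
BROKEN_INETD = [
    "19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161",
    "19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80",
    "19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123",
    "19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123",
]

if __name__ == "__main__":
    rdr, pas, inetd = build_reflection(THREAD_RULES)
    print("\n".join(rdr + pas + inetd))
    for problem in check_alignment(BROKEN_RDR, BROKEN_PASS, BROKEN_INETD):
        print("mismatch:", *problem)
```

Run against the thread's three rules, the generator yields loopback ports 19000 (udp 161), 19001 (tcp 80), 19002 (tcp 123) and 19003 (udp 123) in all three artifacts, and the checker returns nothing. Fed the quoted set instead, it flags exactly what aldo points out: rdr targets 19004/tcp and 19005/udp have no pass rule, while pass rules 19001/tcp and 19002/udp have no rdr behind them.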
                        sullrich
                        last edited by Sep 11, 2006, 9:33 PM

                        Alrighty, thanks.  I just committed a fix for this.

                          aldo
                          last edited by Sep 12, 2006, 3:26 PM

                          OK, will test this now. Thanks Scott, you're a hard worker. ::)

                            aldo
                            last edited by Sep 12, 2006, 6:26 PM

                            NAT Reflection rules

                            pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
                            pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
                            pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
                            pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"

                            The below is the same for rdrs and inetd streams.

                            rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
                            rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
                            rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
                            rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

                            19000  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
                            19002  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
                            19004  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
                            19005  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

                              sullrich
                              last edited by Sep 12, 2006, 6:54 PM

                              Please test http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.260;content-type=text%2Fplain;only_with_tag=RELENG_1

                                aldo
                                last edited by Sep 12, 2006, 8:45 PM

                                less /var/etc/inetd.conf

                                18999  stream  udp    nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
                                19000  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
                                19001  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
                                19002  stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

                                NAT Inbound Redirects

                                rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 18999
                                rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19000
                                rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19001
                                rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19002

                                NAT Reflection rules

                                pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state  label "NAT REFLECT: Allow traffic to localhost"
                                pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
                                pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state  label "NAT REFLECT: Allow traffic to localhost"
                                pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state  label "NAT REFLECT: Allow traffic to localhost"

                                Very close now.

                                  sullrich
                                  last edited by Sep 12, 2006, 8:48 PM

                                  Committed.  Either search filter.inc for 18999 and change to 19000, or update to the latest RELENG_1 file.

                                    aldo
                                    last edited by Sep 12, 2006, 8:55 PM

                                    OK, works, but only change the first instance to 19000; leave the second one at 18999.

                                      sullrich
                                      last edited by Sep 12, 2006, 9:06 PM

                                      Woops.  Please test my latest filter.inc:

                                      http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?rev=1.575.2.262;content-type=text%2Fplain;only_with_tag=RELENG_1

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.