NAT reflection broken in 2.0? (SOLVED)
-
My fiancee's work VPN hijacks DNS so she can't get to email on the LAN, since it sends her to the outside IP. I turned on NAT reflection, but when I try to connect to a port that is reflected, I see:
usage: nc [-46DdEhklnrStUuvz] [-e policy] [-I length] [-i interval] [-O length] [-P proxy_username] [-p source_port] [-s source_ip_address] [-T ToS] [-V fib] [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]] [hostname] [port] Connection closed by foreign host.
snapshot from May 1st.
-
What does the rdr rule look like in /tmp/rules.debug and what does the entry for it look like in /var/etc/inetd.conf? I can probably figure out what is going on if I have those two pieces of information.
-
Looking through the history of the port forward and reflection code, I see a couple potential issues from around that time, so it may not be an issue in newer snapshots. One issue is that there was a change to the port forwards to allow options for the source and more options for the destination, but the upgrade code for it was not fully fixed until a few days after that snapshot. If you have already fixed the port forwards that were not upgraded properly it will not be an issue, though. There were also some cases in NAT reflection and port forwards in general that didn't get fixed before the changes for those extra options were committed. I made several changes to both a couple days after that snapshot was built.
-
Sorry, I was too tired to pursue this last night. The entries in /var/etc/inetd.conf are broken? I will try a newer snapshot too.
19000 dgram udp nowait/0 nobody /usr/bin/nc nc -u -w 2000 10.0.0.1 514
19001 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1 22
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1
19003 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1
19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1 25
19005 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1
19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1 143
19007 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1
19008 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1 993
19003 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1
19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1
19005 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1 80
19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1
19007 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1 443

and

rdr-anchor "relayd/*"
rdr-anchor "tftp-proxy/*"
rdr on re0 proto udp from any to port 514 -> $sphinx
rdr on { re1 openvpn } proto udp from any to 173.48.201.X port 514 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on re0 proto tcp from any to port 2222 -> $sphinx port 22
rdr on { re1 openvpn } proto tcp from any to 173.48.201.X port 2222 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on re0 proto tcp from any to port $mailports -> $sphinx
rdr on { re1 openvpn } proto tcp from any to 173.48.201.X port $mailports tag PFREFLECT -> 127.0.0.1 port 19002
rdr on re0 proto tcp from any to port $webports -> $sphinx
rdr on { re1 openvpn } proto tcp from any to 173.48.201.X port $webports tag PFREFLECT -> 127.0.0.1 port 19003
rdr on re0 proto udp from any to port 10000:19999 -> 10.0.0.7 port 10000:19999
(sanitized last octet from public IP)
-
Hmmm, I upgraded to the snapshot from May 26. Now it is completely absent, e.g. even with both "disable NAT" boxes unchecked, no rdr or inetd.conf entries are created at all?
-
It looks like your port forwards have their destination address (external address) messed up from the upgrade. You will need to fix all of them. Snapshots from a few days after the May 1st one and any after will upgrade it properly, but if the damage has already been done it won't automatically fix it for you. It will not create reflection rules when the address is absent because of the port forwards that were not properly upgraded (I added a check for blank addresses because of the unwanted effects it would have if reflection allowed it).
Also, it looks like it is messing up on your port aliases. As far as I know, reflection might work with aliases that only specify one port but never was made to work on aliases with multiple ports, so reflection still might not work for some of your port forwards after you fix them.
Is this a full install or NanoBSD? If it is the full version and you would like to try something that would make port aliases work 100% on reflection, you could use gitsync to merge in changes from a branch of mine that has to do with a rewrite of NAT reflection on port forwards (reflection on 1:1 mappings is related to the rewritten implementation and also came from that branch). If you are interested, I'll post details on how to use gitsync to merge it in.
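Added example, not from this thread or from pfSense itself: a small Python checker that walks the inetd.conf and rules.debug excerpts posted above and flags the two defects this reply describes, a WAN rdr whose destination address went missing in the upgrade and a reflection nc listener with no target port (the multi-port alias case), plus any mismatch between the PFREFLECT rdr rules and the inetd listeners. The sample data is the poster's own excerpt (sanitized public IP kept); the regexes and finding messages are my assumptions about how the generated files are laid out.

```python
import re

# Sample taken from the excerpt posted in this thread (public IP octet left sanitized).
INETD_CONF = """\
19000 dgram udp nowait/0 nobody /usr/bin/nc nc -u -w 2000 10.0.0.1 514
19001 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1 22
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1
"""
RULES_DEBUG = """\
rdr on re0 proto udp from any to port 514 -> $sphinx
rdr on { re1 openvpn } proto udp from any to 173.48.201.X port 514 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on re0 proto tcp from any to port 2222 -> $sphinx port 22
rdr on { re1 openvpn } proto tcp from any to 173.48.201.X port 2222 tag PFREFLECT -> 127.0.0.1 port 19001
rdr on re0 proto tcp from any to port $mailports -> $sphinx
rdr on { re1 openvpn } proto tcp from any to 173.48.201.X port $mailports tag PFREFLECT -> 127.0.0.1 port 19002
"""

INETD_RE = re.compile(r"^(\d+)\s+(?:dgram|stream)\s+(?:udp|tcp)\s+\S+\s+\S+\s+/usr/bin/nc\s+nc\s+(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
REFLECT_RE = re.compile(r"tag PFREFLECT -> 127\.0\.0\.1 port (\d+)$")  # reflection rdr target
BLANK_DST_RE = re.compile(r"\bfrom any to port\b")  # "to <addr> port" with the address missing

def check_reflection(inetd_text, rules_text):
    """Return a list of finding strings; an empty list means the two files agree."""
    findings = []
    listeners = {}  # inetd listen port -> (nc target ip, nc target port or None)
    for line in inetd_text.splitlines():
        m = INETD_RE.match(line)
        if not m:
            continue
        args = m.group(2).split()  # everything after the second "nc" token
        ip = next((a for a in args if IPV4_RE.match(a)), None)
        after = args[args.index(ip) + 1:] if ip else []
        port = after[0] if after and after[0].isdigit() else None
        listeners[m.group(1)] = (ip, port)
        if port is None:  # nc would connect to no port: alias with several ports
            findings.append(f"inetd {m.group(1)}: nc target {ip} has no port (multi-port alias?)")
    reflected = set()
    for line in rules_text.splitlines():
        if BLANK_DST_RE.search(line):  # port forward lost its external address
            findings.append(f"rdr with blank destination address: {line}")
        m = REFLECT_RE.search(line)
        if m:
            reflected.add(m.group(1))
            if m.group(1) not in listeners:
                findings.append(f"rdr reflects to 127.0.0.1:{m.group(1)} but inetd has no such listener")
    for lp in listeners:
        if lp not in reflected:
            findings.append(f"inetd {lp}: no PFREFLECT rdr points at it")
    return findings
```

Running `check_reflection(INETD_CONF, RULES_DEBUG)` on the posted excerpt reports the three WAN rdr rules with no destination address and the 19002 listener that has no target port, which are exactly the entries the reply above says must be recreated.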
-
Thanks, but I think I'll just recreate the port forward rules. This is my production gateway, so not feeling that adventurous :)
-
Thanks, that did it :)