NAT reflection broken in 2.0? (SOLVED)



  • My fiancee's work VPN hijacks DNS so she can't get to email on the LAN, since it sends her to the outside IP.  I turned on NAT reflection, but when I try to connect to a port that is reflected, I see:

    usage: nc [-46DdEhklnrStUuvz] [-e policy] [-I length] [-i interval] [-O length]
              [-P proxy_username] [-p source_port] [-s source_ip_address] [-T ToS]
              [-V fib] [-w timeout] [-X proxy_protocol]
              [-x proxy_address[:port]] [hostname] [port]
    Connection closed by foreign host.
    
    

    snapshot from May 1st.



  • What does the rdr rule look like in /tmp/rules.debug and what does the entry for it look like in /var/etc/inetd.conf?  I can probably figure out what is going on if I have those two pieces of information.



  • Looking through the history of the port forward and reflection code, I see a couple potential issues from around that time, so it may not be an issue in newer snapshots.  One issue is that there was a change to the port forwards to allow options for the source and more options for the destination, but the upgrade code for it was not fully fixed until a few days after that snapshot.  If you have already fixed the port forwards that were not upgraded properly it will not be an issue, though.  There were also some cases in NAT reflection and port forwards in general that didn't get fixed before the changes for those extra options were committed.  I made several changes to both a couple days after that snapshot was built.



  • Sorry, was too tired to pursue this last night.  The entries in /var/etc/inetd.conf are broken?  I will try a newer snapshot too.

    
    19000   dgram   udp     nowait/0        nobody  /usr/bin/nc     nc -u -w 2000   10.0.0.1 514
    19001   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 22
    19002   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
    19003   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
    19004   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 25
    19005   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
    19006   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 143
    19007   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
    19008   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 993
    19003   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
    19004   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
    19005   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 80
    19006   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
    19007   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 443
    
    and
    
    rdr-anchor "relayd/*"
    rdr-anchor "tftp-proxy/*"
    rdr on re0 proto udp from any to    port 514  -> $sphinx
    rdr on {  re1 openvpn } proto udp from any to 173.48.201.X port 514 tag PFREFLECT -> 127.0.0.1 port 19000
    rdr on re0 proto tcp from any to    port 2222  -> $sphinx port 22
    rdr on {  re1 openvpn } proto tcp from any to 173.48.201.X port 2222 tag PFREFLECT -> 127.0.0.1 port 19001
    rdr on re0 proto tcp from any to    port $mailports  -> $sphinx
    rdr on {  re1 openvpn } proto tcp from any to 173.48.201.X port $mailports tag PFREFLECT -> 127.0.0.1 port 19002
    rdr on re0 proto tcp from any to    port $webports  -> $sphinx
    rdr on {  re1 openvpn } proto tcp from any to 173.48.201.X port $webports tag PFREFLECT -> 127.0.0.1 port 19003
    rdr on re0 proto udp from any to    port 10000:19999 -> 10.0.0.7 port 10000:19999
    
    

    (sanitized last octet from public IP)



  • Hmmm, I upgraded to the snapshot from May 26.  Now, it is completely absent, e.g. even with both "disable NAT" boxes unchecked, no rdr or inetd.conf entries are created at all?



  • It looks like your port forwards have their destination address (external address) messed up from the upgrade.  You will need to fix all of them.  Snapshots from a few days after the May 1st one and any after will upgrade it properly, but if the damage has already been done it won't automatically fix it for you.  It will not create reflection rules when the address is absent because of the port forwards that were not properly upgraded (I added a check for blank addresses because of the unwanted effects it would have if reflection allowed it).

    Also, it looks like it is messing up on your port aliases.  As far as I know, reflection might work with aliases that only specify one port but never was made to work on aliases with multiple ports, so reflection still might not work for some of your port forwards after you fix them.

    Is this a full install or NanoBSD?  If it is the full version and if you would like to try something that would make port aliases work 100% on reflection, you could use gitsync to merge in changes from a branch of mine that has to do with a rewrite of NAT reflection on port forwards (reflection on 1:1 mappings is related to the rewritten implementation and also came from that branch).  If you are interested, I'll post details on how to use gitsync to merge it in.
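The two failure modes described in this reply (port forwards whose external destination address went blank in the upgrade, so no reflection rule is generated, and reflected rules that point at a port alias) can be spotted from the two files the thread already asked for. The checker below is an added example, not pfSense code: it parses `/var/etc/inetd.conf` listener lines and the `rdr` rules from `/tmp/rules.debug` in the formats posted above and reports the defects that produce the `nc` usage message (a listener with a host but no destination port, duplicate listener ports, blank destination addresses, reflected port aliases). The embedded samples are constructed from the thread's own output with the public IP replaced by the documentation address 203.0.113.1.

```python
"""Sanity-check pfSense 2.0 NAT reflection artifacts (added example, not pfSense code).

Parses the inetd.conf listeners and pf rdr rules in the formats posted in the
thread and reports the defects that break reflection.
"""
import re
from collections import Counter

# Constructed sample: subset of the posted /var/etc/inetd.conf, same defects.
INETD_SAMPLE = """\
19000   dgram   udp     nowait/0        nobody  /usr/bin/nc     nc -u -w 2000   10.0.0.1 514
19001   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 22
19002   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
19003   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1
19003   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000   10.0.0.1 80
"""

# Constructed sample: subset of the posted rdr rules, public IP replaced by 203.0.113.1.
RDR_SAMPLE = """\
rdr-anchor "relayd/*"
rdr on re0 proto udp from any to    port 514  -> $sphinx
rdr on {  re1 openvpn } proto udp from any to 203.0.113.1 port 514 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on re0 proto tcp from any to    port $mailports  -> $sphinx
rdr on {  re1 openvpn } proto tcp from any to 203.0.113.1 port $mailports tag PFREFLECT -> 127.0.0.1 port 19002
rdr on re0 proto udp from any to    port 10000:19999 -> 10.0.0.7 port 10000:19999
"""

# rdr on <iface or {list}> proto <p> from any to [<addr>] port <port> [tag <t>] -> <target> [port <tport>]
RDR_RE = re.compile(
    r"^rdr on (\{[^}]*\}|\S+) proto (\w+) from any to\s+(?:(\S+)\s+)?port (\S+)"
    r"(?:\s+tag (\S+))?\s+->\s+(\S+)(?:\s+port (\S+))?\s*$"
)


def parse_inetd(text):
    """Return the nc listeners as dicts: listen port, proto, target host, target port."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "/usr/bin/nc":
            continue
        args = fields[7:]  # tokens after argv[0] "nc"
        positional, i = [], 0
        while i < len(args):
            if args[i] == "-w":           # -w takes a timeout argument
                i += 2
            elif args[i].startswith("-"):  # flags such as -u take none
                i += 1
            else:
                positional.append(args[i])
                i += 1
        entries.append({
            "listen": int(fields[0]), "proto": fields[2],
            "host": positional[0] if positional else None,
            "port": positional[1] if len(positional) > 1 else None,
        })
    return entries


def inetd_problems(entries):
    """A listener with no destination port makes nc print its usage and exit."""
    problems = [f"listener {e['listen']}: nc has host {e['host']} but no destination port"
                for e in entries if e["port"] is None]
    counts = Counter(e["listen"] for e in entries)
    problems += [f"listener {port}: duplicate listener port ({n} entries)"
                 for port, n in sorted(counts.items()) if n > 1]
    return problems


def parse_rdr(text):
    """Return the rdr rules as dicts; rdr-anchor and non-matching lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            iface, proto, dst, dport, tag, target, tport = m.groups()
            rules.append({"iface": iface, "proto": proto, "dst": dst, "dport": dport,
                          "tag": tag, "target": target, "tport": tport})
    return rules


def rdr_problems(rules):
    """Blank destination address => no reflection rule; reflected alias => may not work."""
    problems = []
    for r in rules:
        where = f"{r['proto']} port {r['dport']} on {r['iface']}"
        if r["tag"] is None and r["dst"] is None:
            problems.append(f"{where}: port forward has a blank destination address; "
                            "no reflection rule will be generated for it")
        if r["tag"] == "PFREFLECT" and r["dport"].startswith("$"):
            problems.append(f"{where}: reflected port alias {r['dport']}; "
                            "only single-port aliases are known to work")
    return problems


def report(inetd_text=INETD_SAMPLE, rdr_text=RDR_SAMPLE):
    """Combined findings for both files, in file order."""
    return inetd_problems(parse_inetd(inetd_text)) + rdr_problems(parse_rdr(rdr_text))


if __name__ == "__main__":
    for line in report():
        print(line)
```

On a live box the same functions can be fed `open("/var/etc/inetd.conf").read()` and `open("/tmp/rules.debug").read()`; every port forward listed with a blank destination address is one that has to be re-entered, and the duplicate listener ports explain why several forwards end up on the wrong `nc` target.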



  • Thanks, but I think I'll just recreate the port forward rules.  This is my production gateway, so not feeling that adventurous :)



  • Thanks, that did it :)