Author Topic: nat reflection and udp  (Read 19212 times)

aldo
nat reflection and udp
« on: September 07, 2006, 03:38:24 pm »
I know there have been some conversations about this in the last while; I just hope someone can conclude it for me.

On an RC2 box, when NAT reflection is enabled it sends LAN to 127.0.0.1 UDP 8001;
the other half, though, goes 127.0.0.1 TCP 8001 to the OPT1 server.

I just can't find exactly where this commit was made to CVS.

Look forward to the reply.

sullrich
Re: nat reflection and udp
« Reply #1 on: September 07, 2006, 04:07:02 pm »
RC2 is old. Upgrade, please.

aldo
Re: nat reflection and udp
« Reply #2 on: September 07, 2006, 04:30:02 pm »
RC2 is old. Upgrade, please.
But I don't see a commit since then on this issue?
'Tis OK, I will test it again tomorrow on tonight's build and check it out.

aldo
Re: nat reflection and udp
« Reply #3 on: September 08, 2006, 01:39:57 am »
OK, upgraded to snapshot 07-09.

rdr on lan proto udp from any to xxx.xxx.xxx.xxx/32 -> 127.0.0.1 port 19006   (this line looks fine)
pass in on lan proto tcp from any to 127.0.0.1 port 19006                     (this line is the problem)

These rules are not 100% as they are from memory, but the problem is correct.

Where does 127.0.0.1:19006 go to? I would guess it is a stream of some sort, but I cannot seem to find it.
I guess this is also wrong, as I have added a rule to my user-defined rules like so, with no success:

pass in on lan proto udp from any to 127.0.0.1 port 19006

I can try to put some better logging on this; maybe I can get a test up on it tomorrow to give further information.
Can someone answer me about what happens in the loopback and how it gets to the DMZ server that I am aiming for?

The DMZ server is working externally and there is nothing hitting it. Please believe me, I have been attempting to get this working right for
some time in my own world, but with little success, as I am lost in the loopback address routing.

regards

Alan

hoba
Re: nat reflection and udp
« Reply #4 on: September 08, 2006, 01:54:50 am »
See http://www.openbsd.org/faq/pf/rdr.html#tcpproxy for further reference. However, it seems to be only a TCP proxy, now that I read through it. Looks like UDP won't work with that  :-\

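A pf ruleset that makes the two halves of reflection explicit, as an added illustration and not pfSense's generated rules (interface names, addresses and ports are assumed; the syntax is the OpenBSD 3.x / FreeBSD 6 pf dialect of that era). The TCP half is redirected to a loopback listener where a userland proxy picks it up, as in the FAQ's tcpproxy scheme. Because pf applies rdr before the filter rules are evaluated, the pass rule that admits that traffic has to name the translated destination, 127.0.0.1 port 19006, not the public address the client typed. The UDP half skips the proxy entirely and is redirected straight to the DMZ host, which pf's state table can carry in both directions without any userland helper.

```conf
# Added illustration, not pfSense's generated /tmp/rules.debug.
# Every name, address and port below is assumed for the example.
ext_if  = "fxp0"
lan_if  = "fxp1"
dmz_if  = "fxp2"
wan_ip  = "203.0.113.10"
lan_net = "192.168.1.0/24"
dmz_srv = "10.0.2.5"
svc     = "8001"

# 1. Ordinary port forward from the Internet to the DMZ server.
rdr on $ext_if proto { tcp, udp } from any to $wan_ip port $svc -> $dmz_srv port $svc

# 2a. Reflection, TCP half: hand LAN clients to a loopback proxy (FAQ tcpproxy).
#     inetd listens on 127.0.0.1:19006 and relays each connection to $dmz_srv.
rdr on $lan_if proto tcp from $lan_net to $wan_ip port $svc -> 127.0.0.1 port 19006

# 2b. Reflection, UDP half: there is no connection for a proxy to relay, so
#     redirect the datagrams straight to the DMZ host; the state entry pf
#     creates on the first packet carries the replies back to the client.
rdr on $lan_if proto udp from $lan_net to $wan_ip port $svc -> $dmz_srv port $svc

# If clients and server ever share a subnet, the server would answer the
# client directly and bypass the state; a source NAT on that interface
# keeps the firewall in the reply path (OpenBSD FAQ "Redirection and Reflection"):
# nat on $dmz_if proto { tcp, udp } from $dmz_if:network to $dmz_srv port $svc -> $dmz_if

# Filter rules see the packet AFTER translation, so match the rdr target,
# never the public address. "keep state" is explicit because this pf
# generation did not add it by default.
pass in on $ext_if proto { tcp, udp } from any     to $dmz_srv port $svc   keep state
pass in on $lan_if proto tcp          from $lan_net to 127.0.0.1 port 19006 keep state
pass in on $lan_if proto udp          from $lan_net to $dmz_srv port $svc   keep state
# The proxy's own outbound leg originates on the firewall itself.
pass out on $dmz_if proto tcp from ($dmz_if) to $dmz_srv port $svc keep state
```

Loading this with `pfctl -nf pf.conf` checks the syntax without activating it; `pfctl -s state` afterwards shows the UDP state pairing the LAN client with $dmz_srv, which is the visible sign that the reflected datagram was translated rather than dropped.
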
aldo
Re: nat reflection and udp
« Reply #5 on: September 08, 2006, 04:31:31 pm »
That's how I thought it would work. I was wondering where the config was for the streams; then at least I could get it right and test UDP and see if it works.
I use UDP streams using inetd-like ideas in Linux and it works fine.

What file are the streams stored in? I guess a netstat will tell me what is running?

aldo
Re: nat reflection and udp
« Reply #6 on: September 09, 2006, 02:01:54 pm »
I know there have been some conversations about this in the last while; I just hope someone can conclude it for me.

On an RC2 box, when NAT reflection is enabled it sends LAN to 127.0.0.1 UDP 8001;
the other half, though, goes 127.0.0.1 TCP 8001 to the OPT1 server.

I just can't find exactly where this commit was made to CVS.

Look forward to the reply.

Well, it seems to be physically possible to do this with UDP as well. Would you like me to bug-track this, or will you just remove UDP support?
Sorry, the code is a little hard for me to flow through; PHP is not really a strong suit of mine.

Tested streaming UDP through inetd; it seems to be OK though.

sullrich
Re: nat reflection and udp
« Reply #7 on: September 09, 2006, 02:46:12 pm »
Please try the latest snapshot.

aldo
Re: nat reflection and udp
« Reply #8 on: September 09, 2006, 02:58:57 pm »
Scott, there have been no changes made since the 07/09/06 snapshot that I used. Where is the code change in relation to this,
unless I have missed something in the CVSTrac?

sullrich
Re: nat reflection and udp
« Reply #9 on: September 09, 2006, 03:11:57 pm »
Yes, you have missed some items in cvstrac. Please test the latest version.

aldo
Re: nat reflection and udp
« Reply #10 on: September 09, 2006, 03:14:53 pm »
OK, I will check the CVSTrac for the items you mention and test it then. Thanks.

aldo
Re: nat reflection and udp
« Reply #11 on: September 09, 2006, 03:27:15 pm »
OK, upgraded to snapshot 07-09.

rdr on lan proto udp from any to xxx.xxx.xxx.xxx/32 -> 127.0.0.1 port 19006   (this line looks fine)
pass in on lan proto tcp from any to 127.0.0.1 port 19006                     (this line is the problem)

These rules are not 100% as they are from memory, but the problem is correct.

Where does 127.0.0.1:19006 go to? I would guess it is a stream of some sort, but I cannot seem to find it.
I guess this is also wrong, as I have added a rule to my user-defined rules like so, with no success:

pass in on lan proto udp from any to 127.0.0.1 port 19006

I can try to put some better logging on this; maybe I can get a test up on it tomorrow to give further information.
Can someone answer me about what happens in the loopback and how it gets to the DMZ server that I am aiming for?

The DMZ server is working externally and there is nothing hitting it. Please believe me, I have been attempting to get this working right for
some time in my own world, but with little success, as I am lost in the loopback address routing.

regards

Alan

sullrich
Re: nat reflection and udp
« Reply #12 on: September 09, 2006, 03:30:28 pm »
Grmbl. At this point we should just disable UDP and add this to the FAQ. Reflection was a mistake from the get-go. Since the sponsor of the feature decided to eat and run, it has really left us in an awkward position to be happy about fixing this pile of crap.

aldo
Re: nat reflection and udp
« Reply #13 on: September 09, 2006, 03:32:57 pm »
I empathise with you anyway, Scott. Give me a few tips and I can look at it. I just need to know how the inetd is called; I am presently guessing it is being called at the command line for each reflection, as I can't find a .conf for it anywhere.

sullrich
Re: nat reflection and udp
« Reply #14 on: September 09, 2006, 03:34:04 pm »
Look in /var/etc/inetd.conf
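For comparison, the inetd side of the loopback proxy, written in the style of the OpenBSD FAQ tcpproxy entry linked above rather than copied from pfSense's /var/etc/inetd.conf (added illustration; the loopback port, DMZ address, service port and nc path are assumed). The TCP line works because inetd accepts each incoming connection on 127.0.0.1:19006 and hands the already-connected socket to nc, which opens its own TCP connection to the DMZ host and copies bytes both ways. The commented UDP line shows why the same trick has nothing to relay for datagrams.

```conf
# Added illustration in the style of the OpenBSD PF FAQ, not pfSense's own
# generated inetd.conf. Address, ports and nc path are assumed.
#
# FreeBSD inetd accepts "address:port" in the service field, so the proxy
# listens on loopback only and is reachable solely through the rdr rule.
#
# TCP: one nc per accepted connection; -w 20 drops idle relays after 20 s.
127.0.0.1:19006 stream tcp nowait nobody /usr/bin/nc nc -w 20 10.0.2.5 8001

# UDP cannot be proxied this way. A "dgram udp wait" service hands the single
# unconnected listening socket to one process, which then owns every client's
# datagrams; nc can forward them to the server but has no per-client peer to
# return the answers to, so replies never reach the LAN host. Left commented
# to show the shape of what does NOT work:
# 127.0.0.1:19006 dgram udp wait nobody /usr/bin/nc nc -u -w 20 10.0.2.5 8001
```

After editing, `kill -HUP` the inetd process so it re-reads the file, then `sockstat -4l | grep 19006` (or `netstat -an | grep 19006`) confirms the loopback listener exists; if it is missing, the rdr to 127.0.0.1 sends the reflected TCP connection to a closed port and the LAN client sees a reset rather than the DMZ service.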