
Author Topic: nat reflection and udp  (Read 19197 times)


Offline sullrich

Re: nat reflection and udp
« Reply #30 on: September 09, 2006, 06:08:43 pm »
Yeah it doesn't look "good" but it should work..

Offline aldo

Re: nat reflection and udp
« Reply #31 on: September 09, 2006, 06:11:37 pm »

# NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"

Offline aldo

Re: nat reflection and udp
« Reply #32 on: September 09, 2006, 06:12:32 pm »
/* $Id: filter.inc,v 1.575.2.248 2006/09/09 22:53:48 sullrich Exp $ */

Offline aldo

Re: nat reflection and udp
« Reply #33 on: September 09, 2006, 06:14:36 pm »
This definitely works correctly here:

switch($rule['protocol']) {
    case "tcp/udp":
        $protocol = "{ tcp udp }";
        $ipfrules .= "pass in quick on \${$ifname_real} inet proto tcp from any to \$loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
        $ipfrules .= "pass in quick on \${$ifname_real} inet proto udp from any to \$loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
        break;
    case "tcp":
        $protocol = $rule['protocol'];
        $ipfrules .= "pass in quick on \${$ifname_real} inet proto tcp from any to \$loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
        break;
    case "udp":
        $protocol = $rule['protocol'];
        $ipfrules .= "pass in quick on \${$ifname_real} inet proto udp from any to \$loopback port {$starting_localhost_port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
        break;
    default:
        break;
}

# NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"

Offline sullrich

Re: nat reflection and udp
« Reply #34 on: September 09, 2006, 06:17:41 pm »
You're not making any sense.  Are you saying what is committed does not work?  There is no difference: the udp case gets hit for tcp *OR* udp since there is no break.

Watch this example program:

<?php

$protocol = "tcp";

switch($protocol) {
        case "tcp":
        case "udp":
                echo "case met";

}

?>

# php -f test.php
case met#

As you can see, since there is no break, the case "udp" gets processed for either.

Now consider this:

<?php

$protocol = "udp";

switch($protocol) {
        case "tcp":
        case "udp":
                echo "case met";

}

?>


# php -f test.php
case met#

As you can see you do not need to do it your way.


Offline aldo

Re: nat reflection and udp
« Reply #35 on: September 09, 2006, 06:20:09 pm »
I agree, but that was the result.

Offline sullrich

Re: nat reflection and udp
« Reply #36 on: September 09, 2006, 06:24:39 pm »
Rerun the commands that I mentioned earlier.  I have updated the file to cover the tcp case either way.

I know for a fact that if other devs catch wind of this they are not going to like it.  I would have to agree with them, this should not be necessary.

Offline aldo

Re: nat reflection and udp
« Reply #37 on: September 09, 2006, 06:46:52 pm »
I see the issue, Scott.

Make the udp case empty above the tcp case and fill in the tcp case, but then look at your working cases in the rdr sections; there is the issue.
I reran the commands, but there is an error in the filter.inc on 389 or thereabouts now as well; I fixed an if that was missing an I.

Roll it back, Scott; I will work on it tomorrow. I understand what you are trying to achieve now and how you should do it using your method.
I will have better resources tomorrow; I am at home at the moment and it is 1am.

I will send you the diffs tomorrow for your review.

Offline aldo

Re: nat reflection and udp
« Reply #38 on: September 09, 2006, 07:20:17 pm »
OK, I think you will be happy with the localhost rules but not so pleased with the nc inetd bits.
Have a look and let me know.

It works perfectly, and that was my goal.

Offline sullrich

Re: nat reflection and udp
« Reply #39 on: September 09, 2006, 07:27:44 pm »
Looks like you started with a dated filter.inc.

Can you:

#1 update your filter.inc and make the changes again
#2 send a diff -u patch?  I need to also make these changes in -HEAD which this will assist with

Offline aldo

Re: nat reflection and udp
« Reply #40 on: September 09, 2006, 07:41:48 pm »
Will do it tomorrow for you; got it working on a 7-9-06 box.

So I will diff for you when I can.

Offline sullrich

Re: nat reflection and udp
« Reply #41 on: September 09, 2006, 07:51:19 pm »
You need to include the latest and greatest filter.inc.

http://pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/filter.inc?only_with_tag=RELENG_1

Offline aldo

Re: nat reflection and udp
« Reply #42 on: September 10, 2006, 05:19:45 pm »
Synced my dev build just now and rebuilt; diff attached.

Offline sullrich

Re: nat reflection and udp
« Reply #43 on: September 10, 2006, 05:27:40 pm »
Thanks, I've committed a slightly different version.

$rule['protocol'] should be used instead of the hard coded udp value since that case can trip for tcp or udp.

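The fall-through behaviour from Reply #34 and the $rule['protocol'] fix from Reply #43, side by side as an added example (this is not filter.inc or any code from the thread; the function names, the sample $rule array and port 19001 are constructed, while $ifname_real and $loopback follow the snippet quoted above).

```php
<?php
// Added example, not pfSense's filter.inc: models the NAT reflection rule
// generator discussed in this thread. Function names, the sample $rule and
// the port are constructed for illustration.

function reflect_pass_rule(string $ifname_real, string $proto, int $port): string {
    // One "NAT REFLECT" pass rule in the shape filter.inc emits, for one protocol.
    return "pass in quick on \${$ifname_real} inet proto {$proto} from any to \$loopback "
         . "port {$port} keep state label \"NAT REFLECT: Allow traffic to localhost\"\n";
}

// The shape that caused the thread: "tcp" falls through into "udp", and the
// shared body hard-codes udp, so a tcp-only rdr gets a udp pass rule.
function reflect_rules_buggy(array $rule, string $ifname_real, int $port): string {
    $out = "";
    switch ($rule['protocol']) {
        case "tcp/udp":
            $out .= reflect_pass_rule($ifname_real, "tcp", $port);
            $out .= reflect_pass_rule($ifname_real, "udp", $port);
            break;
        case "tcp":
        case "udp":
            $out .= reflect_pass_rule($ifname_real, "udp", $port); // wrong when protocol is tcp
            break;
    }
    return $out;
}

// The fix described in Reply #43: keep the fall-through, but emit
// $rule['protocol'] so the single body is correct for either value.
function reflect_rules_fixed(array $rule, string $ifname_real, int $port): string {
    $out = "";
    switch ($rule['protocol']) {
        case "tcp/udp":
            $out .= reflect_pass_rule($ifname_real, "tcp", $port);
            $out .= reflect_pass_rule($ifname_real, "udp", $port);
            break;
        case "tcp":
        case "udp":
            $out .= reflect_pass_rule($ifname_real, $rule['protocol'], $port);
            break;
    }
    return $out;
}

// Constructed sample: a tcp-only port forward reflected onto localhost port 19001.
$rule = ['protocol' => 'tcp'];
echo "buggy:\n" . reflect_rules_buggy($rule, 'lan', 19001);
echo "fixed:\n" . reflect_rules_fixed($rule, 'lan', 19001);
```

The buggy generator prints a "proto udp" rule for the tcp forward, which is the output reported earlier in the thread; the fixed one prints "proto tcp".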
Offline aldo

Re: nat reflection and udp
« Reply #44 on: September 10, 2006, 05:37:29 pm »
OK, will test this case for you.
Thanks for wasting all that time, Scott; I know what to do next time.