Topic: nat reflection and udp

aldo
Re: nat reflection and udp
« Reply #45 on: September 11, 2006, 08:30:12 am »
THE BAD NEWS ON REFLECTION

##########################
TEST WITH SCOTT'S COMMITTED FILTER.INC
##########################

#######
TEST1
udp rule
########

# NAT Inbound Redirects
rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129
# Reflection redirects
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
# NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"


Inetd conf
19000   stream  udp     nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161

##########
TEST 2
tcp rules
##########

# NAT Inbound Redirects
rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129
# Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
# NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"


Inetd conf
19002   stream  tcp     nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80

############
TEST3
tcp - udp rule
############

# NAT Inbound Redirects
rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129
# Reflection redirects
rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
# NAT Reflection rules
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19004   stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123





#############################

TEST WITH ALAN'S FILTER.INC using the variable in the udp case

############################

#######
TEST1
udp rule
########

# NAT Inbound Redirects
rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129
# Reflection redirects
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

# NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19000   stream  udp     nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161

##########


TEST 2
tcp rules
##########

# NAT Inbound Redirects
rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129
# Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

# NAT Reflection rules
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19002   stream  tcp     nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80

############
TEST3
tcp - udp rule
############

# NAT Inbound Redirects
rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129
# Reflection redirects
rdr on $lan proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004

# NAT Reflection rules
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

Inetd conf
19004   stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123


Conclusion: it just does not work the way you want it to.
Ports are not lining up right; tcp/udp should use two nc ports and not one.
I think you should remove the feature or really look hard at it.

sullrich
Re: nat reflection and udp
« Reply #46 on: September 11, 2006, 02:16:49 pm »
I will just remove.  I am really tired of reflection.

sullrich
Re: nat reflection and udp
« Reply #47 on: September 11, 2006, 03:11:31 pm »
I just committed a change to install both tcp and udp entries for reflection.  I am guessing this was the only bug that you are experiencing, but it's rather hard to tell from re-reading your text.

aldo
Re: nat reflection and udp
« Reply #48 on: September 11, 2006, 04:11:41 pm »
Will check it out again. I am getting a little tired of this one now, but if you want me to work on it I will let you know soon.

aldo
Re: nat reflection and udp
« Reply #49 on: September 11, 2006, 04:25:41 pm »
OK, I made three rules: 1 udp only, 1 tcp only and one tcp/udp.

19000   stream  udp     nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002   stream  tcp     nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19004   stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005   stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123

# NAT Inbound Redirects
rdr on vlan1 proto udp from any to 192.168.50.254 port { 161 } -> 10.250.100.129
# Reflection redirects
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000

rdr on vlan1 proto tcp from any to 192.168.50.254 port { 80 } -> 10.250.100.129
# Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002

rdr on vlan1 proto { tcp udp } from any to 192.168.50.254 port { 123 } -> 10.250.100.129
# Reflection redirects
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005


The rdr rules and the streams reconcile fine, but the localhost rules are messed up:

# NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"

As you can see there is nothing on 19001, on 19002 there should only be tcp, and there is nothing on 19003 or 4.
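The reconciliation aldo does by eye in this post (reflection rdr target port, inetd listener on that port, pass rule opening that loopback port) can be checked mechanically. The script below is an added example, not pfSense code and not anything from filter.inc. It takes the three blocks pasted in this post as its sample input (copied into the script so it runs offline), derives the protocol each inetd entry actually speaks from whether nc is invoked with -u, and reports every loopback port where the three pieces disagree. It assumes the rule lines have exactly the shapes shown in the thread (a reflection rdr ending in 127.0.0.1 port N, a proto field that is either one name or a { tcp udp } list, and a pass rule to $loopback); the finding kinds are names of my own.

```python
import re

# Sample input: the rdr rules, inetd.conf lines and pass rules as pasted in the
# post above (constructed from that post so the script runs offline).
RDR_RULES = """
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005
"""

INETD_CONF = """
19000   stream  udp     nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002   stream  tcp     nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19004   stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005   stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123
"""

PASS_RULES = """
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
"""

# Only the reflection rdr (the one that lands on 127.0.0.1) is parsed; the proto
# field may be a single name or a { tcp udp } list, as in the thread's TEST3.
RDR_RE = re.compile(
    r"rdr on \S+ proto (?P<proto>\{[^}]*\}|\S+) from any to \S+ "
    r"port \{ (?P<ext_port>\d+) \} -> 127\.0\.0\.1 port (?P<loop_port>\d+)"
)
PASS_RE = re.compile(
    r"pass in quick on \S+ inet proto (?P<proto>tcp|udp) from any to \$loopback "
    r"port (?P<loop_port>\d+)"
)


def parse_rdr(text):
    """(proto, loopback port) -> external port, one entry per protocol in the rule."""
    out = {}
    for m in RDR_RE.finditer(text):
        for proto in re.findall(r"tcp|udp", m["proto"]):
            out[(proto, int(m["loop_port"]))] = int(m["ext_port"])
    return out


def parse_inetd(text):
    """loopback port -> (proto nc speaks, target port, literal inetd proto field).

    The protocol is read off the nc command line: '-u' means UDP, otherwise TCP.
    """
    out = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].isdigit():
            continue
        port, proto_field, args = int(fields[0]), fields[2], fields[6:]
        nc_proto = "udp" if "-u" in args else "tcp"
        out[port] = (nc_proto, int(args[-1]), proto_field)
    return out


def parse_pass(text):
    """Set of (proto, loopback port) the pass rules open."""
    return {(m["proto"], int(m["loop_port"])) for m in PASS_RE.finditer(text)}


def reconcile(rdr_text, inetd_text, pass_text):
    """Return (kind, proto, loopback port, detail) for every place the three disagree."""
    rdr, inetd, passes = parse_rdr(rdr_text), parse_inetd(inetd_text), parse_pass(pass_text)
    findings = []
    for (proto, lport), ext_port in sorted(rdr.items()):
        entry = inetd.get(lport)
        if entry is None:
            findings.append(("no-listener", proto, lport, "no inetd entry on this port"))
        else:
            nc_proto, target, proto_field = entry
            if nc_proto != proto:
                findings.append(("proto-mismatch", proto, lport,
                                 f"inetd field '{proto_field}', nc runs as {nc_proto}"))
            if target != ext_port:
                findings.append(("port-mismatch", proto, lport,
                                 f"nc targets port {target}, rdr was for port {ext_port}"))
        if (proto, lport) not in passes:
            findings.append(("no-pass", proto, lport, "loopback port not allowed by a pass rule"))
    for proto, lport in sorted(passes - set(rdr)):
        findings.append(("stray-pass", proto, lport, "pass rule with no rdr behind it"))
    for lport in sorted(set(inetd) - {lp for _, lp in rdr}):
        findings.append(("orphan-listener", "-", lport, "inetd entry no rdr points at"))
    return findings


if __name__ == "__main__":
    for kind, proto, lport, detail in reconcile(RDR_RULES, INETD_CONF, PASS_RULES):
        print(f"{kind:16} {proto:4} {lport}  {detail}")
```

Run as-is it reports the two stray pass rules (tcp 19001, udp 19002) and the missing pass rules for 19004 and 19005 that the post describes. It also flags that the tcp rdr to 19004 lands on the inetd entry whose nc runs with -u (UDP) while the udp rdr to 19005 lands on the one that runs nc without it (TCP), a pairing the thread does not comment on. A stray pass rule to the loopback port is worth catching for the same reason as the missing ones: the pass rules should open exactly the loopback ports an rdr actually sends traffic to, nothing more.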

sullrich
Re: nat reflection and udp
« Reply #50 on: September 11, 2006, 04:33:54 pm »
Alrighty, thanks.  I just committed a fix for this.

aldo
Re: nat reflection and udp
« Reply #51 on: September 12, 2006, 10:26:11 am »
OK, will test this now. Thanks Scott, you're a hard worker. ::)

aldo
Re: nat reflection and udp
« Reply #52 on: September 12, 2006, 01:26:59 pm »
# NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state label "NAT REFLECT: Allow traffic to localhost"

The below is the same for rdrs and inetd streams:

rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19002
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19004
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19005

19000   stream  udp     nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19002   stream  tcp     nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19004   stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19005   stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123



aldo
Re: nat reflection and udp
« Reply #54 on: September 12, 2006, 03:45:21 pm »
# less /var/etc/inetd.conf
18999   stream  udp     nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 161
19000   stream  tcp     nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 80
19001   stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -u -w 20 10.250.100.129 123
19002   stream  tcp/udp nowait/0        nobody  /usr/bin/nc nc -w 20 10.250.100.129 123


# NAT Inbound Redirects
rdr on $lan proto udp from any to 192.168.50.254 port { 161 } -> 127.0.0.1 port 18999
rdr on $lan proto tcp from any to 192.168.50.254 port { 80 } -> 127.0.0.1 port 19000
rdr on $lan proto tcp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19001
rdr on $lan proto udp from any to 192.168.50.254 port { 123 } -> 127.0.0.1 port 19002


# NAT Reflection rules
pass in quick on $lan inet proto udp from any to $loopback port 19000 keep state  label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19001 keep state label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto tcp from any to $loopback port 19002 keep state  label "NAT REFLECT: Allow traffic to localhost"
pass in quick on $lan inet proto udp from any to $loopback port 19003 keep state  label "NAT REFLECT: Allow traffic to localhost"


Very close now.

sullrich
Re: nat reflection and udp
« Reply #55 on: September 12, 2006, 03:48:21 pm »
Committed.  Either search filter.inc for 18999 and change to 19000 or update to the latest RELENG_1 file.

aldo
Re: nat reflection and udp
« Reply #56 on: September 12, 2006, 03:55:34 pm »
OK, works, but only change the first instance to 19000; leave the second one at 18999.
