Date:      Thu, 23 Jul 2015 11:46:25 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-net@FreeBSD.org
Subject:   [Bug 201590] Zerowindow packets escape stateful in-kernel NAT
Message-ID:  <bug-201590-2472-ncD1ebCNTQ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-201590-2472@https.bugs.freebsd.org/bugzilla/>
References:  <bug-201590-2472@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201590

smithi@nimnet.asn.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |smithi@nimnet.asn.au

--- Comment #6 from smithi@nimnet.asn.au ---
 > 00100 reass ip from any to any in
 > 00200 allow ip from any to any via lo0
 > 00300 allow ip from any to any via em1
 > 00400 nat 123 ip from any to any in recv em0
 > 00500 check-state

I think the problem here is with rule 300; this is (yet another) statement
in the (now ancient) handbook ipfw examples that makes no sense, despite
some good work towards cleaning it up over the last year or so.

Assuming em1 is the internal interface, and that's where your keepalive
packets originate, then they are allowed to pass (before NAT) on the way
in.  That's ok in one way, as NAT only needs to be done on the way out.
The kernel routes these, then ipfw is again invoked on their way out.

Because of the use of 'via' here, meaning that the receive iface is
em1 on the way in, and is STILL the receive iface when on the way out,
and 'via iface' is true on outbound packets if EITHER the recv OR xmit
iface matches, once again these packets are allowed to pass; before NAT,
and also before check-state.  Hence they appear on the outside interface
with their original (private) source addresses, and statelessly as well.

Personally, I can't see the use for such a rule in any ruleset.  The
(better) examples in /etc/rc.firewall (here from 'client') are:

        # Allow any traffic to or from my own net.
        ${fwcmd} add pass all from me to ${net}
        ${fwcmd} add pass all from ${net} to me

.. but these only refer to traffic between this host and internal net.
Meanwhile, 'simple' is a better and far more thorough small-net ruleset.
Alternatively, consider using explicit 'recv' and 'xmit' (or both!) on
rules so it's always clear; refer to ipfw(8) "recv | xmit | via" section.

It's a shame we don't have any good examples of a ruleset like 'simple'
that include at least some stateful rules, to better show a) where NAT
should be done and b) where check-state should be first used, especially
where both are used together.  No, I'm not sure about that either .. but
it seems clear rule 300 is avoiding most of the ruleset, in and outbound.

So yes, keepalive packets should be NAT'd .. so don't pass them before NAT!

-- 
You are receiving this mail because:
You are the assignee for the bug.


