From: technical account <technical@at-hacker.in>
To: freebsd-net@freebsd.org
Date: Tue, 07 Jul 2015 15:04:31 +0300
Subject: FreeBSD 9.3: Looks like a bug in pf NAT while translating ICMP packets of type 3
List-Id: Networking and TCP/IP with FreeBSD

Hi.

I have an issue with pf in FreeBSD 9.3. Looks like there is something wrong with pf's NAT while processing ICMP packets of type 3 (destination unreachable).
Here is what I see on the LAN interface:

    16:46:10.334993 IP (tos 0xc0, ttl 64, id 63254, offset 0, flags [none], proto ICMP (1), length 289)
        10.12.0.198 > 84.47.xx.yy: ICMP 10.12.0.198 udp port 8293 unreachable, length 269
        IP (tos 0x0, ttl 60, id 34284, offset 0, flags [none], proto UDP (17), length 261)
        84.47.xx.yy.53 > 10.12.0.198.8293: 37288 2/4/4 www.jdm022.com. CNAME sbsfe-p8.geo.mf0.yahoodns.net., sbsfe-p8.geo.mf0.yahoodns.net. A 98.138.19.143 (233)

I.e. some server (84.47.xx.yy) sends a UDP packet to the client (10.12.0.198, port 8293). This port is closed on the client, and the client sends an ICMP "port unreachable" packet to server 84.47.xx.yy. This ICMP packet contains the header of the UDP packet that was sent to the client's closed port:

    84.47.xx.yy.53 > 10.12.0.198.8293: 37288 2/4/4 www.jdm022.com. CNAME sbsfe-p8.geo.mf0.yahoodns.net., sbsfe-p8.geo.mf0.yahoodns.net. A 98.138.19.143 (233)

And this is what I see on the external WAN interface:

    16:46:10.335012 IP (tos 0xc0, ttl 63, id 63254, offset 0, flags [none], proto ICMP (1), length 289)
        10.12.0.198 > 84.47.xx.yy: ICMP 213.208.kkk.zz udp port 61534 unreachable, length 269
        IP (tos 0x0, ttl 60, id 34284, offset 0, flags [none], proto UDP (17), length 261)
        84.47.xx.yy.53 > 213.208.kkk.zz.61534: 37288 2/4/4 www.jdm022.com. CNAME sbsfe-p8.geo.mf0.yahoodns.net., sbsfe-p8.geo.mf0.yahoodns.net. A 98.138.19.143 (233)

As you can see, pf translated the UDP header that was included in the ICMP packet: "ICMP 213.208.kkk.zz udp port 61534 unreachable". IP 213.208.kkk.zz is the IP of my external WAN interface where NAT works. But it did not change the ICMP packet itself. So I have an outgoing ICMP "port unreachable" packet with source address 10.12.0.198 ON THE EXTERNAL interface.

Also I found that pf can't block this kind of packet. A rule like:

    block out quick on $wan_if proto icmp from 10.12/16 to any icmp-type 3 code 3

does not work at all. So I have to use IPFW to block those ICMP packets.
Here is my NAT rule:

    nat on $wan_if from to any -> 213.208.kkk.zz

The table is defined like this:

    table { 10.12/16, 10.13/16 }

Also I found a mention of this issue in OpenBSD pf:
http://openbsd-archive.7691.n7.nabble.com/system-6564-pf-not-nating-does-not-see-icmp4-port-unreachable-packets-from-machine-behind-pf-td187997.html

They said that this bug was fixed in 2011. But in FreeBSD 9.3 it is not fixed so far?

My system:

    FreeBSD vpn2-lesnoy.isp.local 9.3-RELEASE-p2 FreeBSD 9.3-RELEASE-p2 #0: Mon Sep 15 16:44:27 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
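The half-translated packet described in the report has a simple, checkable signature: in a correctly NATed ICMP "port unreachable", the outer IP source must equal the destination of the quoted (inner) IP header, and the outer destination must equal the quoted source. The following script is an added example, not code from the post or from pf; it builds raw IPv4/ICMP type 3 code 3 packets from constructed input and flags the mismatch. The addresses 198.51.100.53 (standing in for the redacted 84.47.xx.yy) and 203.0.113.1 (standing in for the redacted 213.208.kkk.zz) are placeholders from the documentation ranges; 10.12.0.198 and the ports 53, 8293 and 61534 are taken from the report.

```python
"""Detect ICMP port-unreachable packets whose outer IP addresses disagree with
the quoted inner header (a NAT that rewrote only the embedded header).
Added example with constructed packets; not pf code."""
import socket
import struct

ICMP_PROTO = 1
UDP_PROTO = 17
ICMP_DEST_UNREACH = 3   # ICMP type 3
ICMP_PORT_UNREACH = 3   # code 3


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when a checksummed block verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def build_port_unreachable(outer_src: str, outer_dst: str,
                           inner_src: str, inner_dst: str,
                           sport: int, dport: int) -> bytes:
    """Constructed IP/ICMP type 3 code 3 packet quoting an IP/UDP header (test input only)."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)            # 8-byte UDP header, no payload
    quoted = _ipv4_header(inner_src, inner_dst, UDP_PROTO, 8, ttl=60) + udp
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return _ipv4_header(outer_src, outer_dst, ICMP_PROTO, len(icmp)) + icmp


def parse_port_unreachable(pkt: bytes):
    """Return outer/inner addresses and quoted UDP ports, or None if this is not
    a well-formed ICMP port-unreachable packet quoting a UDP datagram."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ICMP_PROTO:
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_PORT_UNREACH:
        return None
    if _checksum(icmp) != 0:          # ICMP checksum does not verify
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:inner_ihl + 8]
    if inner[9] != UDP_PROTO or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return {
        "outer_src": socket.inet_ntoa(pkt[12:16]),
        "outer_dst": socket.inet_ntoa(pkt[16:20]),
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "sport": sport,
        "dport": dport,
    }


def nat_consistent(info: dict) -> bool:
    """A correctly translated ICMP error has outer src == quoted dst and outer dst == quoted src."""
    return info["outer_src"] == info["inner_dst"] and info["outer_dst"] == info["inner_src"]


if __name__ == "__main__":
    # What the report shows on the WAN side: inner header rewritten, outer source left as the LAN address.
    wan_pkt = build_port_unreachable("10.12.0.198", "198.51.100.53",
                                     "198.51.100.53", "203.0.113.1", 53, 61534)
    info = parse_port_unreachable(wan_pkt)
    print(info, "consistent" if nat_consistent(info) else "NAT MISMATCH")
```

Run against a pcap taken on the WAN interface (feeding each IPv4 payload to `parse_port_unreachable`), any packet for which `nat_consistent` is False is exactly the half-translated case from the report: the quoted header carries the public address while the ICMP packet still leaves with the private source.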