Date: 14 Sep 2005 07:40:56 -0000
From: Necati Ersen SISECI <siseci@enderunix.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Omer Faruk Sen <ofsen@enderunix.org>
Subject: kern/86103: Bug: Illegal NAT Traversal in IPFilter
Message-ID: <20050914074056.25148.qmail@istanbul.enderunix.org>
Resent-Message-ID: <200509140750.j8E7oBiE082706@freefall.freebsd.org>
>Number:         86103
>Category:       kern
>Synopsis:       Bug: Illegal NAT Traversal in IPFilter
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 14 07:50:10 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Necati Ersen SISECI
>Release:        FreeBSD 5.3 & 5.4
>Organization:
EnderUNIX SDT @ Turkey
>Environment:
>Description:
I think we have found a bug in ipnat that runs on FreeBSD 5. We have repeated it in both FBSD-5.3-P17 and FBSD-5.4-P6.

The problem is that even though we NAT connections from the internal net (192.168.9.0/24 subnet), we can still ping (icmp) hosts located on 192.168.9.0/24 from our external net (192.168.6.0/24). That is of course after adding a route for the 192.168.9.0/24 network on a machine located on the external network (also net.inet.ip.forwarding is enabled). It only works with icmp packets, not with tcp or udp.

The kernel is the GENERIC kernel that comes with FreeBSD, with the inclusion of "options IPFILTER" and "options IPFILTER_LOG".

We couldn't repeat this bug in the FreeBSD 6 and FreeBSD 7 series, thus the problem is related only to FreeBSD 5.X. I don't know the current situation with FreeBSD 4.

We think the problem is related to the ipnat state table, because when we ping a host located on 192.168.9.0/24, say 192.168.9.100, we don't receive an answer, but after pinging another host, say 192.168.9.99, we get an answer to our ping packets. After reloading the ipnat rules the first host we ping doesn't answer but the second one does. We have tried this on 3 different server configurations.
Here is sample output from our Firewall:

IFCONFIG:

root@firewall# ifconfig
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet 192.168.9.1 netmask 0xffffff00 broadcast 192.168.9.255
        inet6 fe80::204:75ff:fee5:1886%xl0 prefixlen 64 scopeid 0x1
        ether 00:04:75:e5:18:86
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet 192.168.6.190 netmask 0xffffff00 broadcast 192.168.6.255
        inet6 fe80::204:75ff:fee9:8dff%xl1 prefixlen 64 scopeid 0x2
        ether 00:04:75:e9:8d:ff
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::220:edff:fe63:f4d%fxp0 prefixlen 64 scopeid 0x3
        ether 00:20:ed:63:0f:4d
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5

IPNAT and IPF:

root@firewall# ipnat -l
List of active MAP/Redirect filters:
map xl1 from 192.168.9.0/24 to any -> 192.168.6.190/32 portmap tcp/udp 1025:65535
map xl1 from 192.168.9.0/24 to any -> 192.168.6.190/32

List of active sessions:

root@firewall# ipfstat -hion
empty list for ipfilter(out)
empty list for ipfilter(in)
root@firewall#

ROUTING TABLE:

root@firewall# netstat -nrt -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.6.1        UGS         0        0    xl1
10/24              link#3             UC          0        0   fxp0
10.0.0.1           00:20:ed:63:0f:4d  UHLW        0       52    lo0
10.0.0.2           00:30:48:20:ac:68  UHLW        0      222   fxp0    839
127.0.0.1          127.0.0.1          UH          0       63    lo0
192.168.6          link#2             UC          0        0    xl1
192.168.6.1        00:30:23:ad:4f:40  UHLW        1        0    xl1    878
192.168.9          link#1             UC          0        0    xl0
192.168.9.1        00:04:75:e5:18:86  UHLW        0       52    lo0
root@firewall#
root@firewall# uname -sr
FreeBSD 5.4-RELEASE-p6

FIREWALL ASCII:

                                  FIREWALL
                               |---------------|
10.0.0.0/24    <-------DMZ------> | 10.0.0.1      |
                               |               |
192.168.9.0/24 <---Local Net-> | 192.168.9.1   |
                               |               |
                               | 192.168.6.190 | <-External Net-> 192.168.6.0/24
                               |---------------|

PING OUTPUT:

root@external[root]# ping 192.168.9.100
PING 192.168.9.100 (192.168.9.100): 56 data bytes
^C
--- 192.168.9.100 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

root@external[root]# ping 192.168.9.99
PING 192.168.9.99 (192.168.9.99): 56 data bytes
64 bytes from 192.168.9.99: icmp_seq=0 ttl=63 time=0.621 ms
64 bytes from 192.168.9.99: icmp_seq=1 ttl=63 time=0.475 ms
^C
--- 192.168.9.99 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.475/0.548/0.621/0.073 ms

After reloading Ipnat:

root@firewall# ipnat -FC -f /etc/ipnat.rules
6 entries flushed from NAT table
2 entries flushed from NAT list
root@firewall#

root@external[root]# ping 192.168.9.100
PING 192.168.9.100 (192.168.9.100): 56 data bytes
64 bytes from 192.168.9.100: icmp_seq=0 ttl=127 time=0.590 ms
64 bytes from 192.168.9.100: icmp_seq=1 ttl=127 time=0.471 ms
^C
--- 192.168.9.100 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.471/0.530/0.590/0.059 ms
root@external[root]#

>How-To-Repeat:
>Fix:
Don't know any.
>Release-Note:
>Audit-Trail:
>Unformatted:
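The report's `ipfstat -hio` output shows an empty filter rule set, so only the NAT map stands between the external and internal networks, and a host on the external net that knows the internal prefix can route packets straight at it. As an added example that is not part of the report or of the reporter's configuration, here is a minimal ipf.rules set for the reported topology (interface names and subnets are taken from the ifconfig output above; the rule set is otherwise assumed) that denies inbound traffic to the internal and DMZ subnets regardless of how the NAT state table behaves:

```conf
# /etc/ipf.rules  (added example, not the report's configuration)
# IPFilter applies inbound NAT before "in" rules and outbound NAT after
# "out" rules, so both directions see the internal (pre-map) addresses.
# "quick" gives first-match semantics; the state table is consulted
# before any rule, so replies to stateful sessions are never hit by the
# block rules below.

# Loopback: unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all

# External interface xl1: nothing from outside may reach the internal or
# DMZ subnets directly, and nothing claiming an internal source may enter.
block in log quick on xl1 from any to 192.168.9.0/24
block in log quick on xl1 from any to 10.0.0.0/24
block in log quick on xl1 from 192.168.9.0/24 to any
block in log quick on xl1 from 10.0.0.0/24 to any

# Sessions leaving xl1 keep state so only their replies are accepted back.
pass out quick on xl1 proto tcp  from any to any flags S keep state
pass out quick on xl1 proto udp  from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state

# Internal (xl0) and DMZ (fxp0) clients may initiate; the state entry
# created here also carries the forwarded packet out through xl1.
pass in quick on xl0  from 192.168.9.0/24 to any keep state
pass in quick on fxp0 from 10.0.0.0/24    to any keep state

# Everything else is dropped and logged.
block in  log quick all
block out log quick all
```

With this loaded (`ipf -Fa -f /etc/ipf.rules`), the external host's routed echo request is logged and dropped on xl1 whether or not ipnat has a matching session, which is the property the empty rule set in the report does not provide.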