From owner-freebsd-bugs@FreeBSD.ORG Wed Sep 14 07:50:12 2005
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F02116A41F for ; Wed, 14 Sep 2005 07:50:12 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 38B6C43D4C for ; Wed, 14 Sep 2005 07:50:11 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j8E7oB0g082707 for ; Wed, 14 Sep 2005 07:50:11 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j8E7oBiE082706; Wed, 14 Sep 2005 07:50:11 GMT (envelope-from gnats)
Resent-Date: Wed, 14 Sep 2005 07:50:11 GMT
Resent-Message-Id: <200509140750.j8E7oBiE082706@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Necati Ersen SISECI
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 26C4816A41F for ; Wed, 14 Sep 2005 07:40:55 +0000 (GMT) (envelope-from siseci@istanbul.enderunix.org)
Received: from istanbul.enderunix.org (freefall.marmara.edu.tr [193.140.143.23]) by mx1.FreeBSD.org (Postfix) with SMTP id 3C6A443D48 for ; Wed, 14 Sep 2005 07:40:53 +0000 (GMT) (envelope-from siseci@istanbul.enderunix.org)
Received: (qmail 25153 invoked by uid 1027); 14 Sep 2005 07:40:57 -0000
Message-Id: <20050914074056.25148.qmail@istanbul.enderunix.org>
Date: 14 Sep 2005 07:40:56 -0000
From: Necati Ersen SISECI
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: Omer Faruk Sen
Subject: kern/86103: Bug: Illegal NAT Traversal in IPFilter
X-BeenThere:
freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Necati Ersen SISECI
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 14 Sep 2005 07:50:12 -0000

>Number:         86103
>Category:       kern
>Synopsis:       Bug: Illegal NAT Traversal in IPFilter
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 14 07:50:10 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Necati Ersen SISECI
>Release:        FreeBSD 5.3 & 5.4
>Organization:   EnderUNIX SDT @ Turkey
>Environment:
>Description:
I think we have found a bug in ipnat that runs on FreeBSD 5. We have repeated it on both FBSD-5.3-P17 and FBSD-5.4-P6.

The problem is that even though we NAT connections from the Internal Net (192.168.9.0/24 subnet), we can still ping (ICMP) a host located on 192.168.9.0/24 from our External Net (192.168.6.0/24). That is, of course, after adding a route for the 192.168.9.0/24 network on a machine located on the External Network (net.inet.ip.forwarding is also enabled). It only works with ICMP packets, not with TCP or UDP.

The kernel is the GENERIC kernel that comes with FreeBSD, with the addition of "options IPFILTER" and "options IPFILTER_LOG".

We couldn't repeat this bug in the FreeBSD 6 and FreeBSD 7 series. Thus the problem is related only to FreeBSD 5.X. I don't know the current situation with FreeBSD 4.

We think the problem is related to the ipnat state table, because when we ping a host located on 192.168.9.0/24, say 192.168.9.100, we don't receive an answer, but after pinging another host, say 192.168.9.99, we get an answer to our ping packets. After reloading the ipnat rules, the first host we ping doesn't answer but the second one does. We have tried this on 3 different server configurations.
Here is sample output from our Firewall:

IFCONFIG:

root@firewall# ifconfig
xl0: flags=8843 mtu 1500
        options=9
        inet 192.168.9.1 netmask 0xffffff00 broadcast 192.168.9.255
        inet6 fe80::204:75ff:fee5:1886%xl0 prefixlen 64 scopeid 0x1
        ether 00:04:75:e5:18:86
        media: Ethernet autoselect (100baseTX )
        status: active
xl1: flags=8843 mtu 1500
        options=9
        inet 192.168.6.190 netmask 0xffffff00 broadcast 192.168.6.255
        inet6 fe80::204:75ff:fee9:8dff%xl1 prefixlen 64 scopeid 0x2
        ether 00:04:75:e9:8d:ff
        media: Ethernet autoselect (100baseTX )
        status: active
fxp0: flags=8843 mtu 1500
        options=8
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::220:edff:fe63:f4d%fxp0 prefixlen 64 scopeid 0x3
        ether 00:20:ed:63:0f:4d
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5

IPNAT and IPF:

root@firewall# ipnat -l
List of active MAP/Redirect filters:
map xl1 from 192.168.9.0/24 to any -> 192.168.6.190/32 portmap tcp/udp 1025:65535
map xl1 from 192.168.9.0/24 to any -> 192.168.6.190/32

List of active sessions:
root@firewall# ipfstat -hion
empty list for ipfilter(out)
empty list for ipfilter(in)
root@firewall#

ROUTING TABLE:

root@firewall# netstat -nrt -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.6.1        UGS         0        0    xl1
10/24              link#3             UC          0        0   fxp0
10.0.0.1           00:20:ed:63:0f:4d  UHLW        0       52    lo0
10.0.0.2           00:30:48:20:ac:68  UHLW        0      222   fxp0    839
127.0.0.1          127.0.0.1          UH          0       63    lo0
192.168.6          link#2             UC          0        0    xl1
192.168.6.1        00:30:23:ad:4f:40  UHLW        1        0    xl1    878
192.168.9          link#1             UC          0        0    xl0
192.168.9.1        00:04:75:e5:18:86  UHLW        0       52    lo0

root@firewall# uname -sr
FreeBSD 5.4-RELEASE-p6

FIREWALL ASCII:

                                    FIREWALL
                               |---------------|
  10.0.0.0/24   <-------DMZ------> | 10.0.0.1      |
                               |               |
  192.168.9.0/24 <---Local Net---> | 192.168.9.1   |
                               |               |
                               | 192.168.6.190 | <-External Net-> 192.168.6.0/24
                               |---------------|

PING OUTPUT:
root@external[root]# ping 192.168.9.100
PING 192.168.9.100 (192.168.9.100): 56 data bytes
^C
--- 192.168.9.100 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

root@external[root]# ping 192.168.9.99
PING 192.168.9.99 (192.168.9.99): 56 data bytes
64 bytes from 192.168.9.99: icmp_seq=0 ttl=63 time=0.621 ms
64 bytes from 192.168.9.99: icmp_seq=1 ttl=63 time=0.475 ms
^C
--- 192.168.9.99 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.475/0.548/0.621/0.073 ms

After reloading ipnat:

root@firewall# ipnat -FC -f /etc/ipnat.rules
6 entries flushed from NAT table
2 entries flushed from NAT list
root@firewall#

root@external[root]# ping 192.168.9.100
PING 192.168.9.100 (192.168.9.100): 56 data bytes
64 bytes from 192.168.9.100: icmp_seq=0 ttl=127 time=0.590 ms
64 bytes from 192.168.9.100: icmp_seq=1 ttl=127 time=0.471 ms
^C
--- 192.168.9.100 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.471/0.530/0.590/0.059 ms
root@external[root]#

>How-To-Repeat:
>Fix:
Don't know any.
>Release-Note:
>Audit-Trail:
>Unformatted:
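The `ipfstat -hion` output in the report shows no filter rules loaded at all, so the only thing keeping external hosts away from 192.168.9.0/24 is NAT behaviour, which is not a filtering policy. Below is an added example of a minimal /etc/ipf.rules for the interfaces and networks named in the report (it is not from the report or from FreeBSD); the policy and the rule set are my assumptions, written so that packets arriving on xl1 for the internal or DMZ nets are dropped and logged regardless of NAT state.

```ipf
# /etc/ipf.rules (hypothetical, added example for the topology in the report)
#
# Inbound on the external interface (xl1): nothing may be addressed to the
# private nets behind the firewall, even if an outside host has added a
# route for them. Logged so that probes show up via ipmon.
block in log quick on xl1 from any to 192.168.9.0/24
block in log quick on xl1 from any to 10.0.0.0/24

# Anti-spoofing: packets claiming an internal source must not arrive on xl1.
block in log quick on xl1 from 192.168.9.0/24 to any
block in log quick on xl1 from 10.0.0.0/24 to any

# Outbound on xl1 (after ipnat has rewritten the source to 192.168.6.190):
# keep state so only replies to these flows are let back in.
pass out quick on xl1 proto tcp from any to any flags S keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state

# Everything else arriving on xl1 is denied and logged (default deny).
block in log on xl1 all
```

Load it with `ipf -Fa -f /etc/ipf.rules`. On the inbound path IPFilter applies NAT before filtering, so these rules see post-NAT addresses; the probe packets in the report are addressed directly to 192.168.9.x and are not rewritten, so the first rule catches them.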