Date:      Thu, 29 Sep 2016 16:00:10 +0300
From:      Daniel Kalchev <daniel@digsys.bg>
To:        "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Cc:        FreeBSD CURRENT <freebsd-current@freebsd.org>, freebsd-security@freebsd.org
Subject:   Re: IPFW on CURRENT: NAT forwarding exposes internal IP!
Message-ID:  <6C0203C4-F332-42B1-AF62-18723E63E112@digsys.bg>
In-Reply-To: <20160929144755.2e4f7800.ohartman@zedat.fu-berlin.de>
References:  <20160929144755.2e4f7800.ohartman@zedat.fu-berlin.de>

It looks like your httpd server is doing a redirect to your internal IP address, which it thinks is its ServerName. Don't think NAT has anything to do with it.

Daniel

> On 29.09.2016, at 15:47, O. Hartmann <ohartman@zedat.fu-berlin.de> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
> Despite other problems with IPFW and its documentation regarding NAT, I face a serious
> and disturbing problem.
>
> I run a NanoBSD based router/firewall project of my own, running CURRENT (FreeBSD
> 12.0-CURRENT #1 r306333: Mon Sep 26 08:36:02 CEST 2016). IPFW is the filter of my choice,
> since it is FreeBSD's native. I also use in-kernel NAT as well as pppoed/ppp. The modem
> is connected to a dedicated NIC, the pppoe traffic is transported via tun0 - I think this
> is the usual stuff.
>
> The IPFW has this NAT rule:
>
> ${fwcmd}        nat 1 config if ${if_isp0} \
>                        log \
>                        reset \
>                        same_ports \
>                        redirect_port tcp ${server_gate}:22 22 \
>                        redirect_port tcp ${server_www}:80 80 \
>                        redirect_port tcp ${server_www}:443 443 \
>                        redirect_port tcp ${server_refdb}:9734 9734
>
> server_www is assigned to a non-official IP, 192.168.10.10.
>
> if_isp=tun0, tun0's IP is given by the provider, I use net/ddclient as the updater for a
> dynamic DNS account.
>
> I use an internal DNS server, which resolves 92.168.10.10 to a certain name. I also use
> self signed SSL certificates, just for completeness of this information.
>
> Connecting from the outside world to my dynDNS domain triggers Firefox or any other
> browser to complain about the self signed SSL certificate - as usual, but then, adding
> it, suddenly the domain name (say: www.blabla.org) is replaced by the internal IP I
> delegate any access on ports 80 and 443 to.
>
> What happens here? I consider this a bug; I never saw this on our Linux servers running a
> similar setup (forwarding, BIND 9.10/BIND 9.11).
>
> Thanks,
>
> Oliver
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBCAAGBQJX7Q17AAoJEOgBcD7A/5N88yAH/RZLURQbC5LTgJD/NUdE51F3
> yPVaUQIaeGm93du87K2opXs3DNtMr0m1SI1wQZdOAQDl3yqMkz9bX9VTUweuAltp
> ZcBxhZ2VACQJCu/AsYIWWWp6rliniyZWMr+TOyNtTDxdPrIXYzwefX+fYN+Uy/04
> 9PalfcT/S+9q5DKd7sm7K6LqsU0HJ9GpKgNnsyqWEAWvORgxUvKS3GS9jEjxUnrD
> 20yTXjyiu0mS8UYLS7DbrrgItg3fXEJVG8188tweFB5aalQRH6oyNGaxWlGaF8Rc
> K9t479v6OW3XCs9FiG6AtCzpmnUkCoMtxl7lY3hPU/Sh1P5epYu26bdoF2ecr1g=
> =oMGL
> -----END PGP SIGNATURE-----
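The behaviour Daniel describes is a self-referential redirect: httpd builds the Location header from the name it believes is its own (ServerName, or the address of the listening interface when ServerName is unset), not from the Host header the outside client sent, so the port-forwarded 192.168.10.10 ends up in the browser's address bar. The usual fixes are to set ServerName to the public DNS name or to set UseCanonicalName Off so httpd derives self-referential URLs from the client-supplied Host header. The script below is an added example, not code from either e-mail: it parses an HTTP response, looks at the Location header of a 3xx answer and reports whether it points at a literal private address instead of the public hostname, so the check can be run from the outside after changing the httpd configuration. The sample responses are constructed; www.blabla.org and 192.168.10.10 are the placeholder values from Oliver's post, and the function names are mine.

```python
"""Detect HTTP redirects that expose an internal (private-range) address.

Added example for the thread above; not part of the original e-mails.
The sample responses at the bottom are constructed, and www.blabla.org /
192.168.10.10 are the placeholder values used in the original post.
"""
import http.client
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit


def location_leaks(status: int, location: Optional[str], public_name: str) -> bool:
    """True if a 3xx response redirects to a literal private, loopback or link-local address.

    A redirect to the public hostname, to any other hostname, a relative
    redirect, or a non-3xx status is not treated as a leak.
    """
    if not 300 <= status <= 399 or not location:
        return False
    host = urlsplit(location).hostname  # drops scheme, userinfo, port and path
    if host is None or host.lower() == public_name.lower():
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname rather than a literal address
    # is_private covers 10/8, 172.16/12, 192.168/16, loopback, link-local, ULA, ...
    return addr.is_private


def parse_raw_response(raw: bytes) -> Tuple[int, Optional[str]]:
    """Extract (status code, Location header value) from a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 301 Moved Permanently"
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
            break
    return status, location


def leaks_internal_address(raw: bytes, public_name: str) -> bool:
    """Convenience wrapper: raw response bytes in, leak verdict out."""
    status, location = parse_raw_response(raw)
    return location_leaks(status, location, public_name)


def probe(public_name: str, port: int = 80, path: str = "/") -> bool:
    """Live check from outside the NAT: request `path` with Host: public_name
    and inspect the redirect the server answers with (plain HTTP only)."""
    conn = http.client.HTTPConnection(public_name, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": public_name})
        resp = conn.getresponse()
        return location_leaks(resp.status, resp.getheader("Location"), public_name)
    finally:
        conn.close()


# Constructed sample responses (not captured from the original poster's server).
LEAKY_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                  b"Location: https://192.168.10.10/\r\n"
                  b"Content-Length: 0\r\n\r\n")
CLEAN_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                  b"Location: https://www.blabla.org/\r\n\r\n")
NO_REDIRECT = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_REDIRECT), ("clean", CLEAN_REDIRECT), ("200", NO_REDIRECT)):
        print(f"{label:5s} leaks internal address: {leaks_internal_address(raw, 'www.blabla.org')}")
```

Run `probe("www.blabla.org")` (or with port 443 behind an HTTPS-capable client) from a host outside the NAT once ServerName or UseCanonicalName has been adjusted; a False result means the redirect now carries the public name. The check deliberately ignores redirects to other hostnames, since only a literal address reveals the internal topology.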