Subject: Re: IPFW on CURRENT: NAT forwarding exposes internal IP!
From: Daniel Kalchev
To: "O. Hartmann"
Cc: FreeBSD CURRENT, freebsd-security@freebsd.org
Date: Thu, 29 Sep 2016 16:00:10 +0300
Message-Id: <6C0203C4-F332-42B1-AF62-18723E63E112@digsys.bg>
In-Reply-To: <20160929144755.2e4f7800.ohartman@zedat.fu-berlin.de>

It looks like your httpd server is doing a redirect to your internal IP address, which it thinks is its ServerName.
Don't think NAT has anything to do with it.

Daniel

> On 29.09.2016 г., at 15:47, O. Hartmann wrote:
> 
> Despite other problems with IPFW and its documentation regarding NAT, I face a serious
> and disturbing problem.
> 
> I run a NanoBSD based router/firewall project of my own, running CURRENT (FreeBSD
> 12.0-CURRENT #1 r306333: Mon Sep 26 08:36:02 CEST 2016). IPFW is the filter of my choice,
> since it is FreeBSD's native. I also use in-kernel NAT as well as pppoed/ppp. The modem
> is connected to a dedicated NIC, the pppoe traffic is transported via tun0 - I think this
> is the usual stuff.
> 
> The IPFW has this NAT rule:
> 
> ${fwcmd} nat 1 config if ${if_isp0} \
>     log \
>     reset \
>     same_ports \
>     redirect_port tcp ${server_gate}:22 22 \
>     redirect_port tcp ${server_www}:80 80 \
>     redirect_port tcp ${server_www}:443 443 \
>     redirect_port tcp ${server_refdb}:9734 9734
> 
> server_www is assigned to a non-official IP, 192.168.10.10.
> 
> if_isp=tun0, tun0's IP is given by the provider, I use net/ddclient as the updater for a
> dynamic DNS account.
> 
> I use an internal DNS server, which resolves 192.168.10.10 to a certain name. I also use
> self-signed SSL certificates, just for completeness of this information.
> 
> Connecting from the outside world to my dynDNS domain triggers Firefox or any other
> browser to complain about the self-signed SSL certificate - as usual, but then, adding
> it, suddenly the domain name (say: www.blabla.org) is replaced by the internal IP I
> delegate any access on ports 80 and 443 to.
> 
> What happens here? I consider this a bug, I never saw this on our Linux servers running a
> similar setup (forwarding, BIND 9.10/BIND 9.11).
> 
> Thanks,
> 
> Oliver
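The quickest way to confirm Daniel's diagnosis is to look at the redirect itself rather than at the NAT rule: fetch the public name with `curl -sI -k https://www.blabla.org/` and inspect the `Location:` header. The script below is an added example, not code from either poster or from FreeBSD; it parses HTTP response headers and flags a redirect whose target host is an RFC 1918 address. The response text is constructed inline so the check runs offline, and `www.blabla.org` is the placeholder name from the original mail.

```shell
#!/bin/sh
# Added example (not from the thread): flag an HTTP redirect whose Location
# header points at an RFC 1918 address, which is the symptom described above.
# In practice feed it the output of:  curl -sI -k https://www.blabla.org/
# (www.blabla.org is the placeholder name used in the original mail).

# Constructed sample response: what a misconfigured httpd that believes its
# own name is 192.168.10.10 would send back to an outside client.
SAMPLE_RESPONSE='HTTP/1.1 301 Moved Permanently
Date: Thu, 29 Sep 2016 13:00:00 GMT
Server: Apache
Location: https://192.168.10.10/
Content-Type: text/html; charset=iso-8859-1
'

# Print the host part of the Location header, or nothing if there is none.
# Strips CRs, the URL scheme, any path/query/fragment, and a trailing :port.
location_host() {
    printf '%s\n' "$1" \
      | tr -d '\r' \
      | awk 'tolower($1) == "location:" {
               url = $2
               sub("^[a-zA-Z][a-zA-Z0-9+.-]*://", "", url)   # scheme
               sub("[/?#].*$", "", url)                      # path and after
               sub(":[0-9]+$", "", url)                      # port
               print url
               exit
             }'
}

# Return 0 if the host is an RFC 1918 address (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Classify a response:
#   "no-redirect"  - no Location header at all
#   "leak:<host>"  - redirect to a private address (the problem in the thread)
#   "ok:<host>"    - redirect to a public name or address
check_redirect() {
    host=$(location_host "$1")
    if [ -z "$host" ]; then
        echo "no-redirect"
    elif is_rfc1918 "$host"; then
        echo "leak:$host"
    else
        echo "ok:$host"
    fi
}

check_redirect "$SAMPLE_RESPONSE"
```

A `leak:` result means the web server, not the packet filter, is building the redirect URL from its own idea of its hostname; the fix belongs in the httpd configuration (the name it advertises for itself), since NAT only rewrites the IP headers and never touches the HTTP `Location` header.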