kern/127233: ipnat + ipfilter source routing not handling ftp properly
Keith Waters
keith at waters.co.za
Tue Sep 9 07:40:02 UTC 2008
>Number: 127233
>Category: kern
>Synopsis: ipnat + ipfilter source routing not handling ftp properly
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 09 07:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Keith Waters
>Release: 7.0-RELEASE
>Organization:
Keith Waters Consulting
>Environment:
7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Firewall has three NICs: sk0 (internal), sk1 (external ISP #1) and sk2 (external ISP #2). Default route is on sk1. Certain IPs on the internal network are NATted through to the second ISP (sk2).
When doing a passive FTP, tcpdump shows the packets correctly going out sk2 with the correct source IP, but on doing a directory listing (in ftp), some packets incorrectly go out sk1 (and not NATted).
This worked fine in FreeBSD 5.x but not since upgrading to 7.x (at two different sites).
>How-To-Repeat:
ipf.rules:
pass out quick on sk1 to sk2:196.211.30.193 from 10.67.21.120/29 to any
ipnat.rules:
map sk2 from 10.67.21.120/29 to any -> 196.211.30.194/32 proxy port ftp ftp/tcp
map sk2 from 10.67.21.120/29 to any -> 196.211.30.194/32 portmap tcp/udp 1024:65000
map sk2 from 10.67.21.120/29 to any -> 196.211.30.194/32
Now do a passive ftp from one of the 10.67.21.120/29 PCs.
>Fix:
No known fix.
>Release-Note:
>Audit-Trail:
>Unformatted:
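The symptom in this PR can be confirmed mechanically from captures on both external interfaces. The following is an added example, not part of the PR or of ipfilter: it reads tcpdump-style lines prefixed with the capturing interface name and flags any packet from 10.67.21.120/29 that leaves sk1 (the leak described above) or leaves sk2 without being translated to 196.211.30.194. The sample lines and the remote FTP server address 203.0.113.10 are constructed for the example.

```python
"""Flag packets that escape the sk2 policy route or leave it un-NATted."""
import ipaddress
import re

POLICY_NET = ipaddress.ip_network("10.67.21.120/29")  # internal block mapped to ISP #2
POLICY_IF = "sk2"                                     # interface that block must use

# Constructed line format: "<iface> <time> IP <src>.<sport> > <dst>.<dport>: ..."
# i.e. `tcpdump -n -i <iface>` output with the interface name prepended.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+\S+\s+IP\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)"
    r"\s+>\s+(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def find_leaks(lines):
    """Return (iface, src, dst, dport, reason) for each misrouted/untranslated packet."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet line (tcpdump banner, truncated line, ...)
        src = ipaddress.ip_address(m["src"])
        if src not in POLICY_NET:
            continue  # not one of the policy-routed hosts; sk1 traffic is fine here
        if m["iface"] != POLICY_IF:
            # Internal source escaped through the default-route interface.
            reason = "left %s instead of %s" % (m["iface"], POLICY_IF)
        else:
            # Right interface, but ipnat never rewrote the source address.
            reason = "untranslated on %s" % POLICY_IF
        leaks.append((m["iface"], m["src"], m["dst"], int(m["dport"]), reason))
    return leaks


# Constructed sample: control connection (port 21) NATted correctly on sk2,
# then the data connection for the LIST escaping on sk1 untranslated.
SAMPLE = [
    "sk2 10:01:00.000001 IP 196.211.30.194.49152 > 203.0.113.10.21: Flags [S], seq 1",
    "sk2 10:01:00.100000 IP 196.211.30.194.49152 > 203.0.113.10.21: Flags [P.], seq 1:7",
    "sk1 10:01:01.000000 IP 10.67.21.121.49153 > 203.0.113.10.55001: Flags [S], seq 5",
    "sk1 10:01:01.050000 IP 10.67.21.121.49153 > 203.0.113.10.55001: Flags [.], ack 1",
    "sk1 10:01:02.000000 IP 198.51.100.7.40000 > 203.0.113.10.80: Flags [S], seq 9",
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE):
        print("LEAK: iface=%s src=%s dst=%s dport=%d (%s)" % leak)
```

To use it on a live firewall, run `tcpdump -n -i sk1` and `tcpdump -n -i sk2` in parallel, prefix each line with its interface name, and feed the merged output to `find_leaks`.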