Question that has dogged me for a while.

Karl Denninger karl at denninger.net
Thu May 4 20:02:08 UTC 2017



On 5/4/2017 14:44, Rodney W. Grimes wrote:
>> On 5/4/2017 13:47, Rodney W. Grimes wrote:
>>>> On 5/4/2017 12:12, Rodney W. Grimes wrote:
>>>>>> Consider the following network configuration.
>>>>>>
>>>>>>
>>>>>> Internet ------- Gateway/Firewall ---------- Inside network (including a
>>>>>> web host)
>>>>>>             70.16.10.1/28     192.168.0.0/24  
> ...
>
>>> It is almost impossible to remotely debug this type of stuff without a
>>> complete and full picture of all elements involved.
>>> As a minimum:
>>> 	ifconfig -a
>>> 	ipfw -a list
>>> 	sysctl net.inet.ip.fw.one_pass
>>> 	sysctl net.inet.ip.forwarding
>>>
>>> I know this can be made to work, I think even dd-wrt has it right....
>>> And here is a good jumping off point from a very quick google:
>>> http://www.nycnetworkers.com/real-world/nat-reflectionnat-loopbacknat-hairpinning/ 
>> root at IPGw:/usr/local/etc # ifconfig -a
>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>         inet6 ::1 prefixlen 128
>>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
>>         inet 127.0.0.1 netmask 0xff000000
>>         groups: lo
>>         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>> ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
>>         ether b8:27:eb:4e:88:64
>>         inet 192.168.10.200 netmask 0xffffff00 broadcast 192.168.10.255
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>> ue1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE>
>>         ether 00:50:b6:5d:1d:9f
>>         inet 70.169.168.7 netmask 0xffffff80 broadcast 70.169.168.127
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>> ue0.3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         ether b8:27:eb:4e:88:64
>>         inet 192.168.4.200 netmask 0xffffff00 broadcast 192.168.4.255
>>         groups: vlan
>>         vlan: 3 vlanpcp: 0 parent interface: ue0
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>
>> root at IPGw:/usr/local/etc # ipfw -a list
>> 00100    14     1042 allow ip from any to any via lo0
>> 00200     0        0 deny log ip from any to 127.0.0.0/8
>> 00300     0        0 deny log ip from 127.0.0.0/8 to any
>> 00400     0        0 deny log ip from any to ::1
>> 00500     0        0 deny log ip from ::1 to any
>> 02000     0        0 allow ip from 192.168.100.1 to any in via ue1
>> 02010     0        0 deny log ip from 192.168.0.0/16 to any not ipsec in via ue1
>> 02020     0        0 deny log ip from 70.169.168.0/25 to any in via ue0
>> 03000     0        0 deny log ip from 70.169.168.0/25 to any recv ue0
>> 04000     0        0 deny log ip from table(22) to any recv ue1
>> 04010     0        0 deny ip from any to 114.215.179.104,122.226.84.253,122.248.234.207,167.206.87.147,168.1.83.89,175.41.238.100,176.58.116.160,202.96.134.133,203.143.89.106,220.181.111.147,23.234.53.61,23.234.53.67,46.137.188.54,50.19.254.134,50.7.114.59,50.7.124.48,50.7.176.18,50.7.235.90,50.7.44.82,61.188.37.216,68.192.249.119,74.125.31.99
>> 04020     0        0 deny log ip from 218.90.0.0/16,218.91.0.0/16,218.92.0.0/16,218.93.0.0/16,218.94.0.0/16 to any via ue1
>> 05000     0        0 deny log ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to any not ipsec recv ue1
>> 05010     0        0 deny log ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any recv ue1
>> 06000  8726 10333291 nat 100 ip4 from any to me recv ue1
>> 07000     0        0 check-state :default
>> 08000    21     1064 nat 200 ip4 from 192.168.0.0/16 to 70.169.168.7
> Where is the other half of nat 200?  This is from inside to outside IP,
> there needs to be a return nat occurring to de-NAT the packets
> ipfw add 8000 nat 200 ip4 from 192.168.0.0/16 to 192.168.10.200,192.168.4.200
> It takes 2 rules to the same NAT to have working NAT usually, one for
> outbound packets, and one for inbound packets (relative to the NAT instance).
>
>
> Do we see at least the packets this nats on the wire with tcpdump?
Nope!  That's the problem at this point.  I know there needs to be
another one; I'll add it but it shouldn't matter until after I see the
packets come out on the wire, right? (Added, no difference)
>> 08001  4834   264258 nat 100 ip4 from 192.168.0.0/16 to any xmit ue1
>> 08009     0        0 deny log ip4 from 192.168.0.0/16 to any xmit ue1
>> 08010  4836   264410 allow ip4 from 70.169.168.0/25 to any xmit ue1
>> 08011     0        0 allow log ip from 192.168.10.200 to 192.168.0.0/16 dst-port 2552
>> 08020  5374   306553 allow ip from 192.168.0.0/16 to any recv ue0
>> 08030     2      104 allow ip from 192.168.4.0/25 to any recv ue0.3
>> 08500     0        0 deny log ip from 192.168.0.0/16 to any xmit ue1
>> 09000 17823 20712366 allow ip from any to 192.168.0.0/16
>> 22000     0        0 allow tcp from any to any established
> Interesting that the count on this is 0?  This is usually a stateless
> packet matching rule that goes with your setups.  Nvm, there are no
> packets matching the setup rules, so no chance to have this matter.
>
>> 22700     0        0 allow tcp from any to me dst-port 2200 setup
>> 22710     0        0 allow tcp from any to me dst-port 22 setup
>> 22800     0        0 allow icmp from any to me
>> 23100     0        0 allow udp from any to me dst-port 33434-34000
>> 23110     0        0 allow udp from any 33434-34000 to me
>> 23410     0        0 allow udp from any to me dst-port 53
>> 23420     0        0 allow udp from me 53 to any
>> 23430     4      545 allow udp from any 53 to me
>> 23500     0        0 allow tcp from any to 192.168.1.214 dst-port 8080 setup
>> 23510     0        0 allow tcp from any to 192.168.4.210 dst-port 443 setup
>> 23520     0        0 allow tcp from any to 192.168.4.211 dst-port 443 setup
>> 23530     0        0 allow tcp from any to 192.168.4.211 dst-port 554 setup
>> 24430     0        0 allow udp from any 123 to me dst-port 123
>> 24500     0        0 allow udp from any to me dst-port 500
>> 24510     0        0 allow udp from me 500 to any
>> 24520     0        0 allow udp from any to me dst-port 4500
>> 24530     0        0 allow udp from me 4500 to any
>> 24600    46     2760 deny tcp from 192.168.4.211 to any dst-port 80 setup
> What are these denied packets?  Part of our issue?
No, those are packets coming from an IP cam that is trying to "phone
home" and which I'm intentionally blocking.  I am attempting to connect
to port 2552 for the purpose of proving it up, not 80 (there IS a
listener there and it's also an uncommon port so I don't get the noise
from people trying to bang on the box when I'm tracing it.)
>> 29999     5      272 deny log ip from any to any
> And these?
Nope -- random other people trying to bang things on the host from the
Internet.

root at IPGw:/usr/local/etc # grep 2552 /var/log/security
root at IPGw:/usr/local/etc #

Nothing in the log at all denying any packets.

net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 1

This is all I get with tcpdump:
root at IPGw:/usr/local/etc # tcpdump -n -i ue0 port 2552

14:51:23.968124 IP 192.168.10.40.50756 > 70.169.168.7.2552: Flags [S],
seq 3005777928, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:51:23.968187 IP 192.168.10.40.50755 > 70.169.168.7.2552: Flags [S],
seq 1100017986, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:51:24.217125 IP 192.168.10.40.50757 > 70.169.168.7.2552: Flags [S],
seq 4201089264, win 8192, options [mss 1460,nop,nop,sackOK], length 0

The original packets headed to the gateway are on the wire but I never
see the translated ones on the wire at all.  It's like the 200 NAT
swallowed the packets and never re-emitted them, nor do I have any
indication where they went; they're not getting logged off any of the
deny lines nor can I find them on the wire.

With the changes to try to isolate it, here it is..... nothing (as
expected) showing on 6000 and no packets on the wire from the attempted
twist.

root at IPGw:/usr/local/etc # ipfw -a list
00100    52     4660 allow ip from any to any via lo0
00200     0        0 deny log ip from any to 127.0.0.0/8
00300     0        0 deny log ip from 127.0.0.0/8 to any
00400     0        0 deny log ip from any to ::1
00500     0        0 deny log ip from ::1 to any
02000     0        0 allow ip from 192.168.100.1 to any in via ue1
02010     0        0 deny log ip from 192.168.0.0/16 to any not ipsec in via ue1
02020     0        0 deny log ip from 70.169.168.0/25 to any in via ue0
03000     0        0 deny log ip from 70.169.168.0/25 to any recv ue0
04000     0        0 deny log ip from table(22) to any recv ue1
04010     0        0 deny ip from any to 114.215.179.104,122.226.84.253,122.248.234.207,167.206.87.147,168.1.83.89,175.41.238.100,176.58.116.160,202.96.134.133,203.143.89.106,220.181.111.147,23.234.53.61,23.234.53.67,46.137.188.54,50.19.254.134,50.7.114.59,50.7.124.48,50.7.176.18,50.7.235.90,50.7.44.82,61.188.37.216,68.192.249.119,74.125.31.99
04020     0        0 deny log ip from 218.90.0.0/16,218.91.0.0/16,218.92.0.0/16,218.93.0.0/16,218.94.0.0/16 to any via ue1
05000     0        0 deny log ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to any not ipsec recv ue1
05010     0        0 deny log ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any recv ue1
06000     0        0 nat 200 ip4 from 192.168.0.0/16 2552 to 192.168.10.200
06010  9528 11688747 nat 100 ip4 from any to me recv ue1
07000     0        0 check-state :default
08000    15      768 nat 200 ip4 from 192.168.0.0/16 to 70.169.168.7
08001  5314   286721 nat 100 ip4 from 192.168.0.0/16 to any xmit ue1
08009     0        0 deny log ip4 from 192.168.0.0/16 to any xmit ue1
08010  5319   287081 allow ip4 from 70.169.168.0/25 to any xmit ue1
08011     0        0 allow log ip from 192.168.10.200 to 192.168.0.0/16 dst-port 2552
08020  5905   328699 allow ip from 192.168.0.0/16 to any recv ue0
08030     0        0 allow ip from 192.168.4.0/25 to any recv ue0.3
08500     0        0 deny log ip from 192.168.0.0/16 to any xmit ue1
09000 19682 23487591 allow ip from any to 192.168.0.0/16
22000     0        0 allow tcp from any to any established
22700     0        0 allow tcp from any to me dst-port 2200 setup
22710     0        0 allow tcp from any to me dst-port 22 setup
22800     4      284 allow icmp from any to me
23100     0        0 allow udp from any to me dst-port 33434-34000
23110     0        0 allow udp from any 33434-34000 to me
23410     0        0 allow udp from any to me dst-port 53
23420     0        0 allow udp from me 53 to any
23430     0        0 allow udp from any 53 to me
23500     0        0 allow tcp from any to 192.168.1.214 dst-port 8080 setup
23510     0        0 allow tcp from any to 192.168.4.210 dst-port 443 setup
23520     0        0 allow tcp from any to 192.168.4.211 dst-port 443 setup
23530     0        0 allow tcp from any to 192.168.4.211 dst-port 554 setup
24430     0        0 allow udp from any 123 to me dst-port 123
24500     0        0 allow udp from any to me dst-port 500
24510     0        0 allow udp from me 500 to any
24520     0        0 allow udp from any to me dst-port 4500
24530     0        0 allow udp from me 4500 to any
24600    35     2100 deny tcp from 192.168.4.211 to any dst-port 80 setup
29999     2       80 deny log ip from any to any
65535  2709   484767 deny ip from any to any


-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
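Editor's note, not part of the thread: the point Rodney makes above, that a single nat instance needs a rule for each direction of the hairpinned connection, is easy to see in a small model. The Python below is an added illustration, not ipfw or FreeBSD code; the gateway addresses and the client's port come from the ifconfig and tcpdump output in the message, while the inside web host (192.168.10.50) and the redirect target of nat 200 are assumptions, since the post does not include the "ipfw nat 200 config" line.

```python
# Added model, not ipfw/FreeBSD code: why hairpin NAT needs a rule in each direction.
# Addresses and ports come from the thread's ifconfig and tcpdump output; WEB_HOST
# and the nat 200 redirect target are assumed (the nat config line is not in the post).
from collections import namedtuple

GATEWAY_PUBLIC = "70.169.168.7"    # ue1 address in the ifconfig output
GATEWAY_INSIDE = "192.168.10.200"  # ue0 address in the ifconfig output
WEB_HOST = "192.168.10.50"         # ASSUMED inside web host, not given on the page
SERVICE_PORT = 2552                # port Karl is testing against

Packet = namedtuple("Packet", "src sport dst dport")


class HairpinNat:
    """Redirect inside->public traffic to WEB_HOST and masquerade the client behind
    the gateway's inside address, so the reply has to come back via the gateway."""

    def __init__(self):
        self.table = {}          # alias port -> (client address, client port)
        self.next_alias = 40000  # constructed alias port range

    def outbound(self, p):
        """Rule 08000 direction: inside client -> gateway public address."""
        if p.dst != GATEWAY_PUBLIC or p.dport != SERVICE_PORT:
            return p
        alias, self.next_alias = self.next_alias, self.next_alias + 1
        self.table[alias] = (p.src, p.sport)
        return Packet(GATEWAY_INSIDE, alias, WEB_HOST, SERVICE_PORT)

    def inbound(self, p):
        """Return direction (the second rule Rodney asks for): undo the rewrite."""
        if p.dst != GATEWAY_INSIDE or p.dport not in self.table:
            return p
        client, cport = self.table[p.dport]
        return Packet(GATEWAY_PUBLIC, SERVICE_PORT, client, cport)


def client_accepts(sent, received):
    """A TCP client only matches a SYN/ACK whose 4-tuple mirrors its own SYN."""
    return (received.src, received.sport, received.dst, received.dport) == \
           (sent.dst, sent.dport, sent.src, sent.sport)


def simulate(return_rule_present):
    """Push the first SYN from the tcpdump through; True if the client gets a usable reply."""
    nat = HairpinNat()
    syn = Packet("192.168.10.40", 50756, GATEWAY_PUBLIC, SERVICE_PORT)
    fwd = nat.outbound(syn)
    synack = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)  # web host answers what it saw
    back = nat.inbound(synack) if return_rule_present else synack
    return client_accepts(syn, back)
```

With only the outbound rule the web host's SYN/ACK is addressed to the gateway's inside alias and never matches the client's socket; the return-direction rule is what turns it back into a reply from 70.169.168.7:2552.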