kern/86103: Bug: Illegal NAT Traversal in IPFilter

Necati Ersen SISECI siseci at enderunix.org
Wed Sep 14 00:50:12 PDT 2005


>Number:         86103
>Category:       kern
>Synopsis:       Bug: Illegal NAT Traversal in IPFilter
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 14 07:50:10 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Necati Ersen SISECI
>Release:        FreeBSD 5.3 & 5.4
>Organization:
EnderUNIX SDT @ Turkey
>Environment:


>Description:

I think we have found a bug in ipnat that runs on FreeBSD 5.
We have repeated it in both FBSD-5.3-P17 and FBSD-5.4-P6.


The problem is that even though we NAT connections from the internal net
(192.168.9.0/24 subnet), we can still ping (ICMP) hosts located
on 192.168.9.0/24 from our external net (192.168.6.0/24).
That is of course after adding a route to the 192.168.9.0/24 network
on a machine located on the external network (net.inet.ip.forwarding
is also enabled).

It only works with ICMP packets, not with TCP or UDP.

The kernel is the GENERIC kernel that comes with FreeBSD, with the addition
of "options IPFILTER" and "options IPFILTER_LOG". We couldn't repeat this
bug in the FreeBSD 6 and FreeBSD 7 series. Thus the problem is
related only to FreeBSD 5.X. I don't know the current situation with
FreeBSD 4.


We think the problem is related to the ipnat state table, because when
we ping a host located on 192.168.9.0/24, say 192.168.9.100,
we don't receive an answer, but after pinging another host,
say 192.168.9.99, we get an answer to our ping packets.

After reloading the ipnat rules, the first host we ping doesn't
answer but the second one does.

We have tried this on 3 different server configurations. 

Here is sample output from our Firewall:



IFCONFIG:

root at firewall# ifconfig
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet 192.168.9.1 netmask 0xffffff00 broadcast 192.168.9.255
        inet6 fe80::204:75ff:fee5:1886%xl0 prefixlen 64 scopeid 0x1
        ether 00:04:75:e5:18:86
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet 192.168.6.190 netmask 0xffffff00 broadcast 192.168.6.255
        inet6 fe80::204:75ff:fee9:8dff%xl1 prefixlen 64 scopeid 0x2
        ether 00:04:75:e9:8d:ff
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::220:edff:fe63:f4d%fxp0 prefixlen 64 scopeid 0x3
        ether 00:20:ed:63:0f:4d
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5


IPNAT and IPF

root at firewall# ipnat -l
List of active MAP/Redirect filters:
map xl1 from 192.168.9.0/24 to any -> 192.168.6.190/32 portmap tcp/udp 1025:65535
map xl1 from 192.168.9.0/24 to any -> 192.168.6.190/32

List of active sessions:
root at firewall# ipfstat -hion
empty list for ipfilter(out)
empty list for ipfilter(in)
root at firewall#



ROUTING TABLE:

root at firewall# netstat -nrt -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.6.1        UGS         0        0    xl1
10/24              link#3             UC          0        0   fxp0
10.0.0.1           00:20:ed:63:0f:4d  UHLW        0       52    lo0
10.0.0.2           00:30:48:20:ac:68  UHLW        0      222   fxp0    839
127.0.0.1          127.0.0.1          UH          0       63    lo0
192.168.6          link#2             UC          0        0    xl1
192.168.6.1        00:30:23:ad:4f:40  UHLW        1        0    xl1    878
192.168.9          link#1             UC          0        0    xl0
192.168.9.1        00:04:75:e5:18:86  UHLW        0       52    lo0

root at firewall# uname -sr
FreeBSD 5.4-RELEASE-p6



FIREWALL ASCII:


                                   FIREWALL
                               |---------------|
10.0.0.0/24 <-------DMZ------> | 10.0.0.1      |
                               |               |
192.168.9.0/24 <---Local Net-> | 192.168.9.1   | 
                               |               |
                               | 192.168.6.190 | <-External Net-> 192.168.6.0/24
                               |---------------|




PING OUTPUT


root at external[root]# ping 192.168.9.100
PING 192.168.9.100 (192.168.9.100): 56 data bytes
^C
--- 192.168.9.100 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root at external[root]# ping 192.168.9.99
PING 192.168.9.99 (192.168.9.99): 56 data bytes
64 bytes from 192.168.9.99: icmp_seq=0 ttl=63 time=0.621 ms
64 bytes from 192.168.9.99: icmp_seq=1 ttl=63 time=0.475 ms
^C
--- 192.168.9.99 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.475/0.548/0.621/0.073 ms

After reloading ipnat:
root at firewall# ipnat -FC -f /etc/ipnat.rules
6 entries flushed from NAT table
2 entries flushed from NAT list
root at firewall#


root at external[root]# ping 192.168.9.100
PING 192.168.9.100 (192.168.9.100): 56 data bytes
64 bytes from 192.168.9.100: icmp_seq=0 ttl=127 time=0.590 ms
64 bytes from 192.168.9.100: icmp_seq=1 ttl=127 time=0.471 ms
^C
--- 192.168.9.100 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.471/0.530/0.590/0.059 ms
root at external[root]#


>How-To-Repeat:
>Fix:
	Don't know any.
>Release-Note:
>Audit-Trail:
>Unformatted:
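The `ipfstat -hion` output above shows an empty filter list, so with forwarding enabled only the NAT `map` rules stand between the external segment and 192.168.9.0/24. The following is an added example, not part of the report, of a minimal `ipf.rules` for the topology shown (interface names and subnets taken from the report; loaded with `ipf -Fa -f /etc/ipf.rules`) that drops routed traffic into the private segments regardless of what ipnat's state table holds:

```text
# Constructed example ruleset for the firewall in the report (xl0 = local
# net, fxp0 = DMZ, xl1 = external). Not the reporter's configuration.

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Local and DMZ hosts may originate traffic; keep state so only the
# replies to their own sessions are let back in.
pass in quick on xl0 from 192.168.9.0/24 to any keep state
pass in quick on fxp0 from 10.0.0.0/24 to any keep state

# Outbound on the external interface, stateful. ICMP is included so echo
# replies to NATed pings return only to the session that sent them.
pass out quick on xl1 proto tcp from any to any flags S keep state
pass out quick on xl1 proto udp from any to any keep state
pass out quick on xl1 proto icmp from any to any keep state

# Packets arriving on xl1 addressed to the private segments are routed
# traffic that never matched a NAT session; drop and log them. This rule
# is evaluated by the filter, independently of ipnat's state table.
block in log quick on xl1 from any to 192.168.9.0/24
block in log quick on xl1 from any to 10.0.0.0/24

# Default deny on the external side.
block in log quick on xl1 all
block out log quick on xl1 all
```

With this loaded, the external host's `ping 192.168.9.99` in the report would be logged as a blocked packet on xl1 whether or not an ipnat entry for that address exists, which also gives a way to check that the NAT behaviour being reported is not silently letting traffic through.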