[Bug 201590] Zerowindow packets escape stateful in-kernel NAT
bugzilla-noreply at freebsd.org
Wed Jul 15 15:49:35 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201590
Bug ID: 201590
Summary: Zerowindow packets escape stateful in-kernel NAT
Product: Base System
Version: 10.1-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: g_amanakis at yahoo.com
CC: dleg at free.fr, glebius at FreeBSD.org,
melifaro at FreeBSD.org
According to the example of the handbook regarding NAT
(https://www.freebsd.org/doc/handbook/firewalls-ipfw.html), the inbound NAT
rule should be placed first (below 0400), followed by the outbound NAT rule
(below 24000).
-------8<--------
ipfw nat 123 config ip xxx.xxx.xxx.xxx same_ports reset
00100 reass ip from any to any in
00200 allow ip from any to any via lo0
00300 allow ip from any to any via em1
00400 nat 123 ip from any to any in recv em0
00500 check-state
00600 skipto 24000 ip from any to me dst-port 80,443,22,500,4500,1194,993,8112 in recv em0 keep-state
00700 skipto 24000 ip from any to any out xmit em0 keep-state
00800 deny log ip from any to any
24000 nat 123 ip from any to any out xmit em0
24100 allow ip from any to any
-------8<--------
However, this allows some packets (TCP Zerowindow packets) to escape NAT (why?),
and IPs on the LAN (behind NAT) are exposed on the external interface (where
NAT is performed).
When one places the NAT rules with the opposite order (i.e. outbound rule first
and then the inbound rule) the problem disappears.
-------8<--------
ipfw nat 123 config ip xxx.xxx.xxx.xxx same_ports reset
00100 reass ip from any to any in
00200 allow ip from any to any via lo0
00300 allow ip from any to any via em1
00400 nat 123 ip from any to any out xmit em0
00500 check-state
00600 skipto 24000 ip from any to me dst-port 80,443,22,500,4500,1194,993,8112 in recv em0 keep-state
00700 skipto 24000 ip from any to any out xmit em0 keep-state
00800 deny log ip from any to any
24000 nat 123 ip from any to any in recv em0
24100 allow ip from any to any
-------8<--------
The bug consists of unexpected behaviour, i.e. the TCP Zerowindow should not
escape NAT in the first case.
See https://forums.freebsd.org/threads/ipfw-keep-state-and-in-kernel-nat-exposes-local-ip-on-external-interface.52134/
See https://forums.freebsd.org/threads/some-ip-frames-not-nated-with-ipfw-natd.51015/
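Added example (not part of the bug report or of FreeBSD): a small Python lint that parses an `ipfw list` style ruleset like the two above and flags the ordering the report found problematic, an outbound nat rule numbered after the first check-state/keep-state rule. The embedded rulesets are constructed from the report's two layouts with a shortened port list.

```python
import re

# Constructed from the report's first (problematic) layout, with a shortened port list.
NAT_IN_FIRST = """\
00100 reass ip from any to any in
00200 allow ip from any to any via lo0
00300 allow ip from any to any via em1
00400 nat 123 ip from any to any in recv em0
00500 check-state
00600 skipto 24000 ip from any to me dst-port 80,443,22 in recv em0 keep-state
00700 skipto 24000 ip from any to any out xmit em0 keep-state
00800 deny log ip from any to any
24000 nat 123 ip from any to any out xmit em0
24100 allow ip from any to any
"""

# The report's second layout: outbound nat at 00400, inbound nat moved to 24000.
NAT_OUT_FIRST = NAT_IN_FIRST.replace(
    "00400 nat 123 ip from any to any in recv em0",
    "00400 nat 123 ip from any to any out xmit em0").replace(
    "24000 nat 123 ip from any to any out xmit em0",
    "24000 nat 123 ip from any to any in recv em0")

# One `ipfw list` line: 5-digit rule number, action keyword, rest of the rule body.
RULE_RE = re.compile(r"^(\d{5})\s+(\S+)(?:\s+(.*))?$")


def parse_rules(listing):
    """Parse ipfw list style output into {num, action, body} dicts; skip other lines."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"num": int(m.group(1)), "action": m.group(2),
                          "body": (m.group(3) or "").split()})
    return rules


def check_nat_order(listing):
    """Flag outbound nat rules numbered after the first check-state/keep-state rule,
    i.e. the layout in which the report observed un-NATed packets leaving em0."""
    rules = parse_rules(listing)
    first_state = next((r["num"] for r in rules
                        if r["action"] == "check-state" or "keep-state" in r["body"]),
                       None)
    if first_state is None:
        return []
    return [f"outbound nat rule {r['num']:05d} follows stateful rule {first_state:05d}; "
            "the working layout in the report puts the outbound nat rule before check-state"
            for r in rules
            if r["action"] == "nat" and "out" in r["body"] and r["num"] > first_state]
```

Feed it the output of `ipfw list` on the NAT box; an empty result means the ruleset already matches the ordering the reporter found to work.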