IPFW on CURRENT: NAT forwarding exposes internal IP!

O. Hartmann ohartman at zedat.fu-berlin.de
Thu Sep 29 12:48:09 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Despite other problems with IPFW and its documentation regarding NAT, I face a serious
and disturbing problem.

I run a NanoBSD based router/firewall project of my own, running CURRENT (FreeBSD
12.0-CURRENT #1 r306333: Mon Sep 26 08:36:02 CEST 2016). IPFW is the filter of my choice,
since it is FreeBSD's native. I also use In-kernel-NAT as well as pppoed/ppp. The modem
is connected to a dedicated NIC, the pppoe-traffic is transported via tun0 - I think this
is the usual stuff.

The IPFW has this NAT rule:

${fwcmd}        nat 1 config if ${if_isp0} \
                        log \
                        reset \
                        same_ports \
                        redirect_port tcp ${server_gate}:22 22 \
                        redirect_port tcp ${server_www}:80 80 \
                        redirect_port tcp ${server_www}:443 443 \
                        redirect_port tcp ${server_refdb}:9734 9734

server_www is assigned to a non-official IP, 192.168.10.10.

if_isp=tun0, tun0's IP is given by the provider, I use net/ddclient as the updater for a
dynamic DNS account.

I use an internal DNS server, which resolves 92.168.10.10 to a certain name. I also use
self signed SSL certicates, just for completeness of this information.

Connecting from the outside world to my dynDNS domain triggers Firefox or any other
browser to compalin about the self signed SSL certificate - as usual, but then, adding
it, suddenly the domain name (say: www.blabla.org) is replaced by the internal IP I
delegate any access on ports 80 and 443 to.

What happens here? I consider this a bug, I never saw this on our Linux servers running a
similar setup (forwarding, BIND 9.10/BIND 9.11).

Thanks,

Oliver
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJX7Q17AAoJEOgBcD7A/5N88yAH/RZLURQbC5LTgJD/NUdE51F3
yPVaUQIaeGm93du87K2opXs3DNtMr0m1SI1wQZdOAQDl3yqMkz9bX9VTUweuAltp
ZcBxhZ2VACQJCu/AsYIWWWp6rliniyZWMr+TOyNtTDxdPrIXYzwefX+fYN+Uy/04
9PalfcT/S+9q5DKd7sm7K6LqsU0HJ9GpKgNnsyqWEAWvORgxUvKS3GS9jEjxUnrD
20yTXjyiu0mS8UYLS7DbrrgItg3fXEJVG8188tweFB5aalQRH6oyNGaxWlGaF8Rc
K9t479v6OW3XCs9FiG6AtCzpmnUkCoMtxl7lY3hPU/Sh1P5epYu26bdoF2ecr1g=
=oMGL
-----END PGP SIGNATURE-----


More information about the freebsd-security mailing list