
Bug in ipnat?



Hi, hackers.

I have one problem with IPfilter.
Probably there are bugs in ipnat.


Description


My Internet connection

           212.188.36.2 (fxp1)
           +-----------------------+
Internet---| gateway with IPfilter |
           +-----------------------+
                       | 192.168.164.5 (fxp0)
                       | 192.168.164.6
           +-----------------------+
           | Host inside           |
           +-----------------------+


Configuration of the gateway with IPfilter

# ipnat -l
List of active MAP/Redirect filters:
map fxp1 192.168.0.0/16  -> 0.0.0.0/32  proxy port ftp ftp/tcp
map fxp1 172.16.0.0/12  -> 0.0.0.0/32  proxy port ftp ftp/tcp
map fxp1 10.0.0.0/8  -> 0.0.0.0/32  proxy port ftp ftp/tcp
map fxp1 192.168.0.0/16  -> 0.0.0.0/32  portmap tcp/udp 16384:32767
map fxp1 192.168.0.0/16  -> 0.0.0.0/32
map fxp1 172.16.0.0/12  -> 0.0.0.0/32  portmap tcp/udp 16384:32767
map fxp1 172.16.0.0/12  -> 0.0.0.0/32
map fxp1 10.0.0.0/8  -> 0.0.0.0/32  portmap tcp/udp 16384:32767
map fxp1 10.0.0.0/8  -> 0.0.0.0/32

List of active sessions:
...


# ipfstat -io
pass out from any to any
pass in from any to any


# ipf -V
ipf: IP Filter: v3.3.18 (184)
Kernel: IP Filter: v3.3.18
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0


# OS
OpenBSD-2.8 i386 with all patches up to April 23 2001 applied.


# ifconfig -A
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
        inet 127.0.0.1 netmask 0xff000000
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 32972
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.164.6 netmask 0xfffffffc broadcast 192.168.164.7
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 212.188.36.2 netmask 0xffffffe0 broadcast 212.188.36.31


# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            212.188.36.1       UGS         2    19314   1500  fxp1
10/8               192.168.164.5      UGS         0        0   1500  fxp0
127/8              127.0.0.1          UGRS        0        0  32972  lo0
127.0.0.1          127.0.0.1          UH          2       42  32972  lo0
172.16/12          192.168.164.5      UGS         0        0   1500  fxp0
192.168/16         192.168.164.5      UGS         2    36655   1500  fxp0
192.168.164.4/30   link#1             UC          0        0   1500  fxp0
192.168.164.5      0:4:ac:58:56:1     UHL         3       97   1500  fxp0
192.168.164.6      127.0.0.1          UGHS        0        0  32972  lo0
212.188.36.0/27    link#2             UC          0        0   1500  fxp1
212.188.36.1       0:2:16:64:70:3f    UHL         1       68   1500  fxp1
224/4              127.0.0.1          URS         0        0  32972  lo0

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)


Problem on the Host inside

# traceroute -n -q 1 www.ru
traceroute to www.ru (194.87.0.50), 30 hops max, 40 byte packets
 1  192.168.164.6  0.180 ms
 2  *
 3  *
 4  *
 5  *
 6  *
 7  *
 8  *
 9  *
10  *
11  *


Packet dumps on the network interfaces of the gateway with IPfilter

tcpdump: listening on fxp0
13:48:50.212769 192.168.164.5.34204 > 194.87.0.50.33435:  [no cksum] udp 12 [ttl 1] (id 34205)
13:48:50.212928 192.168.164.6 > 192.168.164.5: icmp: time exceeded in-transit (ttl 255, id 45396)
13:48:50.213648 192.168.164.5.34204 > 194.87.0.50.33436:  [no cksum] udp 12 (ttl 2, id 34206)
13:48:55.222130 192.168.164.5.34204 > 194.87.0.50.33437:  [no cksum] udp 12 (ttl 3, id 34207)
13:49:00.232539 192.168.164.5.34204 > 194.87.0.50.33438:  [no cksum] udp 12 (ttl 4, id 34208)
13:49:05.242933 192.168.164.5.34204 > 194.87.0.50.33439:  [no cksum] udp 12 (ttl 5, id 34209)
13:49:10.253345 192.168.164.5.34204 > 194.87.0.50.33440:  [no cksum] udp 12 (ttl 6, id 34210)
13:49:15.263855 192.168.164.5.34204 > 194.87.0.50.33441:  [no cksum] udp 12 (ttl 7, id 34211)
13:49:20.274204 192.168.164.5.34204 > 194.87.0.50.33442:  [no cksum] udp 12 (ttl 8, id 34212)
13:49:25.284556 192.168.164.5.34204 > 194.87.0.50.33443:  [no cksum] udp 12 (ttl 9, id 34213)
13:49:30.294960 192.168.164.5.34204 > 194.87.0.50.33444:  [no cksum] udp 12 (ttl 10, id 34214)
13:49:35.305368 192.168.164.5.34204 > 194.87.0.50.33445:  [no cksum] udp 12 (ttl 11, id 34215)

tcpdump: listening on fxp1
13:48:50.213678 212.188.36.2.16462 > 194.87.0.50.33436:  [no cksum] udp 12 [ttl 1] (id 34206)
13:48:50.214326 212.188.36.1 > 212.188.36.2: icmp: time exceeded in-transit [tos 0xc0] (ttl 255, id 61891)
13:48:55.222174 212.188.36.2.16463 > 194.87.0.50.33437:  [no cksum] udp 12 (ttl 2, id 34207)
13:48:55.227157 212.188.43.97 > 212.188.36.2: icmp: time exceeded in-transit [tos 0xc0] (ttl 254, id 29540)
13:49:00.232586 212.188.36.2.16464 > 194.87.0.50.33438:  [no cksum] udp 12 (ttl 3, id 34208)
13:49:00.237924 195.34.52.66 > 212.188.36.2: icmp: time exceeded in-transit [tos 0xc0] (ttl 253, id 51778)
13:49:05.242970 212.188.36.2.16465 > 194.87.0.50.33439:  [no cksum] udp 12 (ttl 4, id 34209)
13:49:05.249307 212.30.177.106 > 212.188.36.2: icmp: time exceeded in-transit [tos 0xc0] (ttl 252, id 44346)
13:49:10.253403 212.188.36.2.16466 > 194.87.0.50.33440:  [no cksum] udp 12 (ttl 5, id 34210)
13:49:10.261012 193.232.244.35 > 212.188.36.2: icmp: time exceeded in-transit [tos 0xc0] (ttl 251, id 64887)
13:49:15.263895 212.188.36.2.16467 > 194.87.0.50.33441:  [no cksum] udp 12 (ttl 6, id 34211)
13:49:15.272142 194.87.0.86 > 212.188.36.2: icmp: time exceeded in-transit [tos 0xc0] (ttl 250, id 15343)
13:49:20.274247 212.188.36.2.16468 > 194.87.0.50.33442:  [no cksum] udp 12 (ttl 7, id 34212)
13:49:20.281983 194.87.0.50 > 212.188.36.2: icmp: 194.87.0.50 udp port 33442 unreachable (DF) (ttl 249, id 60603)
13:49:25.284599 212.188.36.2.16469 > 194.87.0.50.33443:  [no cksum] udp 12 (ttl 8, id 34213)
13:49:25.292199 194.87.0.50 > 212.188.36.2: icmp: 194.87.0.50 udp port 33443 unreachable (DF) (ttl 249, id 60604)
13:49:30.295006 212.188.36.2.16470 > 194.87.0.50.33444:  [no cksum] udp 12 (ttl 9, id 34214)
13:49:30.302254 194.87.0.50 > 212.188.36.2: icmp: 194.87.0.50 udp port 33444 unreachable (DF) (ttl 249, id 60605)
13:49:35.305427 212.188.36.2.16471 > 194.87.0.50.33445:  [no cksum] udp 12 (ttl 10, id 34215)
13:49:35.312344 194.87.0.50 > 212.188.36.2: icmp: 194.87.0.50 udp port 33445 unreachable (DF) (ttl 249, id 60606)


Conclusion

The gateway with IPfilter does not pass ICMP messages
("time exceeded" and "port unreachable") from the Internet to inside.
It may also be that this gateway does not pass other ICMP messages
("parameter problem", "source quench", "destination unreachable") either.
Note: ping works fine.
I think that there are bugs in ipnat. Any comments?

--
Alexei Malinin,
System Administrator of
Siberian Aluminium Group
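An added example, not part of the original message and not ipnat's code, illustrating the mechanism behind the symptom reported above. The fxp1 dump shows the probe from 192.168.164.5:34204 leaving as 212.188.36.2:16462 -> 194.87.0.50:33436 and the router 212.188.36.1 answering with "time exceeded" addressed to 212.188.36.2. Nothing in the ICMP header itself identifies the inside host; the only clue is the quoted copy of the original IP/UDP header that ICMP error messages carry (RFC 792). A NAT therefore has to parse that quoted header, look the embedded outside address and port up in its session table, and rewrite both the quoted header and the outer destination (RFC 3022 describes this). If that step fails the error is dropped, which is exactly what the fxp0 dump shows. Echo replies carry no quoted datagram and take a different path, so "ping works fine" is consistent with the same failure. The session table is constructed from the first probe in the post; the packet bytes are constructed here because the tcpdump lines do not show the quoted inner header. The code generalises to all four ICMP error types named in the conclusion.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class NatSession:
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    remote_ip: str
    remote_port: int

# Constructed from the post's first probe: 192.168.164.5:34204 -> 212.188.36.2:16462 -> 194.87.0.50:33436
SESSIONS = [NatSession("192.168.164.5", 34204, "212.188.36.2", 16462,
                       "194.87.0.50", 33436)]
# ICMP types that quote the offending datagram (RFC 792): dest unreach, source quench, time exceeded, param problem
ICMP_ERROR_TYPES = {3, 4, 11, 12}

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid header or message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def set16(buf: bytes, off: int, value: int) -> bytes:
    return buf[:off] + struct.pack("!H", value) + buf[off + 2:]

def ip2b(ip: str) -> bytes: return bytes(int(o) for o in ip.split("."))
def b2ip(b: bytes) -> str: return ".".join(str(x) for x in b)

def build_ipv4(src, dst, proto, payload, ttl=64, ident=0) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, ip2b(src), ip2b(dst))
    return set16(hdr, 10, checksum(hdr)) + payload

def build_udp(sport, dport, payload) -> bytes:
    # Checksum 0 means "none", matching "[no cksum]" in the post's dumps.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_icmp_error(icmp_type, code, original: bytes) -> bytes:
    # type, code, checksum, 4 unused bytes, then the original IP header
    # plus the first 8 bytes of its payload (which hold the L4 ports).
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + original[:28]
    return set16(body, 2, checksum(body))

def untranslate_icmp_error(pkt: bytes, sessions):
    """Return the error as it must reach the inside host, or None if it
    is not an ICMP error or its quoted header matches no session."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or pkt[ihl] not in ICMP_ERROR_TYPES:
        return None
    icmp, quoted = pkt[ihl:], pkt[ihl + 8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] not in (6, 17):          # only TCP/UDP sessions are mapped here
        return None
    q_sport, q_dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    key = (b2ip(quoted[12:16]), q_sport, b2ip(quoted[16:20]), q_dport)
    match = next((s for s in sessions if key == (s.outside_ip, s.outside_port,
                                                 s.remote_ip, s.remote_port)), None)
    if match is None:
        return None
    # 1. Quoted header: the outside address/port become the inside ones again.
    new_q = set16(quoted[:12] + ip2b(match.inside_ip) + quoted[16:], 10, 0)
    new_q = set16(new_q, 10, checksum(new_q[:q_ihl]))
    new_q = set16(new_q, q_ihl, match.inside_port)
    # A non-zero quoted UDP checksum would need adjusting too; these probes carry none.
    # 2. The ICMP checksum covers the rewritten quote.
    new_icmp = set16(icmp[:8] + new_q, 2, 0)
    new_icmp = set16(new_icmp, 2, checksum(new_icmp))
    # 3. Outer header: re-address to the inside host and fix its checksum.
    outer = set16(pkt[:16] + ip2b(match.inside_ip) + pkt[20:ihl], 10, 0)
    outer = set16(outer, 10, checksum(outer))
    return outer + new_icmp

def demo():
    """Rebuild the fxp1 'time exceeded' from 212.188.36.1 (quoting the ttl-1 probe) and translate it."""
    probe = build_ipv4("212.188.36.2", "194.87.0.50", 17,
                       build_udp(16462, 33436, b"\x00" * 12), ttl=1, ident=34206)
    error = build_ipv4("212.188.36.1", "212.188.36.2", 1,
                       build_icmp_error(11, 0, probe), ttl=255, ident=61891)
    inside = untranslate_icmp_error(error, SESSIONS)
    if inside is None:
        return None
    ihl = (inside[0] & 0x0F) * 4
    quoted = inside[ihl + 8:]
    return {"outer_dst": b2ip(inside[16:20]),
            "quoted_src": b2ip(quoted[12:16]),
            "quoted_sport": struct.unpack("!H", quoted[20:22])[0],
            "outer_csum_ok": checksum(inside[:ihl]) == 0,
            "icmp_csum_ok": checksum(inside[ihl:]) == 0,
            "quoted_ip_csum_ok": checksum(quoted[:20]) == 0}

if __name__ == "__main__":
    print(demo())
```

Running the script prints the translated packet's outer destination (192.168.164.5), the restored quoted source address and port (192.168.164.5:34204) and three checksum validity flags. Feeding it an error that quotes an unknown flow, or an echo reply, returns None: the first is the case a session-table lookup must reject, the second is the path that keeps working when error translation is broken.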