[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bug in ipnat?

IPFilter-3.4.17 is the latest version and is supposed to not have this bug. 
 OpenBSD-2.9 ships with v. 3.4.16 with patches which are supposed to fix 
the bug.  Either downgrade to 2.7, upgrade to 2.9 or try to patch with 
3.4.17 (and I have no idea whether that will succeed or not).


On Friday 04 May 2001 05:44 am, mag@tech.sibal.ru wrote:
> Hi, hackers.
>
> I have one problem with IPfilter.
> Probably there are bugs in ipnat.
>
>
> Description
>
>
> My Internet connection
>
>            212.188.36.2 (fxp1)
>            +-----------------------+
> Internet---| gateway with IPfilter |
>            +-----------------------+
>
>                        | 192.168.164.5 (fxp0)
>                        | 192.168.164.6
>
>            +-----------------------+
>
>            | Host inside           |
>
>            +-----------------------+
>
>
> Configuration of the gateway with IPfilter
>
> # ipnat -l
> List of active MAP/Redirect filters:
> map fxp1 192.168.0.0/16  -> 0.0.0.0/32  proxy port ftp ftp/tcp
> map fxp1 172.16.0.0/12  -> 0.0.0.0/32  proxy port ftp ftp/tcp
> map fxp1 10.0.0.0/8  -> 0.0.0.0/32  proxy port ftp ftp/tcp
> map fxp1 192.168.0.0/16  -> 0.0.0.0/32  portmap tcp/udp 16384:32767
> map fxp1 192.168.0.0/16  -> 0.0.0.0/32
> map fxp1 172.16.0.0/12  -> 0.0.0.0/32  portmap tcp/udp 16384:32767
> map fxp1 172.16.0.0/12  -> 0.0.0.0/32
> map fxp1 10.0.0.0/8  -> 0.0.0.0/32  portmap tcp/udp 16384:32767
> map fxp1 10.0.0.0/8  -> 0.0.0.0/32
>
> List of active sessions:
> ...
>
>
> # ipfstat -io
> pass out from any to any
> pass in from any to any
>
>
> # ipf -V
> ipf: IP Filter: v3.3.18 (184)
> Kernel: IP Filter: v3.3.18
> Running: yes
> Log Flags: 0 = none set
> Default: block all, Logging: available
> Active list: 0
>
>
> # OS
> OpenBSD-2.8 i386 with all patches up to April 23 2001 applied.
>
>
> # ifconfig -A
> lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
>         inet 127.0.0.1 netmask 0xff000000
> lo1: flags=8008<LOOPBACK,MULTICAST> mtu 32972
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 192.168.164.6 netmask 0xfffffffc broadcast 192.168.164.7
> fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 212.188.36.2 netmask 0xffffffe0 broadcast 212.188.36.31
>
>
> # netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Refs     Use    Mtu 
> Interface default            212.188.36.1       UGS         2    19314  
> 1500  fxp1 10/8               192.168.164.5      UGS         0        0  
> 1500  fxp0 127/8              127.0.0.1          UGRS        0        0 
> 32972  lo0 127.0.0.1          127.0.0.1          UH          2       42 
> 32972  lo0 172.16/12          192.168.164.5      UGS         0        0  
> 1500  fxp0 192.168/16         192.168.164.5      UGS         2    36655  
> 1500  fxp0 192.168.164.4/30   link#1             UC          0        0  
> 1500  fxp0 192.168.164.5      0:4:ac:58:56:1     UHL         3       97  
> 1500  fxp0 192.168.164.6      127.0.0.1          UGHS        0        0 
> 32972  lo0 212.188.36.0/27    link#2             UC          0        0  
> 1500  fxp1 212.188.36.1       0:2:16:64:70:3f    UHL         1       68  
> 1500  fxp1 224/4              127.0.0.1          URS         0        0 
> 32972  lo0
>
> Encap:
> Source             Port  Destination        Port  Proto
> SA(Address/Proto/Type/Direction)
>
>
> Problem on the Host inside
>
> # traceroute -n -q 1 www.ru
> traceroute to www.ru (194.87.0.50), 30 hops max, 40 byte packets
>  1  192.168.164.6  0.180 ms
>  2  *
>  3  *
>  4  *
>  5  *
>  6  *
>  7  *
>  8  *
>  9  *
> 10  *
> 11  *
>
>
> Packet dumps on the network interfaces of the gateway with IPfilter
>
> tcpdump: listening on fxp0
> 13:48:50.212769 192.168.164.5.34204 > 194.87.0.50.33435:  [no cksum] udp
> 12 [ttl 1] (id 34205) 13:48:50.212928 192.168.164.6 > 192.168.164.5:
> icmp: time exceeded in-transit (ttl 255, id 45396) 13:48:50.213648
> 192.168.164.5.34204 > 194.87.0.50.33436:  [no cksum] udp 12 (ttl 2, id
> 34206) 13:48:55.222130 192.168.164.5.34204 > 194.87.0.50.33437:  [no
> cksum] udp 12 (ttl 3, id 34207) 13:49:00.232539 192.168.164.5.34204 >
> 194.87.0.50.33438:  [no cksum] udp 12 (ttl 4, id 34208) 13:49:05.242933
> 192.168.164.5.34204 > 194.87.0.50.33439:  [no cksum] udp 12 (ttl 5, id
> 34209) 13:49:10.253345 192.168.164.5.34204 > 194.87.0.50.33440:  [no
> cksum] udp 12 (ttl 6, id 34210) 13:49:15.263855 192.168.164.5.34204 >
> 194.87.0.50.33441:  [no cksum] udp 12 (ttl 7, id 34211) 13:49:20.274204
> 192.168.164.5.34204 > 194.87.0.50.33442:  [no cksum] udp 12 (ttl 8, id
> 34212) 13:49:25.284556 192.168.164.5.34204 > 194.87.0.50.33443:  [no
> cksum] udp 12 (ttl 9, id 34213) 13:49:30.294960 192.168.164.5.34204 >
> 194.87.0.50.33444:  [no cksum] udp 12 (ttl 10, id 34214) 13:49:35.305368
> 192.168.164.5.34204 > 194.87.0.50.33445:  [no cksum] udp 12 (ttl 11, id
> 34215)
>
> tcpdump: listening on fxp1
> 13:48:50.213678 212.188.36.2.16462 > 194.87.0.50.33436:  [no cksum] udp
> 12 [ttl 1] (id 34206) 13:48:50.214326 212.188.36.1 > 212.188.36.2: icmp:
> time exceeded in-transit [tos 0xc0] (ttl 255, id 61891) 13:48:55.222174
> 212.188.36.2.16463 > 194.87.0.50.33437:  [no cksum] udp 12 (ttl 2, id
> 34207) 13:48:55.227157 212.188.43.97 > 212.188.36.2: icmp: time exceeded
> in-transit [tos 0xc0] (ttl 254, id 29540) 13:49:00.232586
> 212.188.36.2.16464 > 194.87.0.50.33438:  [no cksum] udp 12 (ttl 3, id
> 34208) 13:49:00.237924 195.34.52.66 > 212.188.36.2: icmp: time exceeded
> in-transit [tos 0xc0] (ttl 253, id 51778) 13:49:05.242970
> 212.188.36.2.16465 > 194.87.0.50.33439:  [no cksum] udp 12 (ttl 4, id
> 34209) 13:49:05.249307 212.30.177.106 > 212.188.36.2: icmp: time exceeded
> in-transit [tos 0xc0] (ttl 252, id 44346) 13:49:10.253403
> 212.188.36.2.16466 > 194.87.0.50.33440:  [no cksum] udp 12 (ttl 5, id
> 34210) 13:49:10.261012 193.232.244.35 > 212.188.36.2: icmp: time exceeded
> in-transit [tos 0xc0] (ttl 251, id 64887) 13:49:15.263895
> 212.188.36.2.16467 > 194.87.0.50.33441:  [no cksum] udp 12 (ttl 6, id
> 34211) 13:49:15.272142 194.87.0.86 > 212.188.36.2: icmp: time exceeded
> in-transit [tos 0xc0] (ttl 250, id 15343) 13:49:20.274247
> 212.188.36.2.16468 > 194.87.0.50.33442:  [no cksum] udp 12 (ttl 7, id
> 34212) 13:49:20.281983 194.87.0.50 > 212.188.36.2: icmp: 194.87.0.50 udp
> port 33442 unreachable (DF) (ttl 249, id 60603) 13:49:25.284599
> 212.188.36.2.16469 > 194.87.0.50.33443:  [no cksum] udp 12 (ttl 8, id
> 34213) 13:49:25.292199 194.87.0.50 > 212.188.36.2: icmp: 194.87.0.50 udp
> port 33443 unreachable (DF) (ttl 249, id 60604) 13:49:30.295006
> 212.188.36.2.16470 > 194.87.0.50.33444:  [no cksum] udp 12 (ttl 9, id
> 34214) 13:49:30.302254 194.87.0.50 > 212.188.36.2: icmp: 194.87.0.50 udp
> port 33444 unreachable (DF) (ttl 249, id 60605) 13:49:35.305427
> 212.188.36.2.16471 > 194.87.0.50.33445:  [no cksum] udp 12 (ttl 10, id
> 34215) 13:49:35.312344 194.87.0.50 > 212.188.36.2: icmp: 194.87.0.50 udp
> port 33445 unreachable (DF) (ttl 249, id 60606)
>
>
> Conclusion
>
> The gateway with IPfilter does not pass ICMP messages
> ("time exceeded" and "port unreachable") from the Internet to inside.
> Also maybe that this gateway does not pass other ICMP messages
> ("parameter problem", "source quench", "destination unreacheable") too.
> Note: ping works fine.
> I think that there are bugs in ipnat. Any comments?
>
> --
> Alexei Malinin,
> System Administrator of
> Siberian Aluminium Group