Bug #193

NAT reflection duplicate entries

Added by Chris Buechler over 10 years ago. Updated over 10 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
Start date:
11/29/2009
Due date:
% Done:

100%

Estimated time:
Affected Version:
All
Affected Architecture:

Description

(confirmed in 2.0 and moved from cvstrac)

Hi, the problem is with automatic NAT reflection.

Every time you add a NAT rule, the NAT reflection rule in inetd.conf is created N times, where N is the number of interfaces assigned.

This is an example of inetd.conf with two rules for an HTTP and HTTPS webserver on a machine with six interfaces:

19001 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19003 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19004 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19005 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19006 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 80
19007 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19008 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19009 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19010 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19011 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443
19012 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.0.2 443

The system adds the same line to inetd.conf once for each interface that you have configured.

I have six interfaces, so I get six lines with the same content; on another test machine with two interfaces I get two lines with the same content.

Associated revisions

Revision b93a3dd5 (diff)
Added by Scott Ullrich over 10 years ago

Do not allow duplicate netcat reflection entries. Resolves #193

Revision 01fa26e8 (diff)
Added by Ermal Luçi over 10 years ago

Ticket #193. Reduce number of lines created for reflection in inetd and lines of rdr created on ruleset. Hints-from: Erik Fonnesbeck

History

#1 Updated by Scott Ullrich over 10 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Erik Fonnesbeck over 10 years ago

After some of the restructuring of NAT reflection and subsequent fixes, this has regressed and it currently does this again.

The attached patch builds a list of the interfaces to put on a single rdr rule instead of making multiple entries and only adds the lines to inetd.conf once instead of duplicating for each interface.

Note: the patch may look messier here than it really is. Excluding whitespace changes because of reducing the indent level, there are really very few changed lines.
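The duplication shown in the description and the single-rdr-per-rule shape described in comment #2, modelled as an added Python example (not pfSense's own generator, which is PHP, and not the attached patch). The `NatRule` type, the `em0`..`em5` interface names, the base port of 19000 and the simplified `rdr` syntax are assumptions; the inetd.conf entry format and the two rules are the ones from the report. The `duplicate_listeners` check is the test a practitioner would run over a deployed inetd.conf to see whether a given target has more netcat listeners than it should:

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NatRule:
    """A port forward: external_port on the firewall -> target_ip:target_port (assumed shape)."""
    external_port: int
    target_ip: str
    target_port: int


# Constructed sample data: six interfaces as in the report, and an assumed
# base port for the netcat reflection listeners (the report shows 19001 upward).
INTERFACES = ["em0", "em1", "em2", "em3", "em4", "em5"]
REFLECTION_BASE_PORT = 19000

# The two rules from the report: HTTP and HTTPS to 192.168.0.2.
RULES = [NatRule(80, "192.168.0.2", 80), NatRule(443, "192.168.0.2", 443)]


def inetd_line(listen_port: int, rule: NatRule) -> str:
    """inetd.conf entry in the exact form shown in the report."""
    return (f"{listen_port} stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 "
            f"{rule.target_ip} {rule.target_port}")


def generate_buggy(rules: List[NatRule], interfaces: List[str]) -> Tuple[List[str], List[str]]:
    """Reported behaviour: one rdr and one inetd entry per (rule, interface) pair,
    so every rule yields len(interfaces) listeners for the same target."""
    rdr, inetd = [], []
    port = REFLECTION_BASE_PORT
    for rule in rules:
        for iface in interfaces:
            port += 1
            rdr.append(f"rdr on {iface} proto tcp from any to any port "
                       f"{rule.external_port} -> 127.0.0.1 port {port}")
            inetd.append(inetd_line(port, rule))
    return rdr, inetd


def generate_fixed(rules: List[NatRule], interfaces: List[str]) -> Tuple[List[str], List[str]]:
    """Shape described in comment #2: one rdr carrying the whole interface list
    and one inetd entry per rule (simplified pf syntax, assumed here)."""
    rdr, inetd = [], []
    port = REFLECTION_BASE_PORT
    iface_list = "{ " + ", ".join(interfaces) + " }"
    for rule in rules:
        port += 1
        rdr.append(f"rdr on {iface_list} proto tcp from any to any port "
                   f"{rule.external_port} -> 127.0.0.1 port {port}")
        inetd.append(inetd_line(port, rule))
    return rdr, inetd


def duplicate_listeners(inetd_conf: str) -> Dict[str, int]:
    """Check for an existing inetd.conf: group entries by everything after the
    listen port (service, user, program and its arguments) and report targets
    that have more than one listener. Blank lines and comments are ignored."""
    counts: Counter = Counter()
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _port, _, rest = line.partition(" ")
        counts[rest] += 1
    return {target: n for target, n in counts.items() if n > 1}


if __name__ == "__main__":
    _, buggy = generate_buggy(RULES, INTERFACES)
    _, fixed = generate_fixed(RULES, INTERFACES)
    buggy_conf = "\n".join(buggy)
    fixed_conf = "\n".join(fixed)
    print(f"buggy generator: {len(buggy)} inetd lines, "
          f"duplicates per target: {duplicate_listeners(buggy_conf)}")
    print(f"fixed generator: {len(fixed)} inetd lines, "
          f"duplicates: {duplicate_listeners(fixed_conf)}")
```

Run it directly to see the twelve-line output that matches the report reproduced by `generate_buggy` and the two-line output of `generate_fixed`. Every surplus entry in the buggy form is an extra listening socket and an extra nc process with nothing to do, so the check is worth keeping around as a regression test for the generator, which is exactly the kind of regression comment #2 reports.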

#3 Updated by Chris Buechler over 10 years ago

  • Status changed from Resolved to New
  • Priority changed from Low to Normal

#4 Updated by Ermal Luçi over 10 years ago

  • Status changed from New to Feedback

Committed fix based on yours.
Thanks.

#5 Updated by Chris Buechler over 10 years ago

  • Status changed from Feedback to Resolved

fixed