Project

General

Profile

Actions

Bug #4269

closed

Modifying port forwarding rule to invalid IP kill the firewall until reboot

Added by Eric Hoffman almost 10 years ago. Updated over 9 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
01/23/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

First, this is using invalid actions, so this is not so critical, but doing so will result in denial of service.

--SETUP--
I start with 3 interfaces + 1 VPN interface.
WAN -> em0 -> 192.168.10.66/24
LAN -> le1 -> 192.168.1.1/24
MGMT -> le0 -> 192.168.20.66/24
VPN -> ovpnc1 -> <VPN interface IP>

So, basic setup with traffic from LAN is NATted to VPN. Everything working fine as initial condition.

--PROBLEM--
If I create a port forwarding rule (So VPN traffic on port 1234 get forwarded), but I select an invalid (user make a mistake) IP address to forward to, and set for example destination as 192.168.0.123 (mistakenly typed instead of 192.168.1.123), and apply, then the rules somehow get trashed and the firewall no longer respond.

Sometime this happen after deleting the above NAT rule.

For example, with initial setup, add port forward rule:
- Interface: VPN
- Destination: VPN address
- Dest port: 1234~1234
- Redirect target IP: 192.168.0.123
- Redirect target port: 1234
- Description: ...
- Filter rule association: Add associated filter rule
- Save, Apply.

If the firewall is still accessible, delete the NAT rule you created.

When the issue occurs, all traffic on the firewall is blocked. Only the console is available. If you disable packet filtering (pfctl -d), the the firewall is reachable, but as soon as filtering is re-enabled, traffic stop. This condition persist until reboot.

Actions

Also available in: Atom PDF