Bug #99

Reflection is broken in 2.0

Added by Scott Ullrich almost 10 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules/NAT
Target version:
Start date: 09/23/2009
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

This is closer than it was, but it still doesn't work. The port in inetd.conf and the one in the rdr don't match. The rdr starts at port 19000 just as 1.2.x does, but inetd.conf adds the actual external port. In this case, it's a port forward on WAN IP 10.0.64.28 port 88, forwarding to internal 192.168.1.199 port 80.

rdr on { em1 } proto tcp from any to 10.0.64.28 port 88 tag PFREFLECT -> 127.0.0.1 port 19000

88 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.199 80
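
The mismatch described above can be checked mechanically. The following is an added example, not code from the ticket or from the project: it parses the reflection rdr rule and the inetd.conf line quoted above and reports any rdr whose loopback port has no inetd listener. The function names and the corrected inetd line are assumptions for illustration; only single-port rules are handled.

```python
import re

# Constructed sample input: the two lines quoted in the ticket.
PF_RULES = "rdr on { em1 } proto tcp from any to 10.0.64.28 port 88 tag PFREFLECT -> 127.0.0.1 port 19000\n"
INETD_BROKEN = "88 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.199 80\n"
# Assumed corrected form: the listener sits on the port the rdr points at.
INETD_FIXED = "19000 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.199 80\n"

RDR_RE = re.compile(
    r"^rdr\s.*\bto\s+(\S+)\s+port\s+(\d+)\s+tag\s+PFREFLECT\s+->\s+127\.0\.0\.1\s+port\s+(\d+)\s*$"
)


def reflect_rdrs(pf_text):
    """Return (external_ip, external_port, loopback_port) for each reflection rdr."""
    found = []
    for line in pf_text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def inetd_listeners(inetd_text):
    """Map numeric inetd listen port -> (target_ip, target_port) for nc relays."""
    listeners = {}
    for line in inetd_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or not fields[0].isdigit():
            continue
        # fields: port socktype proto wait user program argv0 args... ip port
        if len(fields) >= 9 and fields[5].endswith("/nc") and fields[-1].isdigit():
            listeners[int(fields[0])] = (fields[-2], int(fields[-1]))
    return listeners


def mismatches(pf_text, inetd_text):
    """List rdr rules whose loopback port has no inetd listener behind it."""
    listeners = inetd_listeners(inetd_text)
    return [r for r in reflect_rdrs(pf_text) if r[2] not in listeners]


if __name__ == "__main__":
    for ip, port, lo in mismatches(PF_RULES, INETD_BROKEN):
        print(f"{ip}:{port} redirects to 127.0.0.1:{lo}, but inetd has no listener there")
```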

Associated revisions

Revision 01cf3e74 (diff)
Added by Ermal Luçi over 9 years ago

Ticket #99. More fixes to reflection.

Revision 08ef3d78 (diff)
Added by Ermal Luçi over 9 years ago

Ticket #99. Increment the port number for the other instances to come.

History

#1 Updated by Seth Mos almost 10 years ago

  • Status changed from New to Feedback

Scott Ullrich wrote:

Surfing into a website results in:

nc [-46DEdhklnrStUuvz] [-e policy] [-i interval] [-P proxy_username] [-p source_port]

Basically no traffic can pass on the firewall.

I made sure the pf rdr rule actually contains the external address as intended in the filter code.
Seems the nat filter generate code didn't include this port forward piece of code.

FTP from behind a 2.0 to a public FTP server works again for me.

Please test

#2 Updated by Ermal Luçi over 9 years ago

I have done some commits which should fix this.

It even enhanced the rdr rules to specify ranges instead of creating an infinite number of them.

#3 Updated by Chris Buechler over 9 years ago

  • Subject changed from Reflection is badly broken in 2.0 to Reflection is broken in 2.0
  • Category changed from Operating System to Rules/NAT
  • Status changed from Feedback to New

closer, still broken. Updated ticket with current status

#4 Updated by Ermal Luçi over 9 years ago

  • Status changed from New to Feedback

Another fix committed.

#5 Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to Resolved

fixed
