Bug #99
closed
Reflection is broken in 2.0
Added by Scott Ullrich about 15 years ago.
Updated almost 15 years ago.
Description
This is closer than it was, but it still doesn't work. The port in inetd.conf and the one in the rdr don't match. The rdr starts at port 19000 just as 1.2.x does, but inetd.conf adds the actual external port. In this case, it's a port forward on WAN IP 10.0.64.28 port 88, forwarding to internal 192.168.1.199 port 80.
rdr on { em1 } proto tcp from any to 10.0.64.28 port 88 tag PFREFLECT -> 127.0.0.1 port 19000
88 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.199 80
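An added example, not code from the pfSense project: a small Python checker that parses the PFREFLECT rdr rules and the generated inetd.conf lines and reports any rdr target port with no matching inetd listener, which is exactly the mismatch this report describes (rdr sends reflected traffic to 127.0.0.1:19000 while inetd listens on the external port 88). The sample rule and inetd line are the ones quoted above; the regexes assume the one-line formats shown there.

```python
import re

# Constructed sample input, copied from the report: the rdr target port
# (19000) and the inetd.conf listening port (88) do not agree.
PF_RULES = """
rdr on { em1 } proto tcp from any to 10.0.64.28 port 88 tag PFREFLECT -> 127.0.0.1 port 19000
"""
INETD_CONF = """
88 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.1.199 80
"""

# Matches a reflection rdr: external ip/port, tag, and the local target port.
RDR_RE = re.compile(
    r"rdr\s+.*?proto\s+tcp\s+from\s+\S+\s+to\s+(?P<ext_ip>\S+)\s+port\s+(?P<ext_port>\d+)"
    r"\s+tag\s+PFREFLECT\s+->\s+127\.0\.0\.1\s+port\s+(?P<local_port>\d+)"
)
# Matches the generated inetd.conf line: listening port plus nc's destination.
INETD_RE = re.compile(
    r"^(?P<port>\d+)\s+stream\s+tcp\s+\S+\s+\S+\s+\S+\s+nc\s+-w\s+\d+"
    r"\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\d+)\s*$"
)


def parse_rdr(text):
    """Return one dict per PFREFLECT rdr rule found in the pf ruleset text."""
    return [m.groupdict() for m in (RDR_RE.search(l) for l in text.splitlines()) if m]


def parse_inetd(text):
    """Map each inetd listening port to the (ip, port) that nc forwards to."""
    return {int(m.group("port")): (m.group("dst_ip"), int(m.group("dst_port")))
            for m in (INETD_RE.match(l.strip()) for l in text.splitlines()) if m}


def check_reflection(pf_text, inetd_text):
    """List every rdr target port lacking an inetd listener, and vice versa."""
    rules = parse_rdr(pf_text)
    listeners = parse_inetd(inetd_text)
    problems = []
    for r in rules:
        local = int(r["local_port"])
        if local not in listeners:
            problems.append(f"rdr {r['ext_ip']}:{r['ext_port']} -> 127.0.0.1:{local} "
                            f"has no inetd listener on port {local}")
    for port in listeners:
        if not any(int(r["local_port"]) == port for r in rules):
            problems.append(f"inetd listener on port {port} has no rdr rule pointing at it")
    return problems
```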
- Status changed from New to Feedback
Scott Ullrich wrote:
Surfing into a website results in:
nc [-46DEdhklnrStUuvz] [-e policy] [-i interval] [-P proxy_username] [-p source_port]
Basically no traffic can pass on the firewall.
I made sure the pf rdr rule actually contains the external address as intended in the filter code.
Seems the NAT filter-generation code didn't include this port-forward piece of code.
FTP from behind a 2.0 to a public FTP server works again for me.
Please test
I have done some commits which should fix this.
It even enhanced the rdr rules to specify ranges instead of creating an infinite number of them.
- Subject changed from Reflection is badly broken in 2.0 to Reflection is broken in 2.0
- Category changed from Operating System to Rules / NAT
- Status changed from Feedback to New
Closer, still broken. Updated ticket with current status.
- Status changed from New to Feedback
- Status changed from Feedback to Resolved