From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 201590] Zerowindow packets escape stateful in-kernel NAT
Date: Wed, 15 Jul 2015 15:49:34 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201590

            Bug ID: 201590
           Summary: Zerowindow packets escape stateful in-kernel NAT
           Product: Base System
           Version: 10.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: g_amanakis@yahoo.com
                CC: dleg@free.fr, glebius@FreeBSD.org, melifaro@FreeBSD.org

According to the example of the handbook regarding NAT
(https://www.freebsd.org/doc/handbook/firewalls-ipfw.html), the inbound NAT
rule should be placed first (below 0400) followed by the outbound NAT rule
(below 24000):

-------8<--------
ipfw nat 123 config ip xxx.xxx.xxx.xxx same_ports reset
00100 reass ip from any to any in
00200 allow ip from any to any via lo0
00300 allow ip from any to any via em1
00400 nat 123 ip from any to any in recv em0
00500 check-state
00600 skipto 24000 ip from any to me dst-port 80,443,22,500,4500,1194,993,8112 in recv em0 keep-state
00700 skipto 24000 ip from any to any out xmit em0 keep-state
00800 deny log ip from any to any
24000 nat 123 ip from any to any out xmit em0
24100 allow ip from any to any
-------8<--------

However, this allows some packets (TCP Zerowindow packets) to escape NAT
(why?), and IPs on the LAN (behind NAT) are exposed on the external interface
(where NAT is performed). When one places the NAT rules in the opposite order
(i.e. outbound rule first and then the inbound rule) the problem disappears.
-------8<--------
ipfw nat 123 config ip xxx.xxx.xxx.xxx same_ports reset
00100 reass ip from any to any in
00200 allow ip from any to any via lo0
00300 allow ip from any to any via em1
00400 nat 123 ip from any to any out xmit em0
00500 check-state
00600 skipto 24000 ip from any to me dst-port 80,443,22,500,4500,1194,993,8112 in recv em0 keep-state
00700 skipto 24000 ip from any to any out xmit em0 keep-state
00800 deny log ip from any to any
24000 nat 123 ip from any to any in recv em0
24100 allow ip from any to any
-------8<--------

The bug consists of unexpected behaviour, i.e. the TCP Zerowindow packets
should not escape NAT in the first case.

See https://forums.freebsd.org/threads/ipfw-keep-state-and-in-kernel-nat-exposes-local-ip-on-external-interface.52134/
See https://forums.freebsd.org/threads/some-ip-frames-not-nated-with-ipfw-natd.51015/

-- 
You are receiving this mail because:
You are the assignee for the bug.
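A practical way to confirm whether a ruleset like the first one above is leaking LAN addresses is to capture on the external interface and flag any packet whose source is still a private address. The script below is an added example and not part of the bug report or of ipfw; it parses constructed `tcpdump -ni em0` style lines and assumes the LAN behind NAT uses RFC 1918 addressing (the report does not say which range is used).

```python
import ipaddress
import re

# Constructed sample of `tcpdump -ni em0` output on the external interface
# (not a capture from the report). Two packets still carry a LAN source
# address, one of them with win 0, i.e. a TCP zero-window packet.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.43512 > 198.51.100.7.443: Flags [.], ack 1, win 1024, length 0
12:00:01.000002 IP 192.168.1.23.43512 > 198.51.100.7.443: Flags [.], ack 1, win 0, length 0
12:00:01.000003 IP 192.168.1.23.43513 > 198.51.100.8.80: Flags [S], seq 0, win 65535, length 0
12:00:01.000004 IP 198.51.100.7.443 > 203.0.113.10.43512: Flags [P.], seq 1:11, ack 1, win 512, length 10
"""

# Assumption: the LAN behind NAT uses RFC 1918 space. Checked explicitly rather
# than via ipaddress.is_private, which also flags the documentation ranges
# used for the public addresses in the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the IPv4/TCP summary line tcpdump prints with -n: timestamp, src.port,
# dst.port, the TCP flags and (later on the line) the advertised window.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: "
    r"Flags \[(?P<flags>[^\]]*)\].*?\bwin (?P<win>\d+)"
)

def find_nat_leaks(capture_text):
    """Return (src, dst, flags, win) for every TCP packet whose source is an
    RFC 1918 address. Seen on the external interface, such a packet was not
    translated, which is exactly the exposure the report describes."""
    leaks = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or non-IPv4 lines are not parsed here
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in RFC1918):
            leaks.append((m["src"], m["dst"], m["flags"], int(m["win"])))
    return leaks

def zero_window_leaks(capture_text):
    """Subset of the leaks that are zero-window packets (win 0)."""
    return [pkt for pkt in find_nat_leaks(capture_text) if pkt[3] == 0]

if __name__ == "__main__":
    for src, dst, flags, win in find_nat_leaks(SAMPLE_CAPTURE):
        print(f"un-NATed packet {src} > {dst} flags [{flags}] win {win}")
```

Feed it a real capture with `tcpdump -ni em0 tcp | python3 script.py` style piping (reading stdin instead of SAMPLE_CAPTURE); any hit means the ruleset, not the remote peer, is the problem.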