Date: Thu, 4 May 2017 15:02:07 -0500
From: Karl Denninger <karl@denninger.net>
To: freebsd-ipfw@freebsd.org
Subject: Re: Question that has dogged me for a while.
Message-ID: <2d59cd7e-2064-5304-9c6d-1fc205c48feb@denninger.net>
In-Reply-To: <201705041944.v44JibiT005860@pdx.rh.CN85.dnsmgr.net>
References: <201705041944.v44JibiT005860@pdx.rh.CN85.dnsmgr.net>
On 5/4/2017 14:44, Rodney W. Grimes wrote:
>> On 5/4/2017 13:47, Rodney W. Grimes wrote:
>>>> On 5/4/2017 12:12, Rodney W. Grimes wrote:
>>>>>> Consider the following network configuration.
>>>>>>
>>>>>>
>>>>>> Internet ------- Gateway/Firewall ---------- Inside network (including a
>>>>>> web host)
>>>>>> 70.16.10.1/28 192.168.0.0/24
> ...
>
>>> It is almost impossible to remotely debug this type of stuff without a
>>> complete and full picture of all elements involved.
>>> As a minimum:
>>> ifconfig -a
>>> ipfw -a list
>>> sysctl net.inet.ip.fw.one_pass
>>> sysctl net.inet.ip.forwarding
>>>
>>> I know this can be made to work, I think even dd-wrt has it right....
>>> And here is a good jumping off point from a very quick google:
>>> http://www.nycnetworkers.com/real-world/nat-reflectionnat-loopbacknat-hairpinning/
>> root@IPGw:/usr/local/etc # ifconfig -a
>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>         inet6 ::1 prefixlen 128
>>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
>>         inet 127.0.0.1 netmask 0xff000000
>>         groups: lo
>>         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>> ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
>>         ether b8:27:eb:4e:88:64
>>         inet 192.168.10.200 netmask 0xffffff00 broadcast 192.168.10.255
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>> ue1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         options=8000b<RXCSUM,TXCSUM,VLAN_MTU,LINKSTATE>
>>         ether 00:50:b6:5d:1d:9f
>>         inet 70.169.168.7 netmask 0xffffff80 broadcast 70.169.168.127
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>> ue0.3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         ether b8:27:eb:4e:88:64
>>         inet 192.168.4.200 netmask 0xffffff00 broadcast 192.168.4.255
>>         groups: vlan
>>         vlan: 3 vlanpcp: 0 parent interface: ue0
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>
>> root@IPGw:/usr/local/etc # ipfw -a list
>> 00100    14     1042 allow ip from any to any via lo0
>> 00200     0        0 deny log ip from any to 127.0.0.0/8
>> 00300     0        0 deny log ip from 127.0.0.0/8 to any
>> 00400     0        0 deny log ip from any to ::1
>> 00500     0        0 deny log ip from ::1 to any
>> 02000     0        0 allow ip from 192.168.100.1 to any in via ue1
>> 02010     0        0 deny log ip from 192.168.0.0/16 to any not ipsec in via ue1
>> 02020     0        0 deny log ip from 70.169.168.0/25 to any in via ue0
>> 03000     0        0 deny log ip from 70.169.168.0/25 to any recv ue0
>> 04000     0        0 deny log ip from table(22) to any recv ue1
>> 04010     0        0 deny ip from any to 114.215.179.104,122.226.84.253,122.248.234.207,167.206.87.147,168.1.83.89,175.41.238.100,176.58.116.160,202.96.134.133,203.143.89.106,220.181.111.147,23.234.53.61,23.234.53.67,46.137.188.54,50.19.254.134,50.7.114.59,50.7.124.48,50.7.176.18,50.7.235.90,50.7.44.82,61.188.37.216,68.192.249.119,74.125.31.99
>> 04020     0        0 deny log ip from 218.90.0.0/16,218.91.0.0/16,218.92.0.0/16,218.93.0.0/16,218.94.0.0/16 to any via ue1
>> 05000     0        0 deny log ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to any not ipsec recv ue1
>> 05010     0        0 deny log ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any recv ue1
>> 06000  8726 10333291 nat 100 ip4 from any to me recv ue1
>> 07000     0        0 check-state :default
>> 08000    21     1064 nat 200 ip4 from 192.168.0.0/16 to 70.169.168.7
> Where is the other half of nat 200?  This is from inside to outside IP,
> there needs to be a return nat occurring to de-NAT the packets
> ipfw add 8000 nat 200 ip4 from 192.168.0.0/16 to 192.168.10.200,192.168.4.200
> It takes 2 rules to the same NAT to have working NAT usually, one for
> outbound packets, and one for inbound packets (relative to the NAT instance).
>
>
> Do we see at least the packets this nats on the wire with tcpdump?

Nope!  That's the problem at this point.

I know there needs to be another one; I'll add it but it shouldn't matter
until after I see the packets come out on the wire, right?

(Added, no difference)

>> 08001  4834   264258 nat 100 ip4 from 192.168.0.0/16 to any xmit ue1
>> 08009     0        0 deny log ip4 from 192.168.0.0/16 to any xmit ue1
>> 08010  4836   264410 allow ip4 from 70.169.168.0/25 to any xmit ue1
>> 08011     0        0 allow log ip from 192.168.10.200 to 192.168.0.0/16 dst-port 2552
>> 08020  5374   306553 allow ip from 192.168.0.0/16 to any recv ue0
>> 08030     2      104 allow ip from 192.168.4.0/25 to any recv ue0.3
>> 08500     0        0 deny log ip from 192.168.0.0/16 to any xmit ue1
>> 09000 17823 20712366 allow ip from any to 192.168.0.0/16
>> 22000     0        0 allow tcp from any to any established
> Interesting that the count on this is 0?  This is usually a stateless
> packet matching rule that goes with your setups.  Nvm, there are not
> packets matching the setup rules, so no change to have this matter.
>
>> 22700     0        0 allow tcp from any to me dst-port 2200 setup
>> 22710     0        0 allow tcp from any to me dst-port 22 setup
>> 22800     0        0 allow icmp from any to me
>> 23100     0        0 allow udp from any to me dst-port 33434-34000
>> 23110     0        0 allow udp from any 33434-34000 to me
>> 23410     0        0 allow udp from any to me dst-port 53
>> 23420     0        0 allow udp from me 53 to any
>> 23430     4      545 allow udp from any 53 to me
>> 23500     0        0 allow tcp from any to 192.168.1.214 dst-port 8080 setup
>> 23510     0        0 allow tcp from any to 192.168.4.210 dst-port 443 setup
>> 23520     0        0 allow tcp from any to 192.168.4.211 dst-port 443 setup
>> 23530     0        0 allow tcp from any to 192.168.4.211 dst-port 554 setup
>> 24430     0        0 allow udp from any 123 to me dst-port 123
>> 24500     0        0 allow udp from any to me dst-port 500
>> 24510     0        0 allow udp from me 500 to any
>> 24520     0        0 allow udp from any to me dst-port 4500
>> 24530     0        0 allow udp from me 4500 to any
>> 24600    46     2760 deny tcp from 192.168.4.211 to any dst-port 80 setup
> What are these denied packets?  Part of our issue?

No, those are packets coming from an IP cam that is trying to "phone
home" and which I'm intentionally blocking.  I am attempting to connect
to port 2552 for the purpose of proving it up, not 80 (there IS a
listener there and it's also an uncommon port so I don't get the noise
from people trying to bang on the box when I'm tracing it.)

>> 29999     5      272 deny log ip from any to any
> And these?

Nope -- random other people trying to bang things on the host from the
Internet.

root@IPGw:/usr/local/etc # grep 2552 /var/log/security
root@IPGw:/usr/local/etc #

Nothing in the log at all denying any packets.

net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.verbose: 1

This is all I get with tcpdump:

root@IPGw:/usr/local/etc # tcpdump -n -i ue0 port 2552
14:51:23.968124 IP 192.168.10.40.50756 > 70.169.168.7.2552: Flags [S], seq 3005777928, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:51:23.968187 IP 192.168.10.40.50755 > 70.169.168.7.2552: Flags [S], seq 1100017986, win 8192, options [mss 1460,nop,nop,sackOK], length 0
14:51:24.217125 IP 192.168.10.40.50757 > 70.169.168.7.2552: Flags [S], seq 4201089264, win 8192, options [mss 1460,nop,nop,sackOK], length 0

The original packets headed to the gateway are on the wire but I never
see the translated ones on the wire at all.  It's like the 200 NAT
swallowed the packets and never re-emitted them, nor do I have any
indication where they went; they're not getting logged off any of the
deny lines nor can I find them on the wire.

With the changes to try to isolate it, here it is..... nothing (as
expected) showing on 6000 and no packets on the wire from the attempted
twist.

root@IPGw:/usr/local/etc # ipfw -a list
00100    52     4660 allow ip from any to any via lo0
00200     0        0 deny log ip from any to 127.0.0.0/8
00300     0        0 deny log ip from 127.0.0.0/8 to any
00400     0        0 deny log ip from any to ::1
00500     0        0 deny log ip from ::1 to any
02000     0        0 allow ip from 192.168.100.1 to any in via ue1
02010     0        0 deny log ip from 192.168.0.0/16 to any not ipsec in via ue1
02020     0        0 deny log ip from 70.169.168.0/25 to any in via ue0
03000     0        0 deny log ip from 70.169.168.0/25 to any recv ue0
04000     0        0 deny log ip from table(22) to any recv ue1
04010     0        0 deny ip from any to 114.215.179.104,122.226.84.253,122.248.234.207,167.206.87.147,168.1.83.89,175.41.238.100,176.58.116.160,202.96.134.133,203.143.89.106,220.181.111.147,23.234.53.61,23.234.53.67,46.137.188.54,50.19.254.134,50.7.114.59,50.7.124.48,50.7.176.18,50.7.235.90,50.7.44.82,61.188.37.216,68.192.249.119,74.125.31.99
04020     0        0 deny log ip from 218.90.0.0/16,218.91.0.0/16,218.92.0.0/16,218.93.0.0/16,218.94.0.0/16 to any via ue1
05000     0        0 deny log ip from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to any not ipsec recv ue1
05010     0        0 deny log ip from 0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,224.0.0.0/4,240.0.0.0/4 to any recv ue1
06000     0        0 nat 200 ip4 from 192.168.0.0/16 2552 to 192.168.10.200
06010  9528 11688747 nat 100 ip4 from any to me recv ue1
07000     0        0 check-state :default
08000    15      768 nat 200 ip4 from 192.168.0.0/16 to 70.169.168.7
08001  5314   286721 nat 100 ip4 from 192.168.0.0/16 to any xmit ue1
08009     0        0 deny log ip4 from 192.168.0.0/16 to any xmit ue1
08010  5319   287081 allow ip4 from 70.169.168.0/25 to any xmit ue1
08011     0        0 allow log ip from 192.168.10.200 to 192.168.0.0/16 dst-port 2552
08020  5905   328699 allow ip from 192.168.0.0/16 to any recv ue0
08030     0        0 allow ip from 192.168.4.0/25 to any recv ue0.3
08500     0        0 deny log ip from 192.168.0.0/16 to any xmit ue1
09000 19682 23487591 allow ip from any to 192.168.0.0/16
22000     0        0 allow tcp from any to any established
22700     0        0 allow tcp from any to me dst-port 2200 setup
22710     0        0 allow tcp from any to me dst-port 22 setup
22800     4      284 allow icmp from any to me
23100     0        0 allow udp from any to me dst-port 33434-34000
23110     0        0 allow udp from any 33434-34000 to me
23410     0        0 allow udp from any to me dst-port 53
23420     0        0 allow udp from me 53 to any
23430     0        0 allow udp from any 53 to me
23500     0        0 allow tcp from any to 192.168.1.214 dst-port 8080 setup
23510     0        0 allow tcp from any to 192.168.4.210 dst-port 443 setup
23520     0        0 allow tcp from any to 192.168.4.211 dst-port 443 setup
23530     0        0 allow tcp from any to 192.168.4.211 dst-port 554 setup
24430     0        0 allow udp from any 123 to me dst-port 123
24500     0        0 allow udp from any to me dst-port 500
24510     0        0 allow udp from me 500 to any
24520     0        0 allow udp from any to me dst-port 4500
24530     0        0 allow udp from me 4500 to any
24600    35     2100 deny tcp from 192.168.4.211 to any dst-port 80 setup
29999     2       80 deny log ip from any to any
65535  2709   484767 deny ip from any to any

-- 
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
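Editor's added example, not from the thread and not Karl's ruleset: an ipfw hairpin (NAT reflection) setup written the way Rodney's reply asks for, with a rule on both sides of every nat instance. Interface names and addresses are the ones posted above (ue0 = 192.168.10.200/24, ue0.3 = 192.168.4.200/24, ue1 = 70.169.168.7/25, test client 192.168.10.40, port 2552). Everything else is an assumption for illustration: that the listener is 192.168.4.210:2552 on the vlan 3 segment, that a second nat instance (300) carries the source rewrite, and the rule numbers 8000-8003. The script prints the commands by default and only loads them when run with `apply`.

```sh
#!/bin/sh
# Added example (editor's, not from the thread): ipfw NAT reflection with
# both halves of each nat rule. Addresses/interfaces are from the thread;
# SRV_IP, SRV_PORT placement, nat instance 300 and rule numbers are ASSUMED.
set -eu

CLIENT_IF=ue0             # 192.168.10.0/24, where the test client 192.168.10.40 sits
SRV_IF=ue0.3              # 192.168.4.0/24 (vlan 3), assumed location of the listener
PUB_IP=70.169.168.7       # public address on ue1
GW_INT_IP=192.168.10.200  # gateway's own address on ue0
LAN=192.168.0.0/16
SRV_IP=192.168.4.210      # assumed inside listener
SRV_PORT=2552             # the port being tested in the thread

# hairpin_rules prints one ipfw command per line. $1 is the command prefix:
# "echo" for a dry run, "/sbin/ipfw -q" to actually load the rules.
hairpin_rules() {
    fw=$1
    # Instance 200 owns the public address and the port forward. libalias
    # applies redirect_port to packets it sees in the IN direction whose
    # destination is this address; the same link later rewrites the reply's
    # source back to PUB_IP in the OUT direction.
    $fw nat 200 config ip "$PUB_IP" redirect_port tcp "$SRV_IP:$SRV_PORT" "$SRV_PORT"
    # Instance 300 owns the gateway's inside address: the LAN client's source
    # is rewritten to it so the server answers the gateway, not the client.
    $fw nat 300 config ip "$GW_INT_IP"

    # 1. client -> public IP, arriving on the inside interface: dst becomes SRV_IP.
    $fw add 8000 nat 200 ip4 from "$LAN" to "$PUB_IP" in recv "$CLIENT_IF"
    # 2. the same packet leaving toward the server: src becomes GW_INT_IP.
    #    With net.inet.ip.fw.one_pass=1 (the default) a packet is not
    #    re-evaluated after a nat action, so each pass needs its own rule.
    $fw add 8001 nat 300 ip4 from "$LAN" to "$SRV_IP" out xmit "$SRV_IF"
    # 3. server's reply to GW_INT_IP, arriving: dst restored to the client.
    $fw add 8002 nat 300 ip4 from "$SRV_IP" "$SRV_PORT" to "$GW_INT_IP" in recv "$SRV_IF"
    # 4. the reply leaving toward the client: src restored to PUB_IP:SRV_PORT.
    $fw add 8003 nat 200 ip4 from "$SRV_IP" "$SRV_PORT" to "$LAN" out xmit "$CLIENT_IF"
}

# Per-rule counters show which leg the packets die on; pair this with
# "tcpdump -n -i $SRV_IF port $SRV_PORT" to confirm the rewritten SYN leaves.
check_rules() {
    $1 -a list 8000-8003
}

case "${1:-dry-run}" in
    dry-run) hairpin_rules echo ;;
    apply)   hairpin_rules "/sbin/ipfw -q" ;;
    check)   check_rules /sbin/ipfw ;;
    *)       echo "usage: $0 [dry-run|apply|check]" >&2; exit 2 ;;
esac
```

The four rules are deliberately split by direction and interface rather than written as the single `nat 200 ip4 from 192.168.0.0/16 to 70.169.168.7` form, so that an `ipfw -a list 8000-8003` after one test connection shows exactly which leg (inbound redirect, outbound source rewrite, or either half of the reply) is not being hit.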