[Bug 201519] pf NAT translates ICMP type 3 packets incorrectly

2015-07-13 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

Bug ID:    201519
Summary:   pf NAT translates ICMP type 3 packets incorrectly
Product:   Base System
Version:   9.3-RELEASE
Hardware:  Any
OS:        Any
Status:    New
Severity:  Affects Only Me
Priority:  ---
Component: bin
Assignee:  freebsd-bugs@FreeBSD.org
Reporter:  my...@at-hacker.in

I have an issue with pf in FreeBSD 9.3. It looks like something is wrong with
pf's NAT while processing ICMP packets of type 3 (destination unreachable).
Here is what I see on the LAN interface:

16:46:10.334993 IP (tos 0xc0, ttl 64, id 63254, offset 0, flags [none], proto ICMP (1), length 289)
    10.12.0.198 > 84.47.xx.yy: ICMP 10.12.0.198 udp port 8293 unreachable, length 269
    IP (tos 0x0, ttl 60, id 34284, offset 0, flags [none], proto UDP (17), length 261)
    84.47.xx.yy.53 > 10.12.0.198.8293: 37288 2/4/4 www.jdm022.com. CNAME sbsfe-p8.geo.mf0.yahoodns.net., sbsfe-p8.geo.mf0.yahoodns.net. A 98.138.19.143 (233)

I.e. some server (84.47.xx.yy) sends a UDP packet to the client (10.12.0.198, port
8293). This port is closed on the client, and the client sends an ICMP Port
Unreachable packet to the server 84.47.xx.yy. This ICMP packet contains the header
of the UDP packet that was sent to the client's closed port:

    84.47.xx.yy.53 > 10.12.0.198.8293: 37288 2/4/4 www.jdm022.com. CNAME sbsfe-p8.geo.mf0.yahoodns.net., sbsfe-p8.geo.mf0.yahoodns.net. A 98.138.19.143 (233)

And this is what I see on the external WAN interface:

16:46:10.335012 IP (tos 0xc0, ttl 63, id 63254, offset 0, flags [none], proto ICMP (1), length 289)
    10.12.0.198 > 84.47.xx.yy: ICMP 213.208.kkk.zz udp port 61534 unreachable, length 269
    IP (tos 0x0, ttl 60, id 34284, offset 0, flags [none], proto UDP (17), length 261)
    84.47.xx.yy.53 > 213.208.kkk.zz.61534: 37288 2/4/4 www.jdm022.com. CNAME sbsfe-p8.geo.mf0.yahoodns.net., sbsfe-p8.geo.mf0.yahoodns.net. A 98.138.19.143 (233)

As you can see, pf translated the UDP header that was included in the ICMP packet:
ICMP 213.208.kkk.zz udp port 61534 unreachable. 213.208.kkk.zz is the IP of my
external WAN interface where NAT works. But it did not change the ICMP packet
itself, so I have an outgoing ICMP port unreachable packet with source address
10.12.0.198 ON THE EXTERNAL interface.

Also I found that pf can't block this kind of packet. A rule like:

block out quick on $wan_if proto icmp from 10.12/16 to any icmp-type 3 code 3

does not work at all, so I have to use IPFW to block those ICMP packets.

Here is my NAT rule:

nat on $wan_if from <clients> to any -> 213.208.kkk.zz

The clients table is defined like this:

table <clients> { 10.12/16, 10.13/16 }

Also I found a mention of this issue in OpenBSD's pf:
http://openbsd-archive.7691.n7.nabble.com/system-6564-pf-not-nating-does-not-see-icmp4-port-unreachable-packets-from-machine-behind-pf-td187997.html
They said that this bug was fixed in 2011. But in FreeBSD 9.3 it is still not
fixed?

My system: FreeBSD vpn2-lesnoy.isp.local 9.3-RELEASE-p2 FreeBSD 9.3-RELEASE-p2 #0: Mon Sep 15 16:44:27 UTC 2014 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64



I checked whether I can reproduce this issue on CURRENT. Well, CURRENT has the
same problem. Here is my test lab:

# uname -a
FreeBSD test-BSD-01.hyperv.local 11.0-CURRENT FreeBSD 11.0-CURRENT #1 r285351: Fri Jul 10 14:49:08 MSK 2015 root@test-BSD-01.hyperv.local:/usr/obj/usr/src/sys/GENERIC amd64

Here is the dump on the LAN interface:

# tcpdump -npi hn1 host 172.16.129.18
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hn1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:43:25.506775 IP 172.16.129.18.29490 > 208.67.220.220.53: 9125+ A? freebsd.org. (29)
11:43:25.570851 IP 208.67.220.220.53 > 172.16.129.18.29490: 9125 1/0/0 A 8.8.178.110 (45)
11:43:25.571635 IP 172.16.129.18 > 208.67.220.220: ICMP 172.16.129.18 udp port 29490 unreachable, length 36

Dump on the external WAN interface at the same moment:

# tcpdump -npi hn0 \(udp and port 53\) or icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hn0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:43:30.741672 IP 213.208.xx.yy.55677 > 208.67.220.220.53: 1319+ A? ya.ru. (23)
11:43:30.795961 IP 208.67.220.220.53 > 213.208.xx.yy.55677: 1319 3/0/0 A 93.158.134.3, A 213.180.193.3, A 213.180.204.3 (71)
11:43:30.796700 IP 172.16.129.18 > 208.67.220.220: ICMP 213.208.xx.yy udp port 55677 unreachable, length 36

Here is my /etc/pf.conf:

nat on hn0 from 172.16.129.18 to any -> hn0
pass in all
pass out all

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to freebsd-bugs-unsubscr...@freebsd.org
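The invariant the report relies on (a host only emits "port unreachable" for a datagram addressed to itself, so the outer IP source of the ICMP error must equal the destination of the quoted inner header, and after a correct NAT both must be the WAN address) can be checked mechanically on captured packets. The following is an added Python example, not code from the bug report, from pf or from FreeBSD; it builds constructed IPv4/ICMP/UDP packets modelled on the captures above, using documentation addresses (203.0.113.1 for the masked WAN address, 198.51.100.53 for the DNS server) in place of the masked real ones, and flags an ICMP error whose inner header was translated while its outer source was left as an RFC 1918 address.

```python
"""Detect ICMP type 3 errors whose quoted inner header was NAT-translated
while the outer IP source was not (the pf behaviour described above).
Added example; packets below are constructed, not taken from the report."""
import ipaddress
import struct
from typing import Optional

# RFC 1918 ranges; an ICMP error leaving the WAN interface with one of these
# as its outer source is the address leak the report describes.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; the checksum is optional in IPv4 and left at zero here."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_unreachable(code: int, quoted: bytes) -> bytes:
    """ICMP type 3 message quoting the offending datagram (RFC 792)."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"proto": pkt[9],
            "src": ipaddress.ip_address(pkt[12:16]),
            "dst": ipaddress.ip_address(pkt[16:20]),
            "payload": pkt[ihl:]}


def analyse_icmp_error(pkt: bytes) -> Optional[dict]:
    """Compare the outer source of an ICMP type 3 packet with the quoted
    inner destination. Returns None for anything that is not ICMP type 3."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != 1:              # not ICMP
        return None
    icmp = outer["payload"]
    if icmp[0] != 3:                     # not destination unreachable
        return None
    inner = parse_ipv4(icmp[8:])         # quoted datagram follows the 8-byte ICMP header
    ports = (struct.unpack("!HH", inner["payload"][:4])
             if inner["proto"] in (6, 17) else None)
    return {
        "outer_src": str(outer["src"]),
        "inner_dst": str(inner["dst"]),
        "inner_dport": ports[1] if ports else None,
        "consistent": outer["src"] == inner["dst"],   # must hold for a genuine ICMP error
        "private_leak": any(outer["src"] in net for net in PRIVATE_NETS),
    }


# Constructed samples modelled on the report's captures (documentation addresses
# stand in for the masked ones). The quoted part is IP header + 8 bytes of UDP.
LAN_HOST, DNS_SERVER, WAN_ADDR = "10.12.0.198", "198.51.100.53", "203.0.113.1"
FAKE_DNS_REPLY = b"\x91\xb9\x81\x80" + b"\x00" * 8   # constructed 12-byte DNS header


def icmp_error(outer_src: str, inner_dst: str, inner_dport: int) -> bytes:
    quoted = build_ipv4(DNS_SERVER, inner_dst, 17, build_udp(53, inner_dport, FAKE_DNS_REPLY))[:28]
    return build_ipv4(outer_src, DNS_SERVER, 1, build_icmp_unreachable(3, quoted))


SEEN_ON_LAN = icmp_error(LAN_HOST, LAN_HOST, 8293)        # as captured on the LAN side
SEEN_ON_WAN_BUGGY = icmp_error(LAN_HOST, WAN_ADDR, 61534)  # inner rewritten, outer not
EXPECTED_ON_WAN = icmp_error(WAN_ADDR, WAN_ADDR, 61534)    # what a correct NAT would emit

if __name__ == "__main__":
    for label, pkt in (("LAN", SEEN_ON_LAN), ("WAN (buggy)", SEEN_ON_WAN_BUGGY),
                       ("WAN (expected)", EXPECTED_ON_WAN)):
        print(label, analyse_icmp_error(pkt))
```

Run the script over packets pulled from a pcap of the WAN interface (e.g. with the `tcpdump` filter the report uses, `icmp`) and any result with `consistent` false or `private_leak` true on that interface is an instance of the behaviour described; the same check also explains why matching on the outer source in a `block` rule is the right place to look for such packets.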


[Bug 201519] pf NAT translates ICMP type 3 packets incorrectly

2015-07-13 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=201519

Mark Linimon lini...@freebsd.org changed:

What      | Removed                  | Added
----------+--------------------------+-----------------------
Assignee  | freebsd-bugs@FreeBSD.org | freebsd...@freebsd.org
