Board index OpenBSD

IPNAT and ICMP (traceroute)

IPNAT and ICMP (traceroute)

Post by Marc Bigle » Thu, 10 May 2001 05:05:01



Hello,

I am using IPNAT to let some workstations on a private network access
the internet thru my internet network. Basically my firewall runs on
OpenBSD and has 2 network cards. 1 for the private network and one for
my network which is connected to internet thru my DSL router.

My problem is that when I try to do a traceroute to any machines on the
net (traceroute www.openbsd.org for example) from one of my computers on
my private network the traceroute only shows the IP address of my
firewall and then continues the next lines with stars so I cannot see
the route the packet takes. If I do exactly the same traceroute from my
firewall it works perfectly. I really don't understand whats the
problem. Here is my ipnat.rules:

map ep0 192.168.200.0/24 -> ep0/32 portmap tcp/udp 40000:60000
map ep0 192.168.200.0/24 -> ep0/32

ep0 is my network card connected to the internet network. My ipf.rules
is the same as standard I don't do any filtering so it's the contents
are the default one:

pass in from any to any
pass out from any to any

Thanks in advance for the help btw: the rest works fine it's only the
traceroute which gets blocked.

Regards,
Marc

 
 
 
Top

IPNAT and ICMP (traceroute)

Post by pe.. » Thu, 10 May 2001 05:32:23



> Hello,
> I am using IPNAT to let some workstations on a private network access
> the internet thru my internet network. Basically my firewall runs on
> OpenBSD and has 2 network cards. 1 for the private network and one for
> my network which is connected to internet thru my DSL router.
> My problem is that when I try to do a traceroute to any machines on the
> net (traceroute www.openbsd.org for example) from one of my computers on
> my private network the traceroute only shows the IP address of my
> firewall and then continues the next lines with stars so I cannot see
> the route the packet takes. If I do exactly the same traceroute from my
> firewall it works perfectly. I really don't understand whats the
> problem. Here is my ipnat.rules:
> map ep0 192.168.200.0/24 -> ep0/32 portmap tcp/udp 40000:60000
> map ep0 192.168.200.0/24 -> ep0/32
> ep0 is my network card connected to the internet network. My ipf.rules
> is the same as standard I don't do any filtering so it's the contents
> are the default one:

You could use a 'keep state' rule like :
pass out on rl0 proto icmp from 62.20.110.192/26 to any keep state

where 62.20.110.192/26 is my network and rl0 is my outgoing interface.

Quote:> pass in from any to any
> pass out from any to any
> Thanks in advance for the help btw: the rest works fine it's only the
> traceroute which gets blocked.
> Regards,
> Marc

--
Peter H?kanson        
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
           Remove "icke-reklam"and "invalid"  and it works.

 
 
 
Top

IPNAT and ICMP (traceroute)

Post by Marc Bigle » Thu, 10 May 2001 13:17:43



> You could use a 'keep state' rule like :
> pass out on rl0 proto icmp from 62.20.110.192/26 to any keep state

> where 62.20.110.192/26 is my network and rl0 is my outgoing interface.

Thanks for your answer but what I don't understand is that I have already

pass in from any to any
pass out from any to any

That means I do not filter anything, I accept everything to flow between the
two cards, so why do I need to add this extra line ?

Regards
Marc

 
 
 
Top

IPNAT and ICMP (traceroute)

Post by pe.. » Thu, 10 May 2001 16:48:31




>> You could use a 'keep state' rule like :
>> pass out on rl0 proto icmp from 62.20.110.192/26 to any keep state

>> where 62.20.110.192/26 is my network and rl0 is my outgoing interface.
> Thanks for your answer but what I don't understand is that I have already
> pass in from any to any
> pass out from any to any

Marc,

i missed that. Sorry.  Yes, you are right.

Quote:> That means I do not filter anything, I accept everything to flow between the
> two cards, so why do I need to add this extra line ?

the problem is in  the following events :

1- UDP packet outbound ( traceroute sends normal udp packets the only thing is
   a low TTL, but it's large enough to be forwarded bt the NAT unit)
2- a router "out there" finds that the TTL is too small for forwarding, it discards
   the packets and sends a "icmp time exceeded" to the sender. Included in this
   packet is the initial ip and udp portion.
3- this icmp packet is received by tha NAT unit. It's address to him ( cause thats
   was in the source-ip after NAT) but some version if ipfilter seems to have problems.
See "http://www.false.net/ipfilter/2000_08/0331.html" for one such problem.

Quote:> Regards
> Marc

--
Peter H?kanson        
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
           Remove "icke-reklam"and "invalid"  and it works.
 
 
 
Top

IPNAT and ICMP (traceroute)

Post by Dave Uhrin » Fri, 11 May 2001 12:31:38



> Hello,

> I am using IPNAT to let some workstations on a private network access
> the internet thru my internet network. Basically my firewall runs on
> OpenBSD and has 2 network cards. 1 for the private network and one for
> my network which is connected to internet thru my DSL router.

> My problem is that when I try to do a traceroute to any machines on the
> net (traceroute www.openbsd.org for example) from one of my computers on
> my private network the traceroute only shows the IP address of my
> firewall and then continues the next lines with stars so I cannot see
> the route the packet takes. If I do exactly the same traceroute from my
> firewall it works perfectly. I really don't understand whats the
> problem. Here is my ipnat.rules:

> map ep0 192.168.200.0/24 -> ep0/32 portmap tcp/udp 40000:60000
> map ep0 192.168.200.0/24 -> ep0/32

> ep0 is my network card connected to the internet network. My ipf.rules
> is the same as standard I don't do any filtering so it's the contents
> are the default one:

> pass in from any to any
> pass out from any to any

> Thanks in advance for the help btw: the rest works fine it's only the
> traceroute which gets blocked.

> Regards,
> Marc

If you are running OpenBSD-2.8 and ipfilter is even started, regardless of
the ruleset, return ICMP will be blocked.  Windoze boxes use ICMP for
traceroute, not UDP.

Upgrade to OpenBSD-2.9 or downgrade to OpenBSD-2.7 and apply all patches.

 
 
 
Top

IPNAT and ICMP (traceroute)

Post by Marc Bigle » Fri, 11 May 2001 15:15:58


Quote:> If you are running OpenBSD-2.8 and ipfilter is even started, regardless of
> the ruleset, return ICMP will be blocked.  Windoze boxes use ICMP for
> traceroute, not UDP.

> Upgrade to OpenBSD-2.9 or downgrade to OpenBSD-2.7 and apply all patches.

Hi ! Yes I am running version OpenBSD-2.8, I think I will upgrade or either
submit this problem as a  bug to OpenBSD and hope they will come out with a
patch similar as the one that Peter H?kanson found
(http://www.false.net/ipfilter/2000_08/0331.html). Thanks Peter btw.

Regards
Marc

 
 
 
Top

1. traceroute from int. network fails with ipf/ipnat

Traceroute from any internal m/c does not work for an OpenBSD 2.8
firewall that I setup.  It has three NICs:

- fxp0 connected to a class B network (ISP)
- fxp1 (192.168.1.1) to DMZ
- fxp2 (192.168.128.1) to trusted network.

Otherwise the firewall works as intended. From outside, http, dns,
telnet, ftp, vpn access to pptp windows server etc works. From internal
network, everything else (ping, telnet, http, ftp ... works) fine.

Do I need to set up any special routes in the routing table? If routing
table is incorrect, why does the rest of the stuff work?

To check traceroute, I tried the simplest configuration - permit all
for ipf and just the basic nat mapping in ipnat -- but it still does
not work. Have you seen this before? All suggestions are welcome.

Even this setting does not work:
/etc/ipf.rules
pass in quick on fxp0 all
pass out quick on fxp0 all
pass in quick on fxp1 all
pass out quick on fxp1 all
pass in quick on fxp2 all
pass out quick on fxp2 all

/etc/ipnat.rules
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 0/32
map fxp0 192.168.128.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.128.0/24 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 192.168.128.0/24 -> 0/32

/etc/hostname.fxp0
inet a.b.c.134 255.255.255.240 NONE media autoselect
/etc/hostname.fxp1
inet 192.168.1.1 255.255.255.0 NONE media autoselect
/etc/hostname.fxp2
inet 192.168.1.1 255.255.255.0 NONE media autoselect

Sent via Deja.com
http://www.deja.com/

2. command(s) that emulate Solaris prtdiag command

3. ipnat & traceroutes

4. Upgrading Kernel to 2.0.35 question

5. ipnat and traceroute

6. HP OmniBook 5500 CT, XF86Config

7. traceroute w/ icmp and udp probes

8. Midi card suggestions for Linux?

9. Solaris 2.3/4/5 all do this w/ traceroute - ICMP port unreachable

10. ICMP- traceroute -DNS

11. traceroute: icmp socket: Permission denied?

12. Sol 2.5 & traceroute & icmp

13. traceroute icmp error


All times are UTC
Board index