From nobody@FreeBSD.ORG  Sat Aug 19 02:33:02 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id DE14837B423; Sat, 19 Aug 2000 02:33:02 -0700 (PDT)
Message-Id: <20000819093302.DE14837B423@hub.freebsd.org>
Date: Sat, 19 Aug 2000 02:33:02 -0700 (PDT)
From: markm68k@yahoo.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: errant firewall rule response
X-Send-Pr-Version: www-1.0

>Number:         20714
>Category:       misc
>Synopsis:       errant firewall rule response
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    ru
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 19 02:40:00 PDT 2000
>Closed-Date:    Thu Aug 31 07:40:07 PDT 2000
>Last-Modified:  Thu Aug 31 07:48:11 PDT 2000
>Originator:     Mark Miller
>Release:        4.1-RELEASE
>Organization:
>Environment:
FreeBSD myhost 4.1-RELEASE FreeBSD 4.1-RELEASE #7: Mon Aug 14 21:32:29 PDT 2000     me@myhost:/usr/src/sys/compile/MYHOST  i386

>Description:
Setting up a firewall rule to send an ICMP unreachable for a TCP connection causes the ICMP response that is sent to say that the firewall itself is unreachable.

>How-To-Repeat:
1. install FreeBSD 4.1-RELEASE
2. configure an "open" firewall
3. configure a natd alias internal interface.
4. add an "unreach host-prohib" rule (e.g. telnet)
5. from a computer connected to the FreeBSD computer behind a natd connection, try to connect to the unreachable host via TCP (e.g. telnet)
6. watch the results from tcpdump.

>Fix:
unknown.


>Release-Note:
>Audit-Trail:

From: Ruslan Ermilov <ru@sunbay.com>
To: markm68k@yahoo.com
Cc: bug-followup@FreeBSD.org
Subject: Re: misc/20714: errant firewall rule response
Date: Mon, 21 Aug 2000 15:20:13 +0300

 On Sat, Aug 19, 2000 at 02:33:02AM -0700, markm68k@yahoo.com wrote:
 > 
 > FreeBSD myhost 4.1-RELEASE FreeBSD 4.1-RELEASE #7: Mon Aug 14 21:32:29 PDT 2000     me@myhost:/usr/src/sys/compile/MYHOST  i386
 > 
 > Setting up a firewall rule to send the icmp unreachable for a tcp connection
 > causes the icmp response that is sent to say that the firewall itself is
 > unreachable.
 > 
 > 1. install FreeBSD 4.1-RELEASE
 > 2. configure an "open" firewall
 > 3. configure a natd alias internal interface.
 > 4. add an "unreach host-prohib" rule (e.g. telnet)
 > 5. from a computer connected to the FreeBSD computer behind a natd
 > connection, try to connect to the unreachable host via TCP (e.g. telnet)
 > 6. watch the results from tcpdump.
 > 
 I cannot reproduce this.  Could you please send me (in private mail) the
 output of `ifconfig -a inet', `ipfw list', `grep natd_ /etc/rc.conf*' and
 `tcpdump' output?
 
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
 
State-Changed-From-To: open->feedback 
State-Changed-By: sheldonh 
State-Changed-When: Tue Aug 22 08:11:36 PDT 2000 
State-Changed-Why:  
Ruslan asked for feedback. 


Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Tue Aug 22 08:11:36 PDT 2000 
Responsible-Changed-Why:  
Ruslan asked for feedback in private, so nobody else is 
going to know when developments progress. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20714 
State-Changed-From-To: feedback->closed 
State-Changed-By: ru 
State-Changed-When: Thu Aug 31 07:40:07 PDT 2000 
State-Changed-Why:  
Though there are some issues to be addressed with how libalias(3) 
handles outgoing ICMP messages, this particular misbehavior was 
caused by improper firewall configuration. 

The originator confirms (in private email) that the problems 
disappeared after supplying a proper ruleset for the firewall: 

On Wed, Aug 23, 2000 at 10:16:09AM -0700, Mark Miller wrote: 
> 
> > But there are still some issues with your setup. 
> > Natd(8) was designed to be run on `public' interface, not 
> > the `internal' one, while in your case they are the same (ep0). 
> > Such a configuration requires a special ruleset to work properly. 
> > Replace your single `divert' rule with the following two ones 
> > and let me know whether it works for you: 
> > 
> > ipfw add 50 divert natd ip from 192.168.1.0/24 to not 192.168.1.0/24 out via ep0 
> > ipfw add 50 divert natd ip from any to X.194.243.192 in via ep0 
> 
> This works great!  I have noticed a significant improvement in efficiency 
> when accessing many different sites on the internet. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20714 
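The point of the two directional `divert' rules in the note above is that natd only sees traffic actually crossing the LAN/Internet boundary on the shared interface ep0, instead of everything passing through that interface in either direction. The following is an added illustration, not code from the PR or from FreeBSD: a small Python model of ipfw's address/direction matching that shows which constructed packets each ruleset hands to natd. Assumptions not stated in the PR: the originator's original single rule is taken to be the common `divert natd ip from any to any via ep0' form, the LAN is 192.168.1.0/24 as in the fix, and 203.0.113.192 stands in for the redacted X.194.243.192 public address.

```python
"""Model of which packets an ipfw divert-to-natd ruleset catches.

Added example for PR misc/20714; not FreeBSD code.  Assumed, not from the
PR: the single rule was `from any to any via ep0', and 203.0.113.192 stands
in for the redacted public address X.194.243.192.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IFACE = "ep0"
LAN = ipaddress.ip_network("192.168.1.0/24")            # from the fix in the PR
PUBLIC = ipaddress.ip_network("203.0.113.192/32")        # placeholder public address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str      # "in" or "out", as seen by the firewall host
    iface: str


@dataclass(frozen=True)
class DivertRule:
    text: str           # the ipfw(8) command as it would be typed
    src: str            # "any", "a.b.c.d/n", or "not a.b.c.d/n"
    dst: str
    direction: str      # "in", "out", or "via" (ipfw `via' matches both)
    iface: str

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface:
            return False
        if self.direction != "via" and pkt.direction != self.direction:
            return False
        return _addr_matches(pkt.src, self.src) and _addr_matches(pkt.dst, self.dst)


def _addr_matches(addr: str, spec: str) -> bool:
    """Evaluate an ipfw-style address spec against one address."""
    if spec == "any":
        return True
    negate = spec.startswith("not ")
    net = ipaddress.ip_network(spec[4:] if negate else spec, strict=False)
    hit = ipaddress.ip_address(addr) in net
    return not hit if negate else hit


def first_divert(rules: List[DivertRule], pkt: Packet) -> Optional[str]:
    """ipfw is first-match: return the text of the rule that diverts pkt, or None."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.text
    return None


# Assumed original configuration: one rule, both directions, all addresses.
SINGLE_RULE = [
    DivertRule("ipfw add 50 divert natd ip from any to any via ep0",
               "any", "any", "via", IFACE),
]

# The two rules from the PR's audit trail (public address substituted).
PAIRED_RULES = [
    DivertRule("ipfw add 50 divert natd ip from 192.168.1.0/24 to not 192.168.1.0/24 out via ep0",
               str(LAN), f"not {LAN}", "out", IFACE),
    DivertRule(f"ipfw add 50 divert natd ip from any to {PUBLIC.network_address} in via ep0",
               "any", str(PUBLIC), "in", IFACE),
]

# Constructed sample traffic; 198.51.100.7 plays an Internet host.
SAMPLES: Dict[str, Packet] = {
    "lan_to_internet":     Packet("192.168.1.10", "198.51.100.7", "out", IFACE),  # needs NAT
    "internet_to_public":  Packet("198.51.100.7", "203.0.113.192", "in", IFACE),  # needs NAT
    "fw_to_lan":           Packet("192.168.1.1", "192.168.1.10", "out", IFACE),   # stays in LAN
    "internet_to_private": Packet("198.51.100.7", "192.168.1.10", "in", IFACE),   # not ours to translate
}


def compare(samples: Dict[str, Packet] = SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """For each sample: (diverted under SINGLE_RULE, diverted under PAIRED_RULES)."""
    return {name: (first_divert(SINGLE_RULE, p) is not None,
                   first_divert(PAIRED_RULES, p) is not None)
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (single, paired) in compare().items():
        print(f"{name:22} single={str(single):5} paired={paired}")
```

The single `via ep0' rule hands every packet on the interface to natd, including traffic between the firewall and its own LAN and inbound packets addressed straight to private addresses; the paired rules only divert LAN-originated traffic leaving for non-LAN destinations and inbound traffic addressed to the public address. Whether a given ICMP message from the firewall to an internal host was among the packets natd rewrote in the originator's setup is not stated in the PR; the model only shows the scope of each ruleset.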
>Unformatted:
