Bug 102429

Summary: FreeBSD 6.1+VPN+ipnat+ipf: ÎÅ ÒÁÂÏÔÁÅÔ ÐÅÒÅÎÁÐÒÁ×ÌÅÎÉÅ ÐÏÒÔÏ× (portmapping)
Product: Base System Reporter: Vadyn <vikulin>
Component: confAssignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description Vadyn 2006-08-23 12:50:19 UTC 
 åÓÔØ FreeBSD × ËÁÞÅÓÔ×Å ÒÏÕÔÅÒÁ ÄÌÑ ÓÅÔÉ 192.168.0.È.
ïÄÎÁ ÓÅÔÅ×ÁÑ ÓÍÏÔÒÉÔ × ÓÅÔØ ÐÒÏ×ÁÊÄÅÒÁ (IP ÓÅÔÅ×ÏÊ: 192.168.25.135).
÷ÔÏÒÁÑ - ÄÌÑ ÌÏËÁÌØÎÏÊ ÓÅÔÉ (IP: 192.168.0.1).
äÌÑ ÄÏÓÔÕÐÁ Ë ÐÒÏ×ÁÊÄÅÒÕ ÓÏÚÄÁÅÔÓÑ VPN ËÁÎÁÌ Ó 192.168.25.135 ÎÁ VPN ÓÅÒ×ÅÒ 192.168.25.1 (PPTP ËÌÉÅÎÔ). NAT ÒÁÂÏÔÁÅÔ ÎÁ ipnat c ipf
óÕÔØ ÐÒÏÂÌÅÍÙ ÔÁËÁÑ:
                              ÎÅ ÒÁÂÏÔÁÅÔ ÐÅÒÅÎÁÐÒÁ×ÌÅÎÉÅ ÐÏÒÔÏ× 21 É 80 ÎÁ ÁÄÒÅÓ ÌÏËÁÌØÎÏÇÏ ÓÅÒ×ÅÒÁ 192.168.0.5.

Fix: 

îÅ ÉÚ×ÅÓÔÎÏ
How-To-Repeat:  éÓÈÏÄÎÙÅ ÄÁÎÎÙÅ ÔÁËÉÅ:
ðÒÉ ÐÏÄÎÑÔÉÉ VPN ÓÏÚÄÁÅÔÓÑ ÉÎÔÅÒÆÅÊÓ tun0 c ×ÎÅÛÎÉÍ IP: 195.39.x.x

ifconfig ÄÁÅÔ ÔÁËÏÅ
__________________________________________________________________________________________________________________

rl0: 192.168.0.1/24 active
rl1: 192.168.25.135/24 active
tun0:195.39.x.x->10.100.101.1
ping ÎÁ ÍÉÒ - × ÐÏÒÑÄËÅ

rc.conf
__________________________________________________________________________________________________________________

hostname=FreeBS.			
nisdomainname="NO"		
dhclient_program="/sbin/dhclient"	
dhclient_flags=""		
background_dhclient="NO"	
firewall_enable="NO"		
firewall_script="/etc/rc.firewall" 
firewall_type="/etc/firewall.conf"
firewall_quiet="NO"		
firewall_logging="NO"	
firewall_flags=""		
ip_portrange_first="NO"	
ip_portrange_last="NO"	
ike_enable="NO"		
ike_program="/usr/local/sbin/isakmpd"
ike_flags=""			
ipsec_enable="NO"		
ipsec_file="/etc/ipsec.conf"	
natd_program="/sbin/natd"	
natd_enable="NO"		
#natd_interface="rl1"	
#natd_flags="-redirect_port tcp 192.168.0.5:21 21"
#natd_flags="-a 192.168.25.1"
#natd_flags="-f /etc/natd.conf"
ipfilter_enable="YES"	
ipfilter_program="/sbin/ipf"	
ipfilter_rules="/etc/ipf.rules"	
			
ipfilter_flags=""		
ipnat_enable="YES"	
ipnat_program="/sbin/ipnat"	
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""		
ipmon_enable="YES"	
ipmon_program="/sbin/ipmon"
ipmon_flags="-Ds"		
ipfs_enable="YES"		
			
ipfs_program="/sbin/ipfs"	
ipfs_flags=""		
pf_enable="NO"		
pf_rules="/etc/pf.conf"	
pf_program="/sbin/pfctl"	
pf_flags=""		
pflog_enable="NO"		
pflog_logfile="/var/log/pflog"	
pflog_program="/sbin/pflogd"	
pflog_flags=""		
pfsync_enable="NO"	
pfsync_syncdev=""		
pfsync_ifconfig=""		
tcp_extensions="YES"	
log_in_vain="0"		
tcp_keepalive="YES"	

tcp_drop_synfin="NO"		
				
icmp_drop_redirect="YES" 	
icmp_log_redirect="YES"	
network_interfaces="rl0 rl1 tun0 ng0"	
cloned_interfaces=""		
sppp_interfaces=""		
gif_interfaces="NO"	

ppp_enable="NO"		
ppp_program="/usr/sbin/ppp"	
ppp_mode="auto"		
			
ppp_nat="YES"		
ppp_profile="papchap"	
ppp_user="root"		
hostapd_enable="NO"		
syslogd_enable="YES"		
syslogd_program="/usr/sbin/syslogd" 
syslogd_flags="-s"		
inetd_enable="NO"		
inetd_program="/usr/sbin/inetd"
inetd_flags="-wW -C 60"	
#
# named.  It may be possible to run named in a sandbox, man security for
# details.
#
named_enable="NO"		
named_program="/usr/sbin/named"	
#named_flags="" 		
named_pidfile="/var/run/named/pid"
named_uid="bind" 		
named_chrootdir="/var/named"
named_chroot_autoupdate="YES"
			
named_symlink_enable="YES"	

defaultrouter=192.168.25.1		
static_routes=""		
natm_static_routes=""	
gateway_enable="YES"	
router_enable="NO"	
router="/sbin/routed"	
router_flags="-q"		
mrouted_enable="NO"	
mrouted_flags=""		
ipxgateway_enable="NO"	
ipxrouted_enable="NO"	
ipxrouted_flags=""		
arpproxy_all="NO"		
forward_sourceroute="NO"	
accept_sourceroute="NO"	

### Miscellaneous network options: ###
icmp_bmcastecho="NO"	
if [ -z "${source_rc_confs_defined}" ]; then
	source_rc_confs_defined=yes
	source_rc_confs () {
		local i sourced_files
		for i in ${rc_conf_files}; do
			case ${sourced_files} in
			*:$i:*)
				;;
			*)
				sourced_files="${sourced_files}:$i:"
				if [ -r $i ]; then
					. $i
				fi
				;;
			esac
		done
	}
fi
ifconfig_rl0="inet 192.168.0.1 netmask 0xffffff00"
ifconfig_rl1="inet 192.168.25.135 netmask 0xffffff00"
ifconfig_lo0="inet 127.0.0.1"
__________________________________________________________________________________________________________________
ppp.conf
__________________________________________________________________________________________________________________

vpn:
 dns enable
 nat enable yes
 set authname nikolay
 set authkey 911
 set timeout 0
 set ifaddr 0 0
 add default HISADDR
__________________________________________________________________________________________________________________
ipnat.rules
__________________________________________________________________________________________________________________

rdr tun0 195.39.253.24/32 port 21 -> 192.168.0.5 port 21
rdr tun0 195.39.253.24/32 port 80 -> 192.168.0.5 port 80
map tun0 192.168.0.0/24 -> 195.39.253.24/32 proxy port ftp ftp/tcp
map tun0 192.168.0.0/24 -> 195.39.253.24/32 portmap tcp/udp 10000:60000
map tun0 192.168.0.0/24 -> 195.39.253.24/32
__________________________________________________________________________________________________________________
ipf.rules
__________________________________________________________________________________________________________________

pass in all
pass out all
__________________________________________________________________________________________________________________
ÄÌÑ ÓÏÅÄÉÎÅÎÉÑ Ó ftp ÓÅÒ×ÅÒÁ(192.168.0.5) ÎÁ ÐÏÒÔ 21
tcpdump rl0 ÄÁÅÔ ÔÁËÏÅ:
__________________________________________________________________________________________________________________

08:38:19 3528202 arp who-has 192.168.0.1 tell 192.168.0.5
352829 arp replay 192.168.0.1 is-at 00:02:44:66:05:a1 (oi Unknown)
352925 IP 192.168.0.5.4332 > 195.39.253.24.ftp: S 2706215230:2706215230 (0) win 65535 <msss 1460,nop, nop, sack Ok>
352969 IP 195.39.x.x.ftp: > 192.168.0.5.4332: R 0:0(0) ack 2706215231 win 0
813373 IP 192.168.0.5.4332 > 195.39.x.x.ftp : S 2706215230:2706215230 (0) win 65535 <mss 1460, nop, nop,sackOk>
813400 IP 195.39.x.x.ftp > 192.168.0.5.4332 : R 0:0(0) ack 1 win 0
316291 IP 192.168.0.5.4332 > 195.39.x.x.ftp : S 2706215230:2706215230 (0) win 65535 <mss 1460, nop, nop, sackOk>
316324 IP 195.39.x.x.ftp > 192.168.0.5.4332 : R 0:0(0) ack 1 win 0
__________________________________________________________________________________________________________________

áÎÁÌÏÇÉÞÎÏ É ÄÌÑ ÐÏÒÔÁ 80.
Comment 1 Gavin Atkinson freebsd_committer freebsd_triage 2007-06-13 23:25:18 UTC 
State Changed
From-To: open->feedback


To submitter:  Please, if possible, submit your problem report 
in English.  If not possible, you will probably have more luck 
with one of the FreeBSD mailing lists in your own language, see 
http://www.freebsd.org/community/mailinglists.html
Comment 2 Gavin Atkinson freebsd_committer freebsd_triage 2007-07-16 14:11:35 UTC 
State Changed
From-To: feedback->closed

Feedback timeout (1 month).  To submitter:  If this still a problem, 
please try to summarise your problem in English, or ask on a mailing 
list in your native language.  Thanks!