Bug 20714

Summary: errant firewall rule response
Product: Base System
Reporter: markm68k <markm68k>
Component: misc
Assignee: ru <ru>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.1-RELEASE
Hardware: Any
OS: Any

Description markm68k 2000-08-19 10:40:00 UTC
Setting up a firewall rule to send the icmp unreachable for a tcp connection causes the icmp response that is sent to say that the firewall itself is unreachable.

Fix: unknown.

How-To-Repeat:
1. install FreeBSD 4.1-RELEASE
2. configure an "open" firewall
3. configure a natd alias internal interface.
3. add a "unreach host-prohib" rule (e.g. telnet)
4. from a computer connected to the FreeBSD computer behind a natd connection, try to connect to the unreachable host via tcp (e.g. telnet)
5. watch the results from tcpdump.
Comment 1 Ruslan Ermilov 2000-08-21 13:20:13 UTC
On Sat, Aug 19, 2000 at 02:33:02AM -0700, markm68k@yahoo.com wrote:
> 
> FreeBSD myhost 4.1-RELEASE FreeBSD 4.1-RELEASE #7: Mon Aug 14 21:32:29 PDT 2000     me@myhost:/usr/src/sys/compile/MYHOST  i386
> 
> Setting up a firewall rule to send the icmp unreachable for a tcp connection
> causes the icmp response that is sent to say that the firewall itself is
> unreachable.
> 
> 1. install FreeBSD 4.1-RELEASE
> 2. configure an "open" firewall
> 3. configure a natd alias internal interface.
> 3. add a "unreach host-prohib" rule (e.g. telnet)
> 4. from a computer connected to the FreeBSD computer behind a natd
> connection, try to connect to the unreachable host via tcp (e.g. telnet)
> 5. watch the results from tcpdump.
> 
I cannot reproduce this.  Could you please send me (in private mail) the
output of `ifconfig -a inet', `ipfw list', `grep natd_ /etc/rc.conf*' and
`tcpdump' output?

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
Comment 2 Sheldon Hearn freebsd_committer freebsd_triage 2000-08-22 16:11:36 UTC
State Changed
From-To: open->feedback

Ruslan asked for feedback. 


Comment 3 Sheldon Hearn freebsd_committer freebsd_triage 2000-08-22 16:11:36 UTC
Responsible Changed
From-To: freebsd-bugs->ru

Ruslan asked for feedback in private, so nobody else is 
going to know when developments progress.
Comment 4 ru freebsd_committer freebsd_triage 2000-08-31 15:40:07 UTC
State Changed
From-To: feedback->closed

Though there are some issues to be addressed with how libalias(3) 
handles outgoing ICMP messages, this particular misbehavior was 
caused by improper firewall configuration. 

The originator confirms (in private email) that the problems 
disappeared after supplying a proper ruleset for firewall: 

On Wed, Aug 23, 2000 at 10:16:09AM -0700, Mark Miller wrote: 
> 
> > But there are still some issues with your setup. 
> > Natd(8) was designed to be run on `public' interface, not 
> > the `internal' one, while in your case they are the same (ep0). 
> > Such a configuration requires a special ruleset to work properly. 
> > Replace your single `divert' rule with the following two ones 
> > and let me know whether it works for you: 
> > 
> > ipfw add 50 divert natd ip from 192.168.1.0/24 to not 192.168.1.0/24 out via ep0 
> > ipfw add 50 divert natd ip from any to X.194.243.192 in via ep0 
> 
> This works great!  I have noticed a significant improvement in efficiency 
> when accessing many different sites on the internet.