How are you injecting the crafted packet into the stack?

On Tue, 29 Aug 2023, 01:14 , <p...@delphinusdns.org> wrote:

> >Synopsis:      pf nat-to doesn't match a crafted packet
> >Category:      system
> >Environment:
>         System      : OpenBSD 7.3
>         Details     : OpenBSD 7.3 (GENERIC.MP) #2080: Sat Mar 25 14:20:25 MDT 2023
>                          dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
>
>         Architecture: OpenBSD.arm64
>         Machine     : arm64
> >Description:
>         I was testing a seemingly valid Internet packet going out my gateway
> but the pf firewall doesn't match nat-to to this one for some reason.  I'm
> possibly overlooking something but every other packet exiting my gateway is
> nat'ed.  What causes this?  How can this be exploited?
>
> >How-To-Repeat:
> Here is the tcpdump from the host 1 hop behind the NAT router:
>
> 16:59:08.438082 192.168.177.13 > 49.12.42.182: icmp: host 7.198.187.211
> unreachable [icmp cksum ok] for 11.69.44.241.52699 > 7.198.187.211.55672:
> udp 51351 [tos 0x9c] (ttl 147, id 17124, len 51419, optlen=40 NOP RR{39}=
> RR{#106.155.117.54 233.26.79.111 129.127.249.242 60.117.146.16
> 179.39.29.224 213.65.49.78 0.16.45.109 252.168.188.0 123.108.138.224}) (ttl
> 64, id 65443, len 96)
>   0000: 4500 0060 ffa3 0000 4001 ad81 c0a8 b10d  E..`....@.......
>   0010: 310c 2ab6 0301 55aa 0000 0000 4f9c c8db  1.*...U.....O...
>   0020: 42e4 0000 9311 c756 0b45 2cf1 07c6 bbd3  B......V.E,.....
>   0030: 0107 2704 6a9b 7536 e91a 4f6f 817f f9f2  ..'.j.u6..Oo....
>   0040: 3c75 9210 b327 1de0 d541 314e 0010 2d6d  <u...'...A1N..-m
>   0050: fca8 bc00 7b6c 8ae0 cddb d978 0000 0000  ....{l.....x....
>
> and here is the tcpdump on the pppoe interface:
>
> 16:59:08.440403 192.168.177.13 > 49.12.42.182: icmp: host 7.198.187.211 unreachable [icmp cksum ok] (ttl 63, id 65443, len 96)
>
> Here are the relevant anchor rules I have:
>
>        match out on $ext_if inet from <rfc1918> to any nat-to ($ext_if)
>
> and:
>
>         table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }
>
> Why did pf not translate this?  ... that's kinda kinky.
>
> >Fix:
> Not known.
>
>
> dmesg:
>
>
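To see exactly what the firewall had to parse, here is an added example (not part of the report or of OpenBSD) that decodes the hex dump quoted above: the outer IPv4 header, the ICMP unreachable header, and the embedded IPv4 header with its 40 bytes of options and the UDP ports that follow. It assumes only a Python 3 interpreter with the standard library; the packet bytes are constructed from the report's dump.

```python
import struct

# Packet bytes constructed from the hex dump quoted in the bug report above (96 bytes).
PKT = bytes.fromhex(
    "4500 0060 ffa3 0000 4001 ad81 c0a8 b10d 310c 2ab6 0301 55aa 0000 0000 4f9c c8db"
    "42e4 0000 9311 c756 0b45 2cf1 07c6 bbd3 0107 2704 6a9b 7536 e91a 4f6f 817f f9f2"
    "3c75 9210 b327 1de0 d541 314e 0010 2d6d fca8 bc00 7b6c 8ae0 cddb d978 0000 0000")

def inet_checksum(data):
    """RFC 1071 ones-complement sum; returns 0 when the embedded checksum verifies."""
    data += b"\x00" * (len(data) % 2)          # pad an odd-length buffer
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return (~s) & 0xffff

def parse_options(opts):
    """Walk IPv4 options: EOL/NOP are one byte, the rest carry a length; RR slots are expanded."""
    out, i = [], 0
    while i < len(opts) and opts[i] != 0:     # type 0 = end of option list
        if opts[i] == 1:                       # NOP
            out.append(("NOP", 1)); i += 1; continue
        t, n = opts[i], opts[i + 1]
        if t == 7:                             # Record Route: type, len, ptr, then 4-byte address slots
            out.append(("RR", n, [".".join(map(str, opts[i+3+k:i+7+k])) for k in range(0, n - 3, 4)]))
        else:
            out.append((t, n))
        i += n
    return out

def parse_ipv4(buf):
    """Decode one IPv4 header (options included) and verify its header checksum."""
    vihl, tos, tlen, ident, _frag, ttl, proto, _ck, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    hlen = (vihl & 0x0f) * 4
    return {"ihl_bytes": hlen, "optlen": hlen - 20, "tos": tos, "len": tlen, "id": ident, "ttl": ttl,
            "proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "options": parse_options(buf[20:hlen]), "cksum_ok": inet_checksum(buf[:hlen]) == 0}

def parse_icmp_unreach(pkt):
    """Outer IPv4, the 8-byte ICMP header, then the quoted original datagram and its ports."""
    outer = parse_ipv4(pkt)
    icmp = pkt[outer["ihl_bytes"]:outer["len"]]
    inner = parse_ipv4(icmp[8:])               # original datagram starts after the ICMP header
    ioff = 8 + inner["ihl_bytes"]
    sport, dport = struct.unpack("!HH", icmp[ioff:ioff + 4])
    return {"outer": outer, "type": icmp[0], "code": icmp[1], "icmp_cksum_ok": inet_checksum(icmp) == 0,
            "inner": inner, "sport": sport, "dport": dport, "inner_quoted": len(icmp) - 8}

if __name__ == "__main__":
    print(parse_icmp_unreach(PKT))
```

The decoded result shows the outer header and ICMP checksum verifying, while the embedded header has IHL 15 (60 bytes, a NOP plus a 39-byte Record Route) and claims a total length of 51419 although only 68 bytes of the original datagram are actually quoted.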
