Portforwarding off-by-1; private IP leaked in ICMP message

Support section for FREESCO v0.3.x

Post by phillipsjk256 » Sat Nov 28, 2009 1:43 am

Update: Solved off-by-1 issue. Did not check if solution also resolves address leaking issue.

Hello,

Since the FreeBSD 8.0 release was out, I decided to BitTorrent the DVD. When I noticed I was not uploading as fast as I could be, I decided to get around to poking holes in the router for BitTorrent. It didn't work. First, I double-checked my settings:
Code:
# BitTorrent Ports; 2 per client
#tcp,6881,6882,192.168.26.69
#tcp,6883,6884,192.168.26.5
#tcp,6885,6886,192.168.26.9
tcp,6887,6888,192.168.26.100
#tcp,6889,6890,192.168.131.9

Note: 192.168.26.69 and 192.168.26.5 are static IP addresses, as is 192.168.26.100 (originally the dynamic 192.168.26.10). 192.168.26.9-10 and 192.168.131.9 are dynamic IP addresses.

After checking the ports were forwarded properly, I called my ISP. They denied blocking the ports. I then tried some online port-scanners and discovered that port 6887 was open when I asked the BT client to open 6888. I then blamed the BitTorrent client. However, a local nmap scan exonerated the BT client. http://forum.transmissionbt.com/viewtopic.php?f=2&t=9068

Packet sniffing (on the Internet-facing side of the router) seems to solidly implicate the router.
During the attached capture I am using http://labs.programming-designs.com/portscanner/ to scan my router with the port range from 6880-6890. Interesting packets:

11: first probe on port 6880
12: What a closed port looks like; [RST,ACK]
26: probe on port 6883; no response. Suggests it got forwarded (im)properly? (to brother's computer running WinXP), then dropped.
45-48: TCP handshake for probe on port 6887; router side does not properly close connection (but [FIN] packet is ACK'd by 50). Connection closed by packet 60.
53,54: port 6888 (That is supposed to be forwarded, open) is closed. (port 6888 is open on the LAN side)
58,59: probe on port 6889 is responded to with an ICMP Host unreachable message that leaks the private IP: 192.168.131.1. The router was correct: the host in question (192.168.131.9) was unreachable at the time.
65,66: probe on port 6890 (that is supposed to be forwarded to the same host) gets a closed response.

I think my next step is to try to explicitly make the forwarded ports a range.
Update:
Code:
tcp,6887,-6888,192.168.26.100

appears to give the correct behavior.
phillipsjk256
Junior Member
 
Posts: 40
Joined: Tue Mar 01, 2005 3:55 am

Re: Portforwarding off-by-1; private IP leaked in ICMP message

Post by Lightning » Sat Nov 28, 2009 2:38 pm

I am initially thinking that you did not completely understand the port forwarding rules and what they did on your system.
# BitTorrent Ports; 2 per client
#tcp,6881,6882,192.168.26.69
#tcp,6883,6884,192.168.26.5
#tcp,6885,6886,192.168.26.9
tcp,6887,6888,192.168.26.100
#tcp,6889,6890,192.168.131.9

According to these settings you would be forwarding external port 6887 to internal port 6888 on the machine at 192.168.26.100.
Specifically with a torrent, I am not exactly sure what the client would do with mismatched external and internal ports, because it would most likely broadcast the wrong port. What this table should really be doing is exactly what you accomplished by setting a port range, which is that the external port matches the internal port. Like

# BitTorrent Ports; 2 per client
tcp,6887,6887,192.168.26.100
tcp,6888,6888,192.168.26.100

Or

# BitTorrent Ports; 2 per client
tcp,6887,-6888,192.168.26.100



By adding the - to your rule and making it a range previously, this is in essence what you did, except with all of the ports in that range.

I am curious whether, once configured correctly, the IP is still leaked?
If you are afraid that you might make a mistake. The chances are high that you will never learn anything.
Lightning
FREESCO GOD !!
 
Posts: 12079
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: Portforwarding off-by-1; private IP leaked in ICMP message

Post by phillipsjk256 » Sun Nov 29, 2009 8:54 pm

I was sort of expecting you to ask that, so I did not completely dismantle my testing apparatus:

"Internet"
|
ADSL modem (bridge mode)
|
10Mbit Hub -------- Packet sniffing machine (DHCP client disabled; no IP)
|
Freesco Router -------- 192.168.131.x unconnected
|
10/100Mbps Switch (192.168.26.x subnet)
|
Machine requesting port scan

Updated portfw.cfg:
Code:
# BitTorrent Ports; 2 per client
tcp,6881,-6882,192.168.26.69
tcp,6883,-6884,192.168.26.5
tcp,6885,-6886,192.168.26.9
tcp,6887,-6888,192.168.26.100
tcp,6889,-6890,192.168.131.9


Attached is a fresh port-scan. The leaked private IP problem went away. Interesting packets:
26, 27: Probe of 6880, closed.
31, 32: Probe of 6881, closed.
36, 37: Probe of 6882, closed.
43: Probe of 6883, blackholed.
47: Probe of 6884, blackholed.
51, 52: Probe of 6885, closed.
56, 57: Probe of 6886, closed.
61: Probe of 6887, blackholed. (suspend mode)
66: Probe of 6888, blackholed. (No BitTorrent today)
70: Probe of 6889, blackholed. (Disconnected)
74: Probe of 6890, blackholed. (Disconnected)

I think I understand your explanation for what happened: It is a feature that allows you to "shift" or translate what ports an internal machine is listening on:
Code:
tcp,8080,80,192.168.26.100

The above should redirect connections to port 8080 to an internal webserver (port 80) at 192.168.26.100.

This does not work for BitTorrent because the client tells the tracker what port it is listening on. The BT client has no way of knowing that the router is moving the port around. (Unless the router gets UPnP support or something (allows applications to automatically poke holes in router).)

Update: Tried again with the alternate syntax:
Code:
tcp,6889,6889,192.168.131.9
tcp,6890,6890,192.168.131.9


Fresh packet capture (scan4.txt):
23: Probe of 6889, blackholed. (Disconnected)
27: Probe of 6890, blackholed. (Disconnected)
phillipsjk256
Junior Member
 
Posts: 40
Joined: Tue Mar 01, 2005 3:55 am
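
Added example (not part of the original posts and not FREESCO's own parser): a small checker for the two portfw.cfg rule forms discussed in this thread. It assumes only the semantics described in the posts above (`proto,external,internal,host` for one port, `proto,start,-end,host` for a range with matching ports); the function names are made up for illustration.

```python
import ipaddress

# Rules quoted from the thread: the first config's active line, then the fix.
ORIGINAL = """# BitTorrent Ports; 2 per client
#tcp,6881,6882,192.168.26.69
tcp,6887,6888,192.168.26.100
"""
FIXED = "tcp,6887,-6888,192.168.26.100\n"

def _port(text, lineno):
    port = int(text)  # ValueError on non-numeric input
    if not 1 <= port <= 65535:
        raise ValueError(f"line {lineno}: port {port} out of range")
    return port

def parse_portfw(text):
    """Return (proto, external_port, internal_port, host) per forwarded port."""
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {raw!r}")
        proto, first, second, host = fields
        ipaddress.IPv4Address(host)  # ValueError on a malformed address
        start = _port(first, lineno)
        if second.startswith("-"):
            # Range form (assumed from the thread): ports keep their numbers.
            end = _port(second[1:], lineno)
            if end < start:
                raise ValueError(f"line {lineno}: range ends before it starts")
            mappings += [(proto, p, p, host) for p in range(start, end + 1)]
        else:
            # Single form: one external port, sent to the internal port given.
            mappings.append((proto, start, _port(second, lineno), host))
    return mappings

def translated(mappings):
    """Mappings whose external port differs from the internal port."""
    return [m for m in mappings if m[1] != m[2]]

def external_ports(mappings):
    """External ports the rules open on the router, sorted."""
    return sorted({m[1] for m in mappings})

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        rules = parse_portfw(cfg)
        print(name, "opens", external_ports(rules), "translated:", translated(rules))
```

Run against the first config, it reports external port 6887 open and translated to 6888, with 6888 itself not forwarded, which matches the port-scan result in the first post.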

Re: Portforwarding off-by-1; private IP leaked in ICMP message

Post by Lightning » Mon Nov 30, 2009 2:56 am

phillipsjk256 wrote:
The above should redirect connections to port 8080 to an internal webserver (port 80) at 192.168.26.100.

This does not work for BitTorrent because the client tells the tracker what port it is listening on. The BT client has no way of knowing that the router is moving the port around. (Unless the router gets UPnP support or something (allows applications to automatically poke holes in router).)

Yes, exactly, and I am very glad that the router stopped leaking the internal IP, because even though it is an unroutable IP address, the less information provided the better.
Lightning
FREESCO GOD !!
 
Posts: 12079
Joined: Wed Nov 14, 2001 6:50 am
Location: Oregon, USA

Re: Portforwarding off-by-1; private IP leaked in ICMP message

Post by phillipsjk256 » Tue Dec 01, 2009 10:21 pm

I mentioned the address leaking mainly because it violates RFC 1918:
Because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise
links, and packets with private source or destination addresses
should not be forwarded across such links. Routers in networks not
using private address space, especially those of Internet service
providers, are expected to be configured to reject (filter out)
routing information about private networks. If such a router receives
such information the rejection shall not be treated as a routing
protocol error.
- http://www.faqs.org/rfcs/rfc1918.html

I realize that almost any bug can be worked into an exploit, given enough time, but somehow I don't think that's going to be a problem.
phillipsjk256
Junior Member
 
Posts: 40
Joined: Tue Mar 01, 2005 3:55 am
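
Added example (not from the original posts): a check for RFC 1918 addresses showing up in a WAN-side capture, as with the ICMP host-unreachable reply described earlier in the thread. The sample lines are constructed in the style of `tcpdump -n` text output, since the thread's capture files are not available; where the private address sat in the real packet is an assumption, and the function name is hypothetical.

```python
import ipaddress
import re

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dotted quad not glued to a preceding digit or dot; a trailing ".port"
# (tcpdump's addr.port notation) is left out of the match.
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d)")

# Constructed sample: a closed port, then a probe answered by an ICMP
# host-unreachable that carries private addresses onto the WAN side.
SAMPLE = """\
12:00:01.100000 IP 198.51.100.7.40001 > 203.0.113.20.6888: Flags [S], seq 1, win 5840, length 0
12:00:01.100400 IP 203.0.113.20.6888 > 198.51.100.7.40001: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:02.200000 IP 198.51.100.7.40002 > 203.0.113.20.6889: Flags [S], seq 1, win 5840, length 0
12:00:05.200900 IP 192.168.131.1 > 198.51.100.7: ICMP host 192.168.131.9 unreachable, length 68
"""

def private_leaks(capture_text):
    """Return (line_number, address, rfc1918_block) for each private address."""
    findings = []
    for lineno, line in enumerate(capture_text.splitlines(), 1):
        for text in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # looked like an address but is not one (e.g. 999.1.1.1)
            for net in RFC1918:
                if addr in net:
                    findings.append((lineno, str(addr), str(net)))
    return findings

if __name__ == "__main__":
    for lineno, addr, net in private_leaks(SAMPLE):
        print(f"line {lineno}: {addr} is inside {net}")
```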

