mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-22 21:41:04 +01:00
05248206f7
Remove /^\s*\$FreeBSD\$$\n/
377 lines
15 KiB
Plaintext
377 lines
15 KiB
Plaintext
Copyright (c) 2001 Charles Mott <cm@linktel.net>
|
|
All rights reserved.
|
|
|
|
Redistribution and use in source and binary forms, with or without
|
|
modification, are permitted provided that the following conditions
|
|
are met:
|
|
1. Redistributions of source code must retain the above copyright
|
|
notice, this list of conditions and the following disclaimer.
|
|
2. Redistributions in binary form must reproduce the above copyright
|
|
notice, this list of conditions and the following disclaimer in the
|
|
documentation and/or other materials provided with the distribution.
|
|
|
|
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
SUCH DAMAGE.
|
|
|
|
User PPP NAT (Packet Aliasing)
|
|
|
|
|
|
|
|
0. Contents
|
|
1. Background
|
|
2. Setup
|
|
3. New commands in ppp
|
|
4. Future Work
|
|
5. Authors / Acknowledgements
|
|
6. Revision History for Aliasing Code
|
|
|
|
|
|
|
|
1. Background
|
|
|
|
User mode ppp has embedded NAT (Network Address Translation) code.
|
|
Enabling this, either by the "-nat" command line option or the
|
|
"nat enable yes" command in a ppp.conf file, makes the ppp host
|
|
automatically NAT IP packets forwarded from a local network, making
|
|
them appear to come from the ppp host machine. Incoming packets
|
|
from the outside world are then appropriately de-NAT'd.
|
|
|
|
The process of NAT'ing involves both the IP address and the TCP or UDP
|
|
port numbers. ICMP echo and timestamp packets are natted by their id
|
|
numbers. ICMP error messages can be properly directed by examining the
|
|
fragment of the offending packet which is contained in the body of the
|
|
message.
|
|
|
|
This software was specifically meant to support users who have
|
|
unregistered, private address IP networks (e.g. 192.168.0.x or 10.0.0.x
|
|
addresses). The ppp host can act as a gateway for these networks, and
|
|
computers on the local area net will have some degree of Internet access
|
|
without the need for a registered IP address. Additionally, there will
|
|
be no need for an Internet service provider to maintain routing tables
|
|
for the local area network.
|
|
|
|
A disadvantage of NAT is that machines on the local network,
|
|
behind the ppp host, are not visible from the outside world. They can
|
|
establish TCP connections and make UDP inquiries (such as domain name
|
|
service requests) but the connections seem to come from the ppp host
|
|
itself. There is, in effect, a partial firewall. Of course, if this is
|
|
what you want, the disadvantage becomes an advantage.
|
|
|
|
A second disadvantage is that "IP encoding" protocols, which send IP
|
|
address or port information within the data stream, are not supported
|
|
for the cases where exception code exists. This implementation has
|
|
workarounds for FTP and IRC DCC, the most well known of the IP encoding
|
|
protocols. This frees users from depending on using the ftp passive
|
|
mode and avoiding IRC DCC sends, as is sometimes the case with other
|
|
masquerading solutions.
|
|
|
|
The implementation supports all standard, non-encoding TCP and UDP protocols.
|
|
Examples of these protocols are http, gopher and telnet. The standard UDP
|
|
mode of Real-Audio is not presently supported, but the TCP mode does work
|
|
correctly.
|
|
|
|
The NAT code also handles many ICMP messages. In particular,
|
|
ping and traceroute are supported.
|
|
|
|
|
|
|
|
2. Packet Aliasing Setup
|
|
|
|
It is recommended that users first verify correct ppp operation without
|
|
NAT enabled. This will confirm that the ppp.conf file is
|
|
properly set up and that there are no ppp problems. Then start ppp with
|
|
the "-nat" option on the command line. The user should verify that
|
|
the ppp host can correctly connect to the Internet in NAT
|
|
mode. Finally, check that machines on the private network can access
|
|
the Internet.
|
|
|
|
The NAT software handles all packets, whether they come from
|
|
the host or another computer on the local area network. Thus, a correctly
|
|
operating ppp host indicates that the software should work properly for
|
|
other computers on the private network.
|
|
|
|
If the ppp host can access the Internet, but other computers on the local
|
|
network cannot, check that IP forwarding is enabled on the ppp host. Also,
|
|
verify that the other computers use this machine as a gateway. Of course,
|
|
you should also verify that machines within the local area network
|
|
communicate properly. A common error is inconsistent subnet addresses
|
|
and masks.
|
|
|
|
|
|
|
|
3. New commands in ppp
|
|
|
|
In order to control NAT behaviour in a simple manner (no need for
|
|
recompilation), a new command has been added to ppp: nat. This
|
|
is in addition to the -nat command line option. System managers and
|
|
more experienced users may prefer to use the ppp command syntax
|
|
within the ppp.conf file. The nat command also allows NAT
|
|
behaviour to be more precisely specified.
|
|
|
|
The decision to add a command instead of extending 'set' or 'option' was
|
|
to make obvious that these options only work when NAT is enabled.
|
|
|
|
The syntax for 'nat' is
|
|
|
|
ppp> nat option [yes|no]
|
|
|
|
where option is given by one of the following templates.
|
|
|
|
|
|
- nat enable [yes|no] (default no)
|
|
|
|
Enable NAT functionality. If disabled, no other NAT
|
|
options will have any effect. You should usually enable NAT
|
|
before routing any packets over the link; good points are in the
|
|
initial script or right before adding a route. If you do not always
|
|
want NAT, consider using the -nat option to ppp instead of this
|
|
command.
|
|
|
|
|
|
- nat deny_incoming [yes|no] (default yes)
|
|
|
|
Set to "yes" to disable all incoming connections. This just drops
|
|
connections to, for example, ftp, telnet or web servers. The NAT
|
|
mechanism prevents these connections. Technically, this option denies
|
|
all incoming TCP and UDP requests, making the NAT software a
|
|
fairly efficient one-way firewall. The default is no, which will allow
|
|
all incoming connections to telnetd, ftpd, etc.
|
|
|
|
|
|
- nat log [yes|no]
|
|
|
|
Controls logging of NAT link creation to "/var/log/alias.log" - this
|
|
is usually only useful if debugging a setup, to see if the bug is in
|
|
the PPP NATing. The debugging information is fairly limited, listing
|
|
the number of NAT links open for different protocols.
|
|
|
|
|
|
- nat same_ports [yes|no] (default yes)
|
|
|
|
When a connection is being established going through the NAT
|
|
routines, it will normally have its port number changed to allow the
|
|
NAT code to track it. If same_ports is enabled, the NAT
|
|
software attempts to keep the connection's source port unchanged.
|
|
This will allow rsh, RPC and other specialised protocols to work
|
|
_most of the time_, at least on the host machine. Please, do not
|
|
report this being unstable as a bug - it is a result of the way
|
|
NAT has to work. TCP/IP was intended to have one IP address
|
|
per machine.
|
|
|
|
|
|
- nat use_sockets [yes|no] (default yes)
|
|
|
|
This is a fairly obscure option. For the most part, the NAT
|
|
software does not have to allocate system sockets when it chooses a
|
|
NAT port number. Under very specific circumstances, FTP data
|
|
connections (which don't know the remote port number, though it is
|
|
usually 20) and IRC DCC send (which doesn't know either the address or
|
|
the port from which the connection will come), there can potentially be
|
|
some interference with an open server socket having the same port number
|
|
on the ppp host machine. This possibility for interference only exists
|
|
until the TCP connection has been acknowledged on both sides. The safe
|
|
option is yes, though fewer system resources are consumed by specifying
|
|
no.
|
|
|
|
|
|
- nat unregistered_only [yes|no] (default no)
|
|
|
|
NAT normally remaps all packets coming from the local area
|
|
network to the ppp host machine address. Set this option to only map
|
|
addresses from the following standard ranges for private, unregistered
|
|
addresses:
|
|
|
|
10.0.0.0 -> 10.255.255.255
|
|
172.16.0.0 -> 172.31.255.255
|
|
192.168.0.0 -> 192.168.255.255 */
|
|
|
|
In the instance that there is a subnet of public addresses and another
|
|
subnet of private addresses being routed by the ppp host, then only the
|
|
packets on the private subnet will be NAT'd.
|
|
|
|
|
|
- nat port <proto> <local addr>:<port> <nat port>
|
|
|
|
This command allows incoming traffic to <nat port> on the host
|
|
machine to be redirected to a specific machine and port on the
|
|
local area network. One example of this would be:
|
|
|
|
nat port tcp 192.168.0.4:telnet 8066
|
|
|
|
All traffic to port 8066 of the ppp host would then be sent to
|
|
the telnet port (23) of machine 192.168.0.4. Port numbers
|
|
can either be designated numerically or by symbolic names
|
|
listed in /etc/services. Similarly, addresses can be either
|
|
in dotted quad notation or in /etc/hosts.
|
|
|
|
|
|
- nat addr <local addr> <public addr>
|
|
|
|
This command allows traffic for a public IP address to be
|
|
redirected to a machine on the local network. This function
|
|
is known as "static NAT". An address assignment of 0 refers
|
|
to the default address of the ppp host. Normally static
|
|
NAT is useful if your ISP has allocated a small block of
|
|
IP addresses to the user, but it can even be used in the
|
|
case of a single, dynamically allocated IP address:
|
|
|
|
nat addr 10.0.0.8 0
|
|
|
|
The above command would redirect all incoming traffic to
|
|
machine 10.0.0.8.
|
|
|
|
If several address NATs specify the same public address
|
|
as follows
|
|
|
|
nat addr 192.168.0.2 public_addr
|
|
nat addr 192.168.0.3 public_addr
|
|
nat addr 192.168.0.4 public_addr
|
|
|
|
then incoming traffic will be directed to the last
|
|
translated local address (192.168.0.4), but outgoing
|
|
traffic to the first two addresses will still be NAT'd
|
|
to the specified public address.
|
|
|
|
|
|
|
|
4. Future Work
|
|
|
|
What is called NAT here has been variously called masquerading, packet
|
|
aliasing and transparent proxying by others. It is an extremely useful
|
|
function to many users, but it is also necessarily imperfect. The
|
|
occasional IP-encoding protocols always need workarounds (hacks).
|
|
Users who are interested in supporting new IP-encoding protocols
|
|
can follow the examples of alias_ftp.c and alias_irc.c.
|
|
|
|
ICMP error messages are currently handled only in the incoming direction.
|
|
A handler needs to be added to correctly NAT outgoing error messages.
|
|
|
|
IRC and FTP exception handling make reasonable, though not strictly correct
|
|
assumptions, about how IP encoded messages will appear in the control
|
|
stream. Programmers may wish to consider how to make this process more
|
|
robust.
|
|
|
|
The NAT engine (alias.c, alias_db.c, alias_ftp.c, alias_irc.c
|
|
and alias_util.c) runs in user space, and is intended to be both portable
|
|
and reusable for interfaces other than ppp. To access the basic engine
|
|
only requires four simple function calls (initialisation, communication of
|
|
host address, outgoing NAT and incoming de-NATing).
|
|
|
|
|
|
|
|
5. Authors / Acknowledgements
|
|
|
|
Charles Mott (cm@linktel.net) <versions 1.0 - 1.8, 2.0, 2.1>
|
|
Eivind Eklund (perhaps@yes.no) <versions 1.8b - 1.9, new ppp commands>
|
|
|
|
Listed below, in chronological order, are individuals who have provided
|
|
valuable comments and/or debugging assistance.
|
|
|
|
Gary Roberts
|
|
Tom Torrance
|
|
Reto Burkhalter
|
|
Martin Renters
|
|
Brian Somers
|
|
Paul Traina
|
|
Ari Suutari
|
|
J. Fortes
|
|
Andrzej Bialeki
|
|
|
|
|
|
|
|
6. Revision History for Aliasing Code
|
|
|
|
Version 1.0: August 11, 1996 (cjm)
|
|
|
|
Version 1.1: August 20, 1996 (cjm)
|
|
PPP host accepts incoming connections for ports 0 to 1023.
|
|
|
|
Version 1.2: September 7, 1996 (cjm)
|
|
Fragment handling error in alias_db.c corrected.
|
|
|
|
Version 1.3: September 15, 1996 (cjm)
|
|
- Generalised mechanism for handling incoming connections
|
|
(no more 0 to 1023 restriction).
|
|
- Increased ICMP support (will handle traceroute now).
|
|
- Improved TCP close connection logic.
|
|
|
|
Version 1.4: September 16, 1996
|
|
Can't remember (this version only lasted a day -- cjm).
|
|
|
|
Version 1.5: September 17, 1996 (cjm)
|
|
Corrected error in handling incoming UDP packets
|
|
with zero checksum.
|
|
|
|
Version 1.6: September 18, 1996
|
|
Simplified ICMP data storage. Will now handle
|
|
tracert from Win95 as well as FreeBSD traceroute.
|
|
|
|
Version 1.7: January 9, 1997 (cjm)
|
|
- Reduced malloc() activity for ICMP echo and
|
|
timestamp requests.
|
|
- Added handling for out-of-order IP fragments.
|
|
- Switched to differential checksum computation
|
|
for IP headers (TCP, UDP and ICMP checksums
|
|
were already differential).
|
|
- Accepts FTP data connections from other than
|
|
port 20. This allows one ftp connections
|
|
from two hosts which are both running packet
|
|
aliasing.
|
|
|
|
Version 1.8: January 14, 1997 (cjm)
|
|
- Fixed data type error in function StartPoint()
|
|
in alias_db.c (this bug did not exist before v1.7)
|
|
|
|
Version 1.8b: January 16, 1997 (Eivind Eklund <perhaps@yes.no>)
|
|
- Upgraded base PPP version to be the source code from
|
|
FreeBSD 2.1.6, with additional security patches. This
|
|
version should still be possible to run on 2.1.5, though -
|
|
I've run it with a 2.1.5 kernel without problems.
|
|
(Update done with the permission of cjm)
|
|
|
|
Version 1.9: February 1, 1997 (Eivind Eklund <perhaps@yes.no>)
|
|
- Added support for IRC DCC (ee)
|
|
- Changed the aliasing routines to use ANSI style throughout -
|
|
minor API changes for integration with other programs than PPP (ee)
|
|
- Changed the build process, making all options switchable
|
|
from the Makefile (ee)
|
|
- Fixed minor security hole in alias_ftp.c for other applications
|
|
of the aliasing software. Hole could _not_ manifest in
|
|
PPP+pktAlias, but could potentially manifest in other
|
|
applications of the aliasing. (ee)
|
|
- Connections initiated from packet aliasing host machine will
|
|
not have their port number aliased unless it conflicts with
|
|
an aliasing port already being used. (There is an option to
|
|
disable this for debugging) (cjm)
|
|
- Sockets will be allocated in cases where there might be
|
|
port interference with the host machine. This can be disabled
|
|
in cases where the ppp host will be acting purely as a
|
|
masquerading router and not generate any traffic of its own.
|
|
(cjm)
|
|
|
|
Version 2.0: March, 1997 (cjm)
|
|
- Incoming packets which are not recognised by the packet
|
|
aliasing engine are now completely dropped in ip.c.
|
|
- Aliasing links are cleared when a host interface address
|
|
changes (due to re-dial and dynamic address allocation).
|
|
- PacketAliasPermanentLink() API added.
|
|
- Option for only aliasing private, unregistered IP addresses
|
|
added.
|
|
- Substantial rework to the aliasing lookup engine.
|
|
|
|
Version 2.1: May, 1997 (cjm)
|
|
- Continuing rework to the aliasing lookup engine to support
|
|
multiple incoming addresses and static NAT.
|
|
- Now supports outgoing as well as incoming ICMP error messages/
|
|
- PPP commands to support address and port redirection.
|
|
|