Hi vpp-devers, We have a report of an unexpected behavior when using a static NAT with ICMP. It appears that configuring an outside interface to allow ICMP also allows forwarding of all protocols as well.
If you start with, say, a blocked TCP on port 22 and an SNMP on port 161, then adding a NAT static map of ICMP on an inside-facing address of 192.16.0.53 for an outside interface of TenGigabitEthernet6/0/0, then suddenly TCP/UDP are accessible from the outside using SSH and SNMP. (No, this isn't vppctl syntax. :-))

    (config)# nat static map icmp local 192.168.0.53 external outside
    (config)# show nat static
    Static Mappings
    Proto Local IP     Port External IP  Port Interface Twice NAT Out to In Route Table
    ----- ------------ ---- ------------ ---- --------- --------- --------- -----------
          192.168.0.53 0    0.0.0.0      0    outside                       ipv4-VRF:0
          192.168.0.53 0    192.168.0.53 0                                  ipv4-VRF:0

Did the ICMP mapping open more than was expected or intended here?

I chased this down in the code a bit, but I'm not sure what the _intent_ is supposed to be. When "address only" is true (ie, both ports are 0), then the protocol appears not to be used in any of the NAT-entry lookups. Is that somehow allowing UDP and TCP to slide through?

Thanks,
jdl
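The question above is whether an address-only static mapping (both ports 0) is matched without regard to protocol. The following is an added, simplified model of an out-to-in static-mapping lookup, written for this thread and not VPP's own code: it keeps the lookup semantics the post describes (port-specific entries win, an address-only entry is the fallback) and compares two policies for the fallback, one that ignores the protocol and one that requires it to match the protocol the mapping was configured with. The external address 203.0.113.10, the probe packets, and all function and type names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IP protocol numbers as carried in the IPv4 header. */
enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

/* One static mapping. external_port == 0 means "address only", which is the
 * case in the post (both ports shown as 0 in "show nat static"). */
typedef struct {
    uint32_t local_addr;
    uint32_t external_addr;
    uint16_t external_port;   /* 0 = address only */
    uint8_t  proto;           /* protocol the operator configured ("icmp") */
} static_mapping_t;

/* The fields of an inbound (out-to-in) packet that the lookup consults. */
typedef struct {
    uint32_t dst_addr;
    uint16_t dst_port;        /* 0 for ICMP */
    uint8_t  proto;
} pkt_key_t;

/* Lookup policy for the address-only fallback (hypothetical knob). */
typedef enum { ADDR_ONLY_IGNORES_PROTO, ADDR_ONLY_CHECKS_PROTO } lookup_policy_t;

/* Return the mapping that would translate this packet, or NULL.
 * Port-specific entries require an exact (proto, addr, port) match and take
 * precedence. An address-only entry is the fallback: under
 * ADDR_ONLY_IGNORES_PROTO it matches any protocol to that address, which
 * reproduces the behaviour reported in the post; under ADDR_ONLY_CHECKS_PROTO
 * it only matches the protocol the mapping was configured with. */
const static_mapping_t *lookup_out2in(const static_mapping_t *maps, size_t n,
                                      const pkt_key_t *pkt, lookup_policy_t policy)
{
    const static_mapping_t *addr_only_hit = NULL;
    for (size_t i = 0; i < n; i++) {
        const static_mapping_t *m = &maps[i];
        if (m->external_addr != pkt->dst_addr)
            continue;
        if (m->external_port != 0) {
            if (m->proto == pkt->proto && m->external_port == pkt->dst_port)
                return m;             /* exact port-specific match */
            continue;
        }
        if (policy == ADDR_ONLY_CHECKS_PROTO && m->proto != pkt->proto)
            continue;                 /* address-only entry, wrong protocol */
        if (!addr_only_hit)
            addr_only_hit = m;        /* remember first address-only candidate */
    }
    return addr_only_hit;
}

/* Build a host-order IPv4 address from a dotted quad. */
static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Constructed scenario mirroring the post: a single address-only ICMP mapping
 * from the outside address (here 203.0.113.10, constructed) to 192.168.0.53.
 * Three probes are sent from outside: ICMP, TCP/22 (SSH) and UDP/161 (SNMP).
 * Returns a bitmask of which probes would be translated inward:
 * bit 0 = ICMP, bit 1 = TCP/22, bit 2 = UDP/161. */
unsigned translated_mask(lookup_policy_t policy)
{
    static const static_mapping_t maps[] = {
        { .local_addr = 0, .external_addr = 0, .external_port = 0, .proto = PROTO_ICMP },
    };
    static_mapping_t m = maps[0];
    m.local_addr = ip4(192, 168, 0, 53);
    m.external_addr = ip4(203, 0, 113, 10);

    const pkt_key_t probes[3] = {
        { .dst_addr = ip4(203, 0, 113, 10), .dst_port = 0,   .proto = PROTO_ICMP },
        { .dst_addr = ip4(203, 0, 113, 10), .dst_port = 22,  .proto = PROTO_TCP  },
        { .dst_addr = ip4(203, 0, 113, 10), .dst_port = 161, .proto = PROTO_UDP  },
    };
    unsigned mask = 0;
    for (unsigned i = 0; i < 3; i++)
        if (lookup_out2in(&m, 1, &probes[i], policy))
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    printf("addr-only ignores proto: mask=%u (7 = ICMP, TCP/22 and UDP/161 all pass)\n",
           translated_mask(ADDR_ONLY_IGNORES_PROTO));
    printf("addr-only checks proto:  mask=%u (1 = only ICMP passes)\n",
           translated_mask(ADDR_ONLY_CHECKS_PROTO));
    return 0;
}
```

The model shows why the observation in the post follows directly from dropping the protocol from the key when both ports are 0: the only remaining match criterion is the external address, so any protocol to that address finds the entry. The same harness is a convenient regression check for whichever semantics the maintainers decide is intended, since the expected mask differs between the two policies.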
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#16389): https://lists.fd.io/g/vpp-dev/message/16389
Mute This Topic: https://lists.fd.io/mt/74208726/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-