>Number:         11133
>Category:       kern
>Synopsis:       Clients are able to freeze systems running IPNAT
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 04 13:57:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Jared D. McNeill
>Release:        Appx. Aug. 7, 2000
>Organization:
>Environment:
	
System: NetBSD blackhole.invisible.ca 1.5E NetBSD 1.5E (BLACKHOLE) #0: Sun Aug 27 05:12:33 ADT 2000 jmcneill@sun:/usr/src/sys/arch/i386/compile/BLACKHOLE i386


>Description:
It's possible to completely lock a system running ipnat and ftp proxying on
NetBSD 1.5E.
>How-To-Repeat:
Using CuteFTP 4.2 beta on the Windows box, I FTP'd through the NAT to a
Windows box down the road, IP address 10.160.61.178. When I
connect to it from the NAT itself, I get the following response:

blackhole:~$ ftp 10.160.61.178
Connected to 10.160.61.178.
220-Wolfpac Industries FTP service
    WarFTPd 1.70.b01.04 (Aug 18 1998) Ready
    (C)opyright 1996 - 1998 by Jarle (jgaa) Aase - all rights reserved.
220 Please enter your user name.
Name (10.160.61.178:jmcneill): 

However, whenever I connect to it through the NAT with CuteFTP, the NAT
locks. I haven't tested with any other clients; I don't enjoy pressing the
reset button every few minutes.

IP Filter: v3.4.9 initialized.  Default = pass all, Logging = enabled

/etc/ipnat.conf:
map ep0 192.168.0.0/24 -> 10.160.21.130/32 proxy port ftp ftp/tcp
map ep0 192.168.0.0/24 -> 10.160.21.130/32 portmap tcp/udp 30000:60000
map ep0 192.168.0.0/24 -> 10.160.21.130/32


>Fix:
Unknown.
>Release-Note:
>Audit-Trail:
>Unformatted: