
Redirection Question



I am trying to redirect a Windows XP Remote Desktop connection through an OpenBSD router. Here is my pf.conf.
I know the redirection rule works, but it only works with one line excluded. This line is "block in log on $ExtIF all". Now my thinking was that an rdr rule would be executed before the pf rules took place. Can someone explain why redirection works with this rule exempted and how to solve it with all rules intact?


Thanks a bunch

Mike

#pf.conf
ExtIF="xl0" # External Interface
IntIF="rl0" # Internal Interface
# 10.1.1.1/8 is the same network as 10.0.0.0/8, so it is listed only once
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
Xl0Services="{ 6000, xdmcp, ftp, ident, ssh }"
Rl0Services="{ 138, 137, 139, 445 }"
Xl0ServicesUDP="{ xdmcp, pop3 }"


# Clean up fragmented and abnormal packets
scrub in all

# the inside network is 10.1.1.0/24; give the network address, not a host address
nat on $ExtIF from 10.1.1.0/24 to any -> 131.238.135.243

# translation is done before filtering, so the filter rules below see this
# packet with destination 10.1.1.18 port 3389, not the external address
rdr on $ExtIF proto { tcp, udp } from any to any port 3389 -> 10.1.1.18 port 3389

# don't allow anyone to spoof non-routeable addresses
block in  log quick on $ExtIF from $NoRouteIPs to any
block out log quick on $ExtIF from any to $NoRouteIPs


#block in log on { $ExtIF, $IntIF } all
# default deny inbound; this is the line that has to be left out for the
# redirection to work (with it commented out, pf passes inbound traffic by default)
#block in log on $ExtIF all

#allow xdmcp to happen
pass in log on $ExtIF inet proto udp from any to any port $Xl0ServicesUDP keep state


pass in log on $ExtIF inet proto tcp from 131.238.158.183 to any port 3333 flags S/SA keep state


#allow services to take place
pass in log on $ExtIF inet proto tcp from any to any port $Xl0Services flags S/SA keep state
pass in log on $IntIF inet proto tcp from any to any port $Rl0Services flags S/SA keep state


#pass in log proto { tcp, udp, icmp } from $ExtIF to $IntIF
#pass in log proto { tcp, udp, icmp } from $IntIF to $ExtIF


# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out log on $ExtIF all
pass out log on $ExtIF inet proto tcp all flags S/SA keep state
pass out log on $ExtIF inet proto udp all keep state
pass out log on $ExtIF inet proto icmp all keep state
pass out log on $IntIF inet proto tcp all flags S/SA keep state
pass out log on $IntIF inet proto udp all keep state
pass out log on $IntIF inet proto icmp all keep state
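The behaviour in the question comes from pf's processing order: nat and rdr translation is applied before the filter rules are evaluated, so by the time "block in log on $ExtIF all" and the pass rules see the packet, its destination is already 10.1.1.18 port 3389. None of the posted pass rules match that destination (3389 is not in $Xl0Services), so the block rule is the last match and wins; without the block rule pf's default is to pass, which is why the redirection appears to work only with that line removed. The fragment below is an added example, not part of Mike's posted configuration: it keeps the default-deny rule and adds the one pass rule written for the translated destination. The interface names, external address and RDP host are taken from the posted pf.conf; the RdpHost macro is an assumed name for readability. RDP on Windows XP uses TCP 3389 only, so the rdr is limited to tcp here.

```pf
# Added example, not the poster's configuration. Addresses and interface
# names are copied from the posted pf.conf; RdpHost is an assumed macro name.
ExtIF="xl0"
IntIF="rl0"
ExtAddr="131.238.135.243"
RdpHost="10.1.1.18"

scrub in all

nat on $ExtIF from 10.1.1.0/24 to any -> $ExtAddr

# Translation runs before filtering. After this rule the packet the filter
# rules see has destination 10.1.1.18 port 3389, not the external address.
rdr on $ExtIF proto tcp from any to $ExtAddr port 3389 -> $RdpHost port 3389

# Default deny inbound, kept in place (the rule the question is about).
block in log on $ExtIF all

# Wrong: this never matches the redirected packets, because the external
# address is no longer the destination when filtering happens.
# pass in on $ExtIF inet proto tcp from any to $ExtAddr port 3389 flags S/SA keep state

# Right: match the translated destination. Last matching rule wins, so
# this pass overrides the block above for exactly this traffic.
pass in log on $ExtIF inet proto tcp from any to $RdpHost port 3389 flags S/SA keep state

# The forwarded packet leaves on the inside interface; the state created
# above covers the replies coming back in on $IntIF and out on $ExtIF.
pass out log on $IntIF inet proto tcp from any to $RdpHost port 3389 flags S/SA keep state
```

Check it with `pfctl -nf /etc/pf.conf` (parse only) before `pfctl -f /etc/pf.conf`; `pfctl -sn` and `pfctl -sr` show the loaded translation and filter rules respectively. Because the block rule is logged, `tcpdump -n -e -ttt -i pflog0` shows what the filter actually dropped: with only the original rules loaded, the dropped SYN is logged with destination 10.1.1.18.3389, which is the direct evidence that filtering saw the translated address.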



Visit your host, monkey.org