
Re: PF Problem, can't route to my internal webserver



John N. Brahy wrote:
> I have been reading the pf docs and I can't figure out what I'm doing
> wrong.

I had the same problem. The example in the PF User's Guide for passing inbound traffic on port 80 to an internal machine doesn't work. Or, it didn't work for me, anyway.

If you read a little further in the PF User's Guide it mentions using the 'pass' keyword.

This worked for me. But I don't know if it's secure. Can someone else verify?

# FORWARD PORT 80 REQUESTS TO 192.168.1.127 (THE WEBSERVER)
rdr pass on $ext_if proto tcp from any to any port 80 -> 192.168.1.127 \
port 80

Entire pf.conf follows...

-E





# cat pf.conf
# macros
int_if = "xl1"
ext_if = "xl0"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.1.0/24 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)


# FORWARD PORT 80 REQUESTS TO 192.168.1.127 (THE WEBSERVER)
rdr pass on $ext_if proto tcp from any to any port 80 -> 192.168.1.127 \
port 80

# FORWARD SSH DEFAULT PORT 22 TO THE WEBSERVER'S PORT 22
rdr pass on $ext_if proto tcp from any to any port 22 -> 192.168.1.127 \
port 22

# REDIRECT SSH ON PORT 23 TO LOCALHOST (FOR ADMIN'ING THE FIREWALL)
rdr pass on $ext_if proto tcp from any to any port 23 -> 127.0.0.1 \
port 22

rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
port 8021

# filter rules
block all

pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state

pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
user proxy flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#
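An added illustration, not part of either message's pf.conf: the same port-80 redirect written as a plain rdr plus an explicit pass rule instead of 'rdr pass'. Since pf filters on the translated destination, the pass rule has to name the internal address (192.168.1.127) rather than ($ext_if); and because it sits after the $priv_nets block rules, those still apply to redirected packets, which 'rdr pass' would hand through without consulting the filter rules at all. The 'webserver' macro is an assumed name.

```pf
# Added example: same macros as the pf.conf above, but the port-80
# redirect is filtered explicitly instead of using 'rdr pass'.
int_if = "xl1"
ext_if = "xl0"
webserver = "192.168.1.127"       # assumed macro name for the web server
priv_nets = "{ 127.0.0.0/8, 192.168.1.0/24 }"

nat on $ext_if from $int_if:network to any -> ($ext_if)

# Translate only; whether the packet is passed is decided by the filter
# rules below, so it shows up in 'pfctl -sr' and in the logs like any
# other pass/block decision.
rdr on $ext_if proto tcp from any to any port 80 -> $webserver port 80

block all

pass quick on lo0 all

# Still applied to redirected packets ('rdr pass' would bypass them).
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Filter rules see the translated destination, so match the internal
# address, not ($ext_if). Only SYNs create state; log matches for review.
pass in log on $ext_if inet proto tcp from any to $webserver port 80 \
    flags S/SA keep state

# Let the stateful connection continue toward the web server inside.
pass out on $int_if from any to $int_if:network keep state
```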






I can use the machine for outgoing traffic without a problem, but I
can't redirect incoming port 80 requests to an internal machine. I have
a rdr statement in the pf.conf file but it doesn't seem to do it. It says
it blocks it with this message:


Feb 24 04:33:17.777718 rule 0/0(match): block in on sis0: x.x.x.x.8222 > 10.1.1.124.80: tcp 1 (DF)

Where x.x.x.x is the remote computer outside of my network trying to
access my dev server.

Any help would be greatly appreciated.



#-------------------------------------------------------------------------
# Interfaces
#-------------------------------------------------------------------------
# sis0 - internet
# fxp0 - internal network
set loginterface sis0
set timeout interval 10
set timeout frag 30
set limit { states 10000, frags 10000 }
set optimization aggressive
set block-policy return
set fingerprints "/etc/pf.os"
set state-policy if-bound


loopbackInterface="lo0"
internalInterface="fxp0"
externalInterface="sis0"

scrub in log on $externalInterface all

outboundTCP="{ 21,22,23,25,43,53,80,110,443,554,871,1214,1863,2401,5050,5999,6667 }"
outboundUDP="{ 53,123 }"
OutTracerouteUDP="{ 33434 >< 33525 }"
devServer = "10.1.1.124"
firewall = "xx.xx.xx.x"
nat on $externalInterface from 10.1.1.0/24 to any -> $externalInterface
rdr on $externalInterface proto tcp from any to $firewall port 80 -> $devServer port 80


block in log all
block out log all
antispoof for $externalInterface inet

pass in quick on $loopbackInterface all
pass out quick on $loopbackInterface all

pass in quick on $internalInterface all
pass out quick on $internalInterface all

pass in quick on $externalInterface inet proto tcp from any to $devServer port 80 flags S/AUPRFS synproxy state
pass out quick on $externalInterface inet proto tcp from $devServer to any port 80 flags S/AUPRFS synproxy state
pass out quick on $externalInterface inet proto tcp from any to any port $outboundTCP flags S/SA modulate state
pass out quick on $externalInterface inet proto udp from any to any port $outboundUDP keep state
pass out quick on $externalInterface inet proto icmp all icmp-type 8 code 0 keep state
pass out quick on $externalInterface inet proto udp from any to any keep state


