Thanks for the various responses, and especially to trondd for lots of
email help, which enabled me to fix the problem.

The problem was caused by two faults in my setup, which I thought I'd
describe here, in case anyone else has similar problems.

The main problem was that my /etc/hosts (and so dnsmasq) had hard-coded
entries for my external DNS name, mapping it to an internal
(172.16.x.y) IP address. So pf's rules for redirecting incoming data on
the external IP address were not being used when the connection was
from my internal network. The fix was to simply remove these entries
from /etc/hosts and restart dnsmasq.

The second problem was that my pf.conf had 'pass out quick' (from the
FAQ's example) before the other rules. I had to change this to 'pass
out' so that it didn't override the later 'pass out quick on $int_if
proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if' rule.

Everything's working fine now.

I hope that's useful to someone.

- Julian
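To make the rule-ordering point concrete, here is an added example of the hairpin-redirect fragment of a pf.conf with the broken and the corrected form side by side. This is not Julian's posted configuration; the interface names (sk0, rl0), the host pc5 and port 5281 are taken from the thread, and the comments are mine.

```pf
# Added example (not the pf.conf from the thread). Interface names, pc5 and
# port 5281 follow the thread; the explanatory comments are added here.
int_if="sk0"
ext_if="rl0"

# --- Broken ordering (what the FAQ example gives, kept here commented out) ---
# 'quick' on an unconditional 'pass out' ends rule evaluation for every
# outbound packet on every interface, so no later 'pass out' rule, including
# the nat-to rule at the bottom, is ever reached.
#pass out quick

# --- Corrected ---
# Without 'quick', pf is last-match-wins, so the more specific 'pass out'
# rule below can still apply to traffic that matches it.
pass out

# Redirect: an internal client connecting to the firewall's external address
# on port 5281 gets its destination rewritten to pc5. The client must resolve
# the external name to the external address for this rule to be hit at all;
# an /etc/hosts or dnsmasq entry mapping the name to an internal address
# bypasses pf entirely.
pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5

# Hairpin source NAT: for connections that arrived on $int_if, rewrite the
# source to the firewall's internal address so pc5's replies return through
# the firewall and are un-translated there. Without this rule pc5 answers the
# client directly from its own address, the client's TCP stack does not
# recognise that reply as belonging to its connection, and the connection
# fails. 'quick' is harmless on this rule because it is specific.
pass out quick on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if
```

Before loading a change like this, `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -f /etc/pf.conf` loads it, `pfctl -sr` lists the loaded filter rules in the order pf evaluates them, and `pfctl -ss` shows the state table, where the hairpin connection should appear with both the rdr-to and nat-to translations applied.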


On Tue, 28 Oct 2014 18:57:12 +0000
Julian Smith <ju...@op59.net> wrote:

> On Tue, 28 Oct 2014 13:40:52 -0400
> trondd <tro...@gmail.com> wrote:
> 
> > Are you telnetting to the external IP of the server from the internal
> > client?
> 
> Yes. Actually I've tried using the external IP and the internal IP.
> Both have the same result - telnet says 'telnet: Unable to connect to
> remote host: Connection refused'.
> 
> Telneting from an external machine works fine.
> 
> > 
> > Have you enabled logging in pf?  Are the packets blocked or are they passed
> > by a different rule that doesn't give the expected results?
> 
> Yes, I've enabled logging and I see various items such as:
> 
> ju...@server-55.my.domain:~ > sudo tcpdump -v -i pflog0
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> 18:51:26.909339 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29686, len 48)
> 18:51:27.465183 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29765, len 48)
> 18:51:27.909397 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29841, len 48)
> 
> But I don't see anything when the internal connection is refused.
> 
> I enabled logging with:
> 
>     sudo ifconfig pflog0 up
>     sudo tcpdump -v -i pflog0
> 
> For completeness, here's my pf.conf:
> 
> ========
> int_if="sk0"
> ext_if="rl0"
> 
> tcp_services="{ 22, 80, 113 }"
> icmp_types="echoreq"
> 
> # options
> 
> set block-policy return
> set loginterface egress
> set skip on lo
> 
> # match rules
> 
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> 
> # filter rules
> 
> block in log
> pass out quick
> 
> antispoof quick for { lo $int_if }
> 
> pass in on egress inet proto tcp from any to (egress) \
>     port $tcp_services
> 
> pass in inet proto icmp all icmp-type $icmp_types
> 
> # Redirect Undo keyserver connections to pc5:
> pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281
> 
> # Attempting to allow 5281 to forward to pc5 from internal network. But doesn't
> # work...
> pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5
> pass out on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if
> #pass out on egress proto tcp from any to any port 5281 received-on $int_if nat-to $int_if
> 
> pass in on $int_if
> 
> # for our ftp server.
> pass in on egress proto tcp to port 21
> pass in on egress proto tcp to port > 49151
> 
> pass in on rl0 proto tcp to port 21
> pass in on rl0 proto tcp to port > 49151
> ========
> 
> 
> Many thanks,
> 
> - Julian
> 



-- 
http://op59.net
