Hello:
  I've been trying to diagnose this problem for some time and I can't
even get debugging info out of this box.  I'm really thinking that I'm
missing something simple, but can't see it for the trees.

  Here's the setup.

inet ------ andrew  ------ xander
              |
              ------------ users

  I'm trying to set up andrew (OBSD 3.5) as the DMZ (finally getting
around to it).  Xander (OBSD 3.7) is going to be my webserver, etc. box.
Please don't say upgrade, that'll happen when 3.9 comes out.

  Everything is working, NAT, RDR for the other stuff, just not the web
server.  I've tried some variations for rdr (used rdr pass, etc.), but
nothing in the logs.  I use:

tcpdump  -n -e -ttt -i  pflog0 port 80

  Which I believe is correct.  But, nothing shows in the logs even
though I'm telling pf, pass in log quick ... for port 80.  Plus xander
is told to let port 80 through and it does so when I plug in his
internal address.  So, this is an andrew problem.

  But, this is as far as I've been able to take it.  Hopefully, I'm not
doing something entirely stupid.


  Here is xander's pf.conf:

incoming_if = "ne3"

bittorrent = "{ 49150, 49151, 49152, 49153, 49154, 49155, 49156, 49157, 49158, 49159, 49160, 49161, 49162, 49163, 49164, 49165 }"

set block-policy return
set loginterface $incoming_if

scrub in all max-mss 1452
scrub out all max-mss 1452

block log all
pass quick on lo0 all

pass in on $incoming_if proto tcp from any to any port $bittorrent \
   flags S/SA keep state
pass in on $incoming_if proto tcp from any to any port ssh \
   flags S/SA keep state

#****************************
pass in log quick on $incoming_if proto tcp from any to any port 80 \
   flags S/SA keep state

pass out on $incoming_if from any to any flags S/SA keep state

  Here is andrew's pf.conf:

# macros
int_if = "xl0"
ext_if = "tun0"
xander = 192.168.0.2
giles = 192.168.0.1

tcp_services = "{ 22, 25 }"


bittorrent = "{ 49150, 49151, 49152, 49153, 49154, 49155, 49156, 49157, 49158, 49159, 49160, 49161, 49162, 49163, 49164, 49165 }"
bittorrentstart = 49150

msn = "{ 6891, 6892, 6893, 6894, 6895, 6896, 6897, 6898, 6899, 6900 }"
msnStart = 6891

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set block-policy return
set loginterface $ext_if
scrub in all max-mss 1452
scrub out all max-mss 1452

altq on $ext_if cbq bandwidth 320Kb qlimit 100 queue { std_out, \
   ssh_out, dns_out, tcp_ack_out, btorrent_out, tcp_serv_out }

queue std_out bandwidth 40% cbq(default, borrow)
queue tcp_serv_out bandwidth 10% cbq(borrow)
queue ssh_out bandwidth 10% cbq(ecn, borrow)
queue dns_out bandwidth 10%  cbq(borrow)
queue tcp_ack_out bandwidth 10% cbq(borrow)
queue btorrent_out bandwidth 20% cbq(ecn, borrow)

altq on $int_if cbq bandwidth 100Mb qlimit 100 queue { std }

queue std               cbq(default)

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
   port 8021

rdr on $ext_if proto tcp from any to any port $bittorrent -> $xander
port $bittorrentstart:*

#********************
rdr pass on $ext_if proto tcp from any to any port 80 -> $xander \
   port 80

rdr on $ext_if proto tcp from any to any port $msn -> $giles \
   port $msnStart:*

rdr on $ext_if proto tcp from any to any port 49166 -> 192.168.0.10 \
   port 49166
rdr on $ext_if proto udp from any to any port 49166 -> 192.168.0.10 \
   port 49166


# filter rules
block log all

pass quick on lo0 all

#***********************
# I tried this with just rdr and rdr without this.  Neither worked
#pass in log quick on $ext_if proto tcp from any to any port 80 \
#    flags S/SA synproxy state queue tcp_serv_out

pass in quick on $ext_if proto tcp from any to $xander \
   port $bittorrent flags S/SA synproxy state queue btorrent_out

pass in quick on $ext_if proto { tcp, udp } from any to $giles \
   port $msn flags S/SA synproxy state queue btorrent_out

pass in quick on $ext_if proto tcp from any to 192.168.0.10 \
   port 49166 flags S/SA synproxy state queue btorrent_out

pass in quick on $ext_if proto tcp from any to $ext_if \
        port 49166 flags S/SA keep state queue btorrent_out

pass in quick on $ext_if proto udp from any to 192.168.0.10 \
   port 49166 synproxy state queue btorrent_out

pass in quick on $ext_if proto udp from any to $ext_if \
        port 49166 keep state queue btorrent_out

block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets

block drop in log quick on $ext_if inet proto tcp from any to ($ext_if) \
   port ssh

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state queue tcp_serv_out


pass in inet proto icmp all icmp-type $icmp_types keep state \
   queue std_out

pass in  on $int_if from $int_if:network to any keep state \
   queue std_out
pass out on $int_if from any to $int_if:network keep state \
   queue std_out


pass in  on $int_if from $int_if:network to $int_if:network keep state \
   queue std
pass out on $int_if from $int_if:network to $int_if:network keep state \
   queue std

pass out on $ext_if proto tcp all modulate state flags S/SA \
   queue std_out

pass out on $ext_if inet proto tcp from any to any flags S/SA \
        keep state queue(std_out, tcp_ack_out)
pass out on $ext_if inet proto { udp, icmp } all keep state \
   queue std_out
pass out on $ext_if inet proto { tcp, udp } from any to any port domain \
        keep state queue(dns_out)
pass out on $ext_if inet proto tcp from any to any port ssh \
        flags S/SA keep state queue(std_out, ssh_out)



best regards,
Reid Nichol
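Added example (not part of Reid's post, and not pf's own code): a small
Python checker that reads the macros plus the rdr and "pass in" rules of a
pf.conf in the order pf applies them. Translation (rdr) happens before
filtering, so a "pass in" rule has to name the translated, internal
destination; and "rdr pass" hands the packet through without evaluating
the filter rules at all, which also means no "log" keyword on any filter
rule ever fires for that traffic and pflog0 stays empty for it. The config
embedded in the script is constructed: a shortened subset of andrew's
pf.conf above plus one made-up rdr for port 443 that has no pass rule. The
function names (expand_macros, check, ...) are the example's own.

```python
"""Static sanity checks over pf rdr rules (added example, not pfctl).

pf translates before it filters, so a 'pass in' rule must match the
translated destination, and 'rdr pass' skips filter evaluation entirely.
Only the subset of pf.conf syntax used in the post is modelled.
"""
import re

# Constructed sample: macros and a shortened subset of andrew's rdr / pass
# rules, plus one constructed rdr (port 443) that has no matching pass rule.
SAMPLE_PF_CONF = """
ext_if = "tun0"
xander = 192.168.0.2
bittorrent = "{ 49150, 49151 }"
bittorrentstart = 49150

rdr on $ext_if proto tcp from any to any port $bittorrent -> $xander \\
    port $bittorrentstart:*
rdr pass on $ext_if proto tcp from any to any port 80 -> $xander port 80
rdr on $ext_if proto tcp from any to any port 443 -> $xander port 443
rdr on $ext_if proto tcp from any to any port 49166 -> 192.168.0.10 port 49166
rdr on $ext_if proto udp from any to any port 49166 -> 192.168.0.10 port 49166

block log all
pass in quick on $ext_if proto tcp from any to $xander \\
    port $bittorrent flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to 192.168.0.10 port 49166 flags S/SA synproxy state
pass in quick on $ext_if proto udp from any to 192.168.0.10 port 49166 keep state
"""

RDR_RE = re.compile(
    r"^rdr(\s+pass)?\s+on\s+(\S+)\s+proto\s+(\S+)\s+from\s+\S+\s+to\s+\S+"
    r"\s+port\s+(\{[^}]*\}|\S+)\s+->\s+(\S+)(?:\s+port\s+(\S+))?"
)
PASS_RE = re.compile(
    r"^pass\s+in(?:\s+log)?(?:\s+quick)?\s+on\s+(\S+)\s+(?:inet\s+)?"
    r"proto\s+(\{[^}]*\}|\S+)\s+from\s+\S+\s+to\s+(\S+)\s+port\s+(\{[^}]*\}|\S+)"
)


def expand_macros(text):
    """Join backslash continuations, drop comments, and substitute $name
    references defined as  name = "value"  (pf's own expansion is richer)."""
    text = re.sub(r"\\\n\s*", " ", text)
    macros, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"?(.*?)"?$', line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
        else:
            rules.append(line)
    return [re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), r)
            for r in rules]


def items(spec):
    """'tcp' -> ['tcp'];  '{ tcp, udp }' -> ['tcp', 'udp']."""
    return [x.strip() for x in spec.strip().strip("{}").split(",") if x.strip()]


def ports(spec):
    """Numeric ports from a port spec; service names (ssh, domain) are ignored."""
    return {int(x) for x in items(spec) if x.isdigit()}


def check(text):
    """Return findings for rdr rules that will not behave as a casual reading
    of the filter section suggests."""
    rules = expand_macros(text)
    passes = []
    for r in rules:
        m = PASS_RE.match(r)
        if m:
            iface, proto, dst, port = m.groups()
            passes.append((iface, items(proto), dst, ports(port)))
    findings = []
    for r in rules:
        m = RDR_RE.match(r)
        if not m:
            continue
        has_pass, iface, proto, sport, target, tport = m.groups()
        if has_pass:
            findings.append(
                f"rdr pass on {iface} {proto} port {sport} -> {target}: passed "
                f"without filter evaluation, so no log rule fires and pflog0 stays empty")
            continue
        if tport is not None and not tport.isdigit():
            continue  # 'N:*' / range targets depend on list expansion; not modelled
        for p in sorted(ports(sport)):
            tp = p if tport is None else int(tport)  # no target port: unchanged
            if not any(iface == i and proto in pr and target == d and tp in ps
                       for i, pr, d, ps in passes):
                findings.append(
                    f"rdr on {iface} {proto}/{p} -> {target}:{tp}: no 'pass in on "
                    f"{iface}' rule for the translated destination, so the "
                    f"default block drops it")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_PF_CONF):
        print(finding)
```

On the firewall itself the authoritative checks are pfctl -nf /etc/pf.conf
(parse without loading), pfctl -s nat and pfctl -s rules (what is actually
loaded, with macros expanded), and pfctl -s state while a connection
attempt is in flight; the script only models the rule forms seen in the
post and skips "port N:*" targets rather than guess at their expansion.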