Leonardo Rodrigues wrote:
Hello everyone!
I'm having a bit of trouble trying to access a Windows 2003 server
that is behind an OpenBSD 3.9 -current firewall.
From the LAN, I can remotely access the 2k3 server easily, by just
opening the mstsc and entering the machine's IP (192.168.0.1).
The problem is, I want to access the 2k3 server from home, and my PF
rules aren't working =(
I try to connect to the firewall's external IP via the ms terminal
service client, but my connection times out...
Here's my pf.conf
#BEGIN
lab_if = "em0" # i'm still not using it.
adm_if = "rl0"
ext_if = "rl1"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"
set block-policy return
set loginterface $ext_if
scrub in all
nat on $ext_if from $adm_if:network to any -> $ext_if
#RDP rdr rule
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> 192.168.0.1 port 3389
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# RDP (MS Terminal Service)
pass in on $ext_if proto tcp from any to any port 3389
pass in on $ext_if inet proto tcp from any to $ext_if \
port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $adm_if from $adm_if:network to any keep state
#pass in on $lab_if from $lab_if:network to any keep state
pass out on $adm_if from any to $adm_if:network keep state
#pass out on $lab_if from any to $lab_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#END
I think I'm missing something very obvious here... so, better ask the
list than slam my head on the wall :D
Also, as one can see from the .conf file, I have two networks, ADM
(192.168.0.0/24) and LAB (192.168.1.0/24), that must be isolated from
each other. I still haven't figured that one out yet. Anyone willing
to give me some light onto this matter?
Thanks in advance, and kudos for everyone that makes OpenBSD a great OS :)
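The RDP redirect and the ADM/LAB isolation asked about above, as an added example: this is not Leonardo's file and not from the OpenBSD documentation, but a pf.conf for 3.9 written in the same layout, with the interface names, networks and server address assumed from the post (rl1 external, rl0 ADM 192.168.0.0/24, em0 LAB 192.168.1.0/24, terminal server 192.168.0.1). Two things differ from the posted file: the pass rule for port 3389 matches the destination as it is after rdr has rewritten it and keeps state (a 3.9 pass rule does not keep state unless told to, so the server's replies would otherwise hit the block rule), and the two inside networks are blocked from reaching each other on their own interfaces.

```pf
# Added example, not the original poster's pf.conf. OpenBSD 3.9 syntax.
# Assumed: rl1 faces the Internet, rl0 is ADM (192.168.0.0/24),
# em0 is LAB (192.168.1.0/24), terminal server is 192.168.0.1.
ext_if  = "rl1"
adm_if  = "rl0"
lab_if  = "em0"
adm_net = "192.168.0.0/24"
lab_net = "192.168.1.0/24"
rdp_srv = "192.168.0.1"
tcp_services = "{ 22, 113 }"
icmp_types   = "echoreq"
priv_nets = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

set block-policy return
set loginterface $ext_if
scrub in all

# Translation: NAT both inside networks, redirect RDP to the server.
# ($ext_if) in parentheses follows the interface address if it changes.
nat on $ext_if from { $adm_net, $lab_net } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 3389 -> $rdp_srv port 3389

# Filtering. In 3.9 a pass rule does NOT keep state unless told to,
# so every pass rule below says so explicitly. "log" on the default
# block sends dropped packets to pflog0 for tcpdump.
block log all
pass quick on lo0 all

# No private source addresses from the Internet, no private
# destinations leaking out.
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# ADM and LAB must not talk to each other, in either direction.
block drop in quick on $adm_if from $adm_net to $lab_net
block drop in quick on $lab_if from $lab_net to $adm_net

# RDP: rdr above has already rewritten the destination to $rdp_srv,
# so the filter rule matches the translated address. keep state lets
# the server's replies and the outbound leg on $adm_if through.
pass in on $ext_if proto tcp from any to $rdp_srv port 3389 \
    flags S/SA keep state

# Services offered by the firewall itself.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

# Inside networks may go anywhere except each other (blocked above).
pass in on $adm_if from $adm_net to any keep state
pass in on $lab_if from $lab_net to any keep state
pass out on $adm_if from any to $adm_net keep state
pass out on $lab_if from any to $lab_net keep state

# Outbound on the external interface.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Syntax-check with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. pfctl -sn and pfctl -sr then print the translation and filter rules as pf actually parsed them, pfctl -ss lists current states, and because the default block rule logs, tcpdump -n -e -ttt -i pflog0 port 3389 shows which rule dropped a connection that times out. The redirect only works if the Windows host's default gateway is the firewall's rl0 address, so that its replies come back through pf and get un-translated.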
What is the output of pfctl -sn?
Is pf enabled?
Does the Windows machine have a route to the outside world?
Is there any firewalling enabled on the Windows box that may be
interfering?