I got it working by putting a filter rule in like...

pass on $int_if inet proto tcp from any to $int_nb port $prt_nb keep state

However, the FAQ seems to me to say that if you include 'pass' in the rdr rule then a corresponding filter rule is not required.

Perhaps I need a lie down...

If anyone can clarify, I'd be very grateful.


mgb wrote:
List,

I'm running 4.1 GENERIC and am having trouble with redirecting traffic.
My OpenBSD box has a static public address on fxp0 and a 10/8 address on fxp1. There is a box behind OpenBSD with 10.0.0.250 that is listening on tcp/9999. Any connections to ext_ip on tcp/9999 need redirecting to 10.0.0.250 on the same TCP port.

The PF FAQ states...
"The only exception to this rule is when the pass keyword is used within the rdr rule. In this case, the redirected packets will pass statefully right through the filtering engine: the filter rules won't be evaluated against these packets"

However, 10.0.0.250 is not seeing any traffic when I attempt to connect to ext_ip TCP port 9999 from a public external host; the OpenBSD box sends an ICMP host (ext_ip) unreachable.

I am sure I'm doing something silly; any ideas?

Here is my pf.conf

#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="fxp0"

int_if="fxp1"

# external IP of this box
ext_ip="<IP>"

# nameservers to use from ext_if
ext_ns="{ <dns1>, <dns2> }"

# the range for clients
nat_ip="10.0.0.254/8"

# ports allowed
ext_pt="{ 80, 443, 9001, 9030 }"

# service pair
int_nb="10.0.0.250"
prt_nb="9999"

set skip on lo
set block-policy drop
set loginterface $ext_if

scrub all

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp from any to $ext_ip port $prt_nb -> $int_nb

block in quick inet6 all
block all
anchor "ftp-proxy/*"
pass out log quick on $ext_if inet proto udp from ($ext_if) to $ext_ns port 53 keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to any modulate state
pass on $int_if inet proto tcp from $nat_ip to $int_if port 8123 keep state
pass on $int_if inet proto udp from $nat_ip to $ext_ns port 53 keep state
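
An added example, not mgb's pf.conf and not text from the FAQ: the same redirect written without the 'pass' shortcut, so the redirected connection has to match ordinary filter rules. The macro names and the <IP> placeholder are borrowed from the post above; the pfctl commands in the comments are for checking the ruleset and the resulting state entries.

```pf
# Added example (not mgb's configuration). Same topology as in the
# thread: public side on fxp0, 10/8 side on fxp1, service on 10.0.0.250.
ext_if="fxp0"
int_if="fxp1"
ext_ip="<IP>"            # placeholder, as in the original post
int_nb="10.0.0.250"
prt_nb="9999"

set block-policy drop
scrub all

# Translation only: without the "pass" keyword the redirected packets
# are still evaluated against the filter rules below.
rdr on $ext_if inet proto tcp from any to $ext_ip port $prt_nb -> $int_nb

block all

# Filter rules are evaluated after translation, so the destination to
# match is the internal host ($int_nb), not $ext_ip. Only a SYN may
# create state; the state then carries the rest of the connection.
pass in on $ext_if inet proto tcp from any to $int_nb port $prt_nb flags S/SA keep state

# Explicit rule for the forwarded packets leaving towards the server,
# equivalent to the filter rule added in the reply at the top of the thread.
pass out on $int_if inet proto tcp from any to $int_nb port $prt_nb keep state

# Checks:
#   pfctl -nf /etc/pf.conf       # parse only, catch syntax errors
#   pfctl -f /etc/pf.conf        # load the ruleset
#   pfctl -s rules               # confirm rdr/filter rules loaded as intended
#   pfctl -s state | grep 9999   # a state entry should appear once a client connects
```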
