Hi All,
I'm trying to get redirection working on an OpenBSD 4.3 stable bridge
and not having any luck getting redirection to work.
I'm doing the filtering and redirection on the external interface and
passing everything on the internal interfaces. I want to redirect
traffic coming into the external interface, destined for machines behind
the bridge, to the external interface to authenticate using authpf.
When I ssh to a host behind the bridge (192.168.5.2 for example) I don't
see any redirection happening when I watch the traffic with tcpdump. I
also tried doing the redirection on bridge0 with the same results.
Any help would be greatly appreciated.
TIA,
Aaron
interfaces:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:30:18:b1:eb:17
groups: egress
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
inet6 fe80::230:18ff:feb1:eb17%re0 prefixlen 64 scopeid 0x1
inet 192.168.5.100 netmask 0xffffff00 broadcast 192.168.5.255
re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:30:18:b1:eb:18
media: Ethernet autoselect (autoselect half-duplex)
status: active
inet6 fe80::230:18ff:feb1:eb18%re1 prefixlen 64 scopeid 0x2
enc0: flags=0<> mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
groups: bridge
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
groups: pflog
tcpdump output:
19:41:40.024232 arp who-has 192.168.5.2 tell 192.168.5.254
19:41:40.024484 arp reply 192.168.5.2 is-at 00:30:f1:01:d3:d8
19:41:40.024640 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok]
506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl
126, id 50179, len 48)
19:41:42.975391 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok]
506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl
126, id 51142, len 48)
19:41:49.011873 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok]
506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl
126, id 52381, len 48)
Here are my rules:
ext_if = "re0"
int_if = "re1"
lan = "192.168.5.0/24"
allowed_in = "www https"
table <lan_hosts> const { 192.168.5.0/24 !fe80::230:18ff:feb1:eb18 }
table <authpf_users> persist
set limit states 20000
set limit frags 10000
set limit table-entries 5000000
set optimization normal
set block-policy drop
set timeout frag 10
set timeout tcp.established 3600
set skip on { lo }
set fingerprints "/etc/pf.os"
scrub out on re0 all random-id fragment reassemble
scrub in all fragment reassemble
nat-anchor "/*" all
nat-anchor "/*" all
rdr-anchor "/*" all
rdr-anchor "/*" all
rdr pass on re0 inet proto tcp from any to any port = ssh -> 192.168.5.100
binat-anchor "/*" all
anchor "/*" from <authpf_users> to any
anchor "/*" all
block drop log all
block drop in quick from urpf-failed to any
pass in on re1 inet from <lan_hosts> to ! 127.0.0.1 flags S/SA keep state
pass in on re1 inet from <lan_hosts> to ! 192.168.5.100 flags S/SA keep
state
pass in on re0 inet proto tcp from any to any port = www flags S/SA keep
state
pass in on re0 inet proto tcp from any to any port = https flags S/SA
keep state
pass out on re1 inet all flags S/SA keep state
pass out on re0 inet proto udp from any to any port = domain keep state
pass in on re0 proto icmp all keep state
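A small checker for captures like the one quoted above, added here as an example and not part of Aaron's post or of OpenBSD: it re-joins tcpdump records that a mailer wrapped, parses the TCP lines, and separates SYNs to the rdr port into those already rewritten to the rdr target and those still carrying the original destination. The capture it runs on is constructed for the example; the first three SYNs mirror the quoted ones, and a fourth SYN to 192.168.5.100 (the rdr target in the quoted rule) is a hypothetical line showing what a translated packet would look like. One caveat when reading real captures: on OpenBSD, bpf hands inbound packets to tcpdump before pf has processed them, so a capture on the ingress interface shows pre-rdr destinations whatever the rules do; the egress side or pflog0 is where a translation becomes visible.

```python
"""Check a tcpdump capture for evidence that a pf rdr rule took effect."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in OpenBSD tcpdump format, line-wrapped as a mailer would.
# The first three SYNs keep their original destination; the last one is a
# hypothetical record of what "rdr ... port = ssh -> 192.168.5.100" produces
# once it has rewritten the destination.
SAMPLE_CAPTURE = """\
19:41:40.024232 arp who-has 192.168.5.2 tell 192.168.5.254
19:41:40.024484 arp reply 192.168.5.2 is-at 00:30:f1:01:d3:d8
19:41:40.024640 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok]
506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl
126, id 50179, len 48)
19:41:42.975391 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok]
506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl
126, id 51142, len 48)
19:41:49.011873 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok]
506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl
126, id 52381, len 48)
19:42:03.100000 192.168.3.142.1178 > 192.168.5.100.22: S [tcp sum ok]
700000000:700000000(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl
126, id 52400, len 48)
"""

# A record begins with a tcpdump timestamp; wrapped continuation lines do not.
TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


@dataclass(frozen=True)
class Rdr:
    """The parts of a pf 'rdr ... port = PORT -> TARGET' rule the check needs."""
    port: int
    target: str


def unwrap(text: str) -> List[str]:
    """Re-join records that a mailer wrapped onto several lines."""
    records: List[str] = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_tcp(text: str) -> List[Packet]:
    """Extract TCP records; ARP and anything else that does not match is skipped."""
    packets: List[Packet] = []
    for rec in unwrap(text):
        m = TCP_LINE.match(rec)
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["flags"]))
    return packets


def classify_syns(text: str, rdr: Rdr) -> Tuple[List[Packet], List[Packet]]:
    """Split SYNs to the rdr port into (already at target, still at original dst)."""
    hit: List[Packet] = []
    miss: List[Packet] = []
    for p in parse_tcp(text):
        if "S" not in p.flags or p.dport != rdr.port:
            continue
        (hit if p.dst == rdr.target else miss).append(p)
    return hit, miss


if __name__ == "__main__":
    rule = Rdr(port=22, target="192.168.5.100")  # from the quoted rdr line
    hit, miss = classify_syns(SAMPLE_CAPTURE, rule)
    print(f"SYNs to port {rule.port} rewritten to {rule.target}: {len(hit)}")
    for p in miss:
        print(f"  untranslated: {p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Run against a capture taken on re1 or pflog0 rather than the ingress side, the untranslated list is the signal that the rdr rule never matched; an empty list with entries in the rewritten list means the translation is happening and the problem lies elsewhere.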