Here's some log output.  I forgot to note this is on OpenBSD 4.2.  The first
entry is a successful connection to one of the working redirects.  Connection
attempts to the redirect I'm trying to add don't show up in the log even after
adding a log directive in the filter rules.

-T


tcpdump: listening on pflog0, link-type PFLOG
Sep 02 15:00:13.263016 rule 24/(match) pass in on fxp0: 75.xxx.xxx.209.51635 > 192.168.1.16.22: [|tcp] (DF)
Sep 02 15:00:14.783786 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53:[|domain]
Sep 02 15:00:15.529433 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53:[|domain]
Sep 02 15:00:16.279410 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53:[|domain]
Sep 02 15:00:17.779913 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53:[|domain]
Sep 02 15:00:18.529400 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53:[|domain]
Sep 02 15:00:19.279498 rule 0/(match) block in on fxp0: 208.xxx.xxx.236.32780 > 38.xxx.xxx.206.53:[|domain]
Sep 02 15:00:20.780050 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
Sep 02 15:00:21.529443 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
Sep 02 15:00:22.280000 rule 0/(match) block in on fxp0: 208.xxx.xxx.236 > 38.xxx.xxx.206: icmp: echo request
________________________________
From: sven falempin [sven.falem...@gmail.com]
Sent: Thursday, September 02, 2010 2:05 PM
To: Timothy Beyer
Cc: misc@openbsd.org
Subject: Re: pf redirect problem

tcpdump on pflog will probably help (see the FAQ)

2010/9/2 Timothy Beyer <timot...@titaniumant.com>
Hello,

I'm having trouble setting up a redirect rule and I'm not sure where I'm going
wrong.  My redirect line and filter rules look like:

rdr on $ext_nic proto tcp from any to 38.xxx.xxx.213 -> 192.168.1.227
pass in on $ext_nic proto tcp from any to 192.168.1.227 port ssh queue ssh
pass in on $ext_nic proto tcp from any to 192.168.1.227 port www queue www

The output of 'pfctl -s nat' is:

nat on fxp0 inet from 192.168.1.0/24 to any -> 38.xxx.xxx.206
nat on fxp0 inet from 192.168.2.0/24 to any -> 38.xxx.xxx.207
nat on fxp0 inet from 192.168.3.0/24 to any -> 38.xxx.xxx.208
nat on dc3 inet from 192.168.1.0/24 to any -> 192.168.10.156
nat on fxp0 inet from 192.168.10.15 to any -> 38.xxx.xxx.206
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.209 -> 192.168.1.16
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.210 -> 192.168.1.21
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.212 -> 192.168.1.12
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.211 -> 192.168.1.24
rdr on fxp0 inet proto tcp from any to 38.xxx.xxx.213 -> 192.168.1.227

All of the other redirects are working.  I see my filter rule in the output
from 'pfctl -s rules' but I can't connect via ssh from an external network
after reloading pf.conf.  Any insight would be very much appreciated.  I've
posted my full conf at http://pastebin.com/TZa0WzE0 if needed.

Thanks,

Tim




--
 No doubt it is one of the functions of art to replace religious faith by the
effective ingredient of beauty. At least beauty must have the power of a poem,
that is to say of a crime.
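Sven's suggestion of tcpdump on pflog, carried one step further as an added example (not code from the thread or from OpenBSD): a small parser for the pflog line format shown above that answers the question Tim's log leaves open. pflog records the packet as the filter saw it, after rdr has already rewritten the destination (the first entry shows 192.168.1.16, the rdr target for .209), so the useful check is whether any entry for the new internal target 192.168.1.227 appears at all; if none does, the packets are not reaching pf and the fault lies before the ruleset (the external address not configured as an alias on fxp0, ARP, upstream routing) rather than in the filter rules. The sample lines are constructed with RFC 5737 documentation addresses, not the poster's data.

```python
import re

# Constructed sample in the tcpdump-on-pflog format shown in the thread; addresses
# are RFC 5737 documentation ranges, not the poster's. Wrapped lines are re-joined.
SAMPLE_LOG = """\
Sep 02 15:00:13.263016 rule 24/(match) pass in on fxp0: 198.51.100.9.51635 > 192.168.1.16.22: [|tcp] (DF)
Sep 02 15:00:14.783786 rule 0/(match) block in on fxp0: 203.0.113.236.32780 > 192.0.2.206.53:[|domain]
Sep 02 15:00:20.780050 rule 0/(match) block in on fxp0: 203.0.113.236 > 192.0.2.206: icmp: echo request
"""

# One pflog line: timestamp, "rule N/(reason)", action, direction, interface, src > dst:
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>[^:\s]+):"
)

def split_host_port(endpoint):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; ICMP entries carry no port."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None

def parse_pflog(text):
    """Return one dict per recognised log line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["src_host"], e["src_port"] = split_host_port(e["src"])
        e["dst_host"], e["dst_port"] = split_host_port(e["dst"])
        entries.append(e)
    return entries

def classify(entries, dst_host, port=None):
    """Did pf see any traffic for dst_host (the post-rdr internal address)?
    'not_seen' means the packets never reached pf: look at the external interface
    alias, ARP and upstream routing instead of the filter rules."""
    hits = [e for e in entries
            if e["dst_host"] == dst_host and (port is None or e["dst_port"] == port)]
    if not hits:
        return "not_seen"
    if any(e["action"] == "pass" for e in hits):
        return "passed"
    return "blocked"
```

Run against the real capture, `classify(entries, "192.168.1.227", 22)` returning "not_seen" while the working redirect's target returns "passed" is the signal that the new rdr is never being exercised.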
