On 10 Sep 2010, at 21.24, Peter N. M. Hansteen wrote:

> Per-Olov Sjöholm <p...@incedo.org> writes:
>
>> It seems the first one is unable to convert as it seems "no match in on..."
>> does not work.
>
> Off the top of my head, move the rdr-to bits to your pass rules, make
> sure the pass rule without the rdr-to is either the last or a
> quick. Or use a negation in the criteria for your match rule. Hard to
> be more specific without the full rule set.
>
> - P
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Here is some more info from the rule set... I am for sure trying to find the easiest replacement for the "no rdr" statement I had in 4.6. Maybe a mix of sticky match rules in "match" statements and "pass" statements with "rdr-to" in them will do the trick. However, I am trying to replace the earlier "no rdr" with a negated match rule. It seems I am missing something here, or it's simply not possible to achieve anymore. At least it seems to be a problem to replace the earlier "rdr" rules from 4.6 with just drop-in "match" statements. Am I *forced* to also mix in pass rules with "rdr-to" in them????? Below is the spec of the problem.... Switching directly to 4.7 breaks FTP if I cannot easily solve the "no rdr" problem.

---#--- This is what I have in rc.conf.local ---#---

r...@xanadu:~#more /etc/rc.conf.local
named_flags=""                                             # for normal use: ""
pf=YES                                                     # Packet filter / NAT
sshd_flags="-4"                                            # for normal use: ""
dhcpd_flags="vlan2"                                        # for normal use: ""
ntpd_flags=""                                              # for normal use: ""
ftpproxy_flags="-R 192.168.2.35 -p 21 -b 82.82.222.222"    # for normal use: ""

---#--- For the case relevant stuff cut out from pf.conf in 4.6.... ---#---

nat-anchor "ftp-proxy/*"
nat on $INTERNET_INT inet from $DMZ1_ORIGO -> $INTERNET_INT_IP2
rdr-anchor "ftp-proxy/*"
nat on $INTERNET_INT from $DMZ1_ORIGO to any -> $INTERNET_INT_IP2
nat on $INTERNET_INT from $LAN_INT:network to any -> $INTERNET_INT_IP1
nat on $INTERNET_INT from $DMZ1_INT:network to any -> $INTERNET_INT_IP1
no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO

pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state
pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state
pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)

---#--- I translated this to the following in 4.7 ---#---

anchor "ftp-proxy/*"
match out on $INTERNET_INT inet from $DMZ1_ORIGO nat-to $INTERNET_INT_IP2
#rdr-anchor "ftp-proxy/*"
match out on $INTERNET_INT from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2
match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT_IP1
match out on $INTERNET_INT from $DMZ1_INT:network to any nat-to $INTERNET_INT_IP1
# no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
# >>>>>>PROBLEM TO TRANSLATE THE ABOVE ROW<<<<<<
# rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
match in on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO

pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state
pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state
pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)

Everything works except the FTP service on my RFC1918 DMZ. Suggestions very much appreciated. (Using just match rules instead of pass rules with rdr-to if possible....)

/Peo
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
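As an added example (not part of either message above, and not from the OpenBSD project), here is how the 4.6 pair "no rdr ... port 21" plus "rdr ... { tcp udp }" can be written in 4.7 syntax using the negation approach Peter suggests: the single rdr-to match rule is split into a tcp rule that excludes port 21 with pf's `port != 21` operator and a plain udp rule, so TCP/21 never matches a rdr-to rule and stays addressed to the firewall where ftp-proxy listens, while everything else is still redirected to the DMZ host. The macros ($INTERNET_INT, $INTERNET_INT_IP2, $DMZ1_ORIGO, $LAN_INT, $DMZ1_INT, <bad_hosts>) are taken from the quoted pf.conf and are assumed to be defined as in the original rule set; it is also assumed that 82.82.222.222 from ftpproxy_flags is the same address as $INTERNET_INT_IP2, and the final pass rule for the proxy listener is an assumption of this example, since the quoted rule set is an excerpt.

```pf
# Added example, 4.7 syntax. Macros assumed to be defined as in the
# poster's pf.conf; 82.82.222.222 (ftp-proxy -b) assumed == $INTERNET_INT_IP2.

# ftp-proxy -R installs its own rules in this anchor for the data
# connections, so it has to stay and be evaluated before the redirects.
anchor "ftp-proxy/*"

# Outbound NAT, unchanged from the translation in the mail.
match out on $INTERNET_INT from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2
match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT_IP1
match out on $INTERNET_INT from $DMZ1_INT:network to any nat-to $INTERNET_INT_IP1

# Replacement for:
#   no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
#   rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
# The exception is expressed as a negated port in the match criteria, so
# TCP/21 never matches a rdr-to rule and keeps $INTERNET_INT_IP2 as its
# destination, which is where ftp-proxy (-b 82.82.222.222 -p 21) listens.
match in on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port != 21 rdr-to $DMZ1_ORIGO
match in on $INTERNET_INT proto udp from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO

# Filter rules from the original. In 4.7 they see the packet after the
# rdr-to rewrite, so redirected traffic is matched against $DMZ1_ORIGO.
pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state
pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state
pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)

# ASSUMED (not in the quoted excerpt): the un-redirected control
# connection still has to be allowed in to the proxy listener itself.
pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port 21 flags S/SA keep state (max-src-conn-rate 20/30, overload <bad_hosts> flush global)
```

Syntax-check the result with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `pfctl -sr` that the two rdr-to match rules appear after the ftp-proxy anchor; if the generic tcp redirect were to cover port 21 again, the FTP control connection would be sent to $DMZ1_ORIGO instead of the proxy, which is exactly the symptom described in the mail.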