On 11 sep 2010, at 23.49, Per-Olov Sjöholm wrote:

>
> On 10 sep 2010, at 21.24, Peter N. M. Hansteen wrote:
>
>> Per-Olov Sjöholm <p...@incedo.org> writes:
>>
>>> It seems the first one is unable to convert, as it seems "no match in
>>> on..." does not work.
>>
>> Off the top of my head, move the rdr-to bits to your pass rules, make
>> sure the pass rule without the rdr-to is either the last or a
>> quick. Or use a negation in the criteria for your match rule.  Hard to
>> be more specific without the full rule set.
>>
>> - P
>> --
>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>> "Remember to set the evil bit on all malicious network traffic"
>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>>
>
>
> Here is some more info from the rule set...
>
> I for sure try to find the easiest "no rdr" statement replacement to what I
> had in 4.6. Maybe a mix of sticky match rules in "match" statements and "pass"
> statements with "rdr-to" in them will do the trick. However, I try to replace
> the earlier "no rdr" with a negated match rule. It seems I miss something here
> or it's simply not possible to achieve anymore. At least it seems to be a
> problem to replace the earlier "rdr" rules from 4.6 with just drop-in "match"
> statements. Am I *forced* to also mix in pass rules with "rdr-to" in them?
> Below is the spec of the problem... Switching directly to 4.7 breaks FTP if I
> cannot easily solve the "no rdr" problem.
>
>
>
>
> ---#--- This is what I have in rc.conf.local ---#---
> r...@xanadu:~#more /etc/rc.conf.local
> named_flags=""          # for normal use: ""
> pf=YES                  # Packet filter / NAT
> sshd_flags="-4"         # for normal use: ""
> dhcpd_flags="vlan2"     # for normal use: ""
> ntpd_flags=""           # for normal use: ""
> ftpproxy_flags="-R 192.168.2.35 -p 21 -b 82.82.222.222"        # for normal use: ""
>
>
>
> ---#--- For the case relevant stuff cut out from pf.conf in 4.6.... ---#---
>
> nat-anchor "ftp-proxy/*"
> nat on $INTERNET_INT inet from $DMZ1_ORIGO -> $INTERNET_INT_IP2
> rdr-anchor "ftp-proxy/*"
>
> nat on $INTERNET_INT from $DMZ1_ORIGO to any -> $INTERNET_INT_IP2
> nat on $INTERNET_INT from $LAN_INT:network to any -> $INTERNET_INT_IP1
> nat on $INTERNET_INT from $DMZ1_INT:network to any -> $INTERNET_INT_IP1
>
> no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
> rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
>
> pass out on $ALL_INTERFACES inet proto { tcp gre esp udp icmp } all keep state
>
> pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
> pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state
>
> pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)
>
>
> ---#--- I translated this to the following in 4.7---#---
>
> anchor "ftp-proxy/*"
> match out on $INTERNET_INT inet from $DMZ1_ORIGO nat-to $INTERNET_INT_IP2
> #rdr-anchor "ftp-proxy/*"
>
> match out on $INTERNET_INT from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2
> match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT_IP1
> match out on $INTERNET_INT from $DMZ1_INT:network to any nat-to $INTERNET_INT_IP1
>
> # no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
> # >>>>>>PROBLEM TO TRANSLATE THE ABOVE ROW<<<<<<
>
> # rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
> match in on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO
>
> pass out on $ALL_INTERFACES inet proto { tcp gre esp udp icmp } all keep state
>
> pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
> pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state
>
> pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)
>
>
>
>
> Everything works except the FTP service on my RFC1918 DMZ.
>
>
> Suggestions very much appreciated.
> (Using just match rules instead of pass rules with rdr-to if possible....)
>
>
> /Peo
> --
> GPG keyID: 5231C0C4
> GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
> GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
>


Sorry... Forgot that I had this rule as well that is involved...

pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port { 21 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)


That is the reason I don't want a "no-rdr" for port 21 to INTERNET_IP2 so it
terminates in the firewall with the ftp-proxy and not in the DMZ server.


/Peo
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4

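One way to write the 4.6 rules quoted above in 4.7 syntax, as an added example (this is neither the poster's configuration nor Peter's reply). It follows Peter's suggestion of putting the negation into the match criteria: 4.7 has no "no rdr-to", and a later match rule that merely lacks rdr-to does not undo a redirection an earlier match rule already attached to the packet, so the port-21 exemption is expressed as `port != 21` on the TCP redirect. Macro names are the ones from the post; `$DMZ1_ORIGO` is assumed to be 192.168.2.35, the host given to `ftp-proxy -R` in rc.conf.local, and `$INTERNET_INT_IP2` is assumed to be the 82.82.222.222 that `ftp-proxy -b` binds to.

```pf
# Added example, not the poster's rule set. Macros as in the post;
# $DMZ1_ORIGO is assumed to be 192.168.2.35 (the ftp-proxy -R target) and
# $INTERNET_INT_IP2 is assumed to be 82.82.222.222 (the ftp-proxy -b address).

# In 4.7 ftp-proxy inserts its pass/rdr-to rules into one anchor; the
# separate nat-anchor/rdr-anchor lines from 4.6 are no longer needed.
anchor "ftp-proxy/*"

# 4.6 "nat on ... -> addr" becomes "match out ... nat-to addr".
match out on $INTERNET_INT from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2
match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT_IP1
match out on $INTERNET_INT from $DMZ1_INT:network to any nat-to $INTERNET_INT_IP1

# 4.6:
#   no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
#   rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
# 4.7: the exemption goes into the match criteria. TCP is redirected to the
# DMZ host for every port except 21, which must stay on the firewall where
# ftp-proxy listens; UDP is redirected unchanged. The two protocols are split
# so that the "!= 21" only affects TCP, exactly like the old "no rdr" line.
match in on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port != 21 rdr-to $DMZ1_ORIGO
match in on $INTERNET_INT inet proto udp from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO

pass out on $ALL_INTERFACES inet proto { tcp gre esp udp icmp } all keep state

pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state

# Port 21 on $INTERNET_INT_IP2 is not redirected, so it terminates on the
# firewall itself, i.e. on ftp-proxy -R ... -b $INTERNET_INT_IP2.
pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port 21 flags S/SA keep state \
    (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)

# Everything that was redirected now carries the DMZ host as destination,
# so the filter rule matches on $DMZ1_ORIGO, not on $INTERNET_INT_IP2.
pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 143 993 } flags S/SA keep state \
    (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)
```

Check it with `pfctl -nf /etc/pf.conf` before loading (a `-vnf` run prints the rules after macro expansion, which is the quickest way to see that `port != 21` ended up on the TCP rule only), then load it and verify with `pfctl -ss` that a control connection to `$INTERNET_INT_IP2:21` shows the firewall address as its endpoint while a connection to port 143 shows `$DMZ1_ORIGO`. The alternative Peter mentioned also works: move `rdr-to` onto the pass rules and put the port-21 `pass in quick` rule for `$INTERNET_INT_IP2` before the rdr-to rules, since `quick` stops evaluation before any redirect rule is reached; the negated match rule above is simply less sensitive to rule ordering.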