On 11 sep 2010, at 23.49, Per-Olov Sjöholm wrote:

> On 10 sep 2010, at 21.24, Peter N. M. Hansteen wrote:
>
>> Per-Olov Sjöholm <p...@incedo.org> writes:
>>
>>> It seems the first one is unable to convert as it seems "no match in on..."
>>> does not work.
>>
>> Off the top of my head, move the rdr-to bits to your pass rules, make
>> sure the pass rule without the rdr-to is either the last or a
>> quick. Or use a negation in the criteria for your match rule. Hard to
>> be more specific without the full rule set.
>>
>> - P
>> --
>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>> "Remember to set the evil bit on all malicious network traffic"
>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>
> Here is some more info from the rule set...
>
> I for sure try to find the easiest "no rdr" statement replacement to what I had in 4.6. Maybe a mix of sticky match rules in "match" statements and "pass" statements with "rdr-to" in them will do the trick. However, I try to replace the earlier "no rdr" with a negated match rule. It seems I miss something here or it's simply not possible to achieve anymore. At least it seems to be a problem to replace the earlier "rdr" rules from 4.6 with just drop-in "match" statements. Am I *forced* to also mix in pass rules with "rdr-to" in them????? Below is the spec of the problem.... Switching directly to 4.7 breaks FTP if I cannot easily solve the "no rdr" problem.
>
>
> ---#--- This is what I have in rc.conf.local ---#---
> r...@xanadu:~#more /etc/rc.conf.local
> named_flags=""        # for normal use: ""
> pf=YES                # Packet filter / NAT
> sshd_flags="-4"       # for normal use: ""
> dhcpd_flags="vlan2"   # for normal use: ""
> ntpd_flags=""         # for normal use: ""
> ftpproxy_flags="-R 192.168.2.35 -p 21 -b 82.82.222.222"   # for normal use: ""
>
>
> ---#--- For the case relevant stuff cut out from pf.conf in 4.6.... ---#---
>
> nat-anchor "ftp-proxy/*"
> nat on $INTERNET_INT inet from $DMZ1_ORIGO -> $INTERNET_INT_IP2
> rdr-anchor "ftp-proxy/*"
>
> nat on $INTERNET_INT from $DMZ1_ORIGO to any -> $INTERNET_INT_IP2
> nat on $INTERNET_INT from $LAN_INT:network to any -> $INTERNET_INT_IP1
> nat on $INTERNET_INT from $DMZ1_INT:network to any -> $INTERNET_INT_IP1
>
> no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
> rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
>
> pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state
>
> pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
> pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state
>
> pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)
>
>
> ---#--- I translated this to the following in 4.7 ---#---
>
> anchor "ftp-proxy/*"
> match out on $INTERNET_INT inet from $DMZ1_ORIGO nat-to $INTERNET_INT_IP2
> #rdr-anchor "ftp-proxy/*"
>
> match out on $INTERNET_INT from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2
> match out on $INTERNET_INT from $LAN_INT:network to any nat-to $INTERNET_INT_IP1
> match out on $INTERNET_INT from $DMZ1_INT:network to any nat-to $INTERNET_INT_IP1
>
> # no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
> # >>>>>>PROBLEM TO TRANSLATE THE ABOVE ROW<<<<<<
>
> # rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
> match in on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO
>
> pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp} all keep state
>
> pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
> pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state
>
> pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 21 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)
>
>
>
>
> Everything works except the FTP service on my RFC1918 DMZ.
>
>
> Suggestions very much appreciated.
> (Using just match rules instead of pass rules with rdr-to if possible....)
>
>
> /Peo
> --
> GPG keyID: 5231C0C4
> GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
> GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
>
Sorry... Forgot that I had this rule as well that is involved...

pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port { 21 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)

That is the reason I don't want a "no-rdr" for port 21 to INTERNET_IP2 so it terminates in the firewall with the ftp-proxy and not in the DMZ server.

/Peo
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
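As an added example that is not part of this thread, here is one way the 4.6 "no rdr" block could read in 4.7, following the negation option Peter suggested: the old `no rdr` exception becomes a port negation on the `match ... rdr-to` rule, so TCP/21 to the public address is left untranslated and terminates on the firewall where ftp-proxy -R is listening, while everything else to that address is still redirected into the DMZ. The macros ($INTERNET_INT, $INTERNET_INT_IP2, $DMZ1_ORIGO, <bad_hosts>) are taken from the quoted pf.conf; the use of `port != 21` in place of the `no rdr` line and the statement that the later pass rules see the translated destination are assumptions about the 4.7 grammar and evaluation order, not something confirmed in the thread, so check the file with `pfctl -nf /etc/pf.conf` before loading it.

```pf
# Added example, not the poster's configuration: 4.7-style replacement for
#   no rdr on $INTERNET_INT proto tcp from any to $INTERNET_INT_IP2 port 21
#   rdr on $INTERNET_INT proto { tcp udp } from any to $INTERNET_INT_IP2 -> $DMZ1_ORIGO
# Macro names come from the quoted pf.conf; "port != 21" is the assumed
# negation syntax that carries the old "no rdr" exception.

# ftp-proxy(8) in reverse mode (-R) inserts its own rules here.
anchor "ftp-proxy/*"

# Outbound NAT, as in the poster's translation.
match out on $INTERNET_INT inet from $DMZ1_ORIGO to any nat-to $INTERNET_INT_IP2
match out on $INTERNET_INT inet from $LAN_INT:network to any nat-to $INTERNET_INT_IP1
match out on $INTERNET_INT inet from $DMZ1_INT:network to any nat-to $INTERNET_INT_IP1

# Inbound redirection to the RFC1918 DMZ host. The TCP rule excludes port 21
# so the FTP control connection stays on the firewall for ftp-proxy; UDP is
# redirected unconditionally, matching the old "rdr" which had no UDP exception.
match in on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port != 21 rdr-to $DMZ1_ORIGO
match in on $INTERNET_INT inet proto udp from any to $INTERNET_INT_IP2 rdr-to $DMZ1_ORIGO

pass out on $ALL_INTERFACES inet proto { tcp gre esp udp icmp } all keep state

pass in log quick on $DMZ1_INT inet proto tcp from $DMZ1_ORIGO to any flags S/SA keep state
pass in log quick on $DMZ1_INT inet proto { icmp udp } from $DMZ1_ORIGO to any keep state

# FTP control connection: destination is still $INTERNET_INT_IP2 because the
# match rule above did not rewrite it, so this rule (from the follow-up mail)
# delivers it to ftp-proxy on the firewall.
pass in log quick on $INTERNET_INT inet proto tcp from any to $INTERNET_INT_IP2 port 21 flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)

# IMAP/IMAPS: destination has already been rewritten to $DMZ1_ORIGO by the
# match rule, so filtering happens on the translated address, as in 4.6.
pass in log quick on $INTERNET_INT inet proto tcp from any to $DMZ1_ORIGO port { 143 993 } flags S/SA keep state (max-src-nodes 50, max-src-states 70, max-src-conn 70, max-src-conn-rate 20/30, overload <bad_hosts> flush global)
```

The alternative Peter mentioned, moving `rdr-to` onto the pass rules, also works but only because of ordering: the port-21 pass rule without `rdr-to` must be `quick` and come before the catch-all pass rule that carries `rdr-to $DMZ1_ORIGO`, since the first matching quick rule decides and a later rule's translation is never reached. With the match-rule form above, order does not matter for the exception, and `pfctl -sr` after loading should show the two `match in` rules with their `rdr-to` targets ahead of the pass rules.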