Hi all-
I've just completed a new OBSD 3.1 build, and am trying to get some form
of tcp reflection working on this system. I know that the best choice
would be to create a DMZ... this is not a study in best practices, this
is an effort to get this feature _working_. I've attempted to get this
working via tcp proxy (nc) and via the convoluted redirect method. Here
is my network description:
Internet <-----> (dc0) Firewall (dc1) <---------> Server 192.168.1.20
10.0/8                                 192.168.0/16    |
                                                       |-> Client 192.168.1.21
int_if="dc1"
ext_if="dc0"
int_net="192.168.1.0/24"
server="10.109.10.97"
webserver="192.168.1.20"
First, I tried to use the following redirection rules as provided by the
OpenBSD FAQ and Daniel himself (thanks Daniel). I can't even get to
testing them, pfctl complains of a syntax error on the last rule:
rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $server
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if
/etc/nat.conf:22: syntax error
pfctl: syntax error in file: nat rules not loaded
So, I'm trying to use the tcp proxy method via netcat, but that doesn't
work either. I first attempted to use the default example as found in
the OBSD FAQ:
(inetd.conf)
127.0.0.1:5000 stream tcp wait nobody /usr/bin/nc nc -w 20 192.168.1.20 80
(nat.conf)
rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> 127.0.0.1 port 5000
The client appears to connect to the proxy just fine, based on the
output of "pfctl -ss", netstat, and tcpdump. However, it appears that
the firewall is not translating the destination, as tcpdump on the
server shows a source address of 127.0.0.1. I've tried various
redirection/nat rules, and nothing seems to be working. Best results
end in a flood of S/F packets being sent between the firewall and server
(after a lengthy delay of nothingness)... worst results show a S/SA
connection between the client and firewall, then nothing.
Any suggestions?
TIA,
Jason
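A small model of the rdr + nat "reflection" ruleset the post is trying to load, added here as an illustration (it is not part of the post or of the OpenBSD FAQ); the firewall's dc0 and dc1 addresses are assumptions, since the post only gives the server and client addresses. It shows why the source-nat rule on $int_if is needed: without it the server answers the client directly and the reply never passes back through pf.

```python
# Added model of pf reflection (rdr plus nat on the internal interface).
# Addresses are constructed: the firewall's dc0 (external) and dc1 (internal)
# addresses are assumptions, the server and client addresses come from the post.
EXT_IF_ADDR = "10.0.0.1"       # assumed address of dc0 (the $ext_if side)
INT_IF_ADDR = "192.168.1.1"    # assumed address of dc1 (the $int_if side)
WEBSERVER = "192.168.1.20"     # $webserver from the post
CLIENT = "192.168.1.21"        # the client from the post

def in_int_net(addr):
    """True for addresses inside $int_net (192.168.1.0/24)."""
    return addr.startswith("192.168.1.")

def rdr(pkt):
    """rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $webserver"""
    if pkt["proto"] == "tcp" and in_int_net(pkt["src"]) \
            and pkt["dst"] == EXT_IF_ADDR and pkt["dport"] == 80:
        return dict(pkt, dst=WEBSERVER)
    return pkt

def nat(pkt, with_nat_rule=True):
    """no nat on $int_if proto tcp from $int_if to $int_net
       nat on $int_if proto tcp from $int_net to $webserver port 80 -> $int_if
    The 'no nat' exemption is checked first; with_nat_rule=False models a
    ruleset that has the rdr rule but no source NAT."""
    if pkt["src"] == INT_IF_ADDR and in_int_net(pkt["dst"]):
        return pkt                      # firewall's own traffic: never translated
    if with_nat_rule and pkt["proto"] == "tcp" and in_int_net(pkt["src"]) \
            and pkt["dst"] == WEBSERVER and pkt["dport"] == 80:
        return dict(pkt, src=INT_IF_ADDR)
    return pkt

def reflect(pkt, with_nat_rule=True):
    """Translation an inbound packet on $int_if undergoes: rdr, then nat."""
    return nat(rdr(pkt), with_nat_rule)

def reply_returns_via_firewall(pkt, with_nat_rule=True):
    """The server answers the translated source address.  Only if that address
    is the firewall's does the reply pass back through pf, which can then undo
    both translations.  Otherwise the server answers the client directly from
    192.168.1.20, but the client expects a reply from the external address it
    connected to, so its TCP stack rejects the unexpected source."""
    return reflect(pkt, with_nat_rule)["src"] == INT_IF_ADDR

if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": CLIENT, "sport": 40000,
           "dst": EXT_IF_ADDR, "dport": 80}
    print("with nat rule   :", reflect(pkt), reply_returns_via_firewall(pkt))
    print("without nat rule:", reflect(pkt, False), reply_returns_via_firewall(pkt, False))
```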