Hello, I have been lurking on the list for many months now. I was hoping that I would learn enough that when the time came I would not need to ask any stupid questions. However, my cunning plan has failed and here is my first (hopefully last?) stupid question.

I set up a new OpenBSD 3.2 box this weekend. It has three interfaces: internal, external and wireless. The external interface is connected to a cable modem as a DHCP client. I have (it seems) gotten everything to work except for two items. The first is important, the second just a nicety.

1. I have a webserver on the internal LAN which listens on port 8000. I can view the webserver internally by IP and by name (using LMHOSTS records). I have not, however, been able to access the internal webserver from the outside. I saw a post over the weekend about name-based virtual hosting on web servers. This does not seem to apply to me, as I have the server set up to respond to IP and have no virtual domains configured. So I guess my question is: do I have my redirect set up correctly, and if so, where lies the problem?

2. (And this one really is not that important.) I cannot seem to get a response to ICMP to outside addresses. I can ping both directions from the firewall and I believe my pings are getting out, but the responses do not return to the internal clients.
Thanks,
Darley

# OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
#
#
###----------------------------------------------------------------------
### MACROS - define interfaces: internet, intranet, wireless net
###
if_ext = "dc0"
if_int = "fxp0"
if_wir = "an0"
INT_Net="192.168.XX.XX/27"
WIFI_Net="192.168.YY.YY/27"
bad_ports = "69,135,137,138,139,445,524,548,1433,6000,31337,666,12345"
no_route = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
             255.255.255.255/32 }"

###----------------------------------------------------------------------
### Optimization
###
#set optimization aggressive
#set timeout tcp.established 3600
#set timeout { tcp.opening 30, tcp.closing 120 }
#set limit { states 20000, frags 5000 }

###----------------------------------------------------------------------
### statistics logging on external interface
###
set loginterface $if_ext
set loginterface $if_wir

###----------------------------------------------------------------------
### NAT Gateways
###
nat on $if_ext from $INT_Net to any -> $if_ext
nat on $if_ext from $WIFI_Net to any -> $if_ext

# Redirect outside ports to internal servers
rdr on dc0 proto tcp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
rdr on dc0 proto udp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000

###----------------------------------------------------------------------
### DEFAULT RULES
###
# INCOMING DEFAULT: block and normalize all
#scrub in on all
block in log all

# OUTGOING DEFAULT: block all
block out log all

# SPECIAL IMMEDIATE BLOCKS:
# block bad ports and external broadcasts
block in quick proto { udp,tcp } from any to any port { = $bad_ports }
block in quick on $if_ext from any to 255.255.255.255
block in quick on $if_wir from any to 255.255.255.255

# block weird tcp packets on WAN:
block in quick on $if_ext inet proto tcp from any to any flags FUP/FUP
block in quick on $if_ext inet proto tcp from any to any flags SF/SFRA
block in quick on $if_ext inet proto tcp from any to any flags /SFRA

# block weird tcp packets on WiFi:
block in quick on $if_wir inet proto tcp from any to any flags FUP/FUP
block in quick on $if_wir inet proto tcp from any to any flags SF/SFRA
block in quick on $if_wir inet proto tcp from any to any flags /SFRA

# don't allow anyone to spoof non-routeable addresses
block in quick on $if_ext from $no_route to any
block out quick on $if_ext from any to $no_route

###----------------------------------------------------------------------
### LOOPBACK
###
pass in quick on lo0 all
pass out quick on lo0 all

###----------------------------------------------------------------------
### EXTERNAL INTERFACE
###
# INCOMING: accept ssh
pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 22 flags S/SA keep state
pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 8000
# INCOMING DEFAULT: block all incoming

# OUTGOING: block non nated packets, pass the others
block out quick on $if_ext from !$if_ext/24 to any
pass out quick on $if_ext proto tcp from $if_ext/24 to any flags S/SA keep state
pass out quick on $if_ext proto { udp } from $if_ext/24 to any keep state

# ICMP: ping
# remove next to block ping from Internet
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
pass out on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
# OUTGOING DEFAULT: block all outgoing

###----------------------------------------------------------------------
### INTERNAL INTERFACE
###
# INCOMING: traffic to fw, accept ssh & dhcp only, block the rest
pass in quick on $if_int proto tcp from $if_int/27 to $if_int/27 port = 22 flags S/SA keep state
pass in quick on $if_int proto { tcp,udp } from $if_int/27 to $if_int/27 port = 67 keep state
block in quick on $if_int from any to $if_int/27
# INCOMING: frwd traffic to all destinations (except bad ports & broadcasts)
pass in quick on $if_int from $if_int/27 to any
# INCOMING DEFAULT: block the rest (spoofed packets...)

# OUTGOING: pass all.
pass out quick on $if_int proto { tcp,udp } from any to $if_int/27 keep state
# ICMP: ping
pass out on $if_int inet proto icmp all icmp-type 8 code 0 keep state

###----------------------------------------------------------------------
### WIRELESS INTERFACE
###
# INCOMING: traffic to fw, accept ssh & dhcp only, block the rest
pass in quick on $if_wir proto tcp from $if_wir/27 to $if_wir/27 port = 22 flags S/SA keep state
pass in quick on $if_wir proto { tcp,udp } from $if_wir/27 to $if_wir/27 port = 67 keep state
block in quick on $if_wir from any to $if_wir/27
# INCOMING: frwd traffic to all destinations (except bad ports & broadcasts)
pass in quick on $if_wir from $if_wir/27 to any
# INCOMING DEFAULT: block the rest (spoofed packets...)

# OUTGOING: pass all.
pass out quick on $if_wir proto { tcp,udp } from any to $if_wir/27 keep state
# ICMP: ping