I apologize in advance if this is a stupid question :)

OpenBSD pf firewall for a small network, adsl in, doing nat. I want to rdr certain ports on the firewall to an internal server. My rdr and pass lines work fine for some services (http [80], rsync [873], etc.), but two services DON'T work: MS RDP (Remote Desktop), which runs on port 3389 on the Windows boxes. I'm rdring ports 4001 and 4002 to two different computers. This works if I take out the line "block all" and doesn't work when I do "block all"--http and rsync work regardless.

Hope I'm not doing something TOO newbish.

thanks,
Scott Sipe

p.s. pf is godly, thanks so much for the great piece of software! :)

#### my pf.conf #######################################################

ext_if="fxp1"
int_if="fxp0"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
tcp_in = "{ 22, 80, 873, 4001, 4002 }"
icmp_types = "echoreq"

set block-policy return
set loginterface $ext_if

scrub in all

#altq on $ext_if priq bandwidth 360Kb queue { q_pri, q_def }
#queue q_pri priority 7
#queue q_def priority 1 priq(default)

nat on $ext_if from $int_if:network to any -> ($ext_if)


# These are actual IP addresses in the real version
rdr on $ext_if proto tcp from any to any port 80 -> $server port 80
rdr on $ext_if proto tcp from any to any port 4001 -> $comp1 port 3389
rdr on $ext_if proto tcp from any to any port 4002 -> $comp2 port 3389

# rdr outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# With the following line commented everything works--with it
# uncommented, ports 80,873 work, but no 4001,4002
#block all

pass quick on lo0 all

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in quick on $ext_if inet proto tcp from any to any port $tcp_in flags S/SA modulate state
pass out quick on $ext_if inet proto tcp from any to any flags S/SA modulate state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp from any to any keep state


pass in inet proto icmp all icmp-type $icmp_types keep state

#
# Deal with inside traffic
#
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
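Added example (editor's, not from the poster's config): pf evaluates rdr before the filter rules, so the pass rule sees the translated packet, i.e. destination $comp1 port 3389, not port 4001. A pass rule keyed on 4001/4002 therefore never matches and a non-quick "block all" wins; redirects that keep the port (80 -> 80, 873 -> 873) are unaffected. The snippet uses the same pre-4.7 pf syntax as the post; the host addresses are assumed placeholders.

```pf
ext_if="fxp1"
int_if="fxp0"
# Assumed placeholder addresses; the post replaced the real ones with macros
comp1="192.168.1.11"
comp2="192.168.1.12"
rdp_hosts="{ 192.168.1.11, 192.168.1.12 }"

nat on $ext_if from $int_if:network to any -> ($ext_if)

# Translation happens first: after these rules the packet is addressed
# to $comp1/$comp2 port 3389, and that is what the filter rules see.
rdr on $ext_if proto tcp from any to any port 4001 -> $comp1 port 3389
rdr on $ext_if proto tcp from any to any port 4002 -> $comp2 port 3389

block all

# Does not match: ports 4001/4002 no longer exist on the translated packet,
# so "block all" applies and the RDP connection is refused.
# pass in quick on $ext_if inet proto tcp from any to any port { 4001, 4002 } flags S/SA modulate state

# Matches the translated destination. Restricting it to the two redirected
# hosts keeps 3389 closed on every other internal machine.
pass in quick on $ext_if inet proto tcp from any to $rdp_hosts port 3389 flags S/SA modulate state

# The state created above carries the connection out on the inside interface.
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
```

After loading the rules, `pfctl -s rules` shows the filter rules with the ports as pf actually compares them, and `pfctl -s state` should show a state for the inside host on port 3389 once a connection comes in.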