Hello, everybody!

I have a problem with redirection, and I can't find any solution.
I'm a newbie at OpenBSD and pf.

I have at home 2 machines behind an OpenBSD firewall, an XP and a Linux box - that is the DMZ, web server and others. My network connection is ADSL. I have registered a Dynamic DNS name, and I'm using ddclient. I configured pf to redirect http requests to the Linux box, and it had worked fine for the last few days. I followed Daniel's instructions (http://www.benzedrine.cx/transquid.html) for setting up a transparent squid, and the problems began after that. The proxy works fine, but now I can't reach the Linux box via http, and I don't understand why. I only made the necessary changes for the transparent proxy in pf.conf. Now, when I want to reach my test homepage, the browser can't connect. When I started logging with tcpdump on pflog0, I saw pf's blocking rule dropping the http requests. I don't understand why it makes this mistake, because I didn't make any changes to the blocking rules. For debugging, I turned off the transparent proxy and commented out the transproxy rules in pf.conf (http worked before), but the problem still persists: I could not reach my Linux box via http. After that I commented out the redirect rule to see if the firewall's own http test page might work, but it didn't.
At the same time my ssh redirection to the linux with a different port works fine, only http doesn't.
And the VNC redirection to the WinXP machine works fine too.
If I reload an earlier and simpler pf.conf file with the http redirect modification, the problem is still the same.



My pf.conf file:

#Macros

ext_if = "tun0"
int_if = "rl1"
int_if2 = "rl2"

LAN_server = "192.168.2.3"
#LAN_firewall = "192.168.1.1"
LAN_clients = "{ 192.168.1.0/24 192.168.2.0/24 }"
Friends = "{ 192.168.1.4, 192.168.2.3, x.x.x.x }"
PRIVATE_BLOCKS = "{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
FW_services = "{ ssh, 5867 }"
VNC_ports = "{ 5800, 5900 }"
CVSupServers = "{ 152.66.243.8, 193.225.13.161, 194.242.157.43, 131.159.252.181 }"
CVSupPorts = "{ 5999 }"
DynDNSServer = "{ 63.208.196.94 }"
DynDNSPorts = "{ 8245 }"
LAN_to_INT_services = "{ www, https, ssh, smtp, pop3 }"


set optimization aggressive

scrub in log on $ext_if all

#NAT and Redirect

nat on $ext_if from $LAN_clients to any -> ($ext_if)
rdr on $ext_if proto tcp from $Friends to $ext_if port 5867 -> 192.168.2.3 port 22
rdr on $ext_if proto tcp from any to $ext_if port www -> 192.168.2.3 port www
rdr on $ext_if proto tcp from any to any port $VNC_ports -> 192.168.1.4
rdr pass on $ext_if proto tcp from $DynDNSServer to $ext_if port $DynDNSPorts -> 192.168.2.3
#Transparent proxy redirection
#rdr on { $int_if $int_if2 } proto tcp from $LAN_clients to any port www -> 127.0.0.1 port 3128


#Blocking rules

#block in quick inet6 all
#block out quick inet6 all
block drop in log quick on $ext_if inet from $PRIVATE_BLOCKS to any
block drop out log quick on $ext_if inet from any to $PRIVATE_BLOCKS

antispoof for $ext_if inet

block in log on $ext_if proto { udp, tcp, icmp } all
#block return in log on $ext_if proto { udp, tcp } all
block out log on $ext_if proto { udp, tcp, icmp } all
#Immediate blocks
# fuzz any 'nmap' attempt
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA

#Passing rules

#loopback
pass in quick on lo0 all
pass out quick on lo0 all

#UDP name resolution
pass out on $ext_if inet proto udp from $ext_if to any keep state
#to contact internet services
pass out on $ext_if inet proto tcp from $ext_if to any port $LAN_to_INT_services flags S/AUPRFS modulate state
#ping
pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in log quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
#passive ftp
pass out on $ext_if inet proto tcp from $ext_if to any port 21 flags S/AUPRFS modulate state
pass out on $ext_if inet proto tcp from $ext_if to any port > 1024 flags S/AUPRFS modulate state
#Transparent proxy
#pass in on { $int_if $int_if2 } inet proto tcp from any to 127.0.0.1 port 3128 keep state
#pass out on $ext_if inet proto tcp from any to any port www keep state


#CVS update
pass out quick on $ext_if inet proto tcp from $ext_if to $CVSupServers port $CVSupPorts flags S/SA modulate state
# DynDNS.org update
pass out quick on $ext_if inet proto tcp from any to $DynDNSServer port $DynDNSPorts flags S/SA modulate state
#Time server#
pass out quick on $ext_if inet proto { tcp, udp } from $ext_if to 148.6.0.1 port ntp flags S/SA modulate state
#SSH
pass in on $ext_if inet proto tcp from $Friends to $ext_if port $FW_services modulate state
pass in on $ext_if inet proto tcp from $Friends to $LAN_server port 22 flags S/SA modulate state


#DMZ web access
pass in on $ext_if inet proto tcp from any to $ext_if port www flags S/SA synproxy state
#VNC to WinXP
pass in on $ext_if inet proto tcp from $Friends to 192.168.1.4 port $VNC_ports flags S/SA modulate state


block in on $int_if2 all
pass in on $int_if2 inet proto tcp from $Friends to any port $FW_services modulate state



This configuration file worked for me before without any problem.

Is there anyone who can help me?
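The following pf.conf fragment is an added example, not part of the original post, illustrating the one thing worth checking first in the ruleset above. In pf releases before OpenBSD 4.7, nat and rdr are applied before the filter rules are evaluated, so a pass rule sees the already translated destination. The working ssh and VNC rules match the translated addresses ($LAN_server port 22 and 192.168.1.4), while the "DMZ web access" rule matches $ext_if port www, which the redirected http packets no longer carry; the catch-all "block in log on $ext_if" then drops them, which is what pflog0 shows. The macros reused here are the ones from the post; the behaviour of pfctl and tcpdump described in the comments is standard, nothing else is assumed.

```pf
# Added example (not the poster's file): filter rules written against the
# post-rdr destination, which is what pf before OpenBSD 4.7 evaluates.
# Macros taken from the post above.
ext_if = "tun0"
LAN_server = "192.168.2.3"
Friends = "{ 192.168.1.4, 192.168.2.3, x.x.x.x }"

# rdr rewrites the destination before any filter rule sees the packet ...
rdr on $ext_if proto tcp from any to $ext_if port www -> $LAN_server port www

# ... so this rule never matches redirected http: by the time it is
# evaluated the packet is addressed to 192.168.2.3, and the default
# "block in log on $ext_if" rule wins (visible in tcpdump on pflog0).
#pass in on $ext_if inet proto tcp from any to $ext_if port www flags S/SA synproxy state

# Match the translated address instead, exactly like the ssh rule that
# already works ("to $LAN_server port 22").
pass in on $ext_if inet proto tcp from any to $LAN_server port www flags S/SA synproxy state

# Alternative already used for DynDNS in the post: "rdr pass" creates the
# state itself and skips the filter rules for that redirection entirely.
# It is less explicit, so keeping a separate pass rule is preferable when
# synproxy or logging options are wanted.
#rdr pass on $ext_if proto tcp from any to $ext_if port www -> $LAN_server port www

# The ssh redirection, unchanged, shown for comparison.
rdr on $ext_if proto tcp from $Friends to $ext_if port 5867 -> $LAN_server port 22
pass in on $ext_if inet proto tcp from $Friends to $LAN_server port 22 flags S/SA modulate state
```

To check a change like this, run "pfctl -nf /etc/pf.conf" first, which parses the file without loading it (the original line "flags modulate state" without a flag set would have been rejected here), then "pfctl -f /etc/pf.conf" and "pfctl -sr" to confirm the loaded rules, and keep "tcpdump -n -e -ttt -i pflog0" running while connecting: the pflog header names the rule number that blocked a packet, and "pfctl -vsr" shows the same numbers, so the blocking rule can be identified precisely instead of guessed.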
