Hi, I'm currently using OpenBSD 4.0 as a firewall, as well as using it to run some public facing services (http, xmpp etc). What I'd like to do is move some of these services onto other servers by redirecting ports in order to make upgrading easier.
I've already done this with SMTP, using an rdr rule, which has been working for a number of years without any problems. SMTP mail is delivered to the public firewall, and immediately redirected onto my mail server for processing. However, I'm now trying to do the same with some other ports, without any luck. I'm starting by trying to allow access to the web page for an internal ejabberd installation (running on port 5280, on host 192.168.11.3); however, adding in a similar rule for port 5280 fails to work for both external and internal connections, and though tcpdump shows the redirect happening, the browser receives no response, and the web server log shows that it hasn't received anything.

When I connect from an internal machine (fenris), the tcpdump running on the firewall shows a redirect to the ejabberd server (cagliostro):

    16:42:10.711474 fenris.60780 > cagliostro.5280: [|tcp] (DF)

But nothing reaches cagliostro. My pf.conf is as follows. If anyone can tell me what I'm doing wrong, I'd greatly appreciate it, thanks.

    ExtIF="rl1"                # External interface
    IntIF="rl0"                # Internal interface
    IntNet="192.168.11.0/24"   # Internal network
    NoRoute="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }"
    Services="{ ssh, http, https, 5222, 5223, 5269, 5280, 6667 }"

    set skip on lo

    # Redirect SMTP traffic to mail server.
    rdr on $ExtIF inet proto tcp from any to 80.17.9.12 port 25 -> 192.168.11.3 port 25

    # ejabberd redirects
    rdr on $ExtIF inet proto tcp from any to 80.17.9.12 port 5280 -> 192.168.11.3 port 5280
    rdr on $IntIF inet proto tcp from any to 80.17.9.12 port 5280 -> 192.168.11.3 port 5280

    # NAT rules
    nat on $ExtIF from 192.168.11.0/24 to any -> $ExtIF

    # Ban local address spoofing.
    block in log quick on $ExtIF from $NoRoute to any
    block out log quick on $ExtIF from any to $NoRoute

    # Allow local network to connect via ssh
    pass in quick on $ExtIF inet proto tcp from $IntNet to any port = 22
    pass in quick on $ExtIF inet proto tcp from any to any port 25 keep state
    pass in quick on $ExtIF inet proto tcp from any to any port 5280 keep state

    # Allow external networks to connect to services
    pass in log quick on $ExtIF inet proto tcp from any to any port $Services keep state
    pass in log quick on $IntIF inet proto tcp from any to any port $Services keep state

    # Finally, default deny
    block in log quick on $ExtIF from any to any

    # Allow outgoing out, and keep state
    pass out on $ExtIF from any to any keep state

    block in inet6

-- 
Be seeing you,
http://www.glendale.org.uk
Sam.
xmpp:[EMAIL PROTECTED]
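As an added illustration (not part of the original post, and not a claim about what is wrong in Sam's setup): the PF FAQ describes a common failure mode for rdr on the internal interface, where the redirected server answers the LAN client directly and the client discards a reply from an address it never contacted. The fragment below, in pre-4.7 pf syntax as used on OpenBSD 4.0, pairs the rdr rules from the post with the extra nat rule the FAQ prescribes for that case; the macro names and the assumption that ejabberd listens on its LAN address are the example's own.

```pf
# Added example: rdr plus the "redirection and reflection" nat rule from the
# PF FAQ, in OpenBSD 4.0 syntax. Addresses and ports are taken from the post;
# macro names are this example's own.
ExtIF="rl1"                 # external interface
IntIF="rl0"                 # internal interface
IntNet="192.168.11.0/24"
ExtAddr="80.17.9.12"        # public address of the firewall
Jabber="192.168.11.3"       # ejabberd host (assumed to listen on this
JabberHTTP="5280"           # address, not only on 127.0.0.1)

# External clients: the packet arrives on $ExtIF and its destination is
# rewritten. The server's reply is translated back only if it passes
# through the firewall, i.e. the server's default route is the firewall.
rdr on $ExtIF inet proto tcp from any to $ExtAddr port $JabberHTTP \
    -> $Jabber port $JabberHTTP

# Internal clients: rdr changes only the destination. Without more, the
# server answers the client directly on the LAN; the client sees a SYN/ACK
# from 192.168.11.3 instead of 80.17.9.12 and drops it. The nat rule
# rewrites the source to the firewall's internal address, so the reply is
# forced back through pf and both translations are undone on the way out.
rdr on $IntIF inet proto tcp from $IntNet to $ExtAddr port $JabberHTTP \
    -> $Jabber port $JabberHTTP
nat on $IntIF inet proto tcp from $IntNet to $Jabber port $JabberHTTP \
    -> $IntIF

# Filter rules are evaluated after translation, so they must match the
# internal host, not the public address.
pass in quick on $ExtIF inet proto tcp from any to $Jabber port $JabberHTTP keep state
pass in quick on $IntIF inet proto tcp from $IntNet to $Jabber port $JabberHTTP keep state

# Verify the translation is loaded and states are created for both legs:
#   pfctl -s nat
#   pfctl -s state | grep 5280
```

After a connection attempt from a LAN client, `pfctl -s state` should show a TCP state whose translated source is the firewall's internal address; if it shows only the untranslated client address, the nat rule did not match.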