Hi,

I'm currently using OpenBSD 4.0 as a firewall, as well as using it
to run some public facing services (http, xmpp etc). What I'd like
to do is move some of these services onto other servers by redirecting
ports in order to make upgrading easier.

I've already done this with SMTP, using an rdr rule, which has been
working for a number of years without any problems. SMTP mail is
delivered to the public firewall, and immediately redirected onto my
mail server for processing.

However, I'm now trying to do the same with some other ports, without
any luck. I'm starting by trying to allow access to the web page for
an internal ejabberd installation (running on port 5280, on host
192.168.11.3), however adding in a similar rule for port 5280 fails
to work for both external and internal connections, and though
tcpdump shows the redirect happening, the browser receives no response,
and the web server log shows that it hasn't received anything.

When I connect from an internal machine (fenris), the tcpdump running
on the firewall shows a redirect to the ejabberd server (cagliostro):

16:42:10.711474 fenris.60780 > cagliostro.5280: [|tcp] (DF)

But nothing reaches cagliostro.

My pf.conf is as follows. If anyone can tell me what I'm doing wrong,
I'd greatly appreciate it, thanks.


ExtIF="rl1"         # External interface
IntIF="rl0"         # Internal interface
IntNet="192.168.11.0/24"   # Internal network
NoRoute="{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }"
Services="{ ssh, http, https, 5222, 5223, 5269, 5280, 6667 }"

set skip on lo

# Redirect SMTP traffic to mail server.
rdr on $ExtIF inet proto tcp from any to 80.17.9.12 port 25 -> 192.168.11.3 port 25

# ejabberd redirects
rdr on $ExtIF inet proto tcp from any to 80.17.9.12 port 5280 -> 192.168.11.3 port 5280
rdr on $IntIF inet proto tcp from any to 80.17.9.12 port 5280 -> 192.168.11.3 port 5280

# NAT rules
nat on $ExtIF from 192.168.11.0/24 to any -> $ExtIF

# Ban local address spoofing.
block in log quick on $ExtIF from $NoRoute to any
block out log quick on $ExtIF from any to $NoRoute

# Allow local network to connect via ssh
pass in quick on $ExtIF inet proto tcp from $IntNet to any port = 22
pass in quick on $ExtIF inet proto tcp from any to any port 25 keep state
pass in quick on $ExtIF inet proto tcp from any to any port 5280 keep state

# Allow external networks to connect to services
pass in log quick on $ExtIF inet proto tcp from any to any port $Services keep state
pass in log quick on $IntIF inet proto tcp from any to any port $Services keep state

# Finally, default deny
block in log quick on $ExtIF from any to any

# Allow outgoing out, and keep state
pass out on $ExtIF from any to any keep state

block in inet6


-- 
Be seeing you,                         http://www.glendale.org.uk
Sam.                                     xmpp:[EMAIL PROTECTED] 
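Added note and example, not part of Sam's post or of the OpenBSD project's documentation: the internal-client symptom (the firewall's tcpdump shows the redirect, but no connection ever completes) is the pattern of PF's "redirection and reflection" problem. fenris and cagliostro share the 192.168.11.0/24 segment, so when fenris connects to 80.17.9.12:5280 and the rdr on $IntIF rewrites the destination to 192.168.11.3, cagliostro answers fenris directly; fenris receives a SYN-ACK from 192.168.11.3 instead of from 80.17.9.12 and discards it, and the firewall never sees the reply half of the handshake. The usual fix on the 4.x rule syntax is to also translate the source of redirected internal connections to the firewall's internal address, so the server's replies come back through the firewall and get un-translated. The fragment below reuses the macros from the posted pf.conf; $ExtIP and $Ejabberd are macros added here for the public address and server address that appear in the post.

```pf
ExtIF="rl1"                 # External interface
IntIF="rl0"                 # Internal interface
IntNet="192.168.11.0/24"    # Internal network
ExtIP="80.17.9.12"          # added macro: public address from the post
Ejabberd="192.168.11.3"     # added macro: cagliostro

# External clients: redirect exactly as in the original rule set.
rdr on $ExtIF inet proto tcp from any to $ExtIP port 5280 -> $Ejabberd port 5280

# Internal clients: redirect, then source-NAT to the firewall's internal
# address so cagliostro replies to the firewall rather than straight back
# to the client. The "no nat" line keeps the firewall's own traffic
# to the internal network untranslated.
rdr on $IntIF inet proto tcp from $IntNet to $ExtIP port 5280 -> $Ejabberd port 5280
no nat on $IntIF proto tcp from $IntIF to $IntNet
nat on $IntIF inet proto tcp from $IntNet to $Ejabberd port 5280 -> $IntIF

# Filter rules are evaluated after translation, so they see the server
# address, not the public address.
pass in quick on $ExtIF inet proto tcp from any to $Ejabberd port 5280 keep state
pass in quick on $IntIF inet proto tcp from $IntNet to $Ejabberd port 5280 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the translations with `pfctl -s nat` and `pfctl -s state` while a connection attempt is in progress. With the source NAT in place, tcpdump on cagliostro should show the SYN arriving from the firewall's rl0 address rather than from fenris. For the external case, which this change does not touch, the thing worth confirming on cagliostro is that ejabberd's listener for 5280 is bound to 192.168.11.3 (or all addresses) rather than only to 127.0.0.1, since a redirected packet that reaches the host but finds no listener on that address produces exactly the "nothing in the web server log" result described.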