Re: PF and MS RDP trouble (help!)

2006-04-10 Thread steve

Leonardo Rodrigues wrote:

Hello everyone!

I'm having a bit of trouble trying to access a Windows 2003 server
that is behind an OpenBSD 3.9 -current firewall.

From the LAN, I can remote access the 2k3 server easily, by just
opening the mstsc and entering the machine's IP (192.168.0.1).
The problem is, I want to access the 2k3 server from home, and my PF
rules aren't working =(
I try to connect to the firewall's external IP via the ms terminal
service client, but my connection times out...

Here's my pf.conf

#BEGIN
lab_if = em0 # i'm still not using it.
adm_if = rl0
ext_if = rl1

tcp_services = { 22, 113  }
icmp_types = echoreq
priv_nets = { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8  }

set block-policy return
set loginterface $ext_if

scrub in all

nat on $ext_if from $adm_if:network to any -> $ext_if

#RDP rdr rule
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> 192.168.0.1 port 3389

block all

pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# RDP (MS Terminal Service)
pass in on $ext_if proto tcp from any to any port 3389

pass in on $ext_if inet proto tcp from any to $ext_if \
 port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $adm_if from $adm_if:network to any keep state
#pass in on $lab_if from $lab_if:network to any keep state

pass out on $adm_if from any to $adm_if:network keep state
#pass out on $lab_if from any to $lab_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#END

I think I'm missing something very obvious here... so, better ask the
list than slam my head on the wall :D

Also, as one can see from the .conf file, I have two networks, ADM
(192.168.0.0/24) and LAB (192.168.1.0/24), that must be isolated from
each other. I still haven't figured that one out yet. Anyone willing
to give me some light onto this matter?

Thanks in advance, and kudos for everyone that makes OpenBSD a great OS :)



What is the output of pfctl -sn ?

Is pf enabled ?

Does the Windows machine have a route to the outside world ?

Is there any firewalling enabled on the windows box that may be 
interfering ?




PF and MS RDP trouble (help!)

2006-04-09 Thread Leonardo Rodrigues
Hello everyone!

I'm having a bit of trouble trying to access a Windows 2003 server
that is behind an OpenBSD 3.9 -current firewall.

From the LAN, I can remote access the 2k3 server easily, by just
opening the mstsc and entering the machine's IP (192.168.0.1).
The problem is, I want to access the 2k3 server from home, and my PF
rules aren't working =(
I try to connect to the firewall's external IP via the ms terminal
service client, but my connection times out...

Here's my pf.conf

#BEGIN
lab_if = em0 # i'm still not using it.
adm_if = rl0
ext_if = rl1

tcp_services = { 22, 113  }
icmp_types = echoreq
priv_nets = { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8  }

set block-policy return
set loginterface $ext_if

scrub in all

nat on $ext_if from $adm_if:network to any -> $ext_if

#RDP rdr rule
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> 192.168.0.1 port 3389

block all

pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# RDP (MS Terminal Service)
pass in on $ext_if proto tcp from any to any port 3389

pass in on $ext_if inet proto tcp from any to $ext_if \
 port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $adm_if from $adm_if:network to any keep state
#pass in on $lab_if from $lab_if:network to any keep state

pass out on $adm_if from any to $adm_if:network keep state
#pass out on $lab_if from any to $lab_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#END

I think I'm missing something very obvious here... so, better ask the
list than slam my head on the wall :D

Also, as one can see from the .conf file, I have two networks, ADM
(192.168.0.0/24) and LAB (192.168.1.0/24), that must be isolated from
each other. I still haven't figured that one out yet. Anyone willing
to give me some light onto this matter?

Thanks in advance, and kudos for everyone that makes OpenBSD a great OS :)



Re: PF and MS RDP trouble (help!)

2006-04-09 Thread Vijay Sankar

Leonardo Rodrigues wrote:


Hello everyone!

I'm having a bit of trouble trying to access a Windows 2003 server
that is behind an OpenBSD 3.9 -current firewall.


From the LAN, I can remote access the 2k3 server easily, by just
opening the mstsc and entering the machine's IP (192.168.0.1).
The problem is, I want to access the 2k3 server from home, and my PF
rules aren't working =(
I try to connect to the firewall's external IP via the ms terminal
service client, but my connection times out...

Here's my pf.conf

#BEGIN
lab_if = em0 # i'm still not using it.
adm_if = rl0
ext_if = rl1

tcp_services = { 22, 113  }
icmp_types = echoreq
priv_nets = { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8  }

set block-policy return
set loginterface $ext_if

scrub in all

nat on $ext_if from $adm_if:network to any -> $ext_if

#RDP rdr rule
rdr on $ext_if proto tcp from any to $ext_if port 3389 -> 192.168.0.1 port 3389

block all

pass quick on lo0 all

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# RDP (MS Terminal Service)
pass in on $ext_if proto tcp from any to any port 3389

pass in on $ext_if inet proto tcp from any to $ext_if \
port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $adm_if from $adm_if:network to any keep state
#pass in on $lab_if from $lab_if:network to any keep state

pass out on $adm_if from any to $adm_if:network keep state
#pass out on $lab_if from any to $lab_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#END

I think I'm missing something very obvious here... so, better ask the
list than slam my head on the wall :D

Also, as one can see from the .conf file, I have two networks, ADM
(192.168.0.0/24) and LAB (192.168.1.0/24), that must be isolated from
each other. I still haven't figured that one out yet. Anyone willing
to give me some light onto this matter?

Thanks in advance, and kudos for everyone that makes OpenBSD a great OS :)




Looks like you may want to do a rdr pass since otherwise you are doing 
a block drop in quick to all priv_nets and your W2K3 server is on one 
of those nets.




Re: PF and MS RDP trouble (help!)

2006-04-09 Thread NetNeanderthal
On 4/9/06, Leonardo Rodrigues [EMAIL PROTECTED] wrote:
 Hello everyone!

 I'm having a bit of trouble trying to access a Windows 2003 server
 that is behind an OpenBSD 3.9 -current firewall.

 From the LAN, I can remote access the 2k3 server easily, by just
 opening the mstsc and entering the machine's IP (192.168.0.1).
 The problem is, I want to access the 2k3 server from home, and my PF
 rules aren't working =(
 I try to connect to the firewall's external IP via the ms terminal
 service client, but my connection times out...

 Here's my pf.conf
snip ruleset

What methods have you used to diagnose this?

Read the FAQ page and the man pages.
http://www.openbsd.org/faq/pf/logging.html
/usr/bin/man pfctl pflogd tcpdump

Turn on logging for all block rules and start pflogd.  Then, try the
following command and retest the connection attempt:

/sbin/pflogd
/sbin/ifconfig pflog0 up
/usr/sbin/tcpdump -netttoi pflog0 port 3389

If you still can't find what's stopping the connection after examining
pflog0, send the output of the following command back to the list:

/sbin/pfctl -vvvsa



Re: PF and MS RDP trouble (help!)

2006-04-09 Thread Melameth, Daniel D.
You're using keep state in other places.  Why is it missing from pass
in on $ext_if proto tcp from any to any port 3389?

Leonardo Rodrigues wrote:
 I'm having a bit of trouble trying to access a Windows 2003 server
 that is behind an OpenBSD 3.9 -current firewall.
 
 From the LAN, I can remote access the 2k3 server easily, by just
 opening the mstsc and entering the machine's IP (192.168.0.1).
 The problem is, I want to access the 2k3 server from home, and my PF
 rules aren't working =(
 I try to connect to the firewall's external IP via the ms terminal
 service client, but my connection times out...
 
 Here's my pf.conf
 
 #BEGIN
 lab_if = em0 # i'm still not using it.
 adm_if = rl0
 ext_if = rl1
 
 tcp_services = { 22, 113  }
 icmp_types = echoreq
 priv_nets = { 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }
 
 set block-policy return
 set loginterface $ext_if
 
 scrub in all
 
 nat on $ext_if from $adm_if:network to any -> $ext_if
 
 #RDP rdr rule
 rdr on $ext_if proto tcp from any to $ext_if port 3389 -> 192.168.0.1 port 3389
 
 block all
 
 pass quick on lo0 all
 
 block drop in quick on $ext_if from $priv_nets to any
 block drop out quick on $ext_if from any to $priv_nets
 
 # RDP (MS Terminal Service)
 pass in on $ext_if proto tcp from any to any port 3389
 
 pass in on $ext_if inet proto tcp from any to $ext_if \
  port $tcp_services flags S/SA keep state
 
 pass in inet proto icmp all icmp-type $icmp_types keep state
 
 pass in on $adm_if from $adm_if:network to any keep state
 #pass in on $lab_if from $lab_if:network to any keep state
 
 pass out on $adm_if from any to $adm_if:network keep state
 #pass out on $lab_if from any to $lab_if:network keep state
 
 pass out on $ext_if proto tcp all modulate state flags S/SA
 pass out on $ext_if proto { udp, icmp } all keep state
 #END
 
 I think I'm missing something very obvious here... so, better ask the
 list than slam my head on the wall :D



Re: PF and MS RDP trouble (help!)

2006-04-09 Thread NetNeanderthal
On 4/9/06, Vijay Sankar [EMAIL PROTECTED] wrote:
 Leonardo Rodrigues wrote:
 Looks like you may want to do a rdr pass since otherwise you are doing
 a block drop in quick to all priv_nets and your W2K3 server is on one
 of those nets.

Unless you're assuming the connection was sourced from $priv_nets, you
are incorrect.
 block drop in quick on $ext_if from $priv_nets to any

You would be correct if it were reversed:
block drop in quick on $ext_if from any to $priv_nets

Regardless, hand-holding people who pose PF questions prior to proper
diagnosis is the worst thing someone could possibly do to help them.



Re: PF and MS RDP trouble (help!)

2006-04-09 Thread Leonardo Rodrigues
Thanks for the tips, I was able to log the redirection rules and trace
the problem. And there was none at all! PF was working perfectly. The
packets were being redirected but I was getting no answer from the
2k3. So, I phoned the sys admin, chatted a little, and found out that
he didn't set a gateway to the 2k3 server after a maintenance session.
Heh... life is hard ain't it? :)


On 4/9/06, NetNeanderthal [EMAIL PROTECTED] wrote:
 On 4/9/06, Leonardo Rodrigues [EMAIL PROTECTED] wrote:
  Hello everyone!
 
  I'm having a bit of trouble trying to access a Windows 2003 server
  that is behind an OpenBSD 3.9 -current firewall.
 
  From the LAN, I can remote access the 2k3 server easily, by just
  opening the mstsc and entering the machine's IP (192.168.0.1).
  The problem is, I want to access the 2k3 server from home, and my PF
  rules aren't working =(
  I try to connect to the firewall's external IP via the ms terminal
  service client, but my connection times out...
 
  Here's my pf.conf
 snip ruleset

 What methods have you used to diagnose this?

 Read the FAQ page and the man pages.
 http://www.openbsd.org/faq/pf/logging.html
 /usr/bin/man pfctl pflogd tcpdump

 Turn on logging for all block rules and start pflogd.  Then, try the
 following command and retest the connection attempt:

 /sbin/pflogd
 /sbin/ifconfig pflog0 up
 /usr/sbin/tcpdump -netttoi pflog0 port 3389

 If you still can't find what's stopping the connection after examining
 pflog0, send the output of the following command back to the list:

 /sbin/pfctl -vvvsa
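Following NetNeanderthal's advice to watch the traffic before touching the ruleset, and Leonardo's finding that the packets were redirected but the 2k3 box never answered, here is an added example (not from the thread) that classifies a capture taken with `tcpdump -n -i rl0 port 3389` on the firewall's inner interface into "no-traffic", "no-reply" or "replying", separating a pf problem from a host problem such as the missing default gateway or a host firewall. The two capture samples, the client address 203.0.113.5 and the choice of rl0 rather than pflog0 are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of what `tcpdump -n -i rl0 port 3389` might show on the
# firewall's inner interface while a remote RDP client retries: the rdr'd SYNs
# reach 192.168.0.1, but nothing ever comes back (the thread's actual fault).
SAMPLE_NO_REPLY='12:00:01.000000 203.0.113.5.51234 > 192.168.0.1.3389: S 10:10(0) win 65535
12:00:04.000000 203.0.113.5.51234 > 192.168.0.1.3389: S 10:10(0) win 65535
12:00:10.000000 203.0.113.5.51234 > 192.168.0.1.3389: S 10:10(0) win 65535'

# Constructed sample of the same capture once the server has a default gateway
# again: the SYN-ACK from 192.168.0.1 shows up on the inner interface.
SAMPLE_WITH_REPLY='12:00:01.000000 203.0.113.5.51234 > 192.168.0.1.3389: S 10:10(0) win 65535
12:00:01.000400 192.168.0.1.3389 > 203.0.113.5.51234: S 20:20(0) ack 11 win 16384'

# rdp_verdict SERVER_IP < capture
# Reads tcpdump lines on stdin, classifies each TCP segment to or from
# SERVER_IP port 3389 and prints exactly one of:
#   no-traffic   nothing for the server's port 3389 reached this interface
#                (look at pf: rdr rule, pass rule, pflog0)
#   no-reply     SYNs were delivered but the server never answered
#                (look at the host: route/default gateway, host firewall)
#   replying     the server sent SYN-ACKs back
rdp_verdict() {
    server="$1"
    awk -v srv="$server" '
        # tcpdump prints "time src.port > dst.port: flags ...", so $2 is the
        # source, $4 the destination (with a trailing colon), $5 the flags.
        {
            src = $2; dst = $4; sub(/:$/, "", dst); flags = $5
            if (dst == (srv ".3389") && flags == "S") syn++
            if (src == (srv ".3389") && flags == "S" && $0 ~ / ack /) synack++
        }
        END {
            if (syn == 0 && synack == 0) print "no-traffic"
            else if (synack == 0)        print "no-reply"
            else                         print "replying"
        }'
}

# Run both constructed captures through the classifier.
printf '%s\n' "$SAMPLE_NO_REPLY" | rdp_verdict 192.168.0.1
printf '%s\n' "$SAMPLE_WITH_REPLY" | rdp_verdict 192.168.0.1
```

On a live firewall, feed it a real capture instead: `tcpdump -n -l -i rl0 port 3389 | rdp_verdict 192.168.0.1` after stopping the capture with Ctrl-C.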