Re: PF redirection and pflogging

2008-08-22 Thread Parvinder Bhasin

Thanks Imre!!! That seems to have done the trick for both issues.

Cheers!
-Parvinder Bhasin

On Aug 21, 2008, at 2:28 PM, Imre Oolberg wrote:


Hallo!

My guess is you don't get anything logged since you pass with rdr rules. Maybe it is cleaner to keep translation and filtering separate, e.g. have translation rules like this


rdr on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80


And then you need to pass not to the external interface's IP address but to where your so-to-say real server is, e.g. the rule


pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state

should rather read

pass in on $ext_if proto tcp from any to $webby_server port 80 keep state


And also note that a rule like this works when there aren't other rules that match the packet. Maybe it is more straightforward, at least for debugging, to add the 'quick' keyword to it, which makes the rule match no matter what follows, like this


pass in quick on $ext_if proto tcp from any to $webby_server port 80 keep state



Imre


Parvinder Bhasin wrote:

List,

I am having some issues while redirecting traffic to port 80 on the $squid_server.


I have this server serving two purposes: Apache web server and Squid server. I can definitely get to the PROXY services fine but cannot get to the WWW (port 80) on the same server.


Another issue is that when I try to actively look at the pflog by running tcpdump -n -e -ttt -i pflog0, I don't get anything even when the traffic is passing and/or getting blocked.


Any help is highly appreciated.

thx.


For this I have the following pf config:


ext_if=sk0
int_if=gem0
pf_log=pflog0
webby
set skip on enc0
set skip on gre0

external_ip=70.40.22.17
external_ips={70.40.22.17 70.40.22.18 70.40.22.19}
external_net={70.40.22.17 70.40.22.18 70.40.22.19}


internal_ip=172.16.10.10
internal_networks={172.16.10.0/24 172.16.100.0/24 172.16.200.0/24}

webby_ip=70.40.22.18
webby_server=172.16.10.11

squid_ip=70.40.22.19
squid_server=172.16.10.12

# block_ip=70.40.22.20
block_server=172.16.10.12

##TABLES
table <bruteforce> persist
table <kiddies> persist

## OPTIONS #
# pf keeps a single loginterface; the second 'set loginterface' overrides the first
set loginterface $ext_if
set loginterface $int_if
scrub in

## NAT/REDIRECTS #

nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# rdr pass on $ext_if proto tcp from any to $block_ip port 80 -> $squid_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 443 -> $webby_server port 443
rdr pass on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
rdr pass on $ext_if proto tcp from any to $squid_ip port 80 -> $squid_server port 80


## FILTERS #
block log quick from <bruteforce>
block log quick from <kiddies>
# 'on $pf_log' restricts this rule to the pflog0 interface itself; to log to pflog0 use 'log' or 'log (to $pf_log)'
block in log on $pf_log


# pass in quick on $int_if
pass out keep state

pass in on $ext_if proto icmp from any to $external_ip keep state
pass in on $ext_if proto tcp from any to $external_ip port ssh keep state

pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
pass in on $ext_if proto tcp from any to $webby_ip port 443 keep state
pass in log (all, to $pf_log) on $ext_if proto tcp from any to $squid_ip port 3128 keep state

pass in on $ext_if proto tcp from any to $squid_ip port 80 keep state
# pass in on $ext_if proto tcp from any to $block_ip port 80 keep state
pass in on $ext_if proto tcp from any to $external_ips port 22 keep state
pass inet proto tcp from any to $external_net port 22 flags S/SA keep state (max-src-conn 25, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# block in quick on $ext_if




Re: PF redirection and pflogging

2008-08-21 Thread Imre Oolberg

Hallo!

My guess is you don't get anything logged since you pass with rdr rules. Maybe it is cleaner to keep translation and filtering separate, e.g. have translation rules like this


rdr on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80


And then you need to pass not to the external interface's IP address but to where your so-to-say real server is, e.g. the rule


pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state

should rather read

pass in on $ext_if proto tcp from any to $webby_server port 80 keep state

And also note that a rule like this works when there aren't other rules that match the packet. Maybe it is more straightforward, at least for debugging, to add the 'quick' keyword to it, which makes the rule match no matter what follows, like this


pass in quick on $ext_if proto tcp from any to $webby_server port 80 keep state



Imre


Parvinder Bhasin wrote:

List,

I am having some issues while redirecting traffic to port 80 on the $squid_server.


I have this server serving two purposes: Apache web server and Squid server. I can definitely get to the PROXY services fine but cannot get to the WWW (port 80) on the same server.


Another issue is that when I try to actively look at the pflog by running tcpdump -n -e -ttt -i pflog0, I don't get anything even when the traffic is passing and/or getting blocked.


Any help is highly appreciated.

thx.


For this I have the following pf config:


ext_if=sk0
int_if=gem0
pf_log=pflog0
webby
set skip on enc0
set skip on gre0

external_ip=70.40.22.17
external_ips={70.40.22.17 70.40.22.18 70.40.22.19}
external_net={70.40.22.17 70.40.22.18 70.40.22.19}


internal_ip=172.16.10.10
internal_networks={172.16.10.0/24 172.16.100.0/24 172.16.200.0/24}

webby_ip=70.40.22.18
webby_server=172.16.10.11

squid_ip=70.40.22.19
squid_server=172.16.10.12

# block_ip=70.40.22.20
block_server=172.16.10.12

##TABLES
table <bruteforce> persist
table <kiddies> persist

## OPTIONS #
# pf keeps a single loginterface; the second 'set loginterface' overrides the first
set loginterface $ext_if
set loginterface $int_if
scrub in

## NAT/REDIRECTS #

nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# rdr pass on $ext_if proto tcp from any to $block_ip port 80 -> $squid_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 443 -> $webby_server port 443
rdr pass on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
rdr pass on $ext_if proto tcp from any to $squid_ip port 80 -> $squid_server port 80


## FILTERS #
block log quick from <bruteforce>
block log quick from <kiddies>
# 'on $pf_log' restricts this rule to the pflog0 interface itself; to log to pflog0 use 'log' or 'log (to $pf_log)'
block in log on $pf_log


# pass in quick on $int_if
pass out keep state

pass in on $ext_if proto icmp from any to $external_ip keep state
pass in on $ext_if proto tcp from any to $external_ip port ssh keep state
pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
pass in on $ext_if proto tcp from any to $webby_ip port 443 keep state
pass in log (all, to $pf_log) on $ext_if proto tcp from any to $squid_ip port 3128 keep state

pass in on $ext_if proto tcp from any to $squid_ip port 80 keep state
# pass in on $ext_if proto tcp from any to $block_ip port 80 keep state
pass in on $ext_if proto tcp from any to $external_ips port 22 keep state
pass inet proto tcp from any to $external_net port 22 flags S/SA keep state (max-src-conn 25, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# block in quick on $ext_if
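Imre's two points above, that 'rdr pass' hands the translated packet through without any filter rule (so 'log' never fires), and that a plain 'rdr' needs a 'pass' rule naming the translated server rather than the external address, can be checked mechanically. The script below is an added example, not code from the thread or from pf itself; it understands only the pre-4.7 'rdr ... -> ...' / 'pass in' syntax used here, and the embedded pf.conf fragment is constructed to mirror the poster's setup.

```python
import re

# Constructed pf.conf fragment modelled on the thread (pre-OpenBSD-4.7 rdr syntax).
SAMPLE_CONF = """
ext_if=sk0
webby_ip=70.40.22.18
webby_server=172.16.10.11
squid_ip=70.40.22.19
squid_server=172.16.10.12
rdr pass on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
rdr on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
"""

MACRO_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")
# rdr [pass] ... to <dst> port <p> -> <target> ...  (service names vs numbers are not unified)
RDR_RE = re.compile(r"^rdr(?P<pass>\s+pass)?\s.*?\bto\s+(?P<dst>\S+)\s+port\s+(?P<port>\S+)\s+->\s+(?P<tgt>\S+)")
PASS_RE = re.compile(r"^pass\s+in\b.*?\bto\s+(?P<dst>\S+)\s+port\s+(?P<port>\S+)")

def expand(tok, macros):
    """Resolve a $macro reference to its literal value; other tokens pass through unchanged."""
    return macros.get(tok[1:], tok) if tok.startswith("$") else tok

def audit(conf):
    """Return a list of findings for rdr rules that bypass or miss the filter."""
    macros, rdrs, passes, findings = {}, [], [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if m := MACRO_RE.match(line):
            macros[m.group(1)] = m.group(2).strip().strip('"')
        elif m := RDR_RE.match(line):
            rdrs.append((bool(m.group("pass")), expand(m.group("dst"), macros),
                         m.group("port"), expand(m.group("tgt"), macros), line))
        elif m := PASS_RE.match(line):
            passes.append((expand(m.group("dst"), macros), m.group("port")))
    for has_pass, dst, port, tgt, line in rdrs:
        if has_pass:
            # 'rdr pass' lets the translated packet through without consulting the filter,
            # so no filter rule (and therefore no 'log') ever sees it.
            findings.append(f"rdr pass bypasses the filter, nothing is logged: {line}")
        elif (tgt, port) not in passes:
            # Inbound translation happens before filtering, so the pass rule must name
            # the internal target, not the external address the client connected to.
            hint = " (a pass rule names the pre-translation address instead)" if (dst, port) in passes else ""
            findings.append(f"no pass rule for translated destination {tgt} port {port}{hint}: {line}")
    return findings
```

Running audit(SAMPLE_CONF) reports the squid 'rdr pass' line and the webby redirect whose only pass rule still names $webby_ip; fixing the latter as Imre suggests (pass to $webby_server) makes that finding disappear.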