On Monday, Mar 31, 2003, at 08:53 US/Pacific, Darley Ware wrote:
1. I have a webserver on the internal LAN which listens on port 8000. I can view the webserver internally by IP and by name (using LMHOST records). I have not, however, been able to access the internal webserver from the outside. I saw a post over the weekend about name based virtualhosting on web servers. This does not seem to apply to me as I have the server set up to respond to IP and have no virtualdomains configured. So I guess my question is, do I have my redirect set up correctly, and if so, where lies the problem?

2. (and this one really is not that important) I cannot seem to get a response to ICMP to outside addresses. I can ping both directions from the firewall and I believe my pings are getting out, but the responses do not return to the internal clients.
As the others commented, tcpdump logs would have been useful. You can also apply tcpdump to pflog0 to see what pf is logging. Make sure to use tcpdump's -e switch there.
Rule comments inline:
# $OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
#
#
###--
### MACROS - define interfaces: internet, intranet, wireless net
###
if_ext = dc0
if_int = fxp0
if_wir = an0
INT_Net=192.168.XX.XX/27
WIFI_Net=192.168.YY.YY/27
bad_ports = 69,135,137,138,139,445,524,548,1433,6000,31337,666,12345
no_route = { 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }
###--
### Optimization
###
#set optimization aggressive
#set timeout tcp.established 3600
#set timeout { tcp.opening 30, tcp.closing 120 }
#set limit { states 2, frags 5000 }
###--
### statistics logging on external interface
###
set loginterface $if_ext
set loginterface $if_wir
###--
### NAT Gateways
###
nat on $if_ext from $INT_Net to any -> $if_ext
nat on $if_ext from $WIFI_Net to any -> $if_ext
# Redirect outside ports to internal servers
rdr on dc0 proto tcp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
rdr on dc0 proto udp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
###--
### DEFAULT RULES
###
# INCOMING DEFAULT: block and normalize all
#scrub in on all
block in log all
# OUTGOING DEFAULT: block all
block out log all
# SPECIAL IMMEDIATE BLOCKS:
# block bad ports and external broadcasts
block in quick proto { udp,tcp } from any to any port { = $bad_ports }
block in quick on $if_ext from any to 255.255.255.255
block in quick on $if_wir from any to 255.255.255.255
# block weird tcp packets on WAN:
block in quick on $if_ext inet proto tcp from any to any flags FUP/FUP
block in quick on $if_ext inet proto tcp from any to any flags SF/SFRA
block in quick on $if_ext inet proto tcp from any to any flags /SFRA
# block weird tcp packets on WiFi:
block in quick on $if_wir inet proto tcp from any to any flags FUP/FUP
block in quick on $if_wir inet proto tcp from any to any flags SF/SFRA
block in quick on $if_wir inet proto tcp from any to any flags /SFRA
# don't allow anyone to spoof non-routeable addresses
block in quick on $if_ext from $no_route to any
block out quick on $if_ext from any to $no_route
###--
### LOOPBACK
###
pass in quick on lo0 all
pass out quick on lo0 all
These are overridden by the $bad_ports block rule above. Not likely an issue, but something to be aware of.
###--
### EXTERNAL INTERFACE
###
# INCOMING: accept ssh
pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 22 flags S/SA keep state
pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 8000
No keep state. This is a problem because...
# INCOMING DEFAULT: block all incoming
# OUTGOING: block non nated packets, pass the others
block out quick on $if_ext from !$if_ext/24 to any
pass out quick on $if_ext proto tcp from $if_ext/24 to any flags S/SA keep state
...this rule cannot pick up SA/SA, which will be the outbound response to the inbound S/SA for the webserver.
pass out quick on $if_ext proto { udp } from $if_ext/24 to any keep state
# ICMP: ping
# remove next to block ping from Internet
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
pass out on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
# OUTGOING DEFAULT: block all outgoing
###--
### INTERNAL INTERFACE
###
# INCOMING: traffic to fw, accept ssh dhcp only, block the rest
pass in quick on $if_int proto tcp from $if_int/27 to $if_int/27 port = 22 flags S/SA keep state
pass in quick on $if_int
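The missing-keep-state point made above can be traced with a small model of pf's evaluation order. This is an added illustration, not code from the mail or from OpenBSD's pf: it reduces the $if_ext rules quoted in the thread to their direction, destination port, flags and quick/keep-state attributes (addresses, NAT and the rdr translation are left out), and models the two pf behaviours the thread hinges on: "flags check/mask" requires exactly the bits of check to be set among the bits of mask, and a reply packet is only passed if a state exists for it or it matches a pass rule on its own. The connection id and the client port 40000 are constructed values.

```python
"""Trace the web-server SYN / SYN-ACK pair through a reduced model of the
quoted $if_ext rules. Added example; not part of the original mail or pf."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    conn: str        # connection id shared by both directions (constructed)
    direction: str   # "in" or "out", relative to the firewall's $if_ext
    flags: str       # TCP flags set, e.g. "S" (SYN) or "SA" (SYN-ACK)
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool = False
    dport: Optional[int] = None  # None matches any destination port
    flags: Optional[str] = None  # pf "flags check/mask"; None matches any
    keep_state: bool = False


def flags_match(pkt_flags: str, spec: Optional[str]) -> bool:
    """pf 'flags check/mask': of the bits in mask, exactly those in check
    must be set. 'S/SA' therefore matches a bare SYN but not a SYN-ACK."""
    if spec is None:
        return True
    check, mask = spec.split("/")
    return set(pkt_flags) & set(mask) == set(check)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.dport is None or rule.dport == pkt.dport)
            and flags_match(pkt.flags, rule.flags))


def filter_packet(rules: List[Rule], pkt: Packet, states: Set[str]) -> str:
    """Return 'pass' or 'block'. An existing state short-circuits the rules;
    otherwise the last matching rule wins, unless a matching rule is quick."""
    if pkt.conn in states:
        return "pass"
    verdict = None
    for rule in rules:
        if rule_matches(rule, pkt):
            verdict = rule
            if rule.quick:
                break
    if verdict is None:
        return "pass"  # pf's implicit default when no rule matches
    if verdict.action == "pass" and verdict.keep_state:
        states.add(pkt.conn)  # reply traffic will be passed by this state
    return verdict.action


def ruleset(webserver_keep_state: bool) -> List[Rule]:
    """The $if_ext rules from the thread that the web-server trace touches,
    in the order they appear. The 'block ... log all' defaults are not
    quick, so a later matching pass rule overrides them."""
    return [
        Rule("block", "in"),
        Rule("block", "out"),
        Rule("pass", "in", quick=True, dport=22, flags="S/SA", keep_state=True),
        # The poster's port-8000 rule has neither flags nor keep state;
        # the parameter adds keep state as the reply suggests.
        Rule("pass", "in", quick=True, dport=8000, keep_state=webserver_keep_state),
        Rule("pass", "out", quick=True, flags="S/SA", keep_state=True),
    ]


def trace_webserver_connection(webserver_keep_state: bool) -> List[str]:
    """Verdicts for the inbound SYN to port 8000 and the outbound SYN-ACK."""
    rules = ruleset(webserver_keep_state)
    states: Set[str] = set()
    syn = Packet(conn="client-www-8000", direction="in", flags="S", dport=8000)
    # The SYN-ACK goes back to the client's ephemeral port (constructed).
    synack = Packet(conn="client-www-8000", direction="out", flags="SA", dport=40000)
    return [filter_packet(rules, syn, states), filter_packet(rules, synack, states)]


if __name__ == "__main__":
    print("as posted:       ", trace_webserver_connection(False))
    print("with keep state: ", trace_webserver_connection(True))
```

Without keep state the SYN is passed by the port-8000 rule, but the SYN-ACK only reaches the "pass out ... flags S/SA" rule, which does not match a SYN-ACK, so the non-quick "block out log all" is the last matching rule and the handshake never completes. With keep state on the port-8000 rule, the SYN creates a state and the SYN-ACK is passed from the state table before any rule is consulted.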