Re: RDR for internal machine

2003-03-31 Thread Srebrenko Sehic
On Mon, Mar 31, 2003 at 10:53:09AM -0600, Darley Ware wrote:

> 1.  I have a webserver on the internal LAN which listens on port 8000.  I can
> view the webserver internally by IP and by name (using LMHOST records).  I
> have not however been able to access the internal webserver from the
> outside.  I saw a post over the weekend about name based virtualhosting on web
> servers.  This does not seem to apply to me as I have the server setup to
> respond to IP and have no virtualdomains configured.  So I guess my question
> is do I have my redirect setup correctly, and if so where lies the problem?

And do you permit packets on $internal_if going to the internal web server? rdr
rules are not enough. Btw, filtering happens _after_ rdr, so you have to
permit packets after the translation.

What does tcpdump on the webserver show? Do you see any packets?

> 2.  (and this one really is not that important)  I can not seem to get a
> response to ICMP to outside addresses.  I can ping both directions from the
> firewall and I believe my pings are getting out, but the responses do not
> return to the internal clients.

Lemme get this right. You ping hosts outside your LANs and don't get
responses back to the clients, but from the firewall itself, it works?

Check your rules. If you 'block all on $inside_if' or something, you
have to explicitly pass in/out icmp traffic on $inside_if.

Again, tcpdump output could be nice.

// haver



Re: RDR for internal machine

2003-03-31 Thread Trevor Talbot
On Monday, Mar 31, 2003, at 08:53 US/Pacific, Darley Ware wrote:

> 1.  I have a webserver on the internal LAN which listens on port 8000.  I can
> view the webserver internally by IP and by name (using LMHOST records).  I
> have not however been able to access the internal webserver from the
> outside.  I saw a post over the weekend about name based virtualhosting on web
> servers.  This does not seem to apply to me as I have the server setup to
> respond to IP and have no virtualdomains configured.  So I guess my question
> is do I have my redirect setup correctly, and if so where lies the problem?
>
> 2.  (and this one really is not that important)  I can not seem to get a
> response to ICMP to outside addresses.  I can ping both directions from the
> firewall and I believe my pings are getting out, but the responses do not
> return to the internal clients.

As the others commented, tcpdump logs would have been useful.  You can
also apply tcpdump to pflog0 to see what pf is logging.  Make sure to
use tcpdump's -e switch there.
Rule comments inline:

> # OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
> #
> #
> ### --
> ### MACROS  - define interfaces: internet, intranet, wireless net
> ###
>
> if_ext = dc0
> if_int = fxp0
> if_wir = an0
> INT_Net=192.168.XX.XX/27
> WIFI_Net=192.168.YY.YY/27
> bad_ports = 69,135,137,138,139,445,524,548,1433,6000,31337,666,12345
>
> no_route = { 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
>   255.255.255.255/32 }
> ### --
> ### Optimization
> ###
>
> #set optimization aggressive
> #set timeout tcp.established 3600
> #set timeout { tcp.opening 30, tcp.closing 120 }
> #set limit { states 2, frags 5000 }
> ### --
> ### statistics logging on external interface
> ###
>
> set loginterface $if_ext
> set loginterface $if_wir
> ### --
> ### NAT Gateways
> ###
>
> nat on $if_ext from $INT_Net to any -> $if_ext
> nat on $if_ext from $WIFI_Net to any -> $if_ext
> # Redirect outside ports to internal servers
> rdr on dc0 proto tcp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
> rdr on dc0 proto udp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
>
> ### --
> ### DEFAULT RULES
> ###
>
> # INCOMING DEFAULT: block and normalize all
> #scrub in on all
> block in log all
> # OUTGOING DEFAULT: block all
> block out log all
> # SPECIAL IMMEDIATE BLOCKS:
>
> # block bad ports and external broadcasts
> block in quick proto { udp,tcp } from any to any port { = $bad_ports }
> block in quick on $if_ext from any to 255.255.255.255
> block in quick on $if_wir from any to 255.255.255.255
> # block weird tcp packets on WAN:
> block in quick on $if_ext inet proto tcp from any to any flags FUP/FUP
> block in quick on $if_ext inet proto tcp from any to any flags SF/SFRA
> block in quick on $if_ext inet proto tcp from any to any flags /SFRA
> # block weird tcp packets on WiFi:
> block in quick on $if_wir inet proto tcp from any to any flags FUP/FUP
> block in quick on $if_wir inet proto tcp from any to any flags SF/SFRA
> block in quick on $if_wir inet proto tcp from any to any flags /SFRA
> # don't allow anyone to spoof non-routeable addresses
> block in  quick on $if_ext from $no_route to any
> block out quick on $if_ext from any to $no_route
> ### --
> ### LOOPBACK
> ###
>
> pass in quick on lo0 all
> pass out quick on lo0 all

These are overridden by the $bad_ports block rule above.  Not likely
an issue, but something to be aware of.

> ### --
> ### EXTERNAL INTERFACE
> ###
>
> # INCOMING: accept ssh
> pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 22 flags S/SA keep state
> pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 8000

No keep state.  This is a problem because...

> # INCOMING DEFAULT: block all incoming
>
> # OUTGOING: block non nated packets, pass the others
> block out quick on $if_ext from !$if_ext/24 to any
> pass out quick on $if_ext proto tcp from $if_ext/24 to any flags S/SA keep state

...this rule cannot pick up SA/SA, which will be the outbound response to
the inbound S/SA for the webserver.

> pass out quick on $if_ext proto { udp } from $if_ext/24 to any keep state
>
> # ICMP: ping
> # remove next to block ping from Internet
> pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
> pass out on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
> # OUTGOING DEFAULT: block all outgoing
>
> ### --
> ### INTERNAL INTERFACE
> ###
>
> # INCOMING: traffic to fw, accept ssh  dhcp only, block the rest
> pass in quick on $if_int proto tcp from $if_int/27 to $if_int/27 port = 22 flags S/SA keep state
> pass in quick on $if_int

Re: RDR for internal machine

2003-03-31 Thread clemens
Quoting Darley Ware [EMAIL PROTECTED]:

> 1.  I have a webserver on the internal LAN which listens on port 8000.  I can
> view the webserver internally by IP and by name (using LMHOST records). I
> have not however been able to access the internal webserver from the
> outside.  I saw a post over the weekend about name based virtualhosting on web
> servers.  This does not seem to apply to me as I have the server setup to
> respond to IP and have no virtualdomains configured.  So I guess my question
> is do I have my redirect setup correctly, and if so where lies the problem?

No, you're blocking the redirected request. Redirection happens before the 
evaluation of pass/block rules. So

> rdr on dc0 proto tcp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000

redirects the request to 192.168.xx.71:8000 on dc0, and

> block in log all
> pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 8000

does not let it pass, because the destination for the request is not $if_ext 
but 192.168.XX.71. So if you change it to 

> pass in quick on $if_ext proto tcp from any to 192.168.XX.71 port = 8000
> keep state

it should work.

> 2.  (and this one really is not that important)  I can not seem to get a
> response to ICMP to outside addresses.  I can ping both directions from the
> firewall and I believe my pings are getting out, but the responses do not
> return to the internal clients.

If I understand you correctly, pinging works from the firewall in all 
directions (inwards and outwards), but not from internal clients to servers 
outside the firewall. Add

> pass in on $if_int inet proto icmp all icmp-type 8 code 0 keep state

to your rules for your internal interface, and all should be fine. You're 
blocking the pings on your internal interface, if I'm not mistaken.

> Thanks,
>
> Darley

Hope to have helped,

Clemens
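The two fixes discussed in this thread (match the translated destination after rdr, and pass ICMP echo with state on the internal interface), collected into one pf.conf fragment. This is an added example for readers, not a ruleset posted by Darley, Clemens or anyone else in the thread; it keeps the thread's placeholder names (dc0, fxp0, 192.168.XX.71, 192.168.XX.XX/27) and assumes the separate rdr/nat and pass rule syntax of pf as it was in 2003, with floating (non interface-bound) states.

```pf
# Added example, not part of the original thread. Interfaces and the
# 192.168.XX.* addresses are the placeholders used in the thread.
if_ext  = dc0
if_int  = fxp0
INT_Net = 192.168.XX.XX/27
web_srv = 192.168.XX.71

# Translation runs before filtering: the pass/block rules below see the
# destination already rewritten to $web_srv, not the address of dc0.
rdr on $if_ext proto tcp from any to ($if_ext) port 8000 -> $web_srv port 8000

block in  log all
block out log all

# WRONG (as in the original ruleset): after rdr the packet is addressed to
# $web_srv, so a rule keyed on $if_ext/24 never matches and the
# "block in log all" default wins. Kept commented out for comparison.
# pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 8000

# RIGHT: match the translated destination and keep state. The state entry,
# not a flags S/SA rule, is what passes the webserver's SYN/ACK back out.
pass in quick on $if_ext proto tcp from any to $web_srv port = 8000 \
    flags S/SA keep state

# The redirected packet is then forwarded out $if_int. A floating state
# already covers it; an explicit rule keeps this working if states are
# ever made interface-bound.
pass out quick on $if_int proto tcp from any to $web_srv port = 8000 \
    flags S/SA keep state

# ICMP echo from the LAN: pass it in on the internal interface with state
# so the echo replies arriving on $if_ext are accepted by the same state.
pass in  quick on $if_int inet proto icmp from $INT_Net to any \
    icmp-type 8 code 0 keep state
pass out quick on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
```

Because every default block rule carries `log`, a connection that is still being dropped shows up on the pflog interface; `tcpdump -n -e -ttt -i pflog0` (the `-e` Trevor mentions) prints the blocking rule number and direction, which tells you immediately whether the packet died before or after translation.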